
Please Mr. Postman – Statement on Regulation S-P

May 16, 2024

I write in support of today’s amendments to Regulation S-P, albeit with some reservations. Protecting customers’ information and notifying them when it is compromised are important—even more important than when the Commission adopted the original version of Regulation S-P in 2000. All of us have given our personal information to a business with a tinge of fear that our information is at risk because even companies that work hard to protect this information are under constant attack by cybercriminals.[1] And many of us have received a letter notifying us of a breach involving our information.[2] Today’s Regulation S-P modernization will help covered institutions appropriately prioritize safeguarding customer information. Customers will be notified promptly when their information has been compromised so they can take steps to protect themselves, like changing passwords or keeping a closer eye on credit scores. My reservations stem from the breadth of the rule and the likelihood that it will spawn more consumer notices than are helpful.

If this prediction materializes, rather than singing of longing for mail, the modern-day Marvelettes might revise their 1961 classic “Please Mr. Postman”[3] to complain about too much mail:

So many days you stop by,
See the tears standin’ in my eye,
This week you already brought me four,
and now you’re droppin’ another consumer notice at my door.

As these lyrics illustrate, my greatest concern about the rule is that its breadth could undermine the value of the customer notifications by making them so commonplace that people ignore them. At some point, the notifications will stop having the intended effect. If covered institutions fear being second-guessed after making a reasonable judgment not to send a notice, they will err on the side of sending a notice, even if one might not be necessary. How does your behavior change if you start getting a notice every few months? Or every month? Or every week? What if you get notifications from multiple entities related to the same breach?

These questions highlight a key challenge for a rulemaking like this one: providing a framework for adequate notification while avoiding an environment in which covered institutions default to over-notification. During the implementation period, the staff should work with industry to facilitate the development of sound policies and procedures that achieve the right balance. The Commission needs to show that it will not use Regulation S-P to set up well-intentioned firms for enforcement actions. We should work with firms as they try to mitigate the damage wrought by cybercriminals.

We also can help to address the problem of over-notification by participating in efforts to streamline notification requirements. Today’s amendments set a needed notification baseline for the financial services industry, which will benefit investors. However, the industry still will contend with an array of different and sometimes conflicting state and federal requirements. Further consolidation and harmonization of these requirements is a worthy goal on which federal and state regulators should continue to work.

Despite my reservations, I support this rule. At a time when our identities are increasingly online and information travels at lightning speeds around the world, I particularly appreciate the work of the Commission staff to help protect customer information. Thank you to staff in the Divisions of Investment Management, Trading and Markets, and Economic and Risk Analysis, and the Office of General Counsel on this rule. This project has not been easy, and I am grateful for your hard work to get us to today’s final rule.

[1] Duke CFO Global Business Outlook, “More Than 80 Percent of Firms Say They Have Been Hacked,” https://cfosurvey.fuqua.duke.edu/press-release/more-than-80-percent-of-firms-say-they-have-been-hacked/.

[2] For example, I received a letter earlier this year about a breach that had happened more than two years ago at a financial firm that I did not even know had my data since I never had a direct relationship with the firm.

[3] The Marvelettes—“Please Mr. Postman,” Classic Motown, https://classic.motown.com/story/marvelettes-please-mr-postman/.
