Statement on Amendments to Regulation S-P

Washington D.C.

Today, the Commission is considering amendments to Regulation S-P that will require covered firms to notify their customers of data breaches. I support these amendments because, through making critical updates to a rule first adopted in 2000, these amendments will help protect the privacy of customers’ financial data.

In 1999, Congress passed a provision to help ensure that financial firms protect customers’ nonpublic personal information. As a member of the U.S. Department of Treasury team at the time, I was proud to work with then-Congressman Ed Markey on this important legislation. The provision mandated that federal financial regulators adopt rules to advance consumers’ privacy. The SEC did so in 2000, through Regulation S-P, which requires covered firms to notify customers about how they use their nonpublic personal information.

Over the last 24 years, the nature, scale, and impact of data breaches have transformed substantially. Complaints about identity theft have more than doubled in just the four years from 2018 to 2022, per the FBI’s Internet Crime Complaint Center.

Investors would benefit from a financial privacy rule more modern than the AOL era. Though the current rule requires covered firms to notify customers about how they use their nonpublic personal information, these firms have no requirement to notify customers about breaches. I think we should close this gap.

Thus, under these amendments, covered firms will be required to notify customers of breaches that might put their personal data at risk. Critically, our amendments would help ensure that customers receive sufficient notice to take measures to protect themselves from harm that might result from the breach.

Second, to ensure that covered firms properly identify when breaches occur, firms will need to establish reasonable policies to detect, respond to, and recover from breaches affecting customer information.

Third, the amendments will require covered firms to take measures to properly dispose of customer information.

Fourth, the amendments will extend Reg S-P’s requirements to transfer agents registered with the Commission or another appropriate regulatory agency. These firms maintain sensitive personal information relating to who owns a security, including when and how that security changes hands. I think it is important that transfer agents follow the same standards as the other covered firms, both when it comes to notifying about breaches and properly disposing of records.

The amendments allow for limited delays in providing notice of the data breach if the U.S. Attorney General determines that notice poses a substantial risk to national security or public safety. Further, the amendments provide that if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such delay through possible exemptive orders or other action.

We look forward to working with our fellow federal and state-level regulators to continue protecting customers from these breaches. In drafting the amendments, we benefitted from examining state-level laws to discern best practices.

I believe that these amendments will help customers maintain their privacy and protect themselves. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.

I’d also like to thank members of the SEC staff for their work on this proposal, including:

  • Natasha Vij Greiner, Sarah ten Siethoff, Brian Johnson, Bradley Gude, Blair Burnett, Rachael Kuo, Michael Khalil, Andrew Deglin, and Susan Ali in the Division of Investment Management;
  • Haoxiang Zhu, David Saltiel, Andrea Orr, Emily Westerberg Russell, John Fahey, Devin Ryan, Edward Schellhorn, Moshe Rothman, James Wintering, Emily Hellman, and Kevin Schopp in the Division of Trading and Markets;
  • Jessica Wachter, Ross Askanazi, Dominique Brabant, Rebecca Orban, Ralph Bien-Aime, Daniel Chapman, Elizabeth Phillips, Jeorge Young, Lauren Moore, and Charles Woodworth in the Division of Economic and Risk Analysis; and
  • Meridith Mitchell, Robert Teply, Natalie Shioji, Alice Wang, Cathy Ahn, Ronesha Butler, Elise Bruntel, and Maureen Johansen in the Office of the General Counsel.

Last Reviewed or Updated: May 16, 2024