Statement on the Amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information
May 16, 2024
Today, the Commission adopted amendments to Regulation S-P, which were proposed last year.[1] Regulation S-P was initially adopted in 2000 pursuant to the Gramm-Leach-Bliley Act, or the GLBA.[2] Congress subsequently amended the applicable privacy provisions of the GLBA in 2015.[3]
Regulation S-P is intended to provide customers and consumers with protections against threat actors who commit identity theft and other harms using personally identifiable information such as social security numbers, names, phone numbers, and addresses. In the years since Regulation S-P’s initial adoption, the world has changed in how customers and financial institutions interact – from a paper-based world to a digital one. For some context, consider that in 2000, the country had just survived Y2K, pagers were still in vogue, and smartphones in their current incarnation did not yet exist. Even the idea of conducting financial transactions on the Internet — much less on mobile devices — was novel. Perhaps the closest forerunner to the modern smartphone was the Blackberry, where rather than looking at social media, a person could whittle away idle time with Brickbreaker.
Regulation S-P has two main components: a safeguard rule and a disposal rule. The safeguard rule generally requires financial institutions – including broker-dealers, funding portals, investment advisers, registered investment companies, and employee securities companies (collectively, “covered institutions”) — to adopt written policies and procedures to protect customer information against unauthorized access and use, including anticipated threats or hazards to the security or integrity of customer information. Regulation S-P also requires these covered institutions to provide initial and annual privacy notices to customers describing information sharing policies and informing customers of their rights. Regulation S-P’s second component is the disposal rule, which generally requires financial institutions and, after the final amendments, all transfer agents to properly dispose of consumer report information.
Considering the statutory mandate of GLBA and the importance of a retrospective review of a rule that was adopted nearly 25 years ago, I supported issuing the Commission’s proposed amendments to Regulation S-P for public comment, although I had significant concerns about the potential for unnecessary and duplicative overlap with other proposed cybersecurity requirements for registered investment companies, registered investment advisers, broker-dealers, and other entities.[4] None of the proposals appeared to effectively consider how they would operate in conjunction with each other. Since the proposals, I have been encouraged by the internal discussions and coordination among Commission staff to address potential overlap and duplication as they consider finalizing those rules. The adoption of Regulation S-P is the first step of updating our privacy and cyber-security rule book.
Today’s amendments to Regulation S-P will require covered institutions to adopt written policies and procedures that provide for an incident response program to protect customer information from unauthorized access, including to (1) assess the nature and scope of any incident, (2) take appropriate steps to contain and control the incident, and (3) notify affected individuals whose sensitive customer information was, or is reasonable likely to have been, accessed or used without authorization unless after a reasonable investigation, the covered institution determines that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. The notice must be provided as soon as practicable, but generally not later than 30 days after the financial institution becomes aware that there has been an unauthorized breach of customer information.
I would like to highlight two changes from the proposal: first, the final amendments remove the proposed definition of “substantial harm or inconvenience.”[5] The proposed definition was a grab bag of assorted examples, including theft, fraud, harassment, physical harm, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the misuse of information identified with an individual to obtain a financial product or service, which may or may not cause “substantial” harm or inconvenience. The proposed definition included a new standard, “more than trivial,” which appeared to capture situations that were not substantial. Consistent with other agencies, the final rule relies on GLBA’s use of “substantial harm or inconvenience” and is not defined, which is an improvement over the proposal’s overly complex definition that appeared to be at odds in certain respects with GLBA.
Second, the final amendments do not require a financial institution to enter into a contract with its service providers to deliver data breach notices. However, the financial institution will remain responsible for ensuring that such notices are sent, regardless of which entity sends the notice. This is a good change: the Commission should not be mandating or micro-managing contracts between private parties in such instances. Moreover, it recognizes the practical difficulty for smaller covered institutions to negotiate with large service providers, due to unequal bargaining power.
I also appreciate the efforts made to ensure that the Commission is creating a federal minimum standard for covered institutions to notify individuals in writing within 30 days following the covered institution’s activation of its response program for unauthorized access to or use of customer information. At the proposal stage, I was concerned that covered institutions would be burdened and customers would be confused by multiple notices about breaches of their sensitive customer information. While there is still a potential for such a result, the final amendments are designed so that customers – regardless of where they live – will have notice of a covered institution’s potential data breach and can take steps to protect themselves if they choose.
Many Americans, including myself, have had their sensitive customer information breached by threat actors hacking into financial institutions’ databases. In this increasingly digital world, there are more opportunities for breaches to occur with potentially devasting damage to investors through identify theft and other substantial harms. I support today’s amendments and am hopeful that they will reduce the potential for breaches and assist customers in taking appropriate action to protect themselves.
I thank the staff in the Divisions of Trading and Markets, Investment Management, and Economic and Risk Analysis, as well as the Office of the General Counsel, for their considerable efforts.
[1] See Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Exchange Act Release No. 97141 (Mar. 15, 2023) [88 FR20616 (Apr. 6, 2023)], available at sec.gov/files/rules/proposed/2023/34-97141.pdf; and Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information, Exchange Act Release No. 100155 (May 16, 2024), available at sec.gov/files/rules/final/2024/34-100155.pdf
[2] 15 U.S.C. § 6804. Section 504 of GLBA required the Commission and other federal agencies to adopt rules implementing notice requirements and restrictions on a financial institution's ability to disclose nonpublic personal information about consumers.
[3] See Fixing America’s Surface Transportation Act (FAST) Act, Pub. L. 114-94, section 75001, adding section 503(f) to the GLBA, codified at 15 U.S.C. 6803(f). The FAST Act amendments provided an exception to the annual notice delivery requirements for a financial institution that meets certain requirements. The exception, contained in section 503(f)(1), provides that a financial institution must not share nonpublic personal information about customers except as described in certain statutory exceptions. In addition, section 503(f)(2) requires that the financial institution must not have changed its policies and practices with regard to disclosing nonpublic personal information from those that the institution disclosed in the most recent privacy notice it sent.
[4] Mark T. Uyeda, Statement on the Proposed Amendments to Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information (Mar. 15, 2023), available at https://www.sec.gov/news/statement/uyeda-statement-regulation-sp-031523. See alsoCybersecurity Risk Management Proposed Rules for Broker-Dealers, Clearing Agencies, Major Security-Based Swap Participants, the Municipal Securities Rulemaking Board, National Securities Associations, National Securities Exchanges, Security-Based Swap Data Repositories, Security-Based Swap Dealers, and Transfer Agents, Exchange Act Release No. 97142 (Mar. 15, 2023) [88 FR 20212 (Apr. 5, 2023)], available at https://www.sec.gov/files/rules/proposed/2023/34-97142.pdf, and Cybersecurity Risk Management for Investment Advisers, Registered Investment Companies, and Business Development Companies, Securities Act Release No. 11028 (Feb. 9, 2022), [87 FR 13524 (Mar. 9, 2022)], available at https://www.sec.gov/files/rules/proposed/2022/33-11028.pdf.
[5] Amended Regulation S-P will require covered institutions to adopt procedures to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer. Covered institutions are required to notify customers of a breach unless the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.