SEC Finalizes Data Breach Notification Rule

The Securities and Exchange Commission finalized amendments to Regulation S-P on Thursday. The rule will require broker/dealers, registered advisers, investment companies and transfer agents to develop policies to protect customer data and to inform affected customers of a data breach within 30 days.

The updates to Reg S-P were first proposed in March 2023. Like the proposal, the final rule requires covered institutions to maintain written policies that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information,” and maintain an “incident response program.”

Covered parties must also “provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.” This notification must take place “as soon as practicable, but not later than 30 days” from when the institution learned of the breach.

SEC Chairman Gary Gensler explained in a statement that the purpose of customer notification is to “help ensure that customers receive sufficient notice to take measures to protect themselves from harm that might result from the breach.” Under pre-existing rules, there is no mandate to inform customers of a breach, according to Gensler.

In the event reporting a breach to a customer could compromise national security or public safety, the attorney general may request a 30-day extension. The final rule said that the SEC would also consider additional delays. In response to commenters, the SEC indicated that it has created an interagency line for this purpose and guidance on how covered parties can request an exemption. It also clarified that local and state law enforcement can make such a request on their own behalf.

David Oliwenstein, a partner with Pillsbury Winthrop Shaw Pittman, says that covered parties must disclose a breach unless the party reasonably determines that there is minimal risk of “substantial harm or inconvenience” regarding sensitive customer information. He says that they will have to “apply a commonsense framework” since this phrase is not specifically defined.

Oliwenstein says the SEC will expect covered parties to have policies on employee training, network security, internal notifications, and the confirmation and classification of incidents. There will also be an “expectation from the regulators that registrants actually take measures to test the adequacy of their programs,” which can include the simulation of a breach to “see how folks respond internally, and identify weaknesses.”

Larger institutions will have 18 months to comply with the rule and smaller institutions will have 24 months from the effective date, which is 60 days after its entry in the Federal Register. The proposal initially provided for 12 months for both.