SEC Amends Privacy Rule to Establish Data Breach Notification Standard


9 minute read | May 24, 2024

The Securities and Exchange Commission (SEC) has amended its privacy rule – Regulation S-P – to establish a federal minimum standard for covered institutions to notify affected individuals of a data breach.

While the amendments complement some state notification requirements, they provide a uniform standard irrespective of whether state law requires notification. They also capture transfer agents that may already be subject to oversight by a federal banking agency.

Background: Regulation S-P

Regulation S-P represents a set of privacy and data security rules adopted pursuant to the Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The regulation governs the treatment of consumer nonpublic personal information (NPI) by certain SEC registrants.

Under the GLBA, Regulation S-P generally requires broker-dealers, investment companies and registered investment advisers to adopt and maintain written policies and procedures to protect customer records and information (Safeguards Rule). Under the FACT Act, Regulation S-P requires the same entities to properly dispose of consumer report information (Disposal Rule).

The amendments, adopted May 16, update these requirements by expanding customer data protections and establishing minimum data breach notification standards, among other things. According to the SEC, the amendments are meant to address changes in market technology and risk since the introduction of Regulation S-P in 2000.

Key Takeaways

In summary, the amendments:

  • Require covered institutions to develop, implement and maintain written policies and procedures for an incident response program that are reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information.
  • Establish a 30-day notification deadline for data breaches implicating sensitive customer information.
  • Require covered institutions to establish, maintain and enforce written policies and procedures reasonably designed to require oversight of service providers.
  • Align more closely the Safeguards and Disposal Rules by applying both rules to “customer information” and broadening the scope of customers protected under the rules.
  • Require all transfer agents to comply with the Safeguards Rule.
  • Introduce recordkeeping requirements for compliance with the Safeguards and Disposal Rules.

SEC Registrants Covered by the Amendments

The amendments apply to:

  • Broker-dealers (including funding portals).
  • Registered and unregistered investment companies.
  • Registered investment advisers.
  • Transfer agents registered with the SEC or a Federal banking agency.

Covered institutions must adopt written policies and procedures for incident response programs, but funding portals are excluded from certain recordkeeping requirements.

Incident Response Program Requirements

To protect customer information, the amendments require a covered institution to develop, implement and maintain written policies and procedures that address administrative, technical and physical safeguards for the protection of customer information. The written policies and procedures must include a program to:

  • Assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization.
  • Contain and control a security incident to prevent further unauthorized access to or use of customer information.
  • Provide a clear and conspicuous notice to affected individuals in the event of a data breach impacting their sensitive customer information.

The SEC explained that there are no specific steps a covered institution must take when carrying out its incident response program. The SEC also did not say who must oversee the incident response program, instead giving covered institutions the flexibility to manage these responsibilities.

Important Definitions

Customer Information

For non-transfer agents, customer information is:

any record containing nonpublic personal information … about a customer of a financial institution, whether in paper, electronic or other form, that is in the possession of a covered institution or that is handled or maintained by the covered institution or on its behalf regardless of whether such information pertains to (a) individuals with whom the covered institution has a customer relationship, or (b) to the customers of other financial institutions where such information has been provided to the covered institution.

For transfer agents, customer information is:

any record containing nonpublic personal information … identified with any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is in the possession of a transfer agent or that is handled or maintained by the transfer agent or on its behalf, regardless of whether such information pertains to individuals with whom the transfer agent has a customer relationship, or pertains to the customers of other financial institutions and has been provided to the transfer agent.

The difference between transfer agents and non-transfer agents in the customer information definition acknowledges that in most instances, a transfer agent’s “customer” is the issuer of securities for which the transfer agent maintains a record of ownership, rather than the securityholders whose information the transfer agent maintains as part of the issuer’s ownership records.

Sensitive Customer Information

The term “sensitive customer information” means:

any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.

The SEC provided examples of sensitive customer information that alone could create a substantial risk of harm or inconvenience, including:

  • Social Security numbers.
  • Biometric records.
  • Taxpayer identification numbers.
  • Other types of identifying information that can be used to authenticate an individual’s identity.

Like other data breach statutes where partial information can be combined with other information to pose risks to consumers, the SEC noted sensitive customer information would include a name or online username in combination with authenticating information such as a partial Social Security number, access code or mother’s maiden name.

Customer Information Systems

The amendments define “customer information systems” as:

the information resources owned or used by a covered institution, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of customer information to maintain or support the covered institution’s operations.

Data Breach Notification Timing Requirements and Permitted Delays

The amendments generally require covered institutions to notify affected individuals as soon as practicable, but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, except under limited circumstances.

While a covered institution may still be working toward remediating a breach, the amendments nevertheless require notification within 30 days so affected individuals may take measures to protect themselves.

Service Providers and Delegation of Notification Requirement

As mentioned above, the amendments also require covered institutions to oversee service providers for compliance with the Safeguards Rule and data breach notification requirements.

Each covered institution’s policies and procedures must be reasonably designed to ensure service providers:

  • Protect against unauthorized access to or use of customer information.
  • Notify the covered institution as soon as possible, but no later than 72 hours after becoming aware of unauthorized access to a customer information system.

In addition, the amendments allow covered institutions to enter into written agreements with service providers to notify affected individuals on the covered institution’s behalf. However, the SEC made clear that responsibility for notification ultimately rests with the covered institution regardless of any service agreements.

Application to Bank Transfer Agents

The SEC addressed transfer agents who already are subject to a federal banking agency requirement to maintain an incident response program. In those cases, the SEC said, it will be possible for transfer agents to comply with guidance from the federal banking agency or agencies and the SEC amendments. To the extent the amendments impose additional requirements, the SEC said it is appropriate for it to establish a minimum nationwide standard for the notification of securityholders affected by a transfer agent data breach.

Exception from Requirement to Deliver Annual Privacy Notice

In addition to establishing new data security requirements, the amendments also conform Regulation S-P’s annual privacy notice requirement to mirror Regulation P’s requirements for consumer financial products or services.

Under the current version of Regulation P, and Regulation S-P when the amendments take effect, a covered institution need not send an annual privacy notice if the covered institution:

  • Provides nonpublic personal information to non-affiliated third parties only when an exception to the third-party opt-out applies.
  • Has not changed its policies and practices with regard to disclosing nonpublic personal information since its most recent disclosure sent to customers.

If a covered institution does change its privacy practices, it will need to resume providing annual privacy notices. If the change in practices requires providing a revised privacy notice under Regulation S-P, the covered institution must treat the revision as an initial privacy notice, including the limitations on sharing information until the consumer has an opportunity to opt out of sharing. If the changed practices do not require a revised privacy notice under Regulation S-P, the covered institution must resume providing annual privacy notices within 100 days of the change.

Compliance Period

The rule will take effect 60 days after publication in the Federal Register. After publication, larger entities (as defined below) will have 18 months to comply with the amendments, and smaller entities will have 24 months to comply.

The amendments generally define larger entities, by type of entity, as follows:

  • Investment companies: net assets of $1 billion or more as of the end of the most recent fiscal year.
  • Registered investment advisers: $1.5 billion or more in assets under management.
  • Broker-dealers: all broker-dealers that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act (RFA). A broker-dealer is a small entity under the RFA if it:
    (i) Had total capital of less than $500,000 on the date in its prior fiscal year in which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year.
    (ii) Is not affiliated with any person that is not a small entity.
  • Transfer agents: all transfer agents that are not small entities under the Exchange Act for purposes of the RFA. A transfer agent is a small entity under the RFA if it:
    (i) Received less than 500 items for transfer and less than 500 items for processing during the preceding six months.
    (ii) Transferred items only of issuers that are small entities.
    (iii) Maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts or was the named transfer agent for less than 1,000 shareholder accounts at all times during the preceding fiscal year.
    (iv) Is not affiliated with any person that is not a small entity.

To learn more about the issues discussed above or the impact they may have on your business, please reach out to the authors (Sasha Leonhardt, Ignacio Sandoval, Joe Santiesteban, and Hayden Irwin) or other members of the Orrick team.