9 minute read | May 24, 2024
The Securities and Exchange Commission (SEC) has amended its privacy rule – Regulation S-P – to establish a federal minimum standard for covered institutions to notify affected individuals of a data breach.
While the amendments complement some state notification requirements, they provide a uniform standard irrespective of whether state law requires notification. They also capture transfer agents that may already be subject to oversight by a federal banking agency.
Regulation S-P represents a set of privacy and data security rules adopted pursuant to the Gramm-Leach-Bliley Act (GLBA) and the Fair and Accurate Credit Transactions Act of 2003 (FACT Act). The regulation governs the treatment of consumer nonpublic personal information (NPI) by certain SEC registrants.
Under the GLBA, Regulation S-P generally requires broker-dealers, investment companies and registered investment advisers to adopt and maintain written policies and procedures to protect customer records and information (Safeguards Rule). Under the FACT Act, Regulation S-P requires the same entities to properly dispose of consumer report information (Disposal Rule).
The amendments, adopted May 16, update these requirements by expanding customer data protections and establishing minimum data breach notification standards, among other things. According to the SEC, the amendments are meant to address changes in market technology and risk since the introduction of Regulation S-P in 2000.
In summary, the amendments require covered institutions to adopt a written incident response program, require them to notify affected individuals no later than 30 days after becoming aware of a data breach, require them to oversee service providers, extend these requirements to transfer agents, and conform Regulation S-P's annual privacy notice requirement to Regulation P.
The amendments apply to broker-dealers (including funding portals), investment companies, registered investment advisers and transfer agents, which the amendments refer to collectively as covered institutions.
Covered institutions must adopt written policies and procedures for incident response programs, but funding portals are excluded from certain recordkeeping requirements.
To protect customer information, the amendments require a covered institution to develop, implement and maintain written policies and procedures that address administrative, technical and physical safeguards for the protection of customer information. The written policies and procedures must include an incident response program reasonably designed to detect, respond to and recover from unauthorized access to or use of customer information, including procedures to: (i) assess the nature and scope of any incident and identify the customer information systems and types of customer information that may have been accessed or used without authorization; (ii) take appropriate steps to contain and control the incident to prevent further unauthorized access or use; and (iii) notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.
The SEC explained that there are no specific steps a covered institution must take when carrying out its incident response program. The SEC also did not say who must oversee the incident response program, instead giving covered institutions the flexibility to assign these responsibilities.
For non-transfer agents, customer information is:
any record containing nonpublic personal information … about a customer of a financial institution, whether in paper, electronic or other form, that is in the possession of a covered institution or that is handled or maintained by the covered institution or on its behalf regardless of whether such information pertains to (a) individuals with whom the covered institution has a customer relationship, or (b) to the customers of other financial institutions where such information has been provided to the covered institution.
For transfer agents, customer information is:
any record containing nonpublic personal information … identified with any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is in the possession of a transfer agent or that is handled or maintained by the transfer agent or on its behalf, regardless of whether such information pertains to individuals with whom the transfer agent has a customer relationship, or pertains to the customers of other financial institutions and has been provided to the transfer agent.
The difference between transfer agents and non-transfer agents in the customer information definition acknowledges that in most instances, a transfer agent’s “customer” is the issuer of securities for which the transfer agent maintains a record of ownership, rather than the securityholders whose information the transfer agent maintains as part of the issuer’s ownership records.
The term “sensitive customer information” means:
any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.
The SEC provided examples of sensitive customer information that alone could create a substantial risk of harm or inconvenience, including Social Security numbers, driver's license numbers, passport numbers, taxpayer identification numbers, biometric records, and unique electronic identification numbers, routing codes or access devices.
Like other data breach statutes where partial information can be combined with other information to pose risks to consumers, the SEC noted sensitive customer information would include a name or online username in combination with authenticating information such as a partial Social Security number, access code or mother’s maiden name.
The amendments define “customer information systems” as:
the information resources owned or used by a covered institution, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of customer information to maintain or support the covered institution’s operations.
The amendments generally require covered institutions to notify affected individuals as soon as practicable, but no later than 30 days after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Notice is not required if the covered institution determines, after a reasonable investigation, that the sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. The only permitted delay is a written determination by the U.S. Attorney General that notice poses a substantial risk to national security or public safety.
While a covered institution may still be working toward remediating a breach, the amendments nevertheless require notification within 30 days so affected individuals may take measures to protect themselves.
As mentioned above, the amendments also require covered institutions to oversee service providers for compliance with the Safeguards Rule and data breach notification requirements.
Each covered institution's policies and procedures must be reasonably designed to ensure service providers take appropriate measures to protect against unauthorized access to or use of customer information, and notify the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.
In addition, the amendments allow covered institutions to enter into written agreements with service providers to notify affected individuals on the covered institution’s behalf. However, the SEC made clear that responsibility for notification ultimately rests with the covered institution regardless of any service agreements.
The SEC addressed transfer agents that are already subject to a federal banking agency requirement to maintain an incident response program. In those cases, the SEC said, transfer agents will be able to comply with both the federal banking agency guidance and the SEC amendments. To the extent the amendments impose additional requirements, the SEC said it is appropriate for it to establish a minimum nationwide standard for the notification of securityholders affected by a transfer agent data breach.
In addition to establishing new data security requirements, the amendments also conform Regulation S-P's annual privacy notice requirement to the corresponding requirement in Regulation P for consumer financial products or services.
Under the current version of Regulation P, and under Regulation S-P once the amendments take effect, a covered institution need not send an annual privacy notice if the covered institution only shares nonpublic personal information with nonaffiliated third parties under exceptions that do not trigger a customer's right to opt out, and has not changed its policies and practices regarding the disclosure of nonpublic personal information since it last provided a privacy notice.
If a covered institution does change its privacy practices, it will need to resume providing annual privacy notices. If the change in practices requires providing a revised privacy notice under Regulation S-P, the covered institution must treat the revision as an initial privacy notice, including the limitations on sharing information until the consumer has an opportunity to opt out of sharing. If the changed practices do not require a revised privacy notice under Regulation S-P, the covered institution must resume providing annual privacy notices within 100 days of the change.
The rule will take effect 60 days after publication in the Federal Register. After publication, larger entities (as defined below) will have 18 months to comply with the amendments, and smaller entities will have 24 months to comply.
The amendments generally define large entities as follows:
| Entity | Larger entity qualifications |
| --- | --- |
| Investment companies | Net assets of $1 billion or more as of the end of the most recent fiscal year. |
| Registered investment advisers | $1.5 billion or more in assets under management. |
| Broker-dealers | All broker-dealers that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act (RFA). A broker-dealer is a small entity under the RFA if it: (i) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year; and (ii) is not affiliated with any person that is not a small entity. |
| Transfer agents | All transfer agents that are not small entities under the Exchange Act for purposes of the RFA. A transfer agent is a small entity under the RFA if it: (i) received less than 500 items for transfer and less than 500 items for processing during the preceding six months; (ii) transferred items only of issuers that are small entities; (iii) maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts, or was the named transfer agent for less than 1,000 shareholder accounts, at all times during the preceding fiscal year; and (iv) is not affiliated with any person that is not a small entity. |
To learn more about the issues discussed above or the impact they may have on your business, please reach out to the authors (Sasha Leonhardt, Ignacio Sandoval, Joe Santiesteban, and Hayden Irwin) or other members of the Orrick team.