The US Securities and Exchange Commission (SEC) issued a notice of proposed rulemaking (the Proposal) on March 15 that would require SEC-regulated investment advisers, investment companies, and broker dealers to provide notice to individuals affected by certain types of data breaches, along with other related requirements. The Proposal is one of a spate of privacy-related proposals the SEC has issued recently.
Currently, the SEC’s Regulation S-P “Safeguards Rule” requires SEC-regulated investment advisers, investment companies, and broker dealers (collectively, Covered Entities) to adopt written policies and procedures for administrative, technical, and physical safeguards to protect customer records and information, but it does not include a requirement to notify affected individuals in the event of a data breach. Covered Entities generally respond to data breaches according to applicable state data breach notification laws.
The Proposal would require Covered Entities to notify individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.
It would also require Covered Entities to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. Under the Proposal, a response program would include procedures to assess the nature and scope of any incident and to take appropriate steps to contain and control the incident to prevent further unauthorized access or use.
Notification Trigger
Under the Proposal, notification would be required if “sensitive customer information” was, or is reasonably likely to have been, “accessed or used” without authorization. Sensitive customer information means any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.
The Proposal details some examples describing information identified with an individual that, without any other identifying information, could create a substantial risk of harm or inconvenience to an individual identified with the information.
Form of Notification
A customer notice must be clear and conspicuous and provided by a means designed to ensure that each affected individual can reasonably be expected to receive it. The notice should include key information with details about the incident, the breached data, and how affected individuals could respond to the breach to protect themselves.
It should also include contact information sufficient to permit an affected individual to contact the Covered Entity to inquire about the incident, including a telephone number (which should be a toll-free number if available), an email address or equivalent method or means, a postal address, and the name of a specific office to contact for further information and assistance.
Notification Timing
A Covered Entity would be required to provide notice as soon as practicable but no later than 30 days after it becomes aware that the incident occurred or is reasonably likely to have occurred.
The SEC is also proposing to broaden and align the scope of the Safeguards Rule and the Disposal Rule (which governs the disposal of collected information) to cover “customer information,” a new defined term. This change would expand the Safeguards and Disposal rules to cover both nonpublic personal information that a Covered Entity collects about its own customers and nonpublic personal information that a Covered Entity receives about customers of other financial institutions. The new notification requirement relates only to the first subset of information.
The Safeguards Rule does not currently apply to transfer agents. The Proposal would extend the application of the safeguards provisions to transfer agents.
The Proposal would also include requirements to maintain written records documenting compliance.
The SEC has requested comments on a variety of aspects of the Proposal. Comments on the Proposal must be received within 60 days after its publication in the Federal Register.
If you have any questions or would like more information on the issues discussed in this LawFlash, please contact any of the following:
[1] i.e., clearing agencies; major security-based swap participants; the Municipal Securities Rulemaking Board; national securities exchanges; national securities associations (i.e., FINRA); security-based swap data repositories; security-based swap dealers; and transfer agents