In a move aimed at bolstering the protection of customer data, the Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P, which governs the treatment of personal information of consumers. The changes will require certain financial institutions to disclose security breaches within 30 days of discovery.

Under the new amendments, broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents will now be bound by the requirement to notify individuals whose personal information has been compromised. The notifications must be provided "as soon as practicable, but not later than 30 days" after the discovery of unauthorized network access or use of customer data.

SEC Chair Gary Gensler emphasized the need for these critical updates, stating that the nature and impact of data breaches have significantly transformed in the last 24 years. The amendments aim to safeguard the privacy of customers' financial data. Gensler added, "The basic idea for covered firms is if you've got a breach, then you've got to notify. That's good for investors."

The notifications sent by the covered institutions must include details about the incident, the compromised information, and guidance on how affected individuals can protect themselves. However, a potential loophole exists, allowing institutions to avoid issuing notices if they can demonstrate that the personal information has not been used in a manner resulting in "substantial harm or inconvenience" or is unlikely to be used as such.

Alongside the notification requirements, the amendments also mandate covered institutions to develop, implement, and maintain written policies and procedures that are reasonably designed to detect, respond to, and recover from unauthorized access or use of customer information.

The changes to Regulation S-P further expand and align the safeguards and disposal rules to encompass both nonpublic personal information that covered institutions collect about their own customers and information received from other financial institutions about their customers.

Additionally, covered institutions, excluding funding portals, will be compelled to create and maintain written records documenting compliance with the safeguards and disposal rules. Regulation S-P's annual privacy notice delivery provisions will also be aligned with the terms of an exception added by the FAST Act, eliminating the requirement for annual privacy notices under certain conditions.

The amendments broaden the scope of nonpublic personal information covered to include information received by the firm from other financial institutions. This move strengthens the protection of customer data beyond what the firm itself collects.

SEC Commissioner Hester M. Peirce expressed some reservations about the broad reach of the new requirements, raising concerns about the potential inundation of consumer notices that may not be helpful. However, the amendments are expected to increase transparency and promptness in notifying individuals of security breaches, allowing them to take necessary steps to protect themselves.

The new rules will take effect 60 days after publication in the Federal Register, with large organizations having 18 months and smaller organizations having 24 months to comply with the amendments. The SEC invites public comments on the amendments, which can be accessed via the provided link.

Overall, the SEC's adoption of these amendments reflects the growing importance of safeguarding customer information in an evolving digital landscape, aiming to enhance transparency, accountability, and protection for individuals affected by security breaches.