- The Securities and Exchange Commission (SEC) has introduced new data-breach reporting regulations for certain financial firms to enhance the protection of consumers’ nonpublic personal information.
- Under the new rules, financial institutions must inform affected customers of a data breach as soon as possible but no later than 30 days after unauthorized access is discovered.
- These steps are designed to help customers maintain their privacy and protect themselves from the fallout of data breaches, ensuring they receive timely notifications to take necessary protective measures.
The Securities and Exchange Commission (SEC) has introduced new data-breach reporting regulations for certain financial firms to enhance the protection of consumers’ nonpublic personal information. These amendments to Regulation S-P, a rule adopted over 24 years ago, mandate that broker-dealers, investment companies, registered investment advisers, and transfer agents establish robust incident response programs. These programs must be capable of responding to and recovering from unauthorized access to customer information and include policies for notifying individuals whose data has been compromised.
Under the new rules, financial institutions must inform affected customers of a data breach as soon as possible but no later than 30 days after unauthorized access is discovered. The notification must detail the incident, the data breach type, and recommended steps for customers to protect themselves. This move addresses the growing technological risks and aims to modernize financial data protection in light of the significant changes in the nature, scale, and impact of data breaches over the past two decades.
The amendments will be effective 60 days after publication in the Federal Register. Larger entities will have 18 months to comply, while smaller entities will have 24 months. The amendments also extend to transfer agents, ensuring they adhere to the same standards as other covered firms for breach notification and proper disposal of customer information.
The SEC emphasized that these updates are crucial for modernizing financial privacy rules to better protect investors in today’s digital landscape. The amendments include provisions for limited delays in breach notifications if national security or public safety is at risk, as determined by the U.S. Attorney General. These steps are designed to help customers maintain their privacy and protect themselves from the fallout of data breaches, ensuring they receive timely notifications to take necessary protective measures.