<RULE>
SECURITIES AND EXCHANGE COMMISSION
<CFR>17 CFR Parts 240, 248, 270, and 275</CFR>
<DEPDOC>[Release Nos. 34-100155; IA-6604; IC-35193; File No. S7-05-23]</DEPDOC>
<RIN>RIN 3235-AN26</RIN>
<SUBJECT>Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information</SUBJECT>
<HD SOURCE="HED">AGENCY:</HD>
Securities and Exchange Commission.
<HD SOURCE="HED">ACTION:</HD>
Final rule.
<SUM>
<HD SOURCE="HED">SUMMARY:</HD>
The Securities and Exchange Commission (“Commission” or “SEC”) is adopting rule amendments that will require brokers and dealers (or “broker-dealers”), investment companies, investment advisers registered with the Commission (“registered investment advisers”), funding portals, and transfer agents registered with the Commission or another appropriate regulatory agency (“ARA”) as defined in the Securities Exchange Act of 1934 (“transfer agents”) to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. In addition, the amendments extend the application of requirements to safeguard customer records and information to transfer agents; broaden the scope of information covered by the requirements for safeguarding customer records and information and for properly disposing of consumer report information; impose requirements to maintain written records documenting compliance with the amended rules; and conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act (“GLBA”).
</SUM>
<EFFDATE>
<HD SOURCE="HED">DATES:</HD>
<E T="03">Effective date:</E>
This rule is effective August 2, 2024.
<E T="03">Compliance date:</E>
The applicable compliance dates are discussed in section II.F of this rule.
</EFFDATE>
<FURINF>
<HD SOURCE="HED">FOR FURTHER INFORMATION CONTACT:</HD>
Emily Hellman, James Wintering, Special Counsels; Edward Schellhorn, Branch Chief; Devin Ryan, Assistant Director; John Fahey, Deputy Chief Counsel; Emily Westerberg Russell, Chief Counsel; Office of Chief Counsel, Division of Trading and Markets, (202) 551-5550; Kevin Schopp, Senior Special Counsel; Moshe Rothman, Assistant Director; Office of Clearance and Settlement, Division of Trading and Markets, (202) 551-5550, Susan Ali and Andrew Deglin, Counsels; Michael Khalil and Y. Rachel Kuo, Senior Counsels; Blair Burnett and Bradley Gude, Branch Chiefs; or Brian McLaughlin Johnson, Assistant Director, Investment Company Regulation Office, Division of Investment Management, (202) 551-6792, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.
</FURINF>
<SUPLINF>
<HD SOURCE="HED">SUPPLEMENTARY INFORMATION:</HD>
The Commission is adopting amendments to 17 CFR 248.1 through 248.100 (“Regulation S-P”) under Title V of the GLBA [15 U.S.C. 6801 through 6827], the Fair Credit Reporting Act (“FCRA”) [15 U.S.C. 1681 through 1681x], the Securities Exchange Act of 1934 (“Exchange Act”) [15 U.S.C. 78a
<E T="03">et seq.</E>
], the Investment Company Act of 1940 (“Investment Company Act”) [15 U.S.C. 80a-1
<E T="03">et seq.</E>
], and the Investment Advisers Act of 1940 (“Investment Advisers Act”) [15 U.S.C. 80b-1
<E T="03">et seq.</E>
].
<HD SOURCE="HD1">Table of Contents</HD>
<EXTRACT>
<FP SOURCE="FP-2">I. Introduction and Background</FP>
<FP SOURCE="FP-2">II. Discussion</FP>
<FP SOURCE="FP1-2">A. Incident Response Program Including Customer Notification</FP>
<FP SOURCE="FP1-2">1. Assessment</FP>
<FP SOURCE="FP1-2">2. Containment and Control</FP>
<FP SOURCE="FP1-2">3. Notice to Affected Individuals</FP>
<FP SOURCE="FP1-2">4. Service Providers</FP>
<FP SOURCE="FP1-2">B. Scope of Safeguards Rule and Disposal Rule</FP>
<FP SOURCE="FP1-2">1. Scope of Information Protected</FP>
<FP SOURCE="FP1-2">2. Extending the Scope of the Safeguards Rule and the Disposal Rule To Cover All Transfer Agents</FP>
<FP SOURCE="FP1-2">3. Maintaining the Current Regulatory Framework for Notice-Registered Broker-Dealers</FP>
<FP SOURCE="FP1-2">C. Recordkeeping</FP>
<FP SOURCE="FP1-2">D. Exception From Requirement To Deliver Annual Privacy Notice</FP>
<FP SOURCE="FP1-2">E. Existing Staff No-Action Letters and Other Staff Statements</FP>
<FP SOURCE="FP1-2">F. Compliance Period</FP>
<FP SOURCE="FP-2">III. Other Matters</FP>
<FP SOURCE="FP-2">IV. Economic Analysis</FP>
<FP SOURCE="FP1-2">A. Introduction</FP>
<FP SOURCE="FP1-2">B. Broad Economic Considerations</FP>
<FP SOURCE="FP1-2">C. Baseline</FP>
<FP SOURCE="FP1-2">1. Safeguarding Customer Information: Risks and Practices</FP>
<FP SOURCE="FP1-2">2. Regulations and Guidelines</FP>
<FP SOURCE="FP1-2">3. Market Structure</FP>
<FP SOURCE="FP1-2">D. Benefits and Costs of the Final Rule Amendments</FP>
<FP SOURCE="FP1-2">1. Written Policies and Procedures</FP>
<FP SOURCE="FP1-2">2. Extending the Scope of the Safeguards Rule and the Disposal Rule</FP>
<FP SOURCE="FP1-2">3. Recordkeeping</FP>
<FP SOURCE="FP1-2">4. Exception From Annual Notice Delivery Requirement</FP>
<FP SOURCE="FP1-2">E. Effects on Efficiency, Competition, and Capital Formation</FP>
<FP SOURCE="FP1-2">F. Reasonable Alternatives Considered</FP>
<FP SOURCE="FP1-2">1. Reasonable Assurances From Service Providers</FP>
<FP SOURCE="FP1-2">2. Lower Threshold for Customer Notice</FP>
<FP SOURCE="FP1-2">3. Encryption Safe Harbor</FP>
<FP SOURCE="FP1-2">4. Longer Customer Notification Deadlines</FP>
<FP SOURCE="FP1-2">5. Broader National Security and Public Safety Delay in Customer Notification</FP>
<FP SOURCE="FP-2">V. Paperwork Reduction Act</FP>
<FP SOURCE="FP1-2">A. Introduction</FP>
<FP SOURCE="FP1-2">B. Amendments to the Safeguards Rule and Disposal Rule</FP>
<FP SOURCE="FP-2">VI. Final Regulatory Flexibility Act Analysis</FP>
<FP SOURCE="FP1-2">A. Need for, and Objectives of, the Final Amendments</FP>
<FP SOURCE="FP1-2">B. Significant Issues Raised by Public Comments</FP>
<FP SOURCE="FP1-2">C. Small Entities Subject to Final Amendments</FP>
<FP SOURCE="FP1-2">D. Projected Reporting, Recordkeeping, and Other Compliance Requirements</FP>
<FP SOURCE="FP1-2">E. Agency Action To Minimize Effect on Small Entities</FP>
<FP SOURCE="FP-2">Statutory Authority</FP>
</EXTRACT>
<HD SOURCE="HD1">I. Introduction and Background</HD>
Regulation S-P is a set of privacy rules adopted pursuant to the GLBA and the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) that govern the treatment of nonpublic personal information about consumers by certain financial institutions.
<SU>1</SU>
<FTREF/>
The Commission is adopting rule amendments that are designed to modernize and enhance the protections that Regulation S-P provides by addressing the expanded use of technology and corresponding risks that have emerged since the Commission originally adopted Regulation S-P in 2000. The amendments in particular update the requirements of the “safeguards” and “disposal” rules. The safeguards rule requires brokers, dealers, investment companies,
<SU>2</SU>
<FTREF/>
and registered investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards to protect customer records and information.
<SU>3</SU>
<FTREF/>
The disposal rule, which applies to transfer agents
registered with the Commission in addition to the institutions covered by the safeguards rule, requires proper disposal of consumer report information.
<SU>4</SU>
<FTREF/>
In addition, under Regulation Crowdfunding, funding portals must comply with the requirements of Regulation S-P as they apply to brokers.
<SU>5</SU>
<FTREF/>
Thus, funding portals will also be required to comply with the applicable amendments to Regulation S-P adopted in this release.
<FTNT>
<SU>1</SU>
<E T="03">See</E>
17 CFR 248.1.
</FTNT>
<FTNT>
<SU>2</SU>
Regulation S-P applies to investment companies as the term is defined in section 3 of the Investment Company Act (15 U.S.C. 80a-3), whether or not the investment company is registered with the Commission.
<E T="03">See</E>
17 CFR 248.3(r). Thus, a business development company, which is an investment company but is not required to register as such with the Commission, is subject to Regulation S-P. Similarly, employees' securities companies—including those that are not required to register under the Investment Company Act—are investment companies and are, therefore, subject to Regulation S-P. By contrast, issuers that are excluded from the definition of investment company—such as private funds that are able to rely on section 3(c)(1) or 3(c)(7) of the Investment Company Act—are not subject to Regulation S-P.
</FTNT>
<FTNT>
<SU>3</SU>
17 CFR 248.30(a). References in this release to “rule 248.30” are to 17 CFR 248.30.
</FTNT>
<FTNT>
<SU>4</SU>
Rule 248.30(b).
</FTNT>
<FTNT>
<SU>5</SU>
<E T="03">See</E>
17 CFR 227.403(b). Accordingly, unless otherwise stated (for example,
<E T="03">see infra</E>
sections IV and V), references in this release to “brokers” or “broker-dealers” include funding portals.
</FTNT>
The final Regulation S-P amendments are needed to provide enhanced protection of customer or consumer information and help ensure that customers of covered institutions receive timely and consistent notifications in the event of unauthorized access to or use of their information.
<SU>6</SU>
<FTREF/>
In evaluating amendments to Regulation S-P, we have considered developments in how firms obtain, share, and maintain individuals' personal information since the Commission originally adopted Regulation S-P, which correspond