Proposed Rule 2023-05774

Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

Primary source

Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.

Published
April 6, 2023

Issuing agencies

Securities and Exchange Commission

Abstract

The Securities and Exchange Commission ("Commission" or "SEC") is proposing rule amendments that would require brokers and dealers (or "broker-dealers"), investment companies, and investment advisers registered with the Commission ("registered investment advisers") to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. The Commission also is proposing to broaden the scope of information covered by amending requirements for safeguarding customer records and information, and for properly disposing of consumer report information. In addition, the proposed amendments would extend the application of the safeguards provisions to transfer agents. The proposed amendments would also include requirements to maintain written records documenting compliance with the proposed amended rules. Finally, the proposed amendments would conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act ("GLBA").

Full Text

<html>
<head>
<title>Federal Register, Volume 88 Issue 66 (Thursday, April 6, 2023)</title>
</head>
<body><pre>
[Federal Register Volume 88, Number 66 (Thursday, April 6, 2023)]
[Proposed Rules]
[Pages 20616-20685]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2023-05774]



[[Page 20615]]

Vol. 88, No. 66 / Thursday, April 6, 2023

Part II

Securities and Exchange Commission

-----------------------------------------------------------------------

17 CFR Parts 240, 248, 270, et al.

Regulation S-P: Privacy of Consumer Financial Information and 
Safeguarding Customer Information; Proposed Rule

[[Page 20616]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 240, 248, 270, and 275

[Release Nos. 34-97141; IA-6262; IC-34854; File No. S7-05-23]
RIN 3235-AN26


Regulation S-P: Privacy of Consumer Financial Information and 
Safeguarding Customer Information

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'' or 
``SEC'') is proposing rule amendments that would require brokers and 
dealers (or ``broker-dealers''), investment companies, and investment 
advisers registered with the Commission (``registered investment 
advisers'') to adopt written policies and procedures for incident 
response programs to address unauthorized access to or use of customer 
information, including procedures for providing timely notification to 
individuals affected by an incident involving sensitive customer 
information with details about the incident and information designed to 
help affected individuals respond appropriately. The Commission also is 
proposing to broaden the scope of information covered by amending 
requirements for safeguarding customer records and information, and for 
properly disposing of consumer report information. In addition, the 
proposed amendments would extend the application of the safeguards 
provisions to transfer agents. The proposed amendments would also 
include requirements to maintain written records documenting compliance 
with the proposed amended rules. Finally, the proposed amendments would 
conform annual privacy notice delivery provisions to the terms of an 
exception provided by a statutory amendment to the Gramm-Leach-Bliley 
Act (``GLBA'').

DATES: Comments should be received on or before June 5, 2023.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

    <bullet> Use the Commission's internet comment form (<a href="http://www.sec.gov/rules/submitcomments.htm">http://www.sec.gov/rules/submitcomments.htm</a>); or
    <bullet> Send an email to <a href="mailto:rule-comments@sec.gov">rule-comments@sec.gov</a>. Please include 
File Number S7-05-23 on the subject line.

Paper Comments

    <bullet> Send paper comments to Secretary, Securities and Exchange 
Commission, 100 F Street NE, Washington, DC 20549-1090.

All submissions should refer to File Number S7-05-23. The file number 
should be included on the subject line if email is used. To help the 
Commission process and review your comments more efficiently, please 
use only one method of submission. The Commission will post all 
comments on the Commission's website (<a href="http://www.sec.gov/rules/proposed.shtml">http://www.sec.gov/rules/proposed.shtml</a>). Comments are also available for website viewing and 
printing in the Commission's Public Reference Room, 100 F Street NE, 
Washington, DC 20549, on official business days between the hours of 10 
a.m. and 3 p.m. Operating conditions may limit access to the 
Commission's public reference room. All comments received will be 
posted without change; the Commission does not edit personal 
identifying information from submissions. You should submit only 
information that you wish to make available publicly.
    Studies, memoranda, or other substantive items may be added by the 
Commission or staff to the comment file during this rulemaking. A 
notification of the inclusion in the comment file of any such materials 
will be made available on the Commission's website. To ensure direct 
electronic receipt of such notifications, sign up through the ``Stay 
Connected'' option at <a href="http://www.sec.gov">www.sec.gov</a> to receive notifications by email.

FOR FURTHER INFORMATION CONTACT: Susan Poklemba, Brice Prince, or James 
Wintering, Special Counsels; Edward Schellhorn, Branch Chief; Devin 
Ryan, Assistant Director; John Fahey, Deputy Chief Counsel; Emily 
Westerberg Russell, Chief Counsel; Office of Chief Counsel, Division of 
Trading and Markets, (202) 551-5550; Jessica Leonardo or Taylor 
Evenson, Senior Counsels; Aaron Ellias, Acting Branch Chief; Marc 
Mehrespand, Branch Chief; Thoreau Bartmann, Co-Chief Counsel, Chief 
Counsel's Office, Division of Investment Management, (202) 551-6792, 
Securities and Exchange Commission, 100 F Street NE, Washington, DC 
20549.

SUPPLEMENTARY INFORMATION: The Commission is proposing for public 
comment amendments to 17 CFR 248 (``Regulation S-P'') \1\ under Title V 
of the GLBA [15 U.S.C. 6801-6827], the Fair Credit Reporting Act 
(``FCRA'') [15 U.S.C. 1681-1681x], the Securities Exchange Act of 1934 
(``Exchange Act'') [15 U.S.C. 78a et seq.], the Investment Company Act 
of 1940 (``Investment Company Act'') [15 U.S.C. 80a-1 et seq.], and the 
Investment Advisers Act of 1940 (``Investment Advisers Act'') [15 
U.S.C. 80b-1 et seq.].
---------------------------------------------------------------------------

    \1\ Unless otherwise noted, all references below to rules 
contained in Regulation S-P are to Part 248 of Chapter 17 of the 
Code of Federal Regulations (``CFR'').
---------------------------------------------------------------------------

Table of Contents

I. Introduction
    A. Background
    B. 2008 Proposal
    C. Overview of the Proposal
II. Discussion
    A. Incident Response Program Including Customer Notification
    1. Assessment
    2. Containment and Control
    3. Service Providers
    4. Notice to Affected Individuals
    B. Remote Work Arrangement Considerations
    C. Scope of Information Protected Under the Safeguards Rule and 
Disposal Rule
    1. Definition of Customer Information
    2. Safeguards Rule and Disposal Rule Coverage of Customer 
Information
    3. Extending the Scope of the Safeguards Rule and the Disposal 
Rule To Cover All Transfer Agents
    4. Maintaining the Current Regulatory Framework for Notice-
Registered Broker-Dealers
    D. Recordkeeping
    E. Exception From the Annual Notice Delivery Requirement
    1. Current Regulation S-P Requirements for Privacy Notices
    2. Proposed Amendment
    F. Request for Comment on Limited Information Disclosure When 
Personnel Leave Their Firms
    G. Other Current Commission Rule Proposals
    1. Covered Institutions Subject to the Regulation SCI Proposal 
and the Exchange Act Cybersecurity Proposal
    2. Investment Management Cybersecurity
    H. Existing Staff No-Action Letters and Other Staff Statements
    I. Proposed Compliance Date
III. Economic Analysis
    A. Introduction
    B. Broad Economic Considerations
    C. Baseline
    1. Safeguarding Customer Information--Risks and Practices
    2. Regulation
    3. Market Structure
    D. Benefits and Costs of the Proposed Rule Amendments
    1. Response Program
    2. Extend Scope of Customer Safeguards to Transfer Agents
    3. Recordkeeping
    4. Exception From Annual Notice Delivery Requirement
    E. Effects on Efficiency, Competition, and Capital Formation
    F. Reasonable Alternatives Considered
    1. Reasonable Assurances From Service Providers
    2. Lower Threshold for Customer Notice

[[Page 20617]]

    3. Encryption Safe Harbor
    4. Longer Customer Notification Deadlines
    5. Broader Law Enforcement Exception From Notification 
Requirements
    G. Request for Comment on Economic Analysis
IV. Paperwork Reduction Act
    A. Introduction
    B. Amendments to the Safeguards Rule and Disposal Rule
    C. Request for Comment
V. Initial Regulatory Flexibility Act Analysis
    A. Reason for and Objectives of the Proposed Action
    B. Legal Basis
    C. Small Entities Subject to Proposed Rule Amendments
    D. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements
    E. Duplicative, Overlapping, or Conflicting Federal Rules
    F. Significant Alternatives
    G. Request for Comment
VI. Consideration of Impact on the Economy
Statutory Authority

I. Introduction

    The Commission adopted Regulation S-P in 2000.\2\ Regulation S-P's 
provisions include, among other requirements, rule 248.30(a) 
(``safeguards rule''), which requires brokers, dealers, investment 
companies,\3\ and registered investment advisers to adopt written 
policies and procedures for administrative, technical, and physical 
safeguards to protect customer records and information.\4\ Another 
provision of Regulation S-P, rule 248.30(b) (``disposal rule''), which 
applies to transfer agents registered with the Commission in addition 
to the institutions covered by the safeguards rule, requires proper 
disposal of consumer report information.\5\ Since Regulation S-P was 
adopted, evolving digital communications and information storage tools 
and other technologies have made it easier for firms to obtain, share, 
and maintain individuals' personal information. This evolution also has 
changed or exacerbated the risks of unauthorized access to or use of 
personal information,\6\ thus increasing the risk of potential harm to 
individuals whose information is not protected against unauthorized 
access or use.\7\
---------------------------------------------------------------------------

    \2\ See Privacy of Consumer Financial Information (Regulation S-
P), Exchange Act Release No. 42974 (June 22, 2000) [65 FR 40334 
(June 29, 2000)] (``Reg. S-P Release''). Regulation S-P is codified 
at 17 CFR Part 248, Subpart A.
    \3\ Regulation S-P applies to investment companies as the term 
is defined in section 3 of the Investment Company Act (15 U.S.C. 
80a-3), whether or not the investment company is registered with the 
Commission. See 17 CFR 248.3(r). Thus, a business development 
company, which is an investment company but is not required to 
register as such with the Commission, is subject to Regulation S-P. 
Similarly, employees' securities companies--including those that are 
not required to register under the Investment Company Act--are 
investment companies and are, therefore, subject to Regulation S-P. 
By contrast, issuers that are excluded from the definition of 
investment company--such as private funds that are able to rely on 
section 3(c)(1) or 3(c)(7) of the Investment Company Act--would not 
be subject to Regulation S-P.
    \4\ See 17 CFR 248.30(a).
    \5\ See 17 CFR 248.30(b). In this release, institutions to which 
Regulation S-P currently applies, or to which the proposed 
amendments would apply, are sometimes referred to as ``covered 
institutions.'' The term ``covered institution'' is sometimes used 
in this release to refer to the institutions referred to as ``you'' 
in Regulation S-P.
    \6\ Unauthorized use differs from unauthorized access in that a 
person making unauthorized use of customer information may or may 
not be authorized to access it. Cf. Van Buren v. United States, 141 
S. Ct. 1648, 1652 (2021) (discussing how a person can access a 
computer without authorization or exceed authorized access). As 
described in more detail below, covered institutions would have to 
provide notice to affected individuals whose sensitive customer 
information was, or is reasonably likely to have been, accessed or 
used without authorization.
    \7\ See, e.g., Federal Bureau of Investigation, 2021 Internet 
Crime Report (Mar. 22, 2022), at 7-8, available at <a href="https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf">https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf</a> (stating that 
the FBI's Internet Crime Complaint Center received 847,376 
complaints in 2021 (an increase of approximately 181% from 2017). 
The complaints included 51,629 related to identity theft and 51,829 
related to personal data breaches (increases of approximately 193% 
and 68% from 2017, respectively)); the Financial Industry Regulatory 
Authority (``FINRA''), 2021 Report on FINRA's Examination and Risk 
Monitoring Program: Cybersecurity and Technology Governance (Feb. 
2021), available at <a href="https://www.finra.org/sites/default/files/2021-02/2021-report-finras-examination-risk-monitoring-program.pdf">https://www.finra.org/sites/default/files/2021-02/2021-report-finras-examination-risk-monitoring-program.pdf</a> 
(noting increased cybersecurity or technology-related incidents at 
firms); Office of Compliance Inspections and Examinations (now the 
Division of Examinations) (``EXAMS''), Risk Alert, Cybersecurity: 
Safeguarding Client Accounts against Credential Compromise (Sept. 
15, 2020), available at <a href="https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf">https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf</a> (describing increasingly 
sophisticated methods used by attackers to gain access to customer 
accounts and firm systems). This Risk Alert, and any other 
Commission staff statements represent the views of the staff. They 
are not a rule, regulation, or statement of the Commission. 
Furthermore, the Commission has neither approved nor disapproved 
their content. These staff statements, like all staff statements, 
have no legal force or effect: they do not alter or amend applicable 
law; and they create no new or additional obligations for any 
person.
---------------------------------------------------------------------------

    This environment of expanded risks supports our proposing updates 
to the requirements of Regulation S-P. Currently, the safeguards rule 
addresses protecting customer information against unauthorized access 
or use, but it does not include a requirement to notify affected 
individuals in the event of a data breach. In assessing firm and 
industry compliance with these requirements, Commission staff typically 
focus on information security controls, including whether firms have 
taken appropriate measures to safeguard customer accounts and to 
respond to data breaches.\8\ Commission staff have observed a number of 
practices with respect to the information safeguards requirements of 
Regulation S-P and have provided observations on several occasions to 
assist firms in improving their practices.\9\ Although many firms have 
improved their programs for safeguarding customer records and 
information in light of these observations, nonetheless we are 
concerned that some firms may not maintain plans for addressing 
incidents of unauthorized access to or use of data.\10\ We also are 
concerned the incident response programs that firms have implemented 
may be insufficient to respond to evolving threats or may not include 
well-designed plans for customer notification.\11\
---------------------------------------------------------------------------

    \8\ See EXAMS, 2022 Examination Priorities, available at <a href="https://www.sec.gov/files/2022-exam-priorities.pdf">https://www.sec.gov/files/2022-exam-priorities.pdf</a>; EXAMS, Investment 
Adviser and Broker-Dealer Compliance Issues Related to Regulation S-
P--Privacy Notices and Safeguard Policies (Apr. 16, 2019) (``Reg. S-
P Risk Alert''), available at <a href="https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf">https://www.sec.gov/files/OCIE%20Risk%20Alert%20-%20Regulation%20S-P.pdf</a>.
    \9\ See Reg. S-P Risk Alert, supra note 8 (noting that examples 
of the most common deficiencies or weaknesses observed by EXAMS 
staff included that broker-dealer and investment adviser written 
incident response plans did not address, among other things, actions 
required to address a cybersecurity incident and assessments of 
system vulnerabilities); EXAMS, Observations from Cybersecurity 
Examinations (Aug. 7, 2017) (``Observations Risk Alert''), available 
at <a href="https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf">https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf</a>.
    \10\ See Reg. S-P Risk Alert, supra note 8; Observations Risk 
Alert, supra note 9 (noting that some firms lacked plans for 
addressing access incidents).
    \11\ See Reg. S-P Risk Alert, supra note 8. Although broker-
dealers are subject to self-regulatory organization (``SRO'') rules 
requiring written supervisory procedures and written business 
continuity plans addressing subjects including data back-up and 
recovery, SRO rules do not require notification to customers whose 
information is compromised. See, e.g., FINRA Rule 3110 (Supervision) 
(requiring members to establish, maintain, and enforce written 
procedures to supervise the types of business in which they engage 
and the activities of their associated persons that are reasonably 
designed to achieve compliance with applicable securities laws and 
regulations, and with applicable FINRA rules), and FINRA Rule 4370 
(Business Continuity Plans and Emergency Contact Information) 
(requiring members to create and maintain a written business 
continuity plan identifying procedures relating to an emergency or 
significant business disruption that must address specified topics 
including data back-up and recovery).
---------------------------------------------------------------------------

    We therefore preliminarily believe specifically requiring a 
reasonably designed incident response program, including policies and 
procedures for assessment, control and containment, and customer 
notification, could help reduce or mitigate the potential for harm to 
individuals whose sensitive information is exposed or compromised in a 
data breach. Requiring firms to adopt incident response programs to 
address unauthorized access to or use of customer information, 
including

[[Page 20618]]

customer notification and recordkeeping requirements, would enhance 
protections for customer information. The advance planning required 
under an incident response program should improve an institution's 
preparedness and the effectiveness of its response to data breaches 
while still being consistent with the requirements for safeguarding 
standards articulated in the GLBA.\12\
---------------------------------------------------------------------------

    \12\ The GLBA's requirements for standards for safeguarding 
customer records and information are described in the Background 
section below. See infra section I.A.
---------------------------------------------------------------------------

    In certain instances, some types of customer notification plans may 
already be required by existing state laws mandating customer 
notifications. While all 50 states have enacted laws in recent years 
requiring firms to notify individuals of data breaches, standards 
differ by state, with some states imposing heightened notification 
requirements relative to other states.\13\ Currently, broker-dealers, 
investment companies, and registered investment advisers respond to 
data breaches according to applicable state laws. For example, states 
differ in the types of information that, if accessed or used without 
authorization, may trigger a notification requirement.\14\ States also 
differ regarding a firm's duty to investigate a data breach when 
determining whether notice is required, deadlines to deliver notice, 
and the information required to be included in a notice, among other 
matters.\15\ As a result, a firm's notification obligations arising 
from a single data breach may vary such that customers in one state may 
receive notice while customers of the same institution in another state 
may not receive notice or may receive less information. In reviewing 
these state laws, we determined that certain aspects of these 
provisions would be appropriately adopted as components of a Federal 
minimum standard for customer notification, which would help affected 
customers understand how to respond to a data breach to protect 
themselves from potential harm that could result.
---------------------------------------------------------------------------

    \13\ Upon its adoption, rule 248.17 essentially restated the 
then-current text of section 507 of the GLBA, and as such, 
referenced determinations made by the Federal Trade Commission. See 
Reg. S-P Release, supra note 2. The proposal would, however, update 
rule 248.17 to instead reference determinations made by the Consumer 
Financial Protection Bureau, consistent with changes made to section 
507 of the GLBA by the Dodd-Frank Wall Street Reform and Consumer 
Protection Act. See Public Law 111-203, sec. 1041, 124 Stat. 1376 
(2010).
    \14\ For example, some states may require a firm to notify 
individuals when a data breach includes biometric information, while 
others do not. Compare Cal. Civil Code sec. 1798.29 (notice to 
California residents of a data breach generally required when a 
resident's personal information was or is reasonably believed to 
have been acquired by an unauthorized person; ``personal 
information'' is defined to mean an individual's first or last name 
in combination with one of a list of specified elements, which 
includes certain unique biometric data) with Ala. Stat. secs. 8-38-
2, 8-38-4, 8-38-5 (notice of a data breach to Alabama residents is 
generally required when sensitive personally identifying information 
has been acquired by an unauthorized person and is reasonably likely 
to cause substantial harm to the resident to whom the information 
relates; ``sensitive personally identifying information'' is defined 
as the resident's first or last name in combination with one of a 
list of specified elements, which does not include biometric 
information).
    \15\ See infra sections II.A.4 and III.C.2.a.
---------------------------------------------------------------------------

    Our proposal would afford certain individuals greater protections 
by, for example, defining ``sensitive customer information'' more 
broadly than the current definitions used by at least 12 states, 
thereby requiring customers in those states to receive notice for a 
broader range of personal information included in a breach.\16\ 
Additionally, the 30-day notification deadline proposed in this release 
is shorter than the timing currently mandated by 15 states, and would 
also offer enhanced protections to individuals in 32 states with laws 
that do not include a notification deadline as well as those in states 
that mandate or permit delayed notifications for law enforcement 
purposes.\17\ A standardized notification deadline ensures timely 
notice to affected customers and would enhance their ability to take 
action quickly to protect themselves against the consequences of a 
breach. Further, consistent with 22 state laws, this proposal would 
require customer notification unless, after investigation, the covered 
institution finds no risk of harm.\18\ Twenty-one states currently have 
a presumption against notifying customers of a breach, and only require 
notice if, after investigation, the covered institution finds risk of 
harm.\19\ In addition, in the 11 states where state customer 
notification laws do not apply to entities subject to or in compliance 
with the GLBA, the proposal would help ensure customers of such 
institutions receive notice of a breach.\20\ As discussed more fully 
below, establishing a federal minimum standard would protect 
individuals in an environment of enhanced risk.\21\
---------------------------------------------------------------------------

    \16\ See infra section II.C.1.
    \17\ See infra section II.A.4.e.
    \18\ See infra section II.A.4.a.
    \19\ See id.
    \20\ See id.
    \21\ The effect of any inconsistency between the proposed 
customer notification and state law requirements may, however, be 
mitigated because many states offer safe harbors from their 
notification laws for entities that are subject to or in compliance 
with requirements under Federal regulations. In particular, as 
noted, 11 states offer safe harbors for entities subject to or in 
compliance with the GLBA, while others offer safe harbors for 
compliance with the notification requirements of the entity's 
``primary federal regulator.'' See, e.g., Del. Code Ann. tit. 6 
section 12B-103 (providing that a person regulated by the GLBA and 
maintaining procedures for security breaches pursuant to the law 
established by its Federal regulator is deemed to be in compliance 
with the Delaware notification requirements if the person notifies 
affected Delaware residents in accordance with those procedures). 
See infra note 106 and accompanying text.
---------------------------------------------------------------------------

    There are compelling reasons to revisit other aspects of the 
current safeguards regime as well. As noted above, the safeguards rule 
currently applies to broker-dealers, investment companies, and 
registered investment advisers. The safeguards rule does not currently 
apply to transfer agents, even though they also obtain, share, and 
maintain personal information on behalf of securityholders who hold 
securities in registered form (i.e., in their own name rather than 
indirectly through a broker). Securityholders whose personal 
information is maintained by transfer agents could be harmed by the 
unauthorized access or use of such information in the same manner as 
customers of broker-dealers, investment companies, and registered 
investment advisers, yet such securityholders are not currently 
protected by the safeguards rule. The Commission preliminarily believes 
that extending the safeguards rule to cover transfer agents is 
necessary to ensure that there is a Federal minimum standard for the 
notification of securityholders who are affected by a data breach that 
leads to the unauthorized access or use of their information, 
regardless of whether that data breach occurs at a broker-dealer, 
investment company, registered investment adviser, or transfer 
agent.\22\
---------------------------------------------------------------------------

    \22\ See infra section II.C.3.
---------------------------------------------------------------------------

    In addition, the safeguards rule currently requires only that 
institutions protect their own customers' information. This potentially 
overlooks information a broker-dealer, investment company, or 
registered investment adviser may have received from another financial 
institution about that financial institution's customers,\23\ such as

[[Page 20619]]

nonpublic personal information from an introducing broker or dealer 
that clears transactions for its customers through a clearing broker on 
a fully disclosed basis.\24\ Applying the safeguards rule and the 
disposal rule to customer information that a covered institution 
receives from other financial institutions would better protect 
individuals by ensuring customer information safeguards are not lost 
when a third-party financial institution shares that information with a 
covered institution.\25\ Finally, applying the safeguards rule and the 
disposal rule to a broader set of information should enhance the 
security and confidentiality of customers' personal information.
---------------------------------------------------------------------------

    \23\ Under section 501(b) of the GLBA, the standards to be 
established by the Commission must, among other things, ``protect 
against unauthorized access to or use of'' customer records or 
information ``which could result in substantial harm or 
inconvenience to any customer.'' See 15 U.S.C. 6801(b)(3) (emphasis 
added). We agree with the Federal Trade Commission (``FTC'') that 
applying the safeguards rule to cover customer information that a 
financial institution receives pertaining to another institution's 
customers is consistent with the purpose and language of the GLBA. 
Further, the Commission agrees with the FTC that this approach is 
the most reasonable reading of the statutory language and clearly 
furthers the express congressional policy to respect the privacy of 
these customers and to protect the security and confidentiality of 
their nonpublic personal information. See FTC, Standards for 
Safeguarding Customer Information, 67 FR 36484, 36485-86 (May 23, 
2002); see also infra section II.C.2 (describing proposed new 
definition of ``customer information'' that would include both 
nonpublic personal information that a covered institution collects 
about its own customers and nonpublic personal information about 
customers of a third-party financial institution that the covered 
institution receives from the third-party financial institution).
    \24\ See 17 CFR 248.3(g)(2)(iii) (``An individual is not your 
consumer if he or she has an account with another broker or dealer 
(the introducing broker-dealer) that carries securities for the 
individual in a special omnibus account with you (the clearing 
broker-dealer) in the name of the introducing broker-dealer, and 
when you receive only the account numbers and transaction 
information of the introducing broker-dealer's consumers in order to 
clear transactions.'').
    \25\ See infra section II.C.2.
---------------------------------------------------------------------------

    Therefore, the Commission is proposing amendments to Regulation S-P 
to enhance the protection of this information by: (1) requiring covered 
institutions to include incident response programs in their safeguards 
policies and procedures to address unauthorized access to or use of 
customer information, including procedures for providing timely 
notification to affected individuals; (2) extending the safeguards rule 
to all transfer agents registered with the Commission or another 
appropriate regulatory agency as defined in section 3(a)(34)(B) of the 
Exchange Act (unless otherwise noted, we refer to them collectively as 
``transfer agents'' for purposes of this release); (3) more closely 
aligning the information protected by the safeguards rule and the 
disposal rule; and (4) broadening the set of customers covered by those 
rules.

A. Background

    Title V of the GLBA,\26\ among other things, directed the 
Commission and other Federal financial regulators to establish and 
implement standards requiring financial institutions subject to their 
jurisdiction to adopt administrative, technical, and physical 
safeguards for the protection of customer records and information.\27\ 
The GLBA specified that these standards were ``(1) to insure the 
security and confidentiality of customer records and information; (2) 
to protect against any anticipated threats or hazards to the security 
or integrity of such records; and (3) to protect against unauthorized 
access to or use of such records or information which could result in 
substantial harm or inconvenience to any customer.'' \28\
---------------------------------------------------------------------------

    \26\ 15 U.S.C. 6801-6827.
    \27\ See 15 U.S.C. 6801(b) and 6804(a)(1).
    \28\ 15 U.S.C. 6801(b).
---------------------------------------------------------------------------

    As noted above, the safeguards rule sets forth standards for 
safeguarding customer records and information and currently requires 
covered institutions to adopt written policies and procedures for 
administrative, technical, and physical safeguards to protect customer 
records and information.\29\ While the term ``customer records and 
information'' is not defined in the GLBA or in Regulation S-P,\30\ the 
safeguards must be reasonably designed to meet the GLBA's 
standards.\31\ This approach is designed to provide flexibility for 
covered institutions to safeguard customer records and information in 
accordance with their own privacy policies and practices and business 
models.
---------------------------------------------------------------------------

    \29\ 17 CFR 248.30(a). Other sections of Regulation S-P 
implement the notice and opt out provisions of the GLBA. See 17 CFR 
248.1-248.18. In addition to the safeguards rule and the disposal 
rule (17 CFR 248.30(b)), the GLBA and Regulation S-P require 
brokers, dealers, investment companies and registered investment 
advisers to provide an annual notice of their privacy policies and 
practices to their customers (and notice to consumers before sharing 
their nonpublic customer information with nonaffiliated third 
parties outside certain exceptions). See 15 U.S.C. 6803(a); 17 CFR 
248.4; 17 CFR 248.5. We are also proposing an exception to the 
annual notice delivery requirement. See infra section II.E.
    \30\ See 17 CFR 248.30(a); 15 U.S.C. 6801(b)(1) (discussing but 
not defining ``customer records or information'').
    \31\ Specifically, the safeguards must be reasonably designed to 
insure the security and confidentiality of customer records and 
information, protect against anticipated threats to the security or 
integrity of those records and information, and protect against 
unauthorized access to or use of such records or information that 
could result in substantial harm or inconvenience to any customer. 
See 17 CFR 248.30(a). See also 15 U.S.C. 6801(b).
---------------------------------------------------------------------------

    Pursuant to the Fair and Accurate Credit Transactions Act of 2003 
(``FACT Act''), the Commission amended Regulation S-P in 2004 by 
adopting the disposal rule to protect against the improper disposal of 
``consumer report information.'' \32\ ``Consumer report information'' 
is defined as ``any record about an individual, whether in paper, 
electronic or other form, that is a consumer report or is derived from 
a consumer report'' and also means ``a compilation of such records,'' 
but does not include ``information that does not identify individuals, 
such as aggregate information or blind data.'' \33\ The disposal rule 
currently applies to the financial institutions subject to the 
safeguards rule, except that it excludes ``notice-registered broker-
dealers,'' \34\ and it applies to transfer agents registered with the 
Commission.\35\ The disposal rule requires these entities that maintain 
or possess ``consumer report information'' for a business purpose to 
take ``reasonable measures to protect against unauthorized access to or 
use of the information in connection with its disposal.'' \36\
---------------------------------------------------------------------------

    \32\ 17 CFR 248.30(b). See Disposal of Consumer Report 
Information, Exchange Act Release No. 50781 (Dec. 2, 2004) [69 FR 
71322 (Dec. 8, 2004)] (``Disposal Rule Adopting Release''). Section 
216 of the FACT Act amended the FCRA by adding section 628 (codified 
at 15 U.S.C. 1681w), which directed the Commission and other Federal 
financial regulators to adopt regulations ``requiring any person who 
maintains or possesses consumer information or any compilation of 
consumer information derived from a consumer report for a business 
purpose must properly dispose of the information.''
    \33\ See 17 CFR 248.30(b)(1)(ii).
    \34\ See 17 CFR 248.30(b)(1)(iv) (defining ``notice-registered 
broker-dealers'' as ``a broker or dealer registered by notice with 
the Commission under section 15(b)(11) of the Securities Exchange 
Act of 1934 (15 U.S.C. 78o(b)(11))''). See also infra section II.C.4 
further detailing the current regulatory framework for notice-
registered broker-dealers under the safeguards rule and the disposal 
rule.
    \35\ See 17 CFR 248.30(b)(2)(i).
    \36\ See 17 CFR 248.30(b).
---------------------------------------------------------------------------

    The GLBA and FACT Act oblige us to adopt regulations, to the extent 
possible, that are consistent and comparable with those adopted by the 
Banking Agencies and the FTC.\37\ Accordingly, in determining the scope 
of the proposed amendments contemplated in this proposal, including for 
example, the definitions of ``customer information'' and ``sensitive 
customer information'' described below, we are mindful of the need to 
set standards for safeguarding customer records and information that 
are consistent and comparable with the corresponding standards set by 
the Banking Agencies and the FTC.
---------------------------------------------------------------------------

    \37\ See generally 15 U.S.C. 6804(a) (directing the agencies 
authorized to prescribe regulations under title V of the GLBA to 
assure to the extent possible that their regulations are consistent 
and comparable); 15 U.S.C. 1681w(a)(2)(A) (directing the agencies 
with enforcement authority set forth in 15 U.S.C. 1681s to consult 
and coordinate so that, to the extent possible, their regulations 
are consistent and comparable). The ``Banking Agencies'' include the 
Office of the Comptroller of the Currency (``OCC''), the Board of 
Governors of the Federal Reserve System (``FRB''), the Federal 
Deposit Insurance Corporation (``FDIC''), and the former Office of 
Thrift Supervision.

---------------------------------------------------------------------------

[[Page 20620]]

B. 2008 Proposal

    In 2008, the Commission proposed amendments to Regulation S-P 
primarily to help prevent information security breaches in the 
securities industry and to improve responsiveness when such breaches 
occur, with the goal of better protecting investors from identity theft 
and other misuse of what the proposal would have defined as ``personal 
information.'' \38\ The 2008 Proposal would have set out specific 
standards for safeguarding customer records and information, including 
requirements for procedures to respond to incidents of unauthorized 
access to or use of personal information. Those requirements would have 
included procedures for notifying the Commission (or a broker-dealer's 
designated examining authority \39\) of data breach incidents, and 
procedures for notifying individuals of incidents of unauthorized 
access to or misuse of sensitive personal information, if the misuse 
had occurred or was reasonably possible. The 2008 Proposal also would 
have amended the safeguards rule and the disposal rule so that both 
would have protected ``personal information,'' which would have 
included any record containing either ``nonpublic personal 
information'' or ``consumer report information.'' \40\ In addition, the 
2008 Proposal would have extended the safeguards rule to apply to 
transfer agents registered with the Commission, and would have extended 
the disposal rule to apply to natural persons who are associated 
persons of a broker or dealer, supervised persons of a registered 
investment adviser, and associated persons of any transfer agent 
registered with the Commission. The 2008 Proposal would have further 
required brokers, dealers, investment companies, registered investment 
advisers, and transfer agents registered with the Commission to 
maintain and preserve written records of their policies and procedures 
required under the disposal and safeguards rules and compliance with 
those policies and procedures.
---------------------------------------------------------------------------

    \38\ See Part 248--Regulation S-P: Privacy of Consumer Financial 
Information and Safeguarding Customer information, Exchange Act 
Release No. 57427 (Mar. 4, 2008) [73 FR 13692, 13693-94 (Mar. 13, 
2008)] (``2008 Proposal''). The amendments to Regulation S-P 
referenced in the 2008 Proposal have not been adopted.
    \39\ A broker-dealer's designated examining authority is the SRO 
of which the broker-dealer is a member, or, if the broker-dealer is 
a member of more than one SRO, the SRO designated by the Commission 
pursuant to 17 CFR 240.17d-1 as responsible for examination of the 
member for compliance with applicable financial responsibility rules 
(including the Commission's customer account protection rules at 17 
CFR 240.15c3-3). See 2008 Proposal, supra note 38, at n.44.
    \40\ The 2008 Proposal would have made both the safeguards rule 
and the disposal rule, as amended, applicable to ``personal 
information,'' which would have been defined to include any record 
containing either ``nonpublic personal information'' or ``consumer 
report information'' that is identified with any consumer, or with 
any employee, investor, or securityholder who is a natural person, 
whether in paper, electronic, or other form, that is handled or 
maintained by or on behalf of a covered institution. See 2008 
Proposal, supra note 38, at 73 FR 13700.
---------------------------------------------------------------------------

    The Commission received over 400 comment letters in response to the 
2008 Proposal.\41\ The current proposal to amend Regulation S-P has 
been informed by comments received on the 2008 Proposal. Most 
commenters supported requirements for comprehensive information 
security programs that are consistent and comparable to the rules and 
guidance of other Federal financial regulators.\42\ Many commenters, 
however, objected to changes in the scope of information and entities 
covered by the proposed amendments.\43\ Many commenters opposed or 
suggested modifying the proposed amendments' information security 
breach response provisions.\44\ Comments were mixed on the proposed 
exception for disclosures relating to transfers of representatives from 
one broker-dealer or registered investment adviser to another.\45\
---------------------------------------------------------------------------

    \41\ Comments on the proposal, including comments referenced in 
this Release are available on the Commission website at <a href="http://www.sec.gov/comments/s7-06-08/s70608.shtml">http://www.sec.gov/comments/s7-06-08/s70608.shtml</a>. Approximately 328 of the 
comments received contained substantially the same content. See 
example of Letter Type A available at <a href="https://www.sec.gov/comments/s7-06-08/s70608typea.htm">https://www.sec.gov/comments/s7-06-08/s70608typea.htm</a>.
    \42\ See, e.g., Letter from Alan E. Sorcher, Managing Director 
and Associate General Counsel, Securities Industry and Financial 
Markets Association (May 12, 2008) (``SIFMA Letter''); Letter from 
Tamara K. Salmon, Senior Associate Counsel, Investment Company 
Institute (May 2, 2008) (``ICI Letter''); Letter from Marcia E. 
Asquith, Senior Vice President and Corporate Secretary, Financial 
Industry Regulatory Authority (May 12, 2008) (``FINRA Letter'').
    \43\ See, e.g., SIFMA Letter; Letter from Charles V. Rossi, 
President, The Securities Transfer Association, Inc. (May 9, 2008) 
(``STA Letter'').
    \44\ See, e.g., SIFMA Letter; ICI Letter; Letter from Karen L. 
Barr, General Counsel, Investment Adviser Association (May 12, 2008) 
(``IAA Letter''); Letter from Sarah Miller, General Counsel, ABA 
Securities Association (May 22, 2008) (``ABASA Letter'').
    \45\ See, e.g., SIFMA Letter; IAA Letter (both in support); 
Letter from Julius L. Loeser, Chief Regulatory and Compliance 
Counsel, Comerica Securities, Inc. (May 9, 2008) (``Comerica 
Letter''); Letter from Steven French, President, MemberMap LLC (May 
11, 2008) (``MemberMap Letter'') (both opposed).
---------------------------------------------------------------------------

C. Overview of the Proposal

    There are no Commission rules at this time expressly requiring 
broker-dealers, investment companies, or registered investment advisers 
to have policies and procedures for responding to data breach incidents 
or to notify customers of those breaches.\46\ As noted above, advance 
planning would be part of creating a reasonably designed incident 
response program, and its prompt implementation following a breach 
(including notification to affected individuals), is important in 
limiting potential harmful impacts to individuals. While we recognize 
that state laws require covered institutions to notify state residents 
of data breaches, those laws are not consistent and exclude some 
entities from certain requirements. Accordingly, a Federal minimum 
standard would provide notification to all customers of a covered 
institution affected by a data breach (regardless of state residency) 
and provide consistent disclosure of important information to help 
affected customers respond to a data breach. Other Federal regulators' 
GLBA safeguarding standards also include a requirement for a data 
breach response plan or program.\47\
---------------------------------------------------------------------------

    \46\ As noted above, there are no SRO rules requiring 
notification to customers whose information has been compromised. 
See supra note 11. The Commission has pending proposals to address 
cybersecurity risk with respect to investment advisers, investment 
companies, and public companies. The Commission encourages 
commenters to review those proposals to determine whether they might 
affect their comments on this proposing release. See infra note 55.
    \47\ The FTC recently amended its Safeguards Rule by, among 
other things, adding a requirement for financial institutions under 
the FTC's GLBA jurisdiction to establish a written incident response 
plan designed to respond to information security events. See FTC, 
Standards for Safeguarding Customer Information, 86 FR 70272 (Dec. 
9, 2021) (``FTC Safeguards Release''). As amended, the FTC's rule 
requires that a response plan address security events materially 
affecting the confidentiality, integrity, or availability of 
customer information in the financial institution's control, and 
that the plan include specified elements that would include 
procedures for satisfying an institution's independent obligation to 
perform notification as required by state law. See FTC Safeguards 
Release, at 70297-98, n.295. Earlier, the Banking Agencies and the 
National Credit Union Administration (``NCUA'') jointly issued 
guidance on responding to incidents of unauthorized access to or use 
of customer information. See Interagency Guidance on Response 
Programs for Unauthorized Access to Customer Information and 
Customer Notice, 70 FR 15736, 15743 (Mar. 29, 2005) (``Banking 
Agencies' Incident Response Guidance''). The Banking Agencies' 
Incident Response Guidance provides, among other things, that when 
an institution becomes aware of an incident of unauthorized access 
to sensitive customer information, the institution should conduct a 
reasonable investigation to determine promptly the likelihood that 
the information has been or will be misused. If the institution 
determines that misuse of the information has occurred or is 
reasonably possible, it should notify affected customers as soon as 
possible.
---------------------------------------------------------------------------

    The Commission is proposing amendments to Regulation S-P's 
safeguards rule. The proposed amendments would require covered 
institutions to develop, implement, and maintain written policies and

[[Page 20621]]

procedures for an incident response program that is reasonably designed 
to detect, respond to, and recover from unauthorized access to or use 
of customer information.\48\ The amendments would require that a 
response program include procedures to assess the nature and scope of 
any incident and to take appropriate steps to contain and control the 
incident to prevent further unauthorized access or use.\49\
---------------------------------------------------------------------------

    \48\ See proposed rule 248.30(b).
    \49\ See proposed rule 248.30(b)(3).
---------------------------------------------------------------------------

    The proposed response program procedures also would have to include 
notification to individuals whose sensitive customer information was, 
or is reasonably likely to have been, accessed or used without 
authorization.\50\ Notice would not be required if a covered 
institution determines, after a reasonable investigation of the facts 
and circumstances of the incident of unauthorized access to or use of 
sensitive customer information, that the sensitive customer information 
has not been, and is not reasonably likely to be, used in a manner that 
would result in substantial harm or inconvenience.\51\ Under the 
proposed amendments, a customer notice must be clear and conspicuous 
and provided by a means designed to ensure that each affected 
individual can reasonably be expected to receive it.\52\ A covered 
institution would be required to provide notice as soon as practicable, 
but not later than 30 days, after becoming aware that the incident 
occurred or is reasonably likely to have occurred.\53\ To the extent a covered institution would 
have a notification obligation under both the proposed rules and a 
similar state law, a covered institution should be able to provide one 
notice to satisfy notification obligations under both the proposed 
rules and the state law, provided it included all information required 
under both the proposed rules and the state law.\54\
---------------------------------------------------------------------------

    \50\ See proposed rule 248.30(b)(4). See proposed rule 
248.30(e)(9) for the definition of ``sensitive customer 
information.'' See also infra section II.A.4, which includes a 
discussion of ``sensitive customer information.''
    \51\ See id.
    \52\ See proposed rule 248.30(b)(4)(i).
    \53\ See proposed rule 248.30(b)(4)(iii).
    \54\ We are not aware of any laws that would require the sending 
of multiple customer notices.
---------------------------------------------------------------------------

    The Commission also is proposing amendments to Regulation S-P to 
enhance the protection of customers' nonpublic personal information. 
These proposed amendments would more closely align the information 
protected under the safeguards rule and the disposal rule by applying 
the protections of both rules to ``customer information,'' a newly 
defined term. We also propose to broaden the group of customers whose 
information is protected under both rules. Additionally, we propose to 
bring all transfer agents within the scope of the safeguards rule.
    The proposal is not inconsistent with other recent cybersecurity-
related rulemaking proposals.\55\ Additionally, as described in greater 
detail below,\56\ the Commission is also proposing rules and rule 
amendments related to cybersecurity risk and related disclosures as 
well as Regulation SCI.\57\ We encourage commenters to review those 
other cybersecurity-related rulemaking proposals to determine whether 
those proposals might affect comments on this proposing release.
---------------------------------------------------------------------------

    \55\ See Cybersecurity Risk Management for Investment Advisers, 
Registered Investment Companies, and Business Development Companies, 
Securities Act Release No. 11028 (Feb. 9, 2022) [87 FR 13524 (Mar. 
9, 2022)] (``Investment Management Cybersecurity Proposal''); see 
also Cybersecurity Risk Management, Strategy, Governance, and 
Incident Disclosure, Securities Act Release No. 11038 (Mar. 9, 2022) 
[87 FR 16590 (Mar. 23, 2022)] (``Corporation Finance Cybersecurity 
Proposal'').
    \56\ See infra section II.G.
    \57\ Regulation SCI is codified at 17 CFR 242.1000 through 1007. 
As described further below, while the overall nature of each 
cybersecurity-related proposal is similar given the topic, the scope 
of each proposal addresses different cybersecurity-related issues as 
they relate in different ways to different entities, types of 
covered information or systems, and products. See Cybersecurity Risk 
Management Proposed Rule for Broker-Dealers, Clearing Agencies, 
Major Security-Based Swap Participants, the Municipal Securities 
Rulemaking Board, National Securities Associations, National 
Securities Exchanges, Security-Based Swap Data Repositories, 
Security-Based Swap Dealers, and Transfer Agents, Exchange Act 
Release No. 97142 (Mar. 15, 2023) (``Exchange Act Cybersecurity 
Proposal'') and Regulation Systems Compliance and Integrity, 
Exchange Act Release No. 97143 (Mar. 15, 2023) (``Regulation SCI 
Proposal'').
---------------------------------------------------------------------------

II. Discussion

A. Incident Response Program Including Customer Notification

    Security incidents can occur in different ways, such as through 
takeovers of online accounts by bad actors, improper disposal of 
customer information in areas that may be accessed by unauthorized 
persons, or the loss or theft of data that includes customer 
information. Whatever the means, unauthorized access to, or use of, 
customer information may result in misuse, exposure or theft of a 
customer's nonpublic personal information, which could result in 
substantial harm or inconvenience to individuals affected by a security 
incident. Exposure of customer information in a security incident, 
whether it results from unauthorized access to or use of customer 
information by an employee \58\ or external actor,\59\ could leave 
affected individuals vulnerable to having their information further 
compromised.\60\ Bad actors can use customer information to cause harm 
in a number of ways, such as by stealing

[[Page 20622]]

customer identities to sell to other bad actors on the dark web,\61\ 
publishing customer information on the dark web, using customer 
identities to carry out fraud themselves, or taking over a customer's 
account for malevolent purposes. For example, a bad actor could use 
compromised customer information such as login credentials (e.g., a 
username and password), as part of an account takeover scheme to obtain 
unauthorized entry to a customer's online brokerage account, putting 
customer assets at risk for unauthorized fund transfers or trades.\62\ 
Similarly, a bad actor could engage in new account fraud by using 
compromised customer information to establish a brokerage account 
without the customer's knowledge through identity theft. Once the bad 
actor has taken over the customer's account, or has opened a fraudulent 
new account, it could potentially use a separate account at another 
broker-dealer to trade against these accounts for profit, which could 
result in harm to the affected customer.\63\
---------------------------------------------------------------------------

    \58\ For example, an employee might access and download 
confidential customer data to a personal server that is subsequently 
hacked by a third party. Once the customer data has been stolen, 
portions of the customer data could be posted on the internet along 
with an offer to sell a larger quantity of stolen data in exchange 
for payment. See, e.g., Commission Order, In the Matter of Morgan 
Stanley Smith Barney LLC, Release No. 34-78021 (June 8, 2016), 
available at <a href="https://www.sec.gov/litigation/admin/2016/34-78021.pdf">https://www.sec.gov/litigation/admin/2016/34-78021.pdf</a> 
(settled order) (finding that an employee misappropriated data 
regarding approximately 730,000 customer accounts, associated with 
approximately 330,000 different households, by accessing two of the 
firm's portals. The misappropriated data included personally 
identifiable information (``PII'') such as customers' full names, 
phone numbers, street addresses, account numbers, account balances, 
and securities holdings).
    \59\ For example, unauthorized third parties could take over 
email accounts, resulting in exposure of customer information. An 
email account takeover occurs when an unauthorized third party gains 
access to the email account and, in addition to being able to view 
its contents, is also able to take actions of a legitimate user, 
such as sending and deleting emails or setting up forwarding rules. 
See, e.g., Commission Order, In the Matter of Cambridge Investment 
Research, Inc., et al., Release No. 34-92806 (Aug. 30, 2021) 
(``Cambridge Order''), available at <a href="https://www.sec.gov/litigation/admin/2021/34-92806.pdf">https://www.sec.gov/litigation/admin/2021/34-92806.pdf</a> (settled order) (finding that cloud-based 
email accounts of over 121 Cambridge independent contractor 
representatives were taken over by third parties resulting in the 
exposure of at least 2,177 customers' PII stored in the compromised 
email accounts and potential exposure of another 3,800 customers' 
PII); Commission Order, In the Matter of Cetera Advisor Networks 
LLC, et al., Release No. 34-92800 (Aug. 30, 2021), available at 
<a href="https://www.sec.gov/litigation/admin/2021/34-92800.pdf">https://www.sec.gov/litigation/admin/2021/34-92800.pdf</a> (settled 
order) (finding that email accounts of over 60 Cetera personnel were 
taken over by unauthorized third parties resulting in the exposure 
of over 4,388 of Cetera customers' PII stored in the compromised 
email accounts); Commission Order, In the Matter of KMS Financial 
Services, Inc., Release No. 34-92807 (Aug. 30, 2021) (``KMS 
Order''), available at <a href="https://www.sec.gov/litigation/admin/2021/34-92807.pdf">https://www.sec.gov/litigation/admin/2021/34-92807.pdf</a> (settled order) (finding that fifteen KMS financial 
adviser email accounts were accessed by unauthorized third parties 
resulting in the exposure of customer records and information, 
including PII, of approximately 4,900 KMS customers).
    \60\ Modes of compromise could include, for example, phishing or 
credential stuffing. ``Phishing'' is a means of gaining unauthorized 
access to a computer system or service by using a fraudulent or 
``spoofed'' email to trick a victim into taking action, such as 
downloading malicious software or entering his or her log-in 
credentials on a fake website purporting to be the legitimate log-in 
website for the system or service, while ``credential stuffing'' is 
a means of gaining unauthorized access to accounts by automatically 
entering large numbers of pairs of log-in credentials that were 
obtained elsewhere. See Cambridge Order, supra note 59, at 3, n.5 
and n.6.
    For example, individuals affected by a security incident might 
receive phishing emails requesting them to wire funds to a bank 
account or enter PII to access a document, among other things. See, 
e.g., KMS Order, supra note 59, at 4.
    \61\ The ``dark web'' is a part of the internet that requires 
specialized software to access and is specifically designed to 
facilitate anonymity by obscuring users' identities, including by 
hiding users' internet protocol addresses. The anonymity provided by 
the dark web has allowed users to sell and purchase illegal products 
and services. See, e.g., SEC v. Apostolos Trovias, Case 1:21-cv-
05925 (S.D.N.Y. filed July 9, 2021) Dkt. No. 1 (complaint) at 1-2, 
available at <a href="https://www.sec.gov/litigation/complaints/2021/comp-pr2021-122.pdf">https://www.sec.gov/litigation/complaints/2021/comp-pr2021-122.pdf</a>. The SEC obtained a final judgment against the 
defendant on July 19, 2022. See Litigation Release No. 25447 (July 
21, 2022), available at <a href="https://www.sec.gov/litigation/litreleases/2022/judg25447.pdf">https://www.sec.gov/litigation/litreleases/2022/judg25447.pdf</a>.
    \62\ See, e.g., FINRA Regulatory Notice 20-32, FINRA Reminds 
Firms to Be Aware of Fraudulent Options Trading in Connection With 
Potential Account Takeovers and New Account Fraud (Sept. 17, 2020), 
available at <a href="https://www.finra.org/rules-guidance/notices/20-32">https://www.finra.org/rules-guidance/notices/20-32</a> 
(stating that FINRA recently observed an increase in fraudulent 
options trading being facilitated by account takeover schemes and 
the use of new account fraud); see also FINRA Regulatory Notice 20-
13, FINRA Reminds Firms to Beware of Fraud During the Coronavirus 
(COVID-19) Pandemic (May 5, 2020), available at <a href="https://www.finra.org/rules-guidance/notices/20-13">https://www.finra.org/rules-guidance/notices/20-13</a> (stating that some firms 
have reported an increase in newly opened fraudulent accounts, and 
urging firms to be cognizant of the heightened threat of frauds and 
scams to which firms and their customers may be exposed during the 
COVID-19 pandemic).
    \63\ In 2017, the SEC charged an individual with engaging in an 
illegal brokerage account takeover and unauthorized trading scheme 
with at least one other person. The SEC's complaint alleged that, in 
furtherance of the scheme, the other person(s) accessed at least 110 
brokerage accounts of unwitting accountholders, secretly and without 
authorization, and used those accounts to place securities trades 
that artificially affected the stock prices of various publicly 
traded companies. At or about the same time, the charged individual 
used his brokerage accounts to trade the same securities, generating 
profits by taking advantage of the artificial stock prices that 
resulted from the unauthorized trades placed in the victims' 
accounts. The complaint alleged that the individual generated at 
least $700,000 in illicit profits through his participation in the 
scheme by buying or selling stock in his brokerage accounts in his 
name at artificially low or high prices generated by the 
unauthorized trading of stock in the victims' accounts. See SEC v. 
Joseph P. Willner, Case 1:17-cv-06305 (E.D.N.Y. filed Oct. 30, 2017) 
(complaint), available at <a href="https://www.sec.gov/litigation/complaints/2017/comp-pr2017-202.pdf">https://www.sec.gov/litigation/complaints/2017/comp-pr2017-202.pdf</a>. In Oct. 2020, the U.S. District Court for 
the Eastern District of New York entered a final consent judgment 
against this individual for his role in the scheme. See Litigation 
Release No. 24947 (Oct. 19, 2020), available at <a href="https://www.sec.gov/litigation/litreleases/2020/lr24947.htm">https://www.sec.gov/litigation/litreleases/2020/lr24947.htm</a>.
---------------------------------------------------------------------------

    To help protect against harms that may result from a security 
incident involving customer information, the Commission is proposing to 
amend the safeguards rule to require that covered institutions' 
safeguards policies and procedures include a response program for 
unauthorized access to or use of customer information, which would 
include customer notification procedures.\64\ The proposed amendments 
would require the response program to be reasonably designed to detect, 
respond to, and recover from both unauthorized access to and 
unauthorized use of customer information (for the purposes of this 
release, an ``incident'').\65\ As noted above, any instance of 
unauthorized access to or use of customer information would trigger a 
covered institution's incident response protocol. The amendments would 
also require that the response program include procedures for notifying 
affected individuals whose sensitive customer information was, or is 
reasonably likely to have been, accessed or used without 
authorization.\66\
---------------------------------------------------------------------------

    \64\ See proposed rule 248.30(b)(3). For clarity, when the 
proposed amendments to the safeguards rule refer to ``unauthorized 
access to or use'', the word ``unauthorized'' modifies both 
``access'' and ``use.''
    \65\ See proposed rule 248.30(b)(3). See also infra section 
II.C.1 for a discussion of ``customer information.''
    \66\ See proposed rule 248.30(e)(9) for the definition of 
``sensitive customer information.'' See also infra section II.A.4, 
which includes a discussion of ``sensitive customer information.'' 
Notice would have to be provided unless a covered institution 
determines, after a reasonable investigation of the facts and 
circumstances of the incident of unauthorized access to or use of 
sensitive customer information, that sensitive customer information 
has not been, and is not reasonably likely to be, used in a manner 
that would result in substantial harm or inconvenience.
---------------------------------------------------------------------------

    In this regard, requiring covered institutions to have this type of 
incident response program could help mitigate the risk of harm to 
affected individuals stemming from such incidents. For example, having 
a response program should help covered institutions to be better 
prepared to respond to incidents, and providing notice to affected 
individuals should aid those individuals in taking protective measures 
that could mitigate harm that might otherwise result from unauthorized 
access to or use of their information. Further, a reasonably designed 
response program will help facilitate more consistent and systematic 
responses to customer information security incidents, and help avoid 
inadequate responses based on a covered institution's initial 
impressions of the scope of the information involved in the compromise. 
In addition, requiring the response program to address any incident 
involving customer information can help a covered institution better 
contain and control these incidents and facilitate a prompt recovery.
    The amendments would require that a covered institution's response 
program include policies and procedures containing certain general 
elements, but would not prescribe specific steps a covered institution 
must take when carrying out incident response activities. Instead, 
covered institutions may tailor their policies and procedures to their 
individual facts and circumstances. We recognize that given the number 
and varying characteristics (e.g., size, business, and complexity) of 
covered institutions, each such institution needs to be able to tailor 
its incident response program procedures based on its individual facts 
and circumstances. The proposed amendments therefore are intended to 
give covered institutions the flexibility to address the general 
elements in the response program based on the size and complexity of 
the institution and the nature and scope of its activities.
    Specifically, a covered institution's incident response program 
would be required to have written policies and procedures to:
    (i) assess the nature and scope of any incident involving 
unauthorized access to or use of customer information and identify the 
customer information systems and types of customer information that may 
have been accessed or used without authorization; \67\
---------------------------------------------------------------------------

    \67\ See proposed rule 248.30(b)(3)(i). The term ``customer 
information systems'' would mean the information resources owned or 
used by a covered institution, including physical or virtual 
infrastructure controlled by such information resources, or 
components thereof, organized for the collection, processing, 
maintenance, use, sharing, dissemination, or disposition of customer 
information to maintain or support the covered institution's 
operations. See proposed rule 248.30(e)(6).
---------------------------------------------------------------------------

    (ii) take appropriate steps to contain and control the incident to 
prevent

[[Page 20623]]

further unauthorized access to or use of customer information; \68\ and
---------------------------------------------------------------------------

    \68\ See proposed rule 248.30(b)(3)(ii).
---------------------------------------------------------------------------

    (iii) notify each affected individual whose sensitive customer 
information was, or is reasonably likely to have been, accessed or used 
without authorization in accordance with the notification obligations 
discussed below, unless the covered institution determines, after a 
reasonable investigation of the facts and circumstances of the incident 
of unauthorized access to or use of sensitive customer information, 
that the sensitive customer information has not been, and is not 
reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience.\69\
---------------------------------------------------------------------------

    \69\ See proposed rule 248.30(b)(3)(iii).
---------------------------------------------------------------------------

    The proposed response program is designed to further the objectives 
of the safeguards rule, particularly protecting against unauthorized 
access to or use of customer information. We have also proposed rules 
that would more broadly address general cybersecurity risks, with which 
the response program proposed in Regulation S-P is not inconsistent, as 
discussed in more detail below.\70\ Our recent proposals would require 
investment advisers, investment companies, and certain market entities 
\71\ to adopt and implement written policies and procedures that 
require measures to detect, respond to, and recover from a 
cybersecurity incident.\72\ The Investment Management Cybersecurity 
Proposal, including the cybersecurity response measures, is more 
broadly focused on investment advisers and investment companies and 
their operations. Among other objectives, the proposed measures would 
include policies and procedures reasonably designed to ensure the 
protection of adviser (or fund) information systems and adviser (or 
fund) information residing therein.\73\ Similarly, the Exchange Act 
Cybersecurity Proposal, which includes cybersecurity response measures, 
is more broadly focused on Market Entities and their operations, and 
would include policies and procedures reasonably designed to ensure the 
protection of the Market Entities' information systems and the 
information residing on those systems.
---------------------------------------------------------------------------

    \70\ See infra section II.G.1-II.G.2, which addresses areas that 
are related between the Regulation SCI Proposal and the Exchange Act 
Cybersecurity Proposal, as well as with the Investment Management 
Cybersecurity Proposal, respectively.
    \71\ The Exchange Act Cybersecurity Proposal rules would be 
applicable to ``Market Entities'' including: broker-dealers; 
clearing agencies; major security-based swap participants; the 
Municipal Securities Rulemaking Board; national securities 
exchanges; national securities associations (i.e., FINRA); security-
based swap data repositories; security-based swap dealers; and 
transfer agents (collectively, ``Covered Entities'') as well as 
broker-dealers that are non-Covered Entities. See Exchange Act 
Cybersecurity Proposal, supra note 57.
    \72\ See Investment Management Cybersecurity Proposal, supra 
note 55; Exchange Act Cybersecurity Proposal, supra note 57.
    \73\ See Investment Management Cybersecurity Proposal, supra 
note 55, at 13589 for definitions of ``fund information system'' and 
``fund information.''
---------------------------------------------------------------------------

    The response program proposed in Regulation S-P, however, is 
narrowly focused and the required incident response policies and 
procedures should be specifically tailored to address unauthorized 
access to or use of customer information, including procedures for 
assessing the nature and scope of such incidents and identifying the 
customer information and customer information systems that may have 
been accessed or used without authorization, as well as taking steps to 
contain and control the incident to prevent further unauthorized access 
to or use of customer information. Given the risk of harm posed to 
customers and other affected individuals by incidents involving 
customer information, it is important that covered institutions' 
policies and procedures be reasonably designed to implement an incident 
response under these circumstances.
    We request comment on the proposed rule's requirement that covered 
institutions' policies and procedures include an incident response 
program that is reasonably designed to detect, respond to, and recover 
from unauthorized access to or use of customer information, including 
the following:
    1. What best practices have commenters developed or become aware of 
with respect to the types of measures that can be implemented as part 
of an incident response program? Are there any measures commenters have 
found to be ineffective or relatively less effective? To the contrary, 
are there any measures that commenters have found to be effective, or 
relatively more effective?
    2. Should we require the response program procedures to set forth a 
specific timeframe for implementing incident response activities under 
Regulation S-P? For example, should the procedures state that incident 
response activities, such as assessment and containment, should 
commence promptly, or immediately, once an incident has been 
discovered?
    3. Are the proposed elements for the incident response program 
appropriate? Should we modify the proposed elements? For instance, 
should the rule prescribe more specific steps for incident response 
within the framework of the procedures, such as detailing the steps 
that an institution should take to assess the nature and scope of an 
incident, or to contain and control an incident? If so, please describe 
the steps and explain why they should be included. Alternatively, 
should the requirements for the incident response program be less 
prescriptive and more principles-based? If so, please describe how and 
why the requirements should be modified.
    4. Are there additional or different elements that should be 
included in an incident response program? For example, should the rule 
require procedures for taking corrective measures in response to an 
incident, such as securing accounts associated with the customer 
information at issue? Should the rule require procedures for monitoring 
customer information and customer information systems for unauthorized 
access to or use of those systems, and data loss as it relates to those 
systems? Should the rule require procedures for identifying the titles 
and roles of individuals or departments (e.g., managers, directors, and 
officers) who should be responsible for overseeing, implementing, and 
executing the incident response program, as well as procedures to 
determine compliance? If additional or different elements should be 
added, please describe the element, and explain why it should be 
included in the response program.
    5. Is the scope of the incident response program appropriate? For 
example, is the scope of the incident response program reasonably 
aligned with the vulnerability of the customer information at issue?
    <bullet> Should the incident response program be more limited in 
scope, so that it would only address incidents that involve 
unauthorized access to or use of a subset of customer information 
(e.g., sensitive customer information)? If so, please explain the 
subset of customer information that should require an incident response 
program.
    <bullet> Alternatively, should the incident response program be 
more expansive in scope, so that it would cover additional activity 
beyond unauthorized access to or use of customer information? For 
example, should the incident response program address cybersecurity 
incident response and recovery at large (i.e., should the rule require 
covered institutions to have a response program reasonably designed to 
detect, respond to, and recover from a cybersecurity incident)?
1. Assessment
    The Commission is proposing to require that the incident response 
program include procedures for: (1)

[[Page 20624]]

assessing the nature and scope of any incident involving unauthorized 
access to or use of customer information, and (2) identifying the 
customer information systems and types of customer information that may 
have been accessed or used without authorization.\74\ For example, a 
covered institution's assessment may include gathering information 
about the type of access, the extent to which systems or other assets 
have been affected, the level of privilege attained by any unauthorized 
persons, the operational or informational impact of the breach, and 
whether any data has been lost or exfiltrated.\75\ Examining a range of 
data sources could shed light on the incident timeline, and assessing 
affected systems and networks could help to identify additional 
anomalous activity that might be adversarial behavior.\76\
---------------------------------------------------------------------------

    \74\ See proposed rule 248.30(b)(3)(i). The proposed 
requirements related to assessing the nature and scope of a security 
incident are consistent with the components of a response program as 
set forth in the Banking Agencies' Incident Response Guidance. See 
Banking Agencies' Incident Response Guidance, supra note 47, at 
15752.
    \75\ See Cybersecurity and Infrastructure Security Agency 
(``CISA''), Cybersecurity Incident & Vulnerability Response 
Playbooks (Nov. 2021), at 10-13 (``CISA Incident Response 
Playbook''), available at <a href="https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf">https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf</a>. While the CISA Incident Response Playbook 
specifically provides Federal agencies with a standard set of 
procedures to respond to incidents impacting ``Federal Civilian 
Executive Branch'' networks, it may also be useful for the purpose 
of strengthening cybersecurity response practices and operational 
procedures for public and private sector entities in addition to the 
Federal government. See CISA, Press Release, CISA Releases Incident 
and Vulnerability Response Playbooks to Strengthen Cybersecurity for 
Federal Civilian Agencies (Nov. 16, 2021), available at <a href="https://www.cisa.gov/news/2021/11/16/cisa-releases-incident-and-vulnerability-response-playbooks-strengthen">https://www.cisa.gov/news/2021/11/16/cisa-releases-incident-and-vulnerability-response-playbooks-strengthen</a>. A list of the Federal 
Civilian Executive Branch agencies identified by CISA is available 
at <a href="https://www.cisa.gov/agencies">https://www.cisa.gov/agencies</a>. The National Institute of 
Standards and Technology (``NIST'') defines ``exfiltration'' as 
``the unauthorized transfer of information from a system.'' See NIST 
Special Publication 800-53, Revision 5, Security and Privacy 
Controls for Information Systems and Organizations, Appendix A at 
402 (Sept. 2020) available at <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-53r5.pdf</a>.
    \76\ See CISA Incident Response Playbook, supra note 75, at 10-
13. NIST defines ``adversary'' as ``[a]n entity that is not 
authorized to access or modify information, or who works to defeat 
any protections afforded the information.'' See NIST Special 
Publication 800-107, Recommendation for Applications Using Approved 
Hash Algorithms, Section 3.1 Terms and Definitions, at 3 (Aug. 
2012), available at <a href="https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf">https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-107r1.pdf</a>.
---------------------------------------------------------------------------

    The assessment requirement is designed to require a covered 
institution to identify both the customer information systems and types 
of customer information that may have been accessed or used without 
authorization during the incident, as well as the specific customers 
affected, which would be necessary to fulfill the obligation to notify 
affected individuals. Covered institutions generally should evaluate 
and adjust their assessment procedures periodically, regardless of any 
specific regulatory requirement, to ensure they remain reasonably 
designed to accomplish their goals. In addition, assessment should help 
facilitate the evaluation of whether sensitive customer information has 
been accessed or used without authorization, which informs whether 
notice would have to be provided, as discussed below. A covered 
institution's assessment may also be useful for collecting other 
information that is required to populate the notice, such as 
identifying the date or estimated date of the incident, among other 
details. Information developed during the assessment process may also 
help covered institutions develop a contextual understanding of the 
circumstances surrounding an incident, as well as enhance their 
technical understanding of the incident, which should be helpful in 
guiding incident response activities such as containment and control 
measures. The assessment process may also be helpful for identifying 
and evaluating existing vulnerabilities that could benefit from 
remediation in order to prevent such vulnerabilities from being 
exploited in the future.
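The assessment elements described above (type of access, systems and record types touched, level of privilege attained, exfiltration, the incident timeline, and pivoting from affected systems to additional anomalous activity) can be made concrete as scoping logic run over audit logs. The following is an added example and is not part of the Commission's release or of any cited guidance. The pipe-delimited log format, the role ranking, the list of data-moving actions, the set of record types treated as sensitive, and the sample log lines are all constructed assumptions; a covered institution would substitute its own log sources and its own data classification. The determination of whether substantial harm or inconvenience is reasonably likely is a judgment the procedures must assign to people and is deliberately not automated here.

```python
"""Scope an incident from constructed audit-log lines (added example).

Assumptions, none taken from the proposed rule:
  * log line: ts|system|account|role|src_ip|action|record_type|customer_id|bytes_out
  * the initially reported compromised accounts and the time the report
    says the compromise began are the starting indicators
  * ROLE_RANK, EXFIL_ACTIONS and SENSITIVE_TYPES are hypothetical tables
"""
from dataclasses import dataclass, field
from datetime import datetime

ROLE_RANK = {"readonly": 1, "user": 2, "support": 3, "admin": 4}
EXFIL_ACTIONS = {"export", "bulk_download"}        # actions that move data out
SENSITIVE_TYPES = {"ssn", "account_number"}        # assumed classification only

# Constructed sample log. The attacker works from 203.0.113.7; alice's 09:12
# access from an internal address is legitimate and must not be swept in.
SAMPLE_LOG = """\
2023-02-28T21:05:00|portal|bob|support|203.0.113.7|read|contact|C104|0
2023-03-01T09:12:00|crm|alice|user|10.0.0.5|read|contact|C100|0
2023-03-01T22:40:10|crm|alice|user|203.0.113.7|read|ssn|C101|0
2023-03-01T22:41:55|crm|alice|user|203.0.113.7|read|ssn|C102|0
2023-03-01T22:50:03|portal|alice|admin|203.0.113.7|export|account_number|C103|52000
2023-03-02T08:00:00|crm|carol|user|10.0.0.9|read|contact|C105|0
"""


@dataclass
class Event:
    ts: datetime
    system: str
    account: str
    role: str
    src_ip: str
    action: str
    record_type: str
    customer_id: str
    bytes_out: int


def parse_line(line: str) -> Event:
    f = line.strip().split("|")
    if len(f) != 9:
        raise ValueError(f"malformed log line: {line!r}")
    return Event(datetime.fromisoformat(f[0]), f[1], f[2], f[3], f[4],
                 f[5], f[6], f[7], int(f[8]))


@dataclass
class Scope:
    first_seen: datetime                 # date or estimated date of the incident
    last_seen: datetime
    systems: set[str] = field(default_factory=set)
    record_types: set[str] = field(default_factory=set)
    affected_customers: set[str] = field(default_factory=set)
    sensitive_customers: set[str] = field(default_factory=set)   # notice candidates
    highest_role: str = "readonly"
    bytes_exfiltrated: int = 0
    pivot_accounts: set[str] = field(default_factory=set)        # need analyst follow-up


def assess(log_text: str, compromised_accounts: set[str], reported_at: str) -> Scope:
    """Scope the incident from known-compromised accounts and pivot on attacker IPs."""
    events = sorted((parse_line(l) for l in log_text.splitlines() if l.strip()),
                    key=lambda e: e.ts)
    start = datetime.fromisoformat(reported_at)
    seed = [e for e in events if e.account in compromised_accounts and e.ts >= start]
    if not seed:
        raise ValueError("no events for the reported accounts; widen the log window")
    # Pivot once on the source addresses the attacker used: any activity from those
    # addresses, by any account and at any time, is in scope and may move the
    # estimated start of the incident earlier than the initial report.
    attacker_ips = {e.src_ip for e in seed}
    incident = [e for e in events
                if (e.account in compromised_accounts and e.ts >= start)
                or e.src_ip in attacker_ips]
    scope = Scope(first_seen=incident[0].ts, last_seen=incident[-1].ts)
    for e in incident:
        scope.systems.add(e.system)
        scope.record_types.add(e.record_type)
        scope.affected_customers.add(e.customer_id)
        if e.record_type in SENSITIVE_TYPES:
            scope.sensitive_customers.add(e.customer_id)
        if ROLE_RANK[e.role] > ROLE_RANK[scope.highest_role]:
            scope.highest_role = e.role
        if e.action in EXFIL_ACTIONS:
            scope.bytes_exfiltrated += e.bytes_out
        if e.account not in compromised_accounts:
            scope.pivot_accounts.add(e.account)
    return scope


if __name__ == "__main__":
    s = assess(SAMPLE_LOG, {"alice"}, "2023-03-01T22:30:00")
    print(f"window {s.first_seen} .. {s.last_seen}; systems {sorted(s.systems)}")
    print(f"privilege {s.highest_role}; exfiltrated {s.bytes_exfiltrated} bytes")
    print(f"sensitive-data customers {sorted(s.sensitive_customers)}; "
          f"accounts to investigate {sorted(s.pivot_accounts)}")
```

On the sample data the pivot pulls in bob's earlier session from the attacker address, so the estimated start of the incident is a day before the user's report, and bob is flagged for investigation rather than silently treated as compromised. The pivot is deliberately a single step: iterating account-to-IP-to-account to a fixpoint over-scopes quickly behind shared NAT addresses, so the expansion is left to the analyst.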
    We request comment on the proposed rule's requirements related to 
assessing the nature and scope of any incident involving unauthorized 
access to or use of customer information, including the following:
    6. Should we provide additional examples for consideration in 
assessing the nature and scope of an incident, beyond the examples 
provided above (e.g., type of access, the extent to which systems or 
other assets have been affected, the level of privilege attained by any 
unauthorized persons, the operational or informational impact of the 
breach, and whether any data has been lost or exfiltrated)?
    7. Should we require that the assessment include the specific 
components referenced in the above question?
    8. Should we require any specific training for personnel performing 
assessments of security incidents? Should the training have to 
encompass security updates and training sufficient to address relevant 
security risks?
    9. Various rules applicable to certain entities require, among 
other things, the review, testing, verification, and/or amendment of 
policies and procedures at regular intervals.\77\ Should we 
specifically require covered institutions to evaluate and adjust, as 
appropriate, the assessment procedures periodically in this rule? If 
so, how frequently should the evaluation occur? Should we require any 
testing (such as a practice exercise) of a covered institution's 
assessment process?
---------------------------------------------------------------------------

    \77\ See e.g., Rule 38a-1(a)(3) under the Investment Company 
Act; FINRA Rule 3120 (Supervisory Control System) and FINRA Rule 
3130 (Annual Certification of Compliance and Supervisory Processes).
---------------------------------------------------------------------------

    10. Would covered institutions expect to use third parties to 
conduct these assessments? If so, to what extent and in what manner? 
Should there be any additional or specific requirements for third 
parties that conduct assessments? Why or why not?
2. Containment and Control
    The Commission is proposing to require that the response program 
have procedures for taking appropriate steps to contain and control a 
security incident, to prevent further unauthorized access to or use of 
customer information.\78\ The objective of containment and control is 
to prevent additional damage from unauthorized activity and to reduce 
the immediate impact of an incident by removing the source of the 
unauthorized activity.\79\ Covered institutions generally should 
evaluate and revise their containment and control procedures 
periodically, regardless of any specific regulatory requirement, to 
ensure they remain reasonably designed to accomplish their goals. 
Strategies for containing and controlling an incident vary depending 
upon the type of incident and may include, for example, isolating 
compromised systems or enhancing the monitoring of intruder activities, 
searching for additional compromised systems, changing system 
administrator passwords, rotating private keys, and changing or 
disabling default user accounts and passwords, among other 
interventions. Some standards advise that after ensuring that all means 
of persistent access into the network have been accounted for, and any 
intrusive

[[Page 20625]]

activity has been sufficiently contained, the artifacts of the incident 
should also be eliminated (e.g., by removing malicious code or re-
imaging infected systems) and vulnerabilities or other conditions that 
were exploited to gain unauthorized access should be mitigated.\80\
---------------------------------------------------------------------------

    \78\ See proposed rule 248.30(b)(3)(ii). These proposed 
requirements are consistent with the components of a response 
program as set forth in the Banking Agencies' Incident Response 
Guidance. See Banking Agencies' Incident Response Guidance, supra 
note 47, at 15752.
    \79\ For a further discussion of the purposes and practices of 
such containment measures, see generally CISA Incident Response 
Playbook, supra note 75, at 14; see also Federal Financial 
Institutions Examination Council (``FFIEC''), Information Technology 
Examination Handbook--Information Security (Sept. 2016), at 52, 
available at <a href="https://ithandbook.ffiec.gov/media/274793/ffiec_itbooklet_informationsecurity.pdf">https://ithandbook.ffiec.gov/media/274793/ffiec_itbooklet_informationsecurity.pdf</a>.
    \80\ See, e.g., CISA Incident Response Playbook, supra note 75, 
at 15.
---------------------------------------------------------------------------

    Additional eradication activities may include, for example, 
remediating all infected IT environments (e.g., cloud, operational 
technology, hybrid, host, and network systems), resetting passwords on 
compromised accounts, and monitoring for any signs of adversary 
response to containment activities. Because incident response may 
involve making complex judgment calls, such as deciding when to shut 
down or disconnect a system, developing and implementing written 
containment and control policies and procedures will provide a 
framework to help facilitate improved decision making at covered 
institutions during potentially high-pressure incident response 
situations.
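The containment and eradication steps listed above (rotating credentials and keys, disabling default accounts, accounting for every means of persistent access, and monitoring for adversary response to containment) are only useful if the team can verify they were completed. The following is an added example of such a verification and is not part of the Commission's release or of the CISA or FFIEC guidance it cites. Every data source in it is constructed for illustration: the credential identifiers, the rotation and authentication logs, the persistence snapshots and the default-account table are assumptions, not a real environment.

```python
"""Verify containment and eradication against constructed evidence (added example).

Assumptions: the assessment phase produced the set of credentials and source
addresses the attacker used; the institution keeps a known-good inventory of
persistence points per host; rotation and authentication events are logged in
the pipe-delimited formats below.
"""
from dataclasses import dataclass, field
from datetime import datetime

INCIDENT_CREDENTIALS = {"alice/password", "svc-backup/api-key", "deploy/ssh-key"}
ATTACKER_IPS = {"203.0.113.7"}
CONTAINMENT_COMPLETE = "2023-03-02T12:00:00"   # when the team declared containment done

# Constructed rotation log: ts|credential_id|action  (rotated | revoked)
ROTATION_LOG = """\
2023-03-02T10:05:00|alice/password|rotated
2023-03-02T10:20:00|svc-backup/api-key|revoked
"""
# Constructed auth log: ts|credential_id|src_ip|result  (ok | fail)
AUTH_LOG = """\
2023-03-02T09:00:00|alice/password|203.0.113.7|ok
2023-03-02T13:10:00|alice/password|203.0.113.7|fail
2023-03-02T13:11:30|svc-backup/api-key|203.0.113.7|ok
2023-03-02T14:00:00|carol/password|10.0.0.9|ok
"""
# Constructed persistence inventories per host (kind=value): known-good vs. now.
BASELINE = {"portal-01": {"cron=/etc/cron.d/backup", "authorized_key=deploy@ci"}}
CURRENT = {"portal-01": {"cron=/etc/cron.d/backup", "authorized_key=deploy@ci",
                         "cron=/var/tmp/.x", "service=update-helper"}}
# Constructed default-account table: account -> currently enabled?
DEFAULT_ACCOUNTS = {"admin": False, "guest": True}


@dataclass
class Report:
    unrotated: set[str] = field(default_factory=set)
    revoked_still_accepted: list[str] = field(default_factory=list)
    adversary_activity: list[str] = field(default_factory=list)
    residual_persistence: dict[str, set[str]] = field(default_factory=dict)
    enabled_defaults: set[str] = field(default_factory=set)

    def contained(self) -> bool:
        return not (self.unrotated or self.revoked_still_accepted or self.adversary_activity
                    or self.residual_persistence or self.enabled_defaults)


def _rows(text: str) -> list[list[str]]:
    return [line.split("|") for line in text.splitlines() if line.strip()]


def verify(incident_creds, attacker_ips, containment_complete, rotation_log, auth_log,
           baseline, current, default_accounts) -> Report:
    r = Report()
    done = datetime.fromisoformat(containment_complete)
    # 1. Every credential the attacker held must have been rotated or revoked
    #    before containment was declared complete.
    rotated_at = {cred: datetime.fromisoformat(ts) for ts, cred, _ in _rows(rotation_log)}
    r.unrotated = {c for c in incident_creds if c not in rotated_at or rotated_at[c] > done}
    # 2. A rotated credential must never authenticate again (a success means the
    #    revocation did not propagate, e.g. a cached token), and any attempt from
    #    attacker infrastructure after containment is the adversary responding.
    for ts, cred, ip, result in _rows(auth_log):
        t = datetime.fromisoformat(ts)
        if cred in rotated_at and t > rotated_at[cred] and result == "ok":
            r.revoked_still_accepted.append(f"{ts} {cred} accepted from {ip}")
        if ip in attacker_ips and t > done:
            r.adversary_activity.append(f"{ts} {cred} {result} from {ip}")
    # 3. Persistence points absent from the known-good inventory are residual access.
    for host, now in current.items():
        extra = now - baseline.get(host, set())
        if extra:
            r.residual_persistence[host] = extra
    # 4. Default accounts must be disabled.
    r.enabled_defaults = {acct for acct, enabled in default_accounts.items() if enabled}
    return r


if __name__ == "__main__":
    rep = verify(INCIDENT_CREDENTIALS, ATTACKER_IPS, CONTAINMENT_COMPLETE, ROTATION_LOG,
                 AUTH_LOG, BASELINE, CURRENT, DEFAULT_ACCOUNTS)
    print("contained:", rep.contained())
    for name in ("unrotated", "revoked_still_accepted", "adversary_activity",
                 "residual_persistence", "enabled_defaults"):
        print(f"  {name}: {getattr(rep, name)}")
```

On the constructed evidence the report is not clean: one SSH key was never rotated, the revoked API key was still accepted after revocation, two post-containment attempts came from the attacker's address, the host carries a cron entry and a service that the known-good inventory does not, and a default account is still enabled. Each finding maps back to one of the steps in the paragraph above, which is the point of writing the containment procedure as checks that can fail rather than as a list of tasks.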
    We request comment on the proposed rule's requirement that the 
incident response program have procedures for taking appropriate steps 
to contain and control a security incident, including the following:
    11. Should there be additional or more specific requirements for 
containing and controlling a breach of a customer information system? 
Should the rule prescribe specific minimum steps that need to be taken 
to remediate any identified weaknesses in customer information systems 
and associated controls? For example, should we require that a covered 
institution's containment or control activities be consistent with any 
current governmental or industry standards or guidance, such as 
standards disseminated by NIST, guidance disseminated by CISA, or 
others? \81\
---------------------------------------------------------------------------

    \81\ Examples of such standards and guidance include the NIST 
Computer Security Incident Handling Guide (NIST Special Publication 
800-61, Revision 2, available at <a href="https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final">https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final</a>) and the CISA Incident Response 
Playbook, supra note 75, among others.
---------------------------------------------------------------------------

    12. Are the examples of steps that may be taken to contain and 
control an incident (e.g., isolating compromised systems or enhancing 
the monitoring of intruder activities, searching for additional 
compromised systems, changing system administrator passwords, rotating 
private keys, and changing or disabling default user accounts and 
passwords) appropriate? Are there any additional examples of steps that 
could be taken to contain and control an incident that should be 
provided?
    13. Are the examples of remediation and eradication activities 
provided (e.g., remediating all infected IT environments (such as 
cloud, operational technology, hybrid, host, and network systems), 
resetting passwords on compromised accounts, and monitoring for any 
signs of adversary response to containment activities) appropriate? Are 
there any additional examples of remediation or eradication activities 
that should be provided?
    14. Should the rule require that a covered institution evaluate and 
revise its incident response plan following a customer information 
incident?
    15. Various rules applicable to certain entities require, among 
other things, the review, testing, verification, and/or amendment of 
policies and procedures at regular intervals.\82\ Should we 
specifically require covered institutions to evaluate and revise 
containment and control procedures related to preventing unauthorized 
access to or use of customer information periodically? If so, how 
frequently should the evaluation occur? For example, should a covered 
institution be required to evaluate and revise these containment and 
control procedures at least annually?
---------------------------------------------------------------------------

    \82\ See e.g., Rule 38a-1(a)(3) under the Investment Company 
Act; FINRA Rule 3120 (Supervisory Control System) and FINRA Rule 
3130 (Annual Certification of Compliance and Supervisory Processes).
---------------------------------------------------------------------------

    16. Who should be responsible for making decisions related to 
containment and control? Should the rule require covered institutions 
to designate specific personnel to be responsible for making decisions 
related to containment and control? For example, should a covered 
institution have to identify specific personnel with sufficient 
cybersecurity qualifications and experience to either determine if an 
incident has been contained or controlled themselves, or hire a third 
party who has the requisite cybersecurity and recovery expertise to 
perform containment and control functions? If so, what type of 
qualifications or experience are useful for informing decisions related 
to containment and control? Or should it be the same individuals who 
are designated to perform incident response and recovery related 
functions for cybersecurity incidents under the Investment Management 
Cybersecurity Proposal and the Exchange Act Cybersecurity Proposal?
3. Service Providers
    We understand that a covered institution may contract with third-
party service providers to perform certain business activities and 
functions, for example, trading and order management, information 
technology functions, and cloud computing services, among others, in a 
practice commonly referred to as outsourcing.\83\ As a result of this 
outsourcing, service providers may receive, maintain, or process 
customer information, or be permitted to access a covered institution's 
customer information systems. These outsourcing relationships or 
activities may expose covered institutions and their customers to risk 
through the covered institutions' service providers, including risks 
related to system resiliency and the ability of a service provider to 
protect customer information and systems (including service provider 
incident response programs). Moreover, a security incident at a service 
provider could lead to the unauthorized access to or use of customer 
information or customer information systems, which could potentially 
result in harm to customers. For example, a bad actor could use a 
service provider's access to a covered institution's systems to 
infiltrate the covered institution's network through a cybersecurity 
compromise in the supply chain,\84\ which is a vector that can be used 
to conduct a data breach, and thereby gain unauthorized access to the 
covered institution's customer information and customer information 
systems through

[[Page 20626]]

an initial compromise at the service provider.\85\
---------------------------------------------------------------------------

    \83\ See, e.g., Outsourcing by Investment Advisers, Investment 
Advisers Act Release No. 6176 (Oct. 26, 2022) [87 FR 68816 (Nov. 16, 
2022)] (``Adviser Outsourcing Proposal''); FINRA Notice to Members 
05-48, Members' Responsibilities When Outsourcing Activities to 
Third-Party Service Providers (July 28, 2005), available at <a href="https://www.finra.org/rules-guidance/notices/05-48">https://www.finra.org/rules-guidance/notices/05-48</a>.
    \84\ NIST defines a ``cybersecurity compromise in the supply 
chain'' as ``an occurrence within the supply chain whereby the 
confidentiality, integrity, or availability of a system or the 
information the system processes, stores, or transmits is 
jeopardized. A supply chain incident can occur anywhere during the 
life cycle of the system, product or service.'' See NIST, Special 
Publication NIST SP 800-161r1, Cybersecurity Supply Chain Risk 
Management Practices for Systems and Organizations, Glossary at 299, 
available at <a href="https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf">https://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-161r1.pdf</a>. According to NIST, key cybersecurity supply 
chain risks include risks from third-party service providers with 
physical or virtual access to information systems, software code, or 
intellectual property. See NIST, Best Practices in Cyber Supply 
Chain Risk Management, Conference Materials (``NIST Best Practices 
in Cyber Supply Chain Risk Management''), available at <a href="https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf">https://csrc.nist.gov/CSRC/media/Projects/Supply-Chain-Risk-Management/documents/briefings/Workshop-Brief-on-Cyber-Supply-Chain-Best-Practices.pdf</a>.
    \85\ For example, in a 2013 cyber supply chain attack, a bad 
actor breached the Target Corporation's network and was able to 
steal personal information for up to 70 million customers. The bad 
actor was able to gain a foothold in Target's network through a 
third-party vendor. See U.S. Senate, Committee on Commerce, Science, 
and Transportation, A ``Kill Chain'' Analysis of the 2013 Target 
Data Breach, Majority Staff Report (Mar. 26, 2014), available at 
<a href="https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883">https://www.commerce.senate.gov/services/files/24d3c229-4f2f-405d-b8db-a3a67f183883</a>.
---------------------------------------------------------------------------

    Under the proposed amendments, we propose to define the term 
``service provider'' to mean any person or entity that is a third party 
and receives, maintains, processes, or otherwise is permitted access to 
customer information through its provision of services directly to a 
covered institution.\86\ This definition would include affiliates of 
covered institutions if they are permitted access to this information 
through their provision of services. The proposed scope is intended to 
help protect against the risk of harm that may arise from third-party 
access to a covered institution's customer information and customer 
information systems. For example, in 2015, Division of Examinations 
staff released observations following the examinations of some 
institutions' cybersecurity policies and procedures relating to vendors 
and other business partners, which revealed mixed results with respect 
to whether the firms incorporated requirements related to cybersecurity 
risk into their contracts with vendors and business partners.\87\
---------------------------------------------------------------------------

    \86\ See proposed rule 248.30(e)(10).
    \87\ See EXAMS, Cybersecurity Examination Sweep Summary, 
National Exam Program Risk Alert, Volume IV, Issue 4 (Feb. 3, 2015), 
at 4, available at <a href="https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf">https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf</a>.
---------------------------------------------------------------------------

    Given the potential for bad actors to target third parties with 
access to a covered institution's systems, it is important to help 
mitigate the risk of harm posed by security compromises that may occur 
at service providers. For example, a covered institution could retain a 
cloud service provider to maintain its books and records.\88\ A 
security incident at this cloud service provider that resulted in 
unauthorized access to or use of these books and records could create a 
risk of substantial harm to the covered institution's customers and 
trigger a need for notification to allow the affected customers to 
address this risk. Because service providers would be obligated to 
notify a covered institution in the event of security breaches 
involving customer information systems, as discussed below, this could 
potentially help covered institutions implement their own incident 
response protocol more quickly and efficiently after such breaches, 
which would include notifying affected individuals as needed.
---------------------------------------------------------------------------

    \88\ According to NIST, key cybersecurity supply chain risks 
include risks from third-party data storage or data aggregators. See 
NIST Best Practices in Cyber Supply Chain Risk Management, supra 
note 84.
---------------------------------------------------------------------------

    The proposed amendments would require that a covered institution's 
incident response program include written policies and procedures that 
address the risk of harm posed by security compromises at service 
providers.\89\ Specifically, these policies and procedures would 
require covered institutions, pursuant to a written contract between 
the covered institution and its service providers, to require service 
providers to take appropriate measures that are designed to protect 
against unauthorized access to or use of customer information.\90\ 
Appropriate measures would include the obligation for a service 
provider to notify a covered institution as soon as possible, but no 
later than 48 hours after becoming aware of a breach, in the event of 
any breach in security that results in unauthorized access to a 
customer information system maintained by the service provider, in 
order to enable the covered institution to implement its incident 
response program expeditiously.\91\ In addition, we are not limiting 
entities that can provide customer notification for or on behalf of 
covered institutions. A covered institution may, as part of its 
incident response program, enter into a written agreement with its 
service provider to have the service provider notify affected 
individuals on its behalf in accordance with the notification 
obligations discussed below.\92\ In that circumstance, the covered 
institution could delegate performance of its notice obligation to a 
service provider through written agreement, but the covered institution 
would remain responsible for any failure to provide a notice as 
required by the proposed rules, if adopted.\93\
---------------------------------------------------------------------------

    \89\ See proposed rule 248.30(b)(5)(i).
    \90\ Id.
    \91\ Id.
    \92\ See proposed rule 248.30(b)(5)(ii).
    \93\ Covered institutions may delegate other functions to 
service providers, such as a reasonable investigation to determine 
whether sensitive customer information has not been, and is not 
reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience. Covered institutions would remain 
responsible for these functions even if they are delegated to 
service providers.
---------------------------------------------------------------------------

    We request comment on the proposed requirements related to service 
providers, including the following:
    17. Should we modify the proposed definition of ``service 
provider''? For example, should we exclude a covered institution's 
affiliates from the definition? Alternatively, should we define 
``service provider'' in this rule in a manner similar to proposed rule 
206(4)-11 under the Investment Advisers Act? Are there any other 
alternative definitions of ``service provider'' that should be used? 
\94\
---------------------------------------------------------------------------

    \94\ See Adviser Outsourcing Proposal supra note 83. In proposed 
rule 206(4)-11, ``service provider'' would mean a person or entity 
that performs one or more covered functions, and is not a supervised 
person as defined in 15 U.S.C. 80b-2(a)(25) of the Investment 
Advisers Act, of the investment adviser. In the proposal, a 
``covered function'' would mean a function or service that is 
necessary for the investment adviser to provide its investment 
advisory services in compliance with the Federal securities laws, 
and that, if not performed or performed negligently, would be 
reasonably likely to cause a material negative impact on the 
adviser's clients or on the adviser's ability to provide investment 
advisory services. In the proposal, a covered function would not 
include clerical, ministerial, utility, or general office functions 
or services.
---------------------------------------------------------------------------

    18. Should there be additional or more specific requirements for 
entities that are included in the definition of ``service providers?''
    19. The proposed definition of service providers applies to 
entities that receive, maintain or process customer information, or are 
permitted access to a covered institution's customer information. Is 
this scope of activities appropriate? Should we exclude any of these 
activities? Should we include any other activities?
    20. To what extent do covered institutions already have written 
policies and procedures that include contractually requiring service 
providers to take appropriate measures designed to protect against 
unauthorized access to or use of customer information? For example, to 
what extent have contractual requirements been incorporated pursuant to 
an exception from Regulation S-P's opt-out requirements for service 
providers and joint marketing provided by 17 CFR 248.13, which is 
conditioned on having a contractual agreement prohibiting the service 
provider from disclosing or using customer information other than to 
carry out the purposes for which it is disclosed, or pursuant to 
Regulation S-ID's requirements \95\ at 17 CFR

[[Page 20627]]

248.201(d)(2)(iii) to respond appropriately to any detected identity 
theft red flags to prevent and mitigate identity theft, and under 17 
CFR 248.201(e)(4) to exercise appropriate and effective oversight of 
service provider arrangements?
---------------------------------------------------------------------------

    \95\ See 17 CFR 248.201(d)(2)(iii) and (e)(4). As discussed 
further below, Regulation S-ID, among other things, requires 
financial institutions subject to the Commission's jurisdiction with 
covered accounts to develop and implement a written identity theft 
prevention program that is designed to detect, prevent, and mitigate 
identity theft in connection with covered accounts, which must 
include, among other things, policies and procedures to respond 
appropriately to any red flags that are detected pursuant to the 
program. See also infra note 547.
---------------------------------------------------------------------------

    21. The proposed rule would require policies and procedures 
requiring a covered institution, by contract, to require that its 
service providers take appropriate measures designed to protect against 
unauthorized access to or use of customer information, including 
notification to a covered institution in the event of certain types of 
breaches in security. Are there any contexts in which a written 
contract may be more feasible than others? Rather than using a 
contractual approach to implement this requirement that a covered 
institution take the required appropriate measures, should the rule 
require policies and procedures that require due diligence of or some 
type of reasonable assurances from its service providers? What should 
reasonable assurances include? For example, should they cover 
notification to the covered institution as soon as possible in the 
event of any breach in security resulting in unauthorized access to a 
customer information system maintained by the service provider to 
enable the covered institution to implement its response program? Are 
there other reasonable assurances we should require? Alternatively, 
should we only require disclosure of whether a covered institution has 
or does not have a written contract with service providers?
    22. Should there be a written contract requirement for certain 
service providers and not others? For example, should the rule identify 
a sub-set of service providers as critical service providers and 
require a written agreement in those circumstances only, and if so, 
what service providers should be included?
    23. Are there other methods that we should permit or require 
covered institutions to use to help ensure that service providers take 
appropriate measures that are designed to protect against unauthorized 
access to or use of customer information (for example, a security 
certification or representation)? Should we have different requirements 
for smaller covered institutions?
    24. The proposed rule would require policies and procedures 
requiring a covered institution, by contract, to require its service 
providers to provide notification to a covered institution as soon as 
possible, but no later than 48 hours after becoming aware of a breach, 
in the event of any breach in security resulting in unauthorized access 
to a customer information system maintained by the service provider. Is 
``as soon as possible, but no later than 48 hours after becoming aware 
of a breach'' an appropriate timeframe for service providers to provide 
notification to a covered institution after such a breach occurs? Why 
or why not? Should we use a different timeframe such as ``as soon as 
practicable''?
    25. Is it appropriate to permit covered institutions to delegate 
providing notice to service providers? If service providers are 
permitted to provide notice on behalf of covered institutions, should 
there be additional or specific requirements for a service provider 
that provides notification on behalf of a covered institution? If so, 
please describe those requirements and why they should be included.
    26. The proposed rule would set forth that as part of its incident 
response program, a covered institution may enter into a written 
agreement with its service provider for the service provider to notify 
affected individuals on its behalf (i.e., to delegate the notice 
functions required under the rule to service providers while remaining 
responsible for the notice obligation). Should we set forth that a 
covered institution may enter into a written agreement with its service 
provider for other potentially delegated functions as discussed in this 
proposal? For example, should we set forth that a covered institution 
may enter into a written agreement for delegating the performance of a 
reasonable investigation (e.g., to determine whether sensitive customer 
information has not been, and is not reasonably likely to be, used in a 
manner that would result in substantial harm or inconvenience) to a 
service provider? Should we set forth that a covered institution may 
enter into a written agreement for delegating the performance of 
assessment activities, or containment and control activities, to a 
service provider? Additionally, is it appropriate for a service 
provider to assist with these functions, with the responsibility 
remaining with the covered institution? Why or why not?
    27. To what extent do service providers sub-delegate functions 
provided in this proposal to third parties? If so, how should the rule 
address sub-delegations between service providers and third parties?
4. Notice to Affected Individuals
    Under the proposed amendments, a covered institution must notify 
each affected individual whose sensitive customer information was, or 
was reasonably likely to have been, accessed or used without 
authorization, unless the covered institution has determined, after a 
reasonable investigation of the incident, that sensitive customer 
information has not been, and is not reasonably likely to be, used in a 
manner that would result in substantial harm or inconvenience. The 
covered institution must provide a clear and conspicuous notice to each 
affected individual by a means designed to ensure that the individual 
can reasonably be expected to receive actual notice in writing. The 
notice must be provided as soon as practicable, but not later than 30 
days, after the covered institution becomes aware that unauthorized 
access to or use of customer information has occurred or is reasonably 
likely to have occurred.
a. Standard for Providing Notice
    The proposed amendments would create an affirmative requirement for 
a covered institution to provide notice to individuals whose sensitive 
customer information was, or is reasonably likely to have been, 
accessed or used without authorization.\96\ These notices would be 
designed to give affected individuals an opportunity to respond to and 
remediate issues arising from an information security incident, such as 
monitoring credit reports for unauthorized activity, placing fraud 
alerts on relevant accounts, or changing passwords used to access 
accounts.\97\ Such measures, when taken in a timely fashion, may help 
affected individuals avoid or mitigate the risk of substantial harm or 
inconvenience (``harm risk''),\98\ and in an environment of expanded 
risk of cyber incidents,\99\ taking such actions may be particularly 
important to protect individuals. Conversely, giving covered 
institutions greater discretion to determine whether and when to 
provide notices could jeopardize affected

[[Page 20628]]

individuals' ability to evaluate the risk of harm posed by an incident 
and choose how to respond to and remediate it.
---------------------------------------------------------------------------

    \96\ See proposed rule 248.30(b)(3)(iii). As noted above, a 
covered institution could delegate its responsibility for providing 
notice to an affected individual to a service provider, by contract, 
but the covered institution would remain responsible for any failure 
to provide a notice as required by the proposed rules. See infra 
section II.A.
    \97\ Affected individuals include individuals with whom the 
covered institution has a customer relationship, or are individuals 
that are customers of other financial institutions whose information 
has been provided to the covered institution, and whose sensitive 
information was, or is reasonably likely to have been, accessed or 
used without authorization. See infra note 127.
    \98\ See infra section II.A.4.e (Timing Requirements); see also 
supra note 7 and accompanying text (addressing environment of 
expanded risks).
    \99\ See supra note 7 and accompanying text.
---------------------------------------------------------------------------

    A covered institution would not have to provide notice if, after a 
reasonable investigation of the facts and circumstances of the incident 
of unauthorized access to or use of sensitive customer information, it 
determines that sensitive customer information has not been, and is not 
reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience.\100\ To be clear, although the 
incident response program would be required to address information 
security incidents involving any form of customer information, the 
notice requirement would only be triggered by unauthorized access to or 
use of sensitive customer information.\101\ Unauthorized access to or 
use of sensitive customer information presents an increased risk of 
harm to the affected individual and accordingly is the appropriate 
trigger for customer notification.\102\
---------------------------------------------------------------------------

    \100\ See proposed rule 248.30(b)(3)(iii). In 2003, the Banking 
Agencies also proposed a similar standard for customer notification, 
though it was not ultimately adopted. See Interagency Guidance on 
Response Programs for Unauthorized Access to Customer Information 
and Customer Notice, 68 FR 47954 (Aug. 12, 2003) (``Banking 
Agencies' Proposing Release''). The proposed guidance stated that an 
institution should notify affected customers whenever it becomes 
aware of unauthorized access to sensitive customer information, 
unless the institution, after an appropriate investigation, 
reasonably concludes that misuse of the information is unlikely to 
occur. See id. at 47960. In adopting the Banking Agencies' Incident 
Response Guidance, the Banking Agencies indicated that they wanted 
to give institutions greater discretion in determining whether to 
send notices, to avoid alarming customers with too many notices and 
not to require institutions to prove a negative. See the Banking 
Agencies' Incident Response Guidance, supra note 47, at 15743. We 
preliminarily believe, however, that a presumption that individuals 
would be timely provided with the information in the notifications 
would enable them to make their own determinations regarding the 
incident.
    \101\ See infra section II.A.4.a and section II.A.4.b.
    \102\ Customer information that is not disposed of properly 
could trigger the requirement to notify affected individuals under 
proposed rule 248.30(b)(4)(i). For example, a covered institution 
whose employee leaves un-shredded customer files containing 
sensitive customer information in a dumpster accessible to the 
public would be required to notify affected customers, unless the 
institution has determined that sensitive customer information has 
not been, and is not reasonably likely to be, used in a manner that 
would result in substantial harm or inconvenience.
---------------------------------------------------------------------------

    The proposed amendment is designed to permit covered institutions 
to rebut the affirmative presumption of notification based on a 
reasonable investigation of the facts and circumstances of the incident 
of unauthorized access to or use of sensitive customer information. 
Such an investigation would have to provide a sufficient basis for the 
determination that sensitive customer information has not been, and is 
not reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience. In these limited circumstances, the 
proposed amendments would not require the covered institution to 
provide a notice.
    In contrast, if a malicious actor has gained access to a customer 
information system and the covered institution simply lacked 
information indicating that any particular individual's data stored in 
that customer information system was or was not used in a manner that 
would result in substantial harm or inconvenience, a covered 
institution would not have a sufficient basis to make this 
determination.\103\ In order to have a sufficient basis to determine 
that notice is not required, a covered institution's investigation 
would need to have revealed information sufficient for the institution 
to conclude that sensitive customer information has not been, and is 
not reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience.
---------------------------------------------------------------------------

    \103\ See also infra section II.A.4.d (discussing the 
identification of affected individuals in such circumstances).
---------------------------------------------------------------------------

    For any determination that a covered institution makes that notice 
is not required, the covered institution generally should maintain a 
record of the investigation and basis for its determination.\104\ 
Whether an investigation qualifies as reasonable would depend on the 
particular facts and circumstances of the unauthorized access or use. 
For example, unauthorized access that is the result of intentional 
intrusion by a bad actor may warrant more extensive investigation than 
inadvertent unauthorized access by an employee. The investigation may 
occur in parallel with an initial assessment and scoping of the 
incident and may build upon information generated from those 
activities, and the scope of the investigation may be refined by using 
available data and the results of ongoing incident response activities. 
Information related to the nature and scope of the incident may be 
relevant to determining the extent of the investigation, such as 
whether the incident is the result of internal unauthorized access or 
an external intrusion, the duration of the incident, what accounts have 
been compromised and at what privilege level, and whether and what type 
of customer information may have been copied, transferred, or retrieved 
without authorization.\105\
---------------------------------------------------------------------------

    \104\ Proposed rules 248.30(d), 240.17a-4, 240.17ad-7, 270.31a-
1, 270.31a-2, and 275.204-2; see infra section II.C. The 
Commission's proposal includes an amendment to a CFR designation in 
order to ensure regulatory text conforms more consistently with 
section 2.13 of the Document Drafting Handbook. See Office of the 
Federal Register, Document Drafting Handbook (Aug. 2018 Edition, 
Revision 1.4, dated January 7, 2022), available at <a href="https://www.archives.gov/files/federal-register/write/handbook/ddh.pdf">https://www.archives.gov/files/federal-register/write/handbook/ddh.pdf</a>. In 
particular, the proposal is to amend the CFR section designation for 
Rule 17Ad-7 (17 CFR 240.17Ad-7) to replace the uppercase letter with 
the corresponding lowercase letter, such that the rule would be 
redesignated as Rule 17ad-7 (17 CFR 240.17ad-7).
    \105\ For example, depending on the nature of the incident, it 
may be necessary to consider how a malicious intruder might use the 
underlying information in light of current trends in identity theft.
---------------------------------------------------------------------------

    As discussed above, while some state laws currently include similar 
standards for providing notifications, the proposed rules would impose 
a minimum standard to help ensure all individuals would presumptively 
receive notifications.\106\ Twenty-one states only require notice if, 
after an investigation, the institution finds that a risk of harm 
exists, and in eleven states, customer notification laws do not apply 
to entities subject to or in compliance with the GLBA.\107\ We 
preliminarily believe that setting a minimum standard based on an 
affirmative presumption of notification appropriately balances the need 
for transparency (i.e., the need for affected individuals to be 
informed so that they can take steps to protect themselves, including 
for example, by placing fraud alerts in credit reports) with concerns 
that the volume of notices that individuals would receive could erode 
their efficacy or lead to complacency by affected individuals. Notice 
of every incident could diminish the impact and effectiveness of the 
notice in a situation where enhanced vigilance is necessary.\108\ 
Covered institutions likely would be able to send a single notice that 
complies with multiple regulatory requirements, which may reduce the 
number of notices an individual

[[Page 20629]]

receives. In addition, the proposed standard would help to improve 
security outcomes in general by incentivizing covered institutions to 
conduct more thorough investigations after an incident occurs, because 
a reasonable investigation provides the only means to rebut the 
presumption of notification. Reasonably designed policies and 
procedures generally should include that a covered institution would 
revisit a determination whether a notification is required based on its 
investigation if new facts come to light. For example, if a covered 
institution determines that risk of use in a manner that would result 
in substantial harm or inconvenience is not reasonably likely based on 
the use of encryption in accordance with industry standards at the time 
of the incident, but subsequently the encryption is compromised or it 
is discovered that the decryption key was also obtained by the threat 
actor, the covered institution generally should consider revisiting its 
determination.
---------------------------------------------------------------------------

    \106\ A risk of harm provision under a particular state's rules 
may either (i) require a notice only after an entity performs a 
required analysis to determine that there is a reasonable likelihood 
of harm, or (ii) require notice unless a permitted analysis 
determines that there is no reasonable likelihood of harm. This 
latter approach is a stricter standard imposed by 22 states and is 
consistent with the standard we are proposing. See National 
Conference of State Legislatures, Security Breach Notification Laws, 
(``NCSL Security Breach Notification Law Resource''), available at 
<a href="https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx">https://www.ncsl.org/research/telecommunications-and-information-technology/security-breach-notification-laws.aspx</a>.
    \107\ See NCSL Security Breach Notification Law Resource, supra 
note 106.
    \108\ Eight states do not have risk of harm provisions, 
including California and Texas. See NCSL Security Breach 
Notification Law Resource, supra note 106. In these states, notices 
must generally be provided in all cases of a breach.
---------------------------------------------------------------------------

    We request comment on the proposed standard for notification to 
affected individuals, including the following:
    28. The proposed standard requires providing notice to affected 
individuals whose sensitive customer information was, or is reasonably 
likely to have been, accessed or used without authorization. Is the 
proposed standard for providing notification sufficiently clear? Is a 
standard of ``reasonably likely'' appropriate? Should the trigger for 
notification be a determination by a covered institution that the risk 
of unauthorized access or use of sensitive customer information has 
occurred or is ``reasonably possible'' which would suggest a more 
expansive standard than ``likely''?
    29. A covered institution can rebut the presumption of notification 
if it determines that, after a reasonable investigation of the facts 
and circumstances of the incident of unauthorized access to or use of 
sensitive customer information, sensitive customer information has not 
been, and is not reasonably likely to be, used in a manner that would 
result in substantial harm or inconvenience. Is this standard ``not 
reasonably likely to be'' for rebutting the presumption to notify the 
appropriate standard? Should the standard be ``not reasonably 
possible''?
    30. Should customer notification be required for any incident of 
unauthorized access to or use of sensitive customer information 
regardless of the risk of use in a manner that would result in 
substantial harm or inconvenience? Is there a risk that the volume of 
notices received under such a standard would inure affected individuals 
to notices of potentially harmful incidents and result in their not 
taking protective actions?
    31. Do covered institutions expect to be able to perform reasonable 
investigations in order to rebut the notification presumption? Why or 
why not? Would it be helpful to include specific requirements for a 
reasonable investigation? Are there other factors that would influence 
whether a covered institution decides to conduct a reasonable 
investigation or notify individuals? If additional clarity would assist 
covered institutions in making these determinations, please explain.
    32. Should we require a covered institution to revisit a 
determination that notification is not required based on its 
investigation if new facts come to light? If yes, should the rule 
provide specific requirements for a covered institution to revisit its 
determination?
    33. Should we incorporate any additional aspects of the protections 
offered to individuals under state laws into the proposed rules? 
Alternatively, should any components of the proposal that offer 
additional protections to individuals beyond some states' laws be 
omitted? Please explain.
    34. Under what scenarios would a covered institution be unable to 
comply with both the proposed rules and applicable state laws? Please 
explain.
    35. Should the proposed rules be modified in order to help ensure 
covered institutions would not need to provide multiple notices in 
order to satisfy obligations under the proposed rules and similar state 
laws?
b. Definition of ``Sensitive Customer Information''
    We propose to define the term ``sensitive customer information'' to 
mean ``any component of customer information alone or in conjunction 
with any other information, the compromise of which could create a 
reasonably likely risk of substantial harm or inconvenience to an 
individual identified with the information.'' \109\ This definition is 
intended to cover the types of information that could most likely be 
used in a manner that would result in substantial harm or 
inconvenience, such as to commit fraud, including identity theft.\110\ 
We do not believe that notification would be appropriate if 
unauthorized access to customer information is not reasonably likely to 
cause a harm risk because a customer is unlikely to need to take 
protective measures. Moreover, the large volume of notices that 
individuals might receive in the event of unauthorized access to such 
customer information could erode their efficacy. Accordingly, the 
proposed definition is limited to information that, if compromised, 
could create a ``reasonably likely risk of substantial harm or 
inconvenience.'' \111\
---------------------------------------------------------------------------

    \109\ See proposed rule 248.30(e)(9)(i). Our proposed definition 
is limited to information identified with customers of financial 
institutions. See proposed rule 248.30(e)(5)(i); infra section 
II.C.1. Information subject to the safeguards rule, including the 
incident response program and customer notice requirements would be 
information pertaining to a covered institution's customers and to 
customers of other financial institutions that the other 
institutions have provided to the covered institution. See proposed 
rule 248.30(a); infra section II.C.1.
    \110\ See supra note 6 and accompanying text (noting increased 
risks of unauthorized access and use of personal information).
    \111\ See proposed rule 248.30(e)(9)(i).
---------------------------------------------------------------------------

    The definition also provides examples of the types of information 
included within the definition of ``sensitive customer information.'' 
\112\ These examples include certain customer information identified 
with an individual that, without any other identifying information, 
could create a substantial risk of harm or inconvenience to an 
individual identified with the information.\113\ For example, Social 
Security numbers alone, without any other information linked to the 
individual, would be sensitive because they have been used in ``Social 
Security number-only'' or ``synthetic'' identity theft. In this type of 
identity theft, a Social Security number,

[[Page 20630]]

combined with identifying information of another real or fictional 
person, is used to create a new (or ``synthetic'') identity, which then 
may allow the malicious actor to, among other things, open new 
financial accounts.\114\ A similar sensitivity exists with other types 
of identifying information that can be used alone to authenticate an 
individual's identity. A biometric record of a fingerprint or iris 
image would present a significant threat of account fraud, identity 
theft, or other substantial harm or inconvenience if the image is used 
to authenticate a customer of a financial institution.
---------------------------------------------------------------------------

    \112\ See proposed rule 248.30(e)(9)(ii). While the information 
cited in these examples is sensitive customer information, when that 
information is encrypted, it would not necessarily be sensitive 
customer information. That cipher text (i.e., the data rendered in a 
format not understood by people or machines without an encryption 
key) may be analyzed as such (rather than as the decrypted sensitive 
customer information, e.g., a Social Security number referenced in 
the examples provided in 248.30(e)(9)(ii)(A)(1)-(4) or in 
248.30(e)(9)(ii)(B), and be determined not to be sensitive customer 
information). And as discussed infra note 119, a covered institution 
could consider the strength of the encryption and the security of 
the associated decryption key as factors in determining whether 
information is sensitive customer information. Accordingly, in 
certain circumstances, information that is an encrypted 
representation of, for example, a customer's Social Security number 
may not be sensitive customer information under the proposed 
definition.
    \113\ In this respect, our proposed definition is broader than 
the definition of ``sensitive customer information'' provided in the 
Banking Agencies' Incident Response Guidance. That definition 
includes a customer's name, address, or telephone number, only in 
conjunction with other pieces of information that would permit 
access to a customer account. Our proposed definition would also be 
broader than similar definitions of personal information used in 
some state statutes to determine the scope of information that, when 
subject to breaches, requires notification. See infra note 103 and 
accompanying text.
    \114\ See, e.g., generally Michael Kan, More Crooks Tapping 
``Synthetic Identity Fraud'' to Commit Financial Crimes, PCMag (June 
8, 2022), available at <a href="https://www.pcmag.com/news/more-crooks-tapping-synthetic-identity-fraud-to-commit-financial-crimes">https://www.pcmag.com/news/more-crooks-tapping-synthetic-identity-fraud-to-commit-financial-crimes</a> 
(describing recent increased frequency of synthetic identity fraud).
---------------------------------------------------------------------------

    The proposed definition also provides examples of combinations of 
identifying information and authenticating information that could 
create a harm risk to an individual identified with the information. 
These examples include information identifying a customer, such as a 
name or online user name, in combination with authenticating 
information such as a partial Social Security number, access code, or 
mother's maiden name. A mother's maiden name, for example, in 
combination with other identifying information, would present a harm 
risk because it may be so widely used for authentication purposes, even 
if the maiden name is not used as a password or security question at 
the covered institution. For these reasons, we are proposing that 
covered institutions should notify customers if this sensitive 
information is compromised.\115\
---------------------------------------------------------------------------

    \115\ While some states currently define the scope of personal 
information incurring a notification obligation in ways that 
generally align with our proposed definition of ``sensitive customer 
information,'' at least 12 states generally do not include 
information we propose to include, such as identifying information 
that, in combination with authenticating information, would create a 
substantial risk of harm or inconvenience. See NCSL Security Breach 
Notification Law Resource, supra note 106.
---------------------------------------------------------------------------

    In determining whether the compromise of customer information could 
create a reasonably likely harm risk to an individual identified with 
the information, a covered institution could consider encryption as a 
factor.\116\ Most states except encrypted information in certain 
circumstances, including, for example, where the covered institution 
can determine that the encryption offers certain levels of protection 
or the decryption key has not also been compromised.\117\
---------------------------------------------------------------------------

    \116\ We also considered a safe harbor from the definition of 
sensitive customer information for encrypted information. See infra 
section III.F.
    \117\ See, e.g., R.I. Gen. Laws sec. 11-49.3-3(a) (defining a 
security breach as unauthorized access to or acquisition of certain 
``unencrypted, computerized data information,'' and defining 
``encrypted'' as data transformed ``through the use of a one hundred 
twenty-eight (128) bit or higher algorithmic process into a form in 
which there is a low probability of assigning meaning without use of 
a confidential process or key'' unless the data was ``acquired in 
combination with any key, security code, or password that would 
permit access to the encrypted data.''). See also NCSL Security 
Breach Notification Law Resource, supra note 106.
---------------------------------------------------------------------------

    Specifically, encryption of information using current industry 
standard best practices is a reasonable factor for a covered 
institution to consider in making this determination. To the extent 
encryption in accordance with current industry standards minimizes the 
likelihood that the cipher text could be decrypted, it would also 
reduce the likelihood that the cipher text's compromise could create a 
risk of harm, as long as the associated decryption key is secure. 
Covered institutions may also reference commonly used cryptographic 
standards to determine whether encryption does, in fact, substantially 
impede the likelihood that the cipher text's compromise could create 
such risks.\118\ As industry standards continue to develop in the 
future, covered institutions generally should review and update, as 
appropriate, their encryption practices.\119\
---------------------------------------------------------------------------

    \118\ For example, we understand that standards included in 
Federal Information Processing Standard Publication 140-3 (FIPS 140-
3) are widely referenced by industry participants.
    \119\ Encryption alone does not determine whether data is 
``sensitive customer information.'' For example, to the extent a 
covered institution determines that cipher text is itself sensitive 
customer information, for example because the encryption was 
compromised, an investigation of the incident would likely indicate 
that there is a risk that the compromised information could be used 
in a way to result in substantial harm or inconvenience. A covered 
institution may, however, still be able to determine that the risk 
of use in this manner is not reasonably likely for reasons unrelated 
to the encryption, including for example, because the cipher text 
was only momentarily compromised. See generally supra note 115 and 
accompanying text.
---------------------------------------------------------------------------

    We request comment on the proposed rule's definition of sensitive 
customer information, including the following:
    36. Should we broaden the proposed definition of ``sensitive 
customer information'' to cover additional information? Alternatively, 
should we remove some information covered under the proposed definition 
or conform the definition to the Banking Agencies' Incident Response 
Guidance? \120\ Are there operational or compliance challenges to the 
proposed definition?
---------------------------------------------------------------------------

    \120\ See supra note 116.
---------------------------------------------------------------------------

    37. Should the rule limit the definition to information or data 
elements that alone or when linked would permit access to an 
individual's accounts? Should the rule specify the identifying 
information or data elements (e.g., name, address, Social Security 
number, driver's license or other government identification number, 
account number, credit or debit card number)?
    38. Is the proposed standard in the definition, which covers any 
component of customer information the compromise of which could create 
a ``reasonably likely'' risk of substantial harm or inconvenience, the 
appropriate standard? Do commenters believe that a different standard 
would be more appropriate for the proposed rule? For example, would a 
``reasonably foreseeable'' standard be more appropriate, even if harm 
is not likely to occur? Instead of covering any component of customer 
information the compromise of which ``could'' create a reasonably 
likely risk of substantial harm or inconvenience, should the standard 
cover components of customer information that ``would'' create such 
risk?
    39. Should we provide additional or alternative examples of what 
constitutes ``sensitive customer information'' in the rule text? Do 
covered persons or individuals widely use other pieces of information 
for authentication purposes, such that our examples should explicitly 
reference other authenticating or identifying information that, in 
combination, could create a harm risk?
    40. Is encryption a relevant factor to a covered institution's 
determination of the harm risk? Could encrypted information not present 
such risks because of the current strength of the relevant encryption 
algorithm, even if this could change in the future because, for 
example, of future developments in quantum computing? If a covered 
institution determines that encrypted information is not sensitive 
customer information, should the covered institution be required to 
monitor decryption risk based on, for example, advances in technology 
or a future compromise of a decryption key? If such risks do arise, 
should a covered institution be required to deliver a notice for a past 
incident?
    41. Do covered institutions' encryption practices commonly adhere 
to particular cryptographic standards, such as those included in FIPS 
140-3? \121\ Should we recognize adherence to

[[Page 20631]]

particular standards as a requirement when determining that encryption 
is relevant to a covered institution's determination that cipher text's 
compromise would not create a reasonably likely harm risk to an 
individual identified with the information?
---------------------------------------------------------------------------

    \121\ See supra note 121.
---------------------------------------------------------------------------

    42. Should we except from the definition of ``sensitive customer 
information'' encrypted information, as certain states do? Should any 
such exception only apply in limited circumstances, including, for 
example, for certain types of information or where the covered 
institution can determine that the encryption offers certain levels of 
protection (including where the decryption key has not been 
compromised)? Would such an exception prevent individuals from 
receiving beneficial notifications, including where, for example, 
information could be easily decrypted? Should any other type of 
information be excepted?
c. Definition of ``Substantial Harm or Inconvenience''
    We propose to define ``substantial harm or inconvenience'' to mean 
``personal injury, or financial loss, expenditure of effort or loss of 
time that is more than trivial,'' and provide examples of included 
harms.\122\ As noted above, Regulation S-P requires a covered 
institution's policies and procedures to be reasonably designed to, 
among other things, protect against unauthorized access to or use of 
customer information that could result in substantial harm or 
inconvenience to any customer.\123\ Although GLBA and the safeguards 
rule use the term ``substantial harm or inconvenience,'' neither 
defines the term. The proposed definition is intended to include a 
broad range of financial and non-financial harms and inconveniences 
that may result from failure to safeguard sensitive customer 
information.\124\ For example, a malicious actor could use sensitive 
customer information about an individual to engage in identity theft or 
as a means of extortion by threatening to make the information public 
unless the individual agrees to the malicious actor's demands.\125\ 
This could cause a customer to incur financial loss, or experience 
personal injury, such as physical harm or damaged reputation, or cause 
the customer to expend effort to remediate the breach or avoid losses. 
All of these effects would be included under our proposed definition.
---------------------------------------------------------------------------

    \122\ See proposed rule 248.30(e)(11).
    \123\ See supra section I.A.
    \124\ Data security incidents may result in varied types of 
harms. See generally Alex Scroxton, Data Breaches Are a Ticking 
Timebomb for Consumers, <a href="http://ComputerWeekly.com">ComputerWeekly.com</a> (Feb. 9, 2021), available 
at <a href="https://www.computerweekly.com/news/252496079/Data-breaches-are-a-ticking-timebomb-for-consumers">https://www.computerweekly.com/news/252496079/Data-breaches-are-a-ticking-timebomb-for-consumers</a> (citing a report in which consumers 
reported financial loss, stress, and loss of time among other 
effects, from data breaches); Jessica Guynn, Anxiety, Depression and 
PTSD: The Hidden Epidemic of Data Breaches and Cyber Crimes, USA 
TODAY (Feb. 24, 2020), available at <a href="https://www.usatoday.com/story/tech/conferences/2020/02/21/data-breach-tips-mental-health-toll-depression-anxiety/4763823002/">https://www.usatoday.com/story/tech/conferences/2020/02/21/data-breach-tips-mental-health-toll-depression-anxiety/4763823002/</a> (describing significant psychological 
effects of data breach incidents); Eleanor Dallaway, #ISC2Congress: 
Cybercrime Victims Left Depressed and Traumatized, INFO. SEC. (Sept. 
12, 2016), available at <a href="https://www.infosecurity-magazine.com/news/isc2congress-cybercrime-victims/">https://www.infosecurity-magazine.com/news/isc2congress-cybercrime-victims/</a> (describing mental health effects 
of cybercrime).
    \125\ The proposed definition of ``sensitive customer 
information'' is discussed supra in section II.A.4.b.
---------------------------------------------------------------------------

    The proposed definition would include all personal injuries due to 
the significance of their impact on customers. However, the proposed 
definition includes other harms or inconveniences only when they are, 
in each case, more than trivial. More than trivial financial loss, 
expenditure of effort, or loss of time would generally include harms 
that are likely to be of concern to customers and are of the nature 
such that customers are likely to take further action to protect 
themselves. By contrast, where a covered institution, its affiliate, or 
the individual simply changes the individual's account number as the 
result of an incident, this likely would be a trivial effect since it 
is not likely to be of concern to the individual or of the nature that 
the individual would be likely to take further action. Similarly, in 
the absence of additional effects, accidental access of information by 
an employee or other agent of the covered institution, its affiliate, 
or its service provider would also likely be trivial harms. We do not 
intend for covered institutions to design programs and incur costs to 
protect customers from harms of such trivial significance that the 
customer would be unconcerned with remediating. In this regard, our 
proposal to adopt standards that protect customers against substantial 
harm or inconvenience from failures to safeguard information is 
intended to be consistent with the purposes of the GLBA and Congress's 
goals.\126\
---------------------------------------------------------------------------

    \126\ See 15 U.S.C. 6801(a) (stating that it is ``the policy of 
the Congress that each financial institution has an affirmative and 
continuing obligation to respect the privacy of its customers and to 
protect the security and confidentiality of these customers' 
nonpublic personal information.''). See also supra note 26, infra 
note 160, and accompanying text.
---------------------------------------------------------------------------

    We request comment on the proposed rule's definition of substantial 
harm or inconvenience, including the following:
    43. Should we expand the proposed definition of ``substantial harm 
or inconvenience''? Alternatively, should we exclude some harms covered 
under the proposed definition? Should we exclude some smaller (but more 
than trivial) effects? If so, please explain why the rule should not 
address these potential harms.
    44. Do commenters believe that the proposed rule should reference a 
term or terms other than ``substantial'' and ``more than trivial'' in 
describing the types of harms that meet our definition? Are additional 
or alternative clarifications needed? Is ``more than trivial'' the 
appropriate standard? Should we instead use a term such as 
``immaterial'' or ``insignificant''?
    45. Would a numerical or other objective standard for 
``substantial'' harm or inconvenience be appropriate, given the 
definition includes harms that would present substantial difficulty in 
quantifying, including damaged reputation? If so, please describe how 
such an objective standard could be designed and provide examples.
    46. Should a harm that is a ``personal injury,'' such as physical, 
emotional, or reputational harm, only be included in the proposed 
definition if it is more than ``trivial,'' similar to our proposed 
treatment of financial loss, expenditure of effort or loss of time? 
Should the standard for a harm that is a ``personal injury'' be 
something other than ``trivial?''
    47. What kinds of financial loss, expenditure of effort or loss of 
time would individuals likely be unconcerned with and/or likely not to 
try to mitigate? Please provide data, such as customer surveys, to 
support your response.
    48. Are the rule's proposed examples of certain effects that would 
be unlikely to meet the definition of substantial harm or inconvenience 
appropriate? If so, please provide examples and explain why.
d. Identification of Affected Individuals
    Under the proposed rules, covered institutions would be required to 
provide a clear and conspicuous notice to each affected individual 
whose sensitive customer information was, or is reasonably likely to 
have been, accessed or used without authorization.\127\ We believe 
notices

[[Page 20632]]

should be provided to these affected individuals because they would 
likely need the information contained in the notices to respond to and 
remediate the incident.
---------------------------------------------------------------------------

    \127\ As discussed below, proposed rule 248.30(a) explains that 
the safeguards rule, including the response program and customer 
notification, applies to all customer information that pertains to 
individuals with whom the covered institution has a customer 
relationship or to customers of other financial institutions and has 
been provided to the covered institution. See infra section II.C.1. 
Accordingly, proposed rule 248.30(b)(3)(iii) and (b)(4)(i) refers to 
``affected individuals whose sensitive customer information was or 
is reasonably likely to have been accessed or used without 
authorization'' rather than ``customer.'' This is because the term 
``customer'' is defined in section 248.3(j) as ``a consumer that has 
a customer relationship with the [covered] institution,'' and would 
not include customers of financial institutions that had provided 
information to the covered institution (within the scope of proposed 
rule 248.30(a)).
---------------------------------------------------------------------------

    We understand, however, that notwithstanding a covered 
institution's determination to provide notices, the identification of 
affected individuals may be difficult in circumstances where a 
malicious actor has accessed or used information without authorization 
in a customer information system. It may, for example, be clear that a 
malicious actor gained access to the entire customer information 
system, but the covered institution may not be able to determine which 
specific individuals' data has been accessed or used. In such cases, we 
preliminarily believe that all individuals whose sensitive customer 
information is stored in that system should be notified so that they 
may have an opportunity to review the information in the required 
notification, and take remedial action as they deem appropriate. For 
example, individuals may be more vigilant in reviewing account 
statements or place fraud alerts in a credit report. They may also be 
able to place a hold on opening new credit in their name, or take other 
protective actions. Accordingly, the proposed rule would require a 
covered institution that is unable to identify which specific 
individuals' sensitive customer information has been accessed or used 
without authorization to provide notice to all individuals whose 
sensitive customer information resides in the affected system that was, 
or was reasonably likely to have been, accessed or used without 
authorization.\128\
---------------------------------------------------------------------------

    \128\ See proposed rule 248.30(b)(4)(ii).
---------------------------------------------------------------------------

    We request comment on the proposed rule's requirements for the 
identification of affected individuals, including the following:
    49. Does the standard ``all individuals whose sensitive customer 
information resides in the customer information system'' adequately 
cover all of the individuals who are potentially at risk as a result of 
unauthorized access to or use of a customer information system? Should 
the rule require notice to additional or different individuals?
    50. To the extent covered institutions are not able to determine 
which individuals are affected with certainty, should the rule require 
notice only to those individuals whose sensitive customer information 
was ``reasonably likely'' to have been accessed or used without 
authorization? Alternatively, should the rule require notice unless it 
is ``unlikely'' that the information was not accessed, or would some 
other standard be appropriate? Please address how any such standard 
would help ensure that all individuals potentially at risk because of 
unauthorized access to or use of the customer information system 
receive notice.
    51. The proposed rule would require covered institutions to provide 
notice to each affected individual whose sensitive customer information 
was, or is reasonably likely to have been, accessed or used without 
authorization, including customers of other financial institutions 
where information has been provided to the covered institution. Do 
covered institutions have the contact information for customers of 
other financial institutions necessary to send the notices as required? 
Alternatively, should the rule require only that a covered institution 
provide notices to their own customers or to the institution that 
provided the covered institution the sensitive customer information? 
Are there other operational or compliance challenges to identifying 
affected individuals? Would this requirement result in the practical 
effect of requiring covered institutions to send notices to all 
individuals potentially subject to a breach of their systems 
(regardless of whether they are a customer or not) due to the 
difficulty of determining an affected individual's status?
e. Timing Requirements
    As proposed, the rule would require covered institutions to provide 
notices as soon as practicable, but not later than 30 days, after the 
covered institution becomes aware that unauthorized access to or use of 
customer information has occurred or is reasonably likely to have 
occurred except under limited circumstances, discussed below.\129\ We 
propose that covered institutions provide notices ``as soon as 
practicable'' to expeditiously notify individuals whose information is 
compromised, so that these individuals may take timely action to 
protect themselves from identity theft or other harm. The amount of 
time that would constitute ``as soon as practicable'' may vary based on 
several factors, such as the time required to assess, contain, and 
control the incident, and if the institution conducts one, the time 
required to investigate the likelihood the information could be used in 
a manner that would result in substantial harm or inconvenience. For 
example, ``as soon as practicable'' may be longer with an incident 
involving a significant number of customers.
---------------------------------------------------------------------------

    \129\ See proposed rule 248.30(b)(4)(iii).
---------------------------------------------------------------------------

    Consistent with the approach taken by many states, we have included 
an outside date to ensure that all covered institutions meet a minimum 
standard of timeliness. We preliminarily believe that a 30-day period 
after becoming aware that unauthorized access to or use of customer 
information has occurred or is reasonably likely to have occurred would 
permit customers to take actions in response to an incident, including 
by placing fraud alerts on relevant accounts or changing passwords used 
to access accounts.\130\ The proposal's 30-day period would establish a 
shorter notification deadline than those currently used in 15 states, 
and would also offer enhanced protections to individuals in 32 states 
with laws that do not include an outside date.\131\ At the same time, 
this 30-day period would generally allow sufficient time for covered 
institutions to perform their assessments, take remedial measures, 
conclude any investigation, and prepare notices.\132\ Accordingly, we 
preliminarily believe that establishing a minimum requirement to 
provide notifications as soon as practicable, together with a 30-day 
outside date, strikes the appropriate balance between promoting timely 
notice to affected individuals and allowing institutions sufficient 
time to implement their incident response programs.\133\
---------------------------------------------------------------------------

    \130\ Nineteen states provide an outside date for providing 
customer notification, which range from 30 to 90 days. See, e.g., 
Colo. Rev. Stat. sec. 6-1-716(2) (providing that notifications be 
provided not later than thirty days after the date of determination 
that a security breach occurred); Conn. Gen. Stat. sec. 36a-701b 
(b)(1) (providing that notifications be provided not later than 
ninety days after the date of determination that a security breach 
occurred).
    \131\ See NCSL Security Breach Notification Law Resource, supra 
note 106.
    \132\ See supra section II.A.4.a (discussing the standard of 
notice, including that a covered institution must provide clear and 
conspicuous notice unless it has determined, after a reasonable 
investigation of the facts and circumstances of the incident of 
unauthorized access to or use of sensitive customer information, 
that sensitive customer information has not been, and is not 
reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience). See proposed rule 
284.30(b)(4)(i).
    \133\ An institution that has completed the required tasks and 
has undertaken an investigation before the end of the 30-day period 
would be required to provide notices to affected customers ``as soon 
as practicable.'' For example, an incident of unauthorized access by 
a single employee to a limited set of sensitive customer information 
may take only a few days to assess, remediate, and investigate. In 
those circumstances we believe a covered institution generally 
should provide notices to affected individuals at the conclusion of 
those tasks and as soon as the notices have been prepared.

---------------------------------------------------------------------------

[[Page 20633]]

    Further, the proposed requirement that a covered institution have 
written policies and procedures that provide for a systematic response 
to each incident also may facilitate the institution's preparation and 
ability to perform an assessment, remediation, and investigation in a 
timely manner and within the 30-day period required for providing 
customer notices. At the same time, a covered institution would be 
required to provide notice within 30 days after becoming aware that an 
incident occurred even if the institution had not completed its 
assessment or control and containment measures.
    Similarly, the proposal would effectively impose a uniform 30-day 
notification time-period and would not generally provide for a 
notification delay, for example, when there is an ongoing internal or 
external investigation related to an incident involving sensitive 
customer information.\134\ On-going internal or external 
investigations--which often can be lengthy--on their own would not 
provide a basis for delaying notice to customers that their sensitive 
customer information has been compromised.\135\ Additionally, any such 
delay provision could undermine timely and uniform customer 
notification that customers' sensitive customer information has been 
compromised, as investigations and resolutions of incidents may occur 
over an extended period of time and may vary widely in timing and 
scope.
---------------------------------------------------------------------------

    \134\ Internal investigation refers to an investigation 
conducted by a covered institution or a third party selected by a 
covered institution. An external investigation refers to any 
investigation not conducted by, or at the request of, a covered 
institution.
    \135\ See Commission Statement and Guidance on Public Company 
Cybersecurity Disclosures, Release No. 33-10459 (Feb. 26, 2018) [83 
FR 8166, 8169 (Feb. 26, 2018)].
---------------------------------------------------------------------------

    At the same time, we recognize that a delay in customer 
notification may facilitate law enforcement investigations aimed at 
apprehending the perpetrators of the incident and preventing future 
incidents. Many states have laws that either mandate or allow entities 
to delay providing customer notifications regarding an incident if law 
enforcement determines that notification may impede its 
investigation.\136\ The principal function of such a delay would be to 
allow a law enforcement or national security agency to keep a 
cybercriminal unaware of their detection.
---------------------------------------------------------------------------

    \136\ Forty states allow entities to delay providing notices to 
individuals for law enforcement investigations. Of those, 11 deem 
entities to be in compliance with state notification laws if the 
entity is subject to or in compliance with GLBA, and nine states 
mandate (rather than merely permit) the delay of notices to 
individuals for law enforcement investigations. See NCSL 
Security Breach Notification Law Resource, supra note 106. See supra 
note 14 for information regarding the interaction between Regulation 
S-P and state laws.
---------------------------------------------------------------------------

    The proposed rule would allow a covered institution to delay 
providing notice after receiving a written request from the Attorney 
General of the United States that the notice required under this rule 
poses a substantial risk to national security.\137\ The covered 
institution may delay such a notice for an initial period specified by 
the Attorney General of the United States, but not for longer than 15 
days. The notice may be delayed an additional 15 days if the Attorney 
General of the United States determines that the notice continues to 
pose a substantial risk to national security. This would allow a 
combined delay period of up to 30 days, upon the expiration of which 
the covered institution must provide notice immediately.
---------------------------------------------------------------------------

    \137\ Any such written request from the Attorney General of the 
United States would be subject to the recordkeeping requirements for 
covered institutions discussed in section II.D.
---------------------------------------------------------------------------

    A covered institution, in certain instances, may be required to 
notify customers under the proposal even though that covered 
institution could have separate delay reporting requirements under a 
particular state law. On balance, it is our current view that timely 
customer notification would allow the customer to take remedial actions 
and, thereby, would justify providing only for a limited delay.\138\
---------------------------------------------------------------------------

    \138\ For example, after timely notice of a breach, individuals 
can take important steps to safeguard their information, including 
changing passwords, freezing their accounts, and putting a hold on 
their credit.
---------------------------------------------------------------------------

    We request comment on the proposed rule's notification timing 
requirements, including the following:
    52. Does this proposed requirement provide covered institutions 
with sufficient time to perform assessments, collect the information 
necessary to include in customer notices, perform an investigation if 
appropriate, and provide notices? Alternatively, does the proposed ``as 
soon as practicable'' or 30 day outside date provide too much time? 
Should the rule require institutions to provide notice ``as soon as 
possible,'' for example? Should the rule provide parameters to define 
``as soon as practicable,'' ``as soon as possible,'' ``as soon as 
reasonably practicable'' or an alternate standard? If so, please 
describe the parameters or other standard. Should the rule require less 
time for an outside date, such as 10, 15, or 20 days? Should the rule 
provide more time for an outside date, such as 45, 60, or 90 days? 
Please be specific on the appropriate outside date and the basis for 
the shorter or longer time period. Also, please specify the potential 
costs and benefits to a different outside date.
    53. Should the proposed timing requirement begin to run upon an 
event other than ``becoming aware that unauthorized access to or use of 
customer information has occurred or is reasonably likely to have 
occurred''? Should the timing requirement begin to run, for example, 
after the covered institution ``reasonably should have been aware'' of 
the incident or, alternatively, after completing its assessment of the 
incident or containment? If the timing requirement should begin upon 
``becoming aware that unauthorized access to or use of customer 
information has occurred or is reasonably likely to have occurred,'' 
should we provide covered institutions with examples of what would 
constitute becoming aware?
    54. Should the proposed rules incorporate any exceptions from the 
timing requirement that would allow for delays under limited 
circumstances? If so, what restrictions or conditions should apply to 
any such delay and why?
    55. Are there other challenges to meeting the proposed timing 
requirements, including the requirement to provide notices within 30 
days of becoming aware of the incident? If yes, please describe.
    56. What operational or compliance challenges arise from the 
proposed limited delay for notice or its expiration? Should the 
proposed rule have a different delay for notice, for example, by 
providing that the Commission shall allow covered institutions to delay 
notification to customers where any law enforcement agency requests 
such a delay from the covered institution? If so, what restrictions or 
conditions should apply to any such law enforcement delay, for example, 
a certification, or a different outside time limit on the delay?
f. Notice Contents and Format
    We are proposing to require that notices include key information 
with details about the incident, the breached data, and how affected 
individuals could respond to the breach to protect themselves. This 
requirement is

[[Page 20634]]

designed to help ensure that covered institutions provide basic 
information to affected individuals that would help them avoid or 
mitigate substantial harm or inconvenience.
    More specifically, some of the information required, including 
information regarding a description of the incident, type of sensitive 
customer information accessed or used without authorization, and what 
has been done to protect the sensitive customer information from 
further unauthorized access or use, would provide customers with basic 
information to help them understand the scope of the incident and its 
potential ramifications.\139\ We also propose to require covered 
institutions to include contact information sufficient to permit an 
affected individual to contact the covered institution to inquire about 
the incident, including a telephone number (which should be a toll-free 
number if available), an email address or equivalent method or means, a 
postal address, and the name of a specific office to contact for 
further information and assistance, so that individuals can more easily 
seek additional information from the covered institution.\140\ All of 
this information may help an individual assess the risk posed and 
whether to take additional measures to protect against harm from 
unauthorized access or use of their information.
---------------------------------------------------------------------------

    \139\ See proposed rule 248.30(b)(4)(iv)(A)-(B).
    \140\ See proposed rule 248.30(b)(4)(iv)(D). A method or means 
equivalent to email generally, for example, includes an internet web 
page easily allowing for the submission of inquiries.
---------------------------------------------------------------------------

    Similarly, if the information is reasonably possible to determine 
at the time the notice is provided, information regarding the date of 
the incident, the estimated date of the incident, or the date range 
within which the incident occurred would help customers understand the 
circumstances related to the breach.\141\ We understand that a covered 
institution may have difficulty determining a precise date range for 
certain incidents because it may only discover an incident well after 
an initial time of access. As a result, similar to the approach taken 
by California, the covered institution would only be required to 
include a date, or date range, if it is possible to determine at the 
time the notice is provided.\142\
---------------------------------------------------------------------------

    \141\ See proposed rule 248.30(b)(4)(iv)(C).
    \142\ See Cal. Civ. Code sec. 1798.29(d)(2).
---------------------------------------------------------------------------

    Finally, we propose that covered institutions include certain 
information to assist individuals in evaluating how they should respond 
to the incident. Specifically, if the individual has an account with 
the covered institution, the proposed rule would require inclusion of a 
recommendation that the customer review account statements and 
immediately report any suspicious activity to the covered 
institution.\143\ The proposed rule would also require covered 
institutions to explain what a fraud alert is and how an individual may 
place a fraud alert in credit reports.\144\ Further, the proposed rule 
would require inclusion of a recommendation that the individual 
periodically obtain credit reports from each nationwide credit 
reporting company and have information relating to fraudulent 
transactions deleted, as well as explain how a credit report can be 
obtained free of charge.\145\ In particular, information addressing 
potential protective measures could help individuals evaluate how they 
should respond to the incident. We also propose for notices to include 
information regarding FTC and <a href="http://usa.gov">usa.gov</a> guidance on steps an individual 
can take to protect against identity theft, a statement encouraging the 
individual to report any incidents of identity theft to the FTC, and 
include the FTC's website address.\146\ This would give individuals 
resources for additional information regarding how they can respond to 
an incident.
---------------------------------------------------------------------------

    \143\ See proposed rule 248.30(b)(4)(iv)(E).
    \144\ See proposed rule 248.30(b)(4)(iv)(F). We recognize that, 
under the Fair Credit Reporting Act (15 U.S.C. 1681a(d)), 
individuals may obtain ``consumer reports'' from consumer reporting 
agencies. Nevertheless, we refer to ``credit reports'' in proposed 
rule 248.30(b)(4)(iv)(G), in part, because the Banking Agencies' 
Incident Response Guidance also includes a requirement that notices 
include a recommendation that customers obtain ``credit reports,'' 
and in part, because we believe individuals would generally be more 
familiar with this term than the term ``consumer reports.'' See, 
e.g., Consumer Financial Protection Bureau (``CFPB''), Check your 
credit, <a href="https://www.consumerfinance.gov/owning-a-home/prepare/check-your-credit/">https://www.consumerfinance.gov/owning-a-home/prepare/check-your-credit/</a> (explaining how to check credit reports); CFPB, Credit 
reports and scores, <a href="https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/">https://www.consumerfinance.gov/consumer-tools/credit-reports-and-scores/</a> (explaining how to understand credit 
reports and scores, how to correct errors and improve a credit 
record).
    \145\ See proposed rule 248.30(b)(4)(iv)(G)-(H).
    \146\ See proposed rule 248.30(b)(4)(iv)(I). See, e.g., Identity 
Theft: How to Protect Yourself Against Identity Theft and Respond if 
it Happens, available at <a href="https://www.usa.gov/identity-theft">https://www.usa.gov/identity-theft</a>.
---------------------------------------------------------------------------

    We propose that covered institutions should be required to provide 
the information specified in proposed rule 248.30(b)(4)(iv) in each 
required notice. While we recognize that relevant information may vary 
based on the facts and circumstances of the incident, we believe that 
customers would benefit from the same minimum set of basic information 
in all notices. We propose, therefore, to permit covered institutions 
to include additional information, but the rule would not permit 
omission of the prescribed information in the notices provided to 
affected individuals.
    The proposed rule would require covered institutions to provide the 
notice in a clear and conspicuous manner and by means designed to 
ensure that the customer can reasonably be expected to receive actual 
notice in writing.\147\ Notices, therefore, would be required to be 
reasonably understandable and designed to call attention to the nature 
and significance of the information required to be provided in the 
notice.\148\ Accordingly, to the extent that a covered institution 
includes information in the notice that is not required to be provided 
to customers under the proposed rules or provides notice 
contemporaneously with other disclosures, the covered institution would 
still be required to ensure that the notice is designed to call 
attention to the important information required to be provided under 
the proposed rule; additional information generally should not prevent 
covered institutions from presenting required information in a clear 
and conspicuous manner. The requirement to provide notices in writing, 
further, would ensure that customers receive the information in a 
format appropriate for receiving important information, with 
accommodation for those customers who agree to receive the information 
electronically. This proposed requirement to provide notice ``in 
writing'' could be satisfied either through paper or electronic means, 
consistent with existing Commission guidance on electronic delivery of 
documents.\149\ Notification in other formats, including, for example, 
by a recorded telephone message, may not be retained and referenced as 
easily as a notification in writing. These requirements would help 
ensure that customers are provided notifications and alerted to their 
importance.
---------------------------------------------------------------------------

    \147\ See proposed rule 248.30(b)(4)(i); see also 17 CFR 
248.9(a) (delivery requirements for privacy and opt out notices) and 
17 CFR 248.3(c)(1) (defining ``clear and conspicuous'').
    \148\ See 17 CFR 248.3(c)(2) (providing examples explaining what 
is meant by the terms ``reasonably understandable'' and ``designed 
to call attention'').
    \149\ See Use of Electronic Media by Broker Dealers, Transfer 
Agents, and Investment Advisers for Delivery of Information; 
Additional Examples Under the Securities Act of 1933, Securities 
Exchange Act of 1934, and Investment Company Act of 1940, 61 FR 
24644 (May 15, 1996); Use of Electronic Media, 65 FR 25843 (May 4, 
2000).
---------------------------------------------------------------------------

    We request comment on the notification content, format, and 
delivery requirements, including the following:
    57. Should we require that notices include additional information? 
If so, what specific information should we

[[Page 20635]]

include? Please explain why any recommended additional information 
would be important to include.
    58. Is there prescribed notice information that we should eliminate 
or revise? Please explain. For example, should we add information about 
security freezes on credit reports, and should that replace fraud alert 
information? Should the required information on the notice to assist 
individuals in evaluating how they should respond to the incident be 
replaced? Please explain. For example, should the notice instead be 
required to include an appropriate website that describes then-current 
best practices in how to respond to an incident? Are there other 
websites, for example, <a href="http://IdentityTheft.gov">IdentityTheft.gov</a>, that should be included in 
the notice?
    59. Should some of the information we propose to include in the 
notices only be required in limited circumstances? For example, should 
we only require including information relating to credit reports if the 
underlying incident relates to access or use of a subset of sensitive 
customer information (perhaps only information of a particular 
financial nature)? Should covered institutions be able to determine 
whether to provide certain information ``as appropriate'' on a case-by-
case basis? If so, please explain which information and why.
    60. In what other formats, if any, should we permit covered 
institutions to provide notices? What formats do covered institutions 
customarily use to communicate with individuals (e.g., text messages or 
some other abbreviated format that might require the use of hyperlinks) 
and for which types of communications are those formats generally used? 
To the extent we allow such additional formats, would such notices 
adequately signal the significance of the information to the 
individual--or otherwise present disadvantages to covered institutions 
or individuals?
    61. The proposed rule amendments would require that covered 
institutions provide certain contact information sufficient to permit 
an individual to contact the covered institution to inquire about the 
incident. Should we require additional or different contact 
information? Is the required contact information appropriate or would a 
general customer service number suffice? Should the amendments also 
require that covered institutions ensure that they have reasonable 
policies and procedures in place, including trained personnel, to 
respond appropriately to customer inquiries and requests for 
assistance?
    62. Should we require that covered institutions include specific 
and standardized information about steps to protect against identity 
theft, instead of requiring inclusion of information about online 
guidance from the FTC and <a href="http://usa.gov">usa.gov</a>?
    63. Should we require that covered institutions reference 
``consumer reports'' instead of ``credit reports'' in notifications 
under the proposed rules? Would individuals be more familiar with the 
term ``credit report''?
    64. To the extent that a covered institution determines it is not 
reasonably possible to provide in the notice information regarding the 
date of the incident, the estimated date of the incident, or the date 
range within which the incident occurred, should that financial 
institution be required to state this to customers? In addition, should 
the institution be required to state why it is not possible to make 
such a determination?
    65. Should the notice require that covered institutions describe 
what has been done to protect the sensitive customer information from 
further unauthorized access or use? Would this description provide a 
roadmap for further incidents? If yes, is there other information 
rather than this description that may help an individual understand 
what has been done to protect their information?
    66. Should we incorporate other prescriptive formatting 
requirements (e.g., length of notice, size of font, etc.) for the 
notice requirement under the proposed rules?
    67. Should we require covered institutions to follow plain English 
or plain writing principles?

B. Remote Work Arrangement Considerations

    Following the onset of the COVID-19 pandemic in the United States 
in 2020, the use of remote work arrangements has expanded significantly 
throughout the labor force. The U.S. Census Bureau recently announced 
that the number of people primarily working from home tripled between 
2019 and 2021, from 5.7% to 17.9% of all workers.\150\ In the financial 
services industry specifically, the Bureau of Labor Statistics found in 
its 2021 Business Response Survey that firms reported 27.5% of jobs in 
the industry currently involve full-time telework, with a total of 45% 
of jobs involving teleworking ``at least some of the time.'' \151\
---------------------------------------------------------------------------

    \150\ Press Release, U.S. Census Bureau releases new 2021 
American Community Survey 1-year estimates for all geographic areas 
with populations of 65,000 or more (Sept. 15, 2022), available at 
https://www.census.gov/newsroom/press-releases/2022/people-working-from-home.html#:~:text=SEPT.,by%20the%20U.S.%20Census%20Bureau.
    \151\ Bureau of Labor Statistics, Telework during the COVID-19 
pandemic: estimates using the 2021 Business Response Survey (Mar. 
2022), available at <a href="https://www.bls.gov/opub/mlr/2022/article/telework-during-the-covid-19-pandemic.htm#_edn6">https://www.bls.gov/opub/mlr/2022/article/telework-during-the-covid-19-pandemic.htm#_edn6</a>.
---------------------------------------------------------------------------

    Although recent reports indicate that a growing number of workers 
are returning to the office,\152\ as certain members of the securities 
industry have previously noted, when covered institutions permit their 
own employees to work from remote locations, rather than one of the 
firm's offices, it raises particular compliance questions under 
Regulation S-P.\153\ In the case of the proposed rule, a covered 
institution's policies and procedures under the safeguards rule would 
need to be reasonably designed to ensure the security and 
confidentiality of customer information, protect against any threats or 
hazards to the security or integrity of customer information, and 
protect against the unauthorized access to or use of customer 
information that could result in substantial harm or inconvenience to 
any customer.\154\ Similarly, under the proposed amendments to the 
disposal rule, covered institutions, other than notice-registered 
broker-dealers, would need to adopt and implement written policies and 
procedures under the disposal rule that address the proper disposal of 
consumer information and customer information according to a standard 
of taking reasonable measures to protect against unauthorized access to 
or use of the information in connection with its disposal.\155\ In 
satisfying each of these proposed obligations, covered institutions 
will need to consider any additional challenges raised by the use of 
remote work locations within their policies and procedures.
---------------------------------------------------------------------------

    \152\ See Joseph Pisiani and Kailyn Rhone, U.S. Return-to-Office 
Rate Rises Above 50% for First Time Since Pandemic Began, Wall 
Street Journal (Feb. 1, 2023), available at <a href="https://www.wsj.com/articles/u-s-return-to-office-rate-rises-above-50-for-first-time-since-pandemic-began-11675285071">https://www.wsj.com/articles/u-s-return-to-office-rate-rises-above-50-for-first-time-since-pandemic-began-11675285071</a>.
    \153\ See, e.g., Letter from Michael Decker, Senior Vice 
President, Bond Dealers of America, to Jennifer Piorko Mitchell, 
Office of the Corporate Secretary, FINRA, re FINRA Regulatory Notice 
20-42 (Feb. 16, 2021), available at <a href="https://www.finra.org/sites/default/files/NoticeComment/Bond%20Dealers%20of%20America%20%5BMichael%20Decker%5D%20-%20FINRA_COVID_lessons_final.pdf">https://www.finra.org/sites/default/files/NoticeComment/Bond%20Dealers%20of%20America%20%5BMichael%20Decker%5D%20-%20FINRA_COVID_lessons_final.pdf</a>; letter from Kelli McMorrow, Head 
of Government Affairs, American Securities Association, to Jennifer 
Piorko Mitchell, Office of the Corporate Secretary, FINRA, re FINRA 
Regulatory Notice 20-42 (Feb. 16, 2021), available at <a href="https://www.finra.org/sites/default/files/NoticeComment/American%20Securities%20Association%20%5BKelli%20McMorrow%5D%20-%202021.02.16%20-%20ASA%20FINRA%20Covid%20Lessons%20Learned.pdf">https://www.finra.org/sites/default/files/NoticeComment/American%20Securities%20Association%20%5BKelli%20McMorrow%5D%20-%202021.02.16%20-%20ASA%20FINRA%20Covid%20Lessons%20Learned.pdf</a>.
    \154\ See proposed rule 248.30(b)(2).
    \155\ See proposed rule 248.30(c).

---------------------------------------------------------------------------

[[Page 20636]]

    In light of these considerations, we request comment on whether the 
remote work arrangements of the personnel of covered institutions 
should be addressed under both the safeguards rule and the disposal 
rule, including as to the following:
    68. Should the proposed safeguards rule and/or the proposed 
disposal rule be amended in any way to account for the use of remote 
work arrangements by covered institutions? If so, how? How would such 
amendments impact the costs and benefits of the proposed rule?
    69. Are there any additional costs and/or benefits of the proposed 
rule related to remote work arrangements that the Commission should be 
aware of? If so, in particular, how would those be impacted by whether 
or not remote work arrangements by covered institutions have increased, 
decreased, or remained the same? If so, please explain, and please 
provide any data available.
    70. Are there any specific aspects of the proposed safeguards rule 
or the disposal rule, relating to compliance with either rule where the 
covered institution permits employees to work remotely, on which the 
Commission should provide guidance to covered institutions? If so, 
please explain.

C. Scope of Information Protected Under the Safeguards Rule and 
Disposal Rule

    The Commission adopted the safeguards rule and the disposal rule at 
different times under different statutes--respectively, the GLBA and 
the FACT Act--that differ in the scope of information they cover. We 
are proposing to broaden and more closely align the information covered 
by the safeguards rule and the disposal rule by applying the 
protections of both rules to ``customer information,'' a newly defined 
term. We also propose to add a new section that describes the extent of 
information covered under both rules, which includes nonpublic personal 
information that a covered institution collects about its own customers 
and that it receives from a third party financial institution about a 
financial institution's customers.
    We preliminarily believe the scope of information protected by the 
safeguards rule and the disposal rule should be broader and more 
closely aligned to provide better protection against unauthorized 
disclosure of personal financial information, consistent with the 
purposes of the GLBA \156\ and the FACT Act.\157\ Applying both the 
safeguards rule and the disposal rule to a more consistent set of 
defined ``customer information'' also could reduce any burden that may 
have been created by the application of the safeguards rule and the 
disposal rule to different scopes of information. Further, protecting 
nonpublic personal information of customers that a financial 
institution shares with a covered institution furthers congressional 
policy to protect personal financial information on an ongoing 
basis.\158\ Applying the safeguards rule and the disposal rule to 
customer information that a covered institution receives from other 
financial institutions should ensure customer information safeguards 
are not lost because a third party financial institution shares that 
information with a covered institution.
---------------------------------------------------------------------------

    \156\ The Commission has ``broad rulemaking authority'' to 
effectuate ``the policy of the Congress that each financial 
institution has an affirmative and continuing obligation to respect 
the privacy of its customers and to protect the security and 
confidentiality of these customers' nonpublic personal 
information.'' Trans Union LLC v. FTC, 295 F.3d 42, 46 (D.C. Cir. 
2002) (quoting 15 U.S.C. 6801(a)).
    \157\ The disposal rule was intended to reduce the risk of fraud 
or related crimes, including identity theft, by ensuring that 
records containing sensitive financial or personal information are 
appropriately redacted or destroyed before being discarded. See 108 
Cong. Rec. S13,889 (Nov. 4, 2003) (statement of Sen. Nelson).
    \158\ See 15 U.S.C. 6801(a) (``It is the policy of the Congress 
that each financial institution has an affirmative and continuing 
obligation to respect the privacy of its customers and to protect 
the security and confidentiality of those customers' nonpublic 
personal information.'') (emphasis added).
---------------------------------------------------------------------------

1. Definition of Customer Information
    Currently, Regulation S-P's protections under the safeguards rule 
and disposal rule apply to different, and at times overlapping, sets of 
information.\159\ Specifically, as required under the GLBA, the 
safeguards rule requires broker-dealers, investment companies, and 
registered investment advisers (but not transfer agents) to maintain 
written policies and procedures to protect ``customer records and 
information,'' \160\ which is not defined in the GLBA or in Regulation 
S-P. The disposal rule requires every covered institution properly to 
dispose of ``consumer report information,'' a different term, which 
Regulation S-P defines consistently with the FACT Act provisions.\161\
---------------------------------------------------------------------------

    \159\ See Disposal Rule Adopting Release, supra note 32, at 69 
FR 71323 n.13.
    \160\ See 17 CFR 248.30; 15 U.S.C. 6801(b)(1).
    \161\ 17 CFR 248.30(b)(2). Section 628(a)(1) of the FCRA 
directed the Commission to adopt rules requiring the proper disposal 
of ``consumer information, or any compilation of consumer 
information, derived from consumer reports for a business purpose.'' 
15 U.S.C. 1681w(a)(1). Regulation S-P currently uses the term 
``consumer report information'' and defines it to mean a record in 
any form about an individual ``that is a consumer report or is 
derived from a consumer report.'' 17 CFR 248.30(b)(1)(ii). 
``Consumer report'' has the same meaning as in section 603(d) of the 
Fair Credit Reporting Act (15 U.S.C. 1681(d)). 17 CFR 
248.30(b)(1)(i). We are proposing to change the term ``consumer 
report information'' currently in Regulation S-P to ``consumer 
information'' (without changing the definition) to conform to the 
term used by other Federal financial regulators in their guidance 
and rules. See, e.g., 16 CFR 682.1(b) (FTC); 17 CFR 162.2(g) (CFTC); 
12 CFR Appendix B to Part 30: Interagency Guidelines Establishing 
Information Security Standards (``OCC Information Security 
Guidance''), at I.C.2.b; 12 CFR Appendix D-2 to Part 208 (``FRB 
Information Security Guidance''), at I.C.2.b.
---------------------------------------------------------------------------

    To align more closely the information protected by both rules, we 
propose to amend rule 248.30 by replacing the term ``customer records 
and information'' in the safeguards rule with a newly defined term 
``customer information'' and by adding customer information to the 
coverage of the disposal rule.
    For covered institutions other than transfer agents,\162\ the 
proposed rule would define ``customer information'' to encompass any 
record containing ``nonpublic personal information'' (as defined in 
Regulation S-P) about ``a customer of a financial institution,'' 
whether in paper, electronic or other form that is handled or 
maintained by the covered institution or on its behalf.\163\ This 
definition of the information covered by the safeguards rule is 
intended to be consistent with the objectives of the GLBA, which focuses 
on protecting ``nonpublic personal information'' of those who are 
``customers'' of financial institutions.\164\ The proposed definition 
would also conform 
more closely to the definition of ``customer information'' in the 
safeguards rule adopted by the FTC.\165\
---------------------------------------------------------------------------

    \162\ We propose a separate definition of ``customer 
information'' applicable to transfer agents. See infra section 
II.C.3.
    \163\ See proposed rule 248.30(e)(5)(i). As noted below in note 
175, transfer agents typically do not have consumers or customers 
for purposes of Regulation S-P because their clients generally are 
not individuals, but are the issuer in which investors, including 
individuals, hold shares. With respect to a transfer agent 
registered with the Commission, under the proposal customer means 
any natural person who is a securityholder of an issuer for which 
the transfer agent acts or has acted as transfer agent. See proposed 
rule 248.30(e)(4)(ii).
    \164\ See 15 U.S.C. 6801(a).
    \165\ See 16 CFR 314.2(d) (FTC safeguards rule defining 
``customer information'' to mean ``any record containing nonpublic 
personal information, as defined in 16 CFR 313.3(n) about a customer 
of a financial institution, whether in paper, electronic, or other 
form, that is handled or maintained by or on behalf of you or your 
affiliates''). The proposed rules would not require covered 
institutions to be responsible for their affiliates' policies and 
procedures for safeguarding customer information because we believe 
that covered institutions' affiliates generally are financial 
institutions subject to the safeguards rules of other Federal 
financial regulators.

---------------------------------------------------------------------------

[[Page 20637]]

    Adding customer information to the coverage of the disposal rule 
is also intended to be consistent with the objectives of the GLBA. 
Under the GLBA, an institution has a ``continuing 
obligation'' to protect the security and confidentiality of customers' 
nonpublic personal information.\166\ The proposed rule clarifies that 
this obligation continues through disposal of customer information. The 
proposed rule is also intended to be consistent with the objectives of 
the FACT Act. The FACT Act focuses on protecting ``consumer 
information,'' a category of information that will remain within the 
scope of the disposal rule.\167\ Adding customer information to the 
disposal provisions will simplify compliance with the FACT Act by 
eliminating an institution's need to determine whether its customer 
information is also consumer information subject to the disposal rule. 
Institutions should also be less likely to fail to dispose of consumer 
information properly by misidentifying it as customer information only. 
In addition, including customer information in the coverage of the 
disposal rule would conform the rule more closely to the Banking 
Agencies' Safeguards Guidance.\168\ These proposed amendments are 
intended to be consistent with the Commission's statutory mandates 
under the GLBA and the FACT Act to adopt final financial privacy 
regulations and disposal regulations, respectively, that are consistent 
with and comparable to those adopted by other Federal financial 
regulators.\169\
---------------------------------------------------------------------------

    \166\ See 15 U.S.C. 6801(a).
    \167\ See 15 U.S.C. 1681w(a)(1) and proposed rule 248.30(c)(1). 
``Consumer information'' is not included within the scope of the 
safeguards rule, except to the extent it overlaps with any 
``customer information,'' because the safeguards rule is adopted 
pursuant to the GLBA and therefore is limited to information about 
``customers.''
    \168\ See, e.g., OCC Information Security Guidance, supra note 
161 (OCC guidelines providing that national banks and Federal 
savings associations must ``develop, implement, and maintain 
appropriate measures to properly dispose of customer information and 
consumer information''); FRB Information Security Guidance, supra 
note 161 (similar Federal Reserve Board provisions for state member 
banks).
    \169\ See 15 U.S.C. 6804(a) (directing the agencies authorized 
to prescribe regulations under title V of the GLBA to assure to the 
extent possible that their regulations are consistent and 
comparable); and 15 U.S.C. 1681w(2)(B) (directing the agencies with 
enforcement authority set forth in 15 U.S.C. 1681s to consult and 
coordinate so that, to the extent possible, their regulations are 
consistent and comparable).
---------------------------------------------------------------------------

    We request comment on the proposed definition of ``customer 
information,'' including the following:
    71. Is the proposed definition of ``customer information,'' which 
includes any records containing nonpublic personal information about a 
customer of a financial institution that is handled or maintained by 
the covered institution or on its behalf, too narrow? If so, how should 
we expand the definition? Should the definition also include customer 
information maintained on behalf of a covered institutions' affiliates?
    72. Do covered institutions share customer information with 
affiliates that are neither financial institutions subject to the 
safeguards rules of other Federal financial regulators nor service 
providers? If so, please explain. Should customer information be 
subject to the same protections when a covered institution shares it 
with such an affiliate?
    73. Are there any aspects of the proposed definition that may be 
too broad? If so, in what way? For example, should the definition 
limit customer information to nonpublic personal information about an 
institution's own customers that is maintained by or on behalf of the 
covered institution?
    74. Is the safeguards rule too narrow? Should it extend to consumer 
information that is not customer information (e.g., information from a 
consumer report about an employee or prospective employee)?
    75. Under the proposed amendments, the disposal rule would apply to 
both customer information and consumer information. Is the proposed 
amended disposal rule too broad? If so, how should we narrow the 
coverage? For example, should the disposal rule protect customer 
information that is not consumer information, i.e., nonpublic personal 
information, such as transaction information, that does not appear in a 
consumer report? Are there benefits to having the safeguards rule and 
the disposal rule apply to a more consistent set of information?
    76. For covered institutions that are owned or controlled by 
affiliates based in another jurisdiction, what is the risk that 
customer information, including sensitive customer information, may be 
shared and used by such other affiliates? Would such practices raise 
concerns about potential harm related to the use or possession of 
customer information by such foreign affiliates? Should the rule 
include additional requirements that would restrict the transmission of 
such customer information to foreign affiliates and others? If so, what 
should these be?

2. Safeguards Rule and Disposal Rule Coverage of Customer Information
    We also propose to amend rule 248.30 to add a new section that 
would provide that the safeguards rule

[…truncated; see source link]
Indexed from Federal Register on April 6, 2023.