Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information
Primary source
Metadata and text below are from the Federal Register, a public-domain U.S. government work. Always verify the official published version before relying on it for any legal matter.
Abstract
The Securities and Exchange Commission ("Commission" or "SEC") is adopting rule amendments that will require brokers and dealers (or "broker-dealers"), investment companies, investment advisers registered with the Commission ("registered investment advisers"), funding portals, and transfer agents registered with the Commission or another appropriate regulatory agency ("ARA") as defined in the Securities Exchange Act of 1934 ("transfer agents") to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. In addition, the amendments extend the application of requirements to safeguard customer records and information to transfer agents; broaden the scope of information covered by the requirements for safeguarding customer records and information and for properly disposing of consumer report information; impose requirements to maintain written records documenting compliance with the amended rules; and conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act ("GLBA").
Full Text
<html>
<head>
<title>Federal Register, Volume 89 Issue 107 (Monday, June 3, 2024)</title>
</head>
<body><pre>
[Federal Register Volume 89, Number 107 (Monday, June 3, 2024)]
[Rules and Regulations]
[Pages 47688-47789]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2024-11116]
[[Page 47687]]
Vol. 89
Monday,
No. 107
June 3, 2024
Part II
Securities and Exchange Commission
-----------------------------------------------------------------------
17 CFR Parts 240, 248, 270, et al.
Regulation S-P: Privacy of Consumer Financial Information and
Safeguarding Customer Information; Final Rule
Federal Register / Vol. 89, No. 107 / Monday, June 3, 2024 / Rules
and Regulations
[[Page 47688]]
-----------------------------------------------------------------------
SECURITIES AND EXCHANGE COMMISSION
17 CFR Parts 240, 248, 270, and 275
[Release Nos. 34-100155; IA-6604; IC-35193; File No. S7-05-23]
RIN 3235-AN26
Regulation S-P: Privacy of Consumer Financial Information and
Safeguarding Customer Information
AGENCY: Securities and Exchange Commission.
ACTION: Final rule.
-----------------------------------------------------------------------
SUMMARY: The Securities and Exchange Commission (``Commission'' or
``SEC'') is adopting rule amendments that will require brokers and
dealers (or ``broker-dealers''), investment companies, investment
advisers registered with the Commission (``registered investment
advisers''), funding portals, and transfer agents registered with the
Commission or another appropriate regulatory agency (``ARA'') as
defined in the Securities Exchange Act of 1934 (``transfer agents'') to
adopt written policies and procedures for incident response programs to
address unauthorized access to or use of customer information,
including procedures for providing timely notification to individuals
affected by an incident involving sensitive customer information with
details about the incident and information designed to help affected
individuals respond appropriately. In addition, the amendments extend
the application of requirements to safeguard customer records and
information to transfer agents; broaden the scope of information
covered by the requirements for safeguarding customer records and
information and for properly disposing of consumer report information;
impose requirements to maintain written records documenting compliance
with the amended rules; and conform annual privacy notice delivery
provisions to the terms of an exception provided by a statutory
amendment to the Gramm-Leach-Bliley Act (``GLBA'').
DATES:
Effective date: This rule is effective August 2, 2024.
Compliance date: The applicable compliance dates are discussed in
section II.F of this rule.
FOR FURTHER INFORMATION CONTACT: Emily Hellman, James Wintering,
Special Counsels; Edward Schellhorn, Branch Chief; Devin Ryan,
Assistant Director; John Fahey, Deputy Chief Counsel; Emily Westerberg
Russell, Chief Counsel; Office of Chief Counsel, Division of Trading
and Markets, (202) 551-5550; Kevin Schopp, Senior Special Counsel;
Moshe Rothman, Assistant Director; Office of Clearance and Settlement,
Division of Trading and Markets, (202) 551-5550; Susan Ali and Andrew
Deglin, Counsels; Michael Khalil and Y. Rachel Kuo, Senior Counsels;
Blair Burnett and Bradley Gude, Branch Chiefs; or Brian McLaughlin
Johnson, Assistant Director, Investment Company Regulation Office,
Division of Investment Management, (202) 551-6792, Securities and
Exchange Commission, 100 F Street NE, Washington, DC 20549.
SUPPLEMENTARY INFORMATION: The Commission is adopting amendments to 17
CFR 248.1 through 248.100 (``Regulation S-P'') under Title V of the
GLBA [15 U.S.C. 6801 through 6827], the Fair Credit Reporting Act
(``FCRA'') [15 U.S.C. 1681 through 1681x], the Securities Exchange Act
of 1934 (``Exchange Act'') [15 U.S.C. 78a et seq.], the Investment
Company Act of 1940 (``Investment Company Act'') [15 U.S.C. 80a-1 et
seq.], and the Investment Advisers Act of 1940 (``Investment Advisers
Act'') [15 U.S.C. 80b-1 et seq.].
Table of Contents
I. Introduction and Background
II. Discussion
A. Incident Response Program Including Customer Notification
1. Assessment
2. Containment and Control
3. Notice to Affected Individuals
4. Service Providers
B. Scope of Safeguards Rule and Disposal Rule
1. Scope of Information Protected
2. Extending the Scope of the Safeguards Rule and the Disposal
Rule To Cover All Transfer Agents
3. Maintaining the Current Regulatory Framework for Notice-
Registered Broker-Dealers
C. Recordkeeping
D. Exception From Requirement To Deliver Annual Privacy Notice
E. Existing Staff No-Action Letters and Other Staff Statements
F. Compliance Period
III. Other Matters
IV. Economic Analysis
A. Introduction
B. Broad Economic Considerations
C. Baseline
1. Safeguarding Customer Information: Risks and Practices
2. Regulations and Guidelines
3. Market Structure
D. Benefits and Costs of the Final Rule Amendments
1. Written Policies and Procedures
2. Extending the Scope of the Safeguards Rule and the Disposal
Rule
3. Recordkeeping
4. Exception From Annual Notice Delivery Requirement
E. Effects on Efficiency, Competition, and Capital Formation
F. Reasonable Alternatives Considered
1. Reasonable Assurances From Service Providers
2. Lower Threshold for Customer Notice
3. Encryption Safe Harbor
4. Longer Customer Notification Deadlines
5. Broader National Security and Public Safety Delay in Customer
Notification
V. Paperwork Reduction Act
A. Introduction
B. Amendments to the Safeguards Rule and Disposal Rule
VI. Final Regulatory Flexibility Act Analysis
A. Need for, and Objectives of, the Final Amendments
B. Significant Issues Raised by Public Comments
C. Small Entities Subject to Final Amendments
D. Projected Reporting, Recordkeeping, and Other Compliance
Requirements
E. Agency Action To Minimize Effect on Small Entities
Statutory Authority
I. Introduction and Background
Regulation S-P is a set of privacy rules adopted pursuant to the
GLBA and the Fair and Accurate Credit Transactions Act of 2003 (``FACT
Act'') that govern the treatment of nonpublic personal information
about consumers by certain financial institutions.\1\ The Commission is
adopting rule amendments that are designed to modernize and enhance the
protections that Regulation S-P provides by addressing the expanded use
of technology and corresponding risks that have emerged since the
Commission originally adopted Regulation S-P in 2000. The amendments in
particular update the requirements of the ``safeguards'' and
``disposal'' rules. The safeguards rule requires brokers, dealers,
investment companies,\2\ and registered investment advisers to adopt
written policies and procedures that address administrative, technical,
and physical safeguards to protect customer records and information.\3\
The disposal rule, which applies to transfer agents
[[Page 47689]]
registered with the Commission in addition to the institutions covered
by the safeguards rule, requires proper disposal of consumer report
information.\4\ In addition, under Regulation Crowdfunding, funding
portals must comply with the requirements of Regulation S-P as they
apply to brokers.\5\ Thus, funding portals will also be required to
comply with the applicable amendments to Regulation S-P adopted in this
release.
---------------------------------------------------------------------------
\1\ See 17 CFR 248.1.
\2\ Regulation S-P applies to investment companies as the term
is defined in section 3 of the Investment Company Act (15 U.S.C.
80a-3), whether or not the investment company is registered with the
Commission. See 17 CFR 248.3(r). Thus, a business development
company, which is an investment company but is not required to
register as such with the Commission, is subject to Regulation S-P.
Similarly, employees' securities companies--including those that are
not required to register under the Investment Company Act--are
investment companies and are, therefore, subject to Regulation S-P.
By contrast, issuers that are excluded from the definition of
investment company--such as private funds that are able to rely on
section 3(c)(1) or 3(c)(7) of the Investment Company Act--are not
subject to Regulation S-P.
\3\ 17 CFR 248.30(a). References in this release to ``rule
248.30'' are to 17 CFR 248.30.
\4\ Rule 248.30(b).
\5\ See 17 CFR 227.403(b). Accordingly, unless otherwise stated
(for example, see infra sections IV and V), references in this
release to ``brokers'' or ``broker-dealers'' include funding
portals.
---------------------------------------------------------------------------
The final Regulation S-P amendments are needed to provide enhanced
protection of customer or consumer information and help ensure that
customers of covered institutions receive timely and consistent
notifications in the event of unauthorized access to or use of their
information.\6\ In evaluating amendments to Regulation S-P, we have
considered developments in how firms obtain, share, and maintain
individuals' personal information since the Commission originally
adopted Regulation S-P, which correspond with an increasing risk of
harm to individuals.\7\ This environment of expanded risks and the
importance of reducing or mitigating the potential for harm also
supports our amendments to Regulation S-P.
---------------------------------------------------------------------------
\6\ See Proposing Release at section II.A.4.
\7\ See, e.g., Federal Bureau of Investigation, 2022 Internet
Crime Report (Mar. 27, 2023), at 7-8, available at: <a href="https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf">https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf</a> (stating that
the FBI's Internet Crime Complaint Center received 800,944
complaints in 2022 (an increase from 351,937 complaints in 2018).
The complaints included 58,859 related to personal data breaches (an
increase from 50,642 breaches in 2018)); the Financial Industry
Regulatory Authority (``FINRA''), 2022 Report on FINRA's Examination
and Risk Monitoring Program: Cybersecurity and Technology Governance
(Feb. 2022), available at: <a href="https://www.finra.org/rules-guidance/guidance/reports/2022-finras-examination-and-risk-monitoring-program">https://www.finra.org/rules-guidance/guidance/reports/2022-finras-examination-and-risk-monitoring-program</a>
(noting increased number and sophistication of cybersecurity attacks
and reminding firms of their obligations to oversee, monitor, and
supervise cybersecurity programs and controls of third-party
vendors); Office of Compliance Inspections and Examinations (now the
Division of Examinations) (``EXAMS''), Risk Alert, Cybersecurity:
Safeguarding Client Accounts against Credential Compromise (Sept.
15, 2020), available at <a href="https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf">https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf</a> (describing increasingly
sophisticated methods used by attackers to gain access to customer
accounts and firm systems). This Risk Alert, and any other
Commission staff statements represent the views of the staff. They
are not a rule, regulation, or statement of the Commission.
Furthermore, the Commission has neither approved nor disapproved
their content. These staff statements, like all staff statements,
have no legal force or effect. They do not alter or amend applicable
law; and they create no new or additional obligations for any
person.
---------------------------------------------------------------------------
In March 2023, the Commission proposed amendments to Regulation S-P.\8\
In particular, the proposed amendments would amend the safeguards
rule to require any broker or dealer, investment company, registered
investment adviser, or transfer agent (collectively, ``covered
institutions'') to develop, implement, and maintain written policies
and procedures for an incident response program reasonably designed to
detect, respond to, and recover from unauthorized access to or use of
customer information. The proposal included a further requirement that,
as part of this incident response program, covered institutions would
provide notices to individuals whose sensitive customer information
was, or is reasonably likely to have been, accessed or used without
authorization as soon as practicable, but not later than 30 days, after
becoming aware that the incident occurred or is reasonably likely to
have occurred. The proposed notice requirement included provisions that
addressed the use of service providers by covered institutions and
included a provision that would permit covered institutions to delay
providing notice after receiving a written request from the United
States Attorney General (``Attorney General'') that this notice poses a
substantial risk to national security.
---------------------------------------------------------------------------
\8\ See Regulation S-P: Privacy of Consumer Financial
Information and Safeguarding Customer Information, Securities
Exchange Act Release No. 97141 (Mar. 15, 2023) [88 FR 20616 (Apr. 6,
2023)] (``Proposing Release'' or ``proposal''). The Commission voted
to issue the Proposing Release on Mar. 15, 2023. The release was
posted on the Commission website that day, and comment letters were
received beginning the same day. The comment period closed on June
5, 2023. We have considered all comments received since Mar. 15,
2023.
---------------------------------------------------------------------------
The Commission also proposed other amendments to Regulation S-P to
enhance the protection of customers' nonpublic personal information.
The proposed amendments included provisions to expand the scope of the
protections of the safeguards and disposal rules, including extending
the safeguards rule to transfer agents. The proposed amendments also
included requirements for covered institutions to maintain written
records documenting compliance with the proposed amended rules.
Finally, the Commission proposed amendments to conform annual privacy
notice delivery provisions to the terms of an exception provided by a
statutory amendment to the GLBA.
The Commission received comment letters on the proposal from a
variety of commenters, including financial services firms and their
service providers, law firms, investor advocacy groups, professional
and trade associations, public policy research institutes, academics,
and interested individuals.\9\ Most individual and public interest
group commenters and some industry groups generally supported the
proposed amendments.\10\ A few commenters urged the Commission to
consider taking additional steps to strengthen the proposed
requirements, for example, by shortening the period for customer
notification.\11\ Many industry commenters expressed concern with
specific elements of the proposed amendments, however, suggesting that
these amendments would pose operational difficulties.\12\
---------------------------------------------------------------------------
\9\ The comment letters on the proposal are available at <a href="https://www.sec.gov/comments/s7-05-23/s70523.htm">https://www.sec.gov/comments/s7-05-23/s70523.htm</a>.
\10\ See, e.g., Comment Letter of the Investment Adviser
Association (June 5, 2023) (``IAA Comment Letter 1''); Comment
Letter of the Investment Company Institute (May 23, 2023) (``ICI
Comment Letter 1''); Comment Letter of Better Markets (June 5, 2023)
(``Better Markets Comment Letter''); Comment Letter of North
American Securities Administrators Association (May 22, 2023)
(``NASAA Comment Letter''). Some commenters suggested more tailored
requirements for smaller covered institutions. See, e.g., IAA
Comment Letter 1; Comment Letter of the Securities Transfer
Association (June 2, 2023) (``STA Comment Letter 2''); Comment
Letter of the Committee of Annuity Insurers (June 5, 2023) (``CAI
Comment Letter''). As discussed in more detail below, the final
amendments apply to all covered institutions because entities of all
sizes are vulnerable to the types of data security breach incidents
we are trying to address. See infra section VI.
\11\ See, e.g., Better Markets Comment Letter.
\12\ See, e.g., Comment Letter of the Securities Industry and
Financial Markets Association, et al. (June 5, 2023) (``SIFMA
Comment Letter 2''); Comment Letter of the Financial Services
Institute (May 22, 2023) (``FSI Comment Letter''); Comment Letter of
Federated Hermes, Inc. (June 6, 2023) (``Federated Comment
Letter'').
---------------------------------------------------------------------------
Comments on specific aspects of the proposed amendments focused on
a few key themes. First, commenters urged the Commission to take a more
holistic regulatory approach to harmonize the proposed amendments with
other Commission rules and proposals to avoid creating redundant,
overlapping, or conflicting obligations for covered institutions.\13\
We have modified the
[[Page 47690]]
rule from the proposal to address comments.\14\
---------------------------------------------------------------------------
\13\ See, e.g., IAA Comment Letter 1; ICI Comment Letter 1;
Comment Letter of Nasdaq Stock Market LLC (June 2, 2023) (``Nasdaq
Comment Letter''). Commenters also raised these concerns about other
proposed rulemakings that the Commission has not adopted. See, e.g.,
Comment Letter of the Investment Adviser Association (June 17, 2023)
(``IAA Comment Letter 2''); ICI Comment Letter 1. Other commenters
requested more specific guidance regarding how the various policies
and procedure requirements in other Commission proposals would
interact with each other. See, e.g., CAI Comment Letter; SIFMA
Comment Letter 2; IAA Comment Letter 2. To the extent that those
proposals are adopted, the baseline in those subsequent rulemakings
will reflect the existing regulatory requirements at that time.
\14\ Since the publication of the proposing release, the
Commission adopted new rules to enhance and standardize disclosures
regarding cybersecurity risk management, strategy, governance, and
incidents by public companies that are subject to the reporting
requirements of the Securities Exchange Act of 1934 (``Public
Company Cybersecurity Rules''). See Cybersecurity Risk Management,
Strategy, Governance, and Incident Disclosure, Securities Act
Release No. 11216 (July 26, 2023) [88 FR 51896 (Aug. 4, 2023)].
---------------------------------------------------------------------------
For example, covered institutions may be required to adopt written
policies and procedures on similar issues under other provisions of the
Federal securities laws.\15\ A covered institution can, however, adopt
a single set of policies and procedures covering Regulation S-P and
other rules, provided that the policies and procedures meet the
requirements of each rule.\16\ Additionally, we have changed the
proposed requirement to delay providing customer notices when that
notice poses a substantial risk to national security or public safety
in order to align with a similar provision contained in the Public
Company Cybersecurity Rules.\17\
---------------------------------------------------------------------------
\15\ See, e.g., 15 U.S.C. 80b-4a (requiring each adviser
registered with the Commission to have written policies and
procedures reasonably designed to prevent misuse of material non-
public information by the adviser or persons associated with the
adviser); 17 CFR 270.38a-1(a)(1) (requiring investment companies to
adopt compliance policies and procedures); 275.206(4)-7(a)
(requiring investment advisers to adopt compliance policies and
procedures); and Regulation S-ID, 17 CFR part 248, subpart C
(requiring financial institutions subject to the Commission's
jurisdiction with covered accounts to develop and implement a
written identity theft prevention program that is designed to
detect, prevent, and mitigate identity theft in connection with
covered accounts, which must include, among other things, policies
and procedures to respond appropriately to any red flags that are
detected pursuant to the program).
\16\ Two commenters addressed the proposal's application to
dually-registered investment advisers and broker-dealers or firms
operating both business models (collectively, ``dual registrants'').
One of these commenters stated that the proposed amendments to
Regulation S-P allow for streamlining of process because they would
apply uniformly to broker-dealers and investment advisers. FSI
Comment Letter. The other commenter addressed collectively other
Commission cyber proposals and the proposed amendments to Regulation
S-P. The commenter stated that these proposals collectively would
involve significant burden for a dual registrant to bring both
broker-dealer and investment adviser entities into compliance,
urging the Commission to provide an extended compliance period for
all of the proposed rules to provide time for dual registrants to
come into compliance and ``identify some synergies that might make
compliance more effective and economical.'' Cambridge Comment
Letter. As one of these commenters stated, Regulation S-P's
requirements apply uniformly to broker-dealers and advisers,
although each covered institution--including a dual registrant--will
have to tailor its policies and procedures to its business.
\17\ See infra section II.A.3.d(2).
---------------------------------------------------------------------------
Commenters also questioned the need for the proposed amendments in
light of existing State laws that also address data breaches and raised
concerns about differences between the proposed amendments and State
regulatory requirements. One commenter stated that the proposed
amendments were not needed because existing State laws already require
firms to provide notice to individuals in the event of a data
breach.\18\ Some commenters stated that parts of the proposed
amendments would conflict with certain provisions of State laws,\19\
while other commenters stated that parts of the proposed amendments
would duplicate existing State laws.\20\
---------------------------------------------------------------------------
\18\ See CAI Comment Letter.
\19\ See, e.g., IAA Comment Letter 1; Letter from Computershare
(June 5, 2023) (``Computershare Comment Letter''); SIFMA Comment
Letter 2.
\20\ See, e.g., CAI Comment Letter.
---------------------------------------------------------------------------
As discussed more fully later in this section, while we recognize
that existing State laws require covered institutions to notify State
residents of data breaches in some cases, State laws are not consistent
on this point and exclude some entities from certain requirements.\21\
The final amendments will require notification to all customers of a
covered institution affected by a data breach (regardless of State
residency), in order to provide timely and consistent disclosure of
important information to help affected customers respond to a data
breach.\22\ To that end, the final amendments will enhance investor
protection in a number of ways, including by covering a broader scope
of customer information than many States; \23\ providing for a 30-day
notification deadline that is shorter than the timing currently
mandated by many States (including States that have no deadline or
those allowing for various notification delays); \24\ and providing for
a more robust notification trigger than in many States.\25\
---------------------------------------------------------------------------
\21\ See infra section IV.C.2.
\22\ With respect to the interaction of the final rule with
State law, Section 15(i)(1) of the Exchange Act (15 U.S.C.
78o(i)(1)) provides that no law, rule, regulation, or order, or
other administrative action of any State or political subdivision
thereof shall establish capital, custody, margin, financial
responsibility, making and keeping records, bonding, or financial or
operational reporting requirements for brokers, dealers, municipal
securities dealers, government securities brokers, or government
securities dealers that differ from, or are in addition to, the
requirements in those areas established under the Exchange Act.
\23\ See infra section IV.D.1.b(3).
\24\ See infra section IV.D.1.b(2).
\25\ See infra section IV.D.1.b(4).
---------------------------------------------------------------------------
Commenters also raised concerns with differences between the
proposed amendments and other Federal regulators' safeguarding
standards that also include a requirement for a data breach response
plan or program.\26\ The GLBA and FACT Act oblige us to adopt
regulations, to the extent possible, that are consistent and comparable
with those adopted by the Banking Agencies, the Consumer Financial
Protection Bureau (``CFPB''), and the FTC.\27\ Accordingly, the
Commission has also been mindful of the need to set standards for
safeguarding customer records and information that are consistent and
comparable with the corresponding standards set by these agencies in
developing the amendments.\28\ To this end, we have modified the final
amendments from the proposal to promote greater consistency with other
applicable Federal safeguard standards to the extent they do not affect
the investor protection purposes of this rulemaking, as discussed in
more detail below. For example, the final amendments require covered
institutions to ensure that their service providers provide
notification as soon
[[Page 47691]]
as possible, but no later than 72 hours after becoming aware that an
applicable breach has occurred, which is informed by the 72-hour
deadline that is required under the Cyber Incident Reporting for
Critical Infrastructure Act of 2022 (``CIRCIA'').\29\
---------------------------------------------------------------------------
\26\ The Federal Trade Commission (``FTC'') in 2021 amended its
Safeguards Rule (16 CFR part 314 (``FTC Safeguards Rule'')) by,
among other things, adding a requirement for financial institutions
under the FTC's GLBA jurisdiction to establish a written incident
response plan designed to respond to information security events.
See FTC, Standards for Safeguarding Customer Information, 86 FR
70272 (Dec. 9, 2021). As amended, the FTC's rule requires that a
response plan address security events materially affecting the
confidentiality, integrity, or availability of customer information
in the financial institution's control, and that the plan include
specified elements that would include procedures for satisfying an
institution's independent obligation to perform notification as
required by State law. See id. at n.295. The ``Banking Agencies''
include the Office of the Comptroller of the Currency (``OCC''), the
Board of Governors of the Federal Reserve System (``FRB''), the
Federal Deposit Insurance Corporation (``FDIC''), and the former
Office of Thrift Supervision. In 2005, the Banking Agencies and the
National Credit Union Administration (``NCUA'') jointly issued
guidance on responding to incidents of unauthorized access to or use
of customer information. See Interagency Guidance on Response
Programs for Unauthorized Access to Customer Information and
Customer Notice, 70 FR 15736 (Mar. 29, 2005) (``Banking Agencies'
Incident Response Guidance''). The Banking Agencies' Incident
Response Guidance provides, among other things, that when an
institution becomes aware of an incident of unauthorized access to
sensitive customer information, the institution should conduct a
reasonable investigation to determine promptly the likelihood that
the information has been or will be misused. If the institution
determines that misuse of the information has occurred or is
reasonably possible, it should notify affected customers as soon as
possible.
\27\ See generally 15 U.S.C. 6804(a) (directing the agencies
authorized to prescribe regulations under title V of the GLBA to
assure to the extent possible that their regulations are consistent
and comparable); 15 U.S.C. 1681w(a)(2)(A) (directing the agencies
with enforcement authority set forth in 15 U.S.C. 1681s to consult
and coordinate so that, to the extent possible, their regulations
are consistent and comparable).
\28\ See Proposing Release at the text following n.37.
\29\ See final rule 248.30(a)(5)(i); see also infra footnote 245
and accompanying text (discussing how a 72-hour reporting deadline
would align with other regulatory standards). Under CIRCIA, the 72-
hour reporting deadline is for entities to report cyber incidents to
the Cybersecurity and Infrastructure Security Agency (``CISA'').
---------------------------------------------------------------------------
We recognize, however, that there are some areas of divergence
between the final amendments and other Federal regulators' GLBA
safeguarding standards, and we discuss the basis for each provision of
the final rules below, including cases where the amendments differ from
analogous requirements under State law or other Federal
regulations.\30\
---------------------------------------------------------------------------
\30\ Among the changes being adopted, we are revising as
proposed the requirements of 17 CFR 248.17 (``rule 248.17'') to
refer to determinations made by the CFPB rather than the FTC,
consistent with changes made to section 507 of the GLBA by the Dodd-
Frank Wall Street Reform and Consumer Protection Act. See Public Law
111-203, sec. 1041, 124 Stat. 1376 (2010). Upon its adoption, rule
248.17 essentially restated the then-current text of section 507 of
the GLBA, and as such, referenced determinations made by the FTC.
See Privacy of Consumer Financial Information (Regulation S-P),
Exchange Act Release No. 42974 (June 22, 2000) [65 FR 40334 (June
29, 2000)].
---------------------------------------------------------------------------
Many commenters also urged the Commission to coordinate with other
Federal agencies, particularly on reporting deadlines.\31\ For example,
a number of commenters suggested that the Commission coordinate with
CISA as it develops regulations pursuant to CIRCIA.\32\ We have
consulted and coordinated with CISA and, consistent with the
requirements of the GLBA and other statutory requirements,\33\ other
relevant agencies and their representatives for the purpose of
ensuring, to the extent possible, that the amendments are consistent
and comparable with the regulations prescribed by other relevant
agencies.\34\
---------------------------------------------------------------------------
\31\ See, e.g., Comment Letter of Amazon Web Services (June 5,
2023) (``AWS Comment Letter''); Comment Letter of Google Cloud (June
5, 2023) (``Google Comment Letter''); and Nasdaq Comment Letter.
\32\ See, e.g., SIFMA Comment Letter 2; Cambridge Comment
Letter; Google Comment Letter. CISA has provided a notice of
proposed rulemaking that would implement the CIRCIA requirements but
they have not yet been adopted. See also Cyber Incident Reporting
for Critical Infrastructure Act (CIRCIA) Reporting Requirements, 89
FR 23644 (Apr. 4, 2024).
\33\ See Exchange Act Section 17A(d)(3)(A), 15 U.S.C. 78q-
1(d)(3)(A) (providing that ``[w]ith respect to any clearing agency
or transfer agent for which the Commission is not the appropriate
regulatory agency, the Commission and the appropriate regulatory
agency for such clearing agency or transfer agent shall consult and
cooperate with each other . . .'').
\34\ See 15 U.S.C. 6804(a)(2). The relevant agencies include the
OCC, FRB, FDIC, CFPB, FTC, CISA, Commodity Futures Trading
Commission (``CFTC''), Department of Justice (``DOJ''), and the
National Association of Insurance Commissioners.
---------------------------------------------------------------------------
We are adopting amendments to Regulation S-P substantially as
proposed, with some changes in response to comments. The principal
elements of the final amendments, as discussed in more detail below,
are as follows:
<bullet> Incident Response Program. The final safeguards rule
requires covered institutions to develop, implement, and maintain
written policies and procedures for an incident response program that
is reasonably designed to detect, respond to, and recover from
unauthorized access to or use of customer information. The final
amendments will require that a response program include procedures to
assess the nature and scope of any incident and to take appropriate
steps to contain and control the incident to prevent further
unauthorized access or use.
<bullet> Notification Requirement. The response program procedures
in the final amendments also include a requirement that covered
institutions provide a notification to individuals whose sensitive
customer information was, or is reasonably likely to have been,
accessed or used without authorization. Notice will not be required if
a covered institution determines, after a reasonable investigation of
the facts and circumstances of the incident of unauthorized access to
or use of sensitive customer information, that the sensitive customer
information has not been, and is not reasonably likely to be, used in a
manner that would result in substantial harm or inconvenience. Under
the final amendments, a customer notice must be clear and conspicuous
and provided by a means designed to ensure that each affected
individual can reasonably be expected to receive it. This notice must
be provided as soon as reasonably practicable, but not later than 30
days, after the covered institution becomes aware that unauthorized
access to or use of customer information has, or is reasonably likely
to have, occurred. As discussed in more detail below, the final
amendments will permit covered institutions to delay providing notice
after the Commission receives a written request from the Attorney
General indicating that this notice poses a substantial risk to
national security or public safety.\35\
---------------------------------------------------------------------------
\35\ See infra section II.A.3.d(2).
---------------------------------------------------------------------------
<bullet> Service Providers. The final amendments to the safeguards
rule include new provisions that address the use of service providers
by covered institutions. Under these provisions, covered institutions
will be required to establish, maintain, and enforce written policies
and procedures reasonably designed to require oversight, including
through due diligence and monitoring, of service providers, including to
ensure that affected individuals receive any required notices. The
final amendments make clear that while covered institutions may use
service providers to provide any required notice, covered institutions
will retain the obligation to ensure that affected individuals are
notified in accordance with the notice requirements.
<bullet> Scope. The final amendments will more closely align the
information protected under the safeguards rule and the disposal rule
by applying the protections of both rules to ``customer information,''
a newly defined term. The final amendments will also broaden the group
of customers whose information is protected under both rules. Also,
transfer agents will be required to comply with the safeguards rule.
<bullet> Recordkeeping and Annual Notice Amendments. The final
amendments will add requirements for covered institutions, other than
funding portals,\36\ to make and maintain written records documenting
compliance with the requirements of the safeguards rule and the
disposal rule. Further, the final amendments amend the existing
requirement to provide annual privacy notices to codify a statutory
exception.
---------------------------------------------------------------------------
\36\ As discussed below, funding portals are already subject to
recordkeeping requirements with regard to documenting their
compliance with Regulation S-P, which are not being amended by these
final amendments. See infra footnote 385 and accompanying
discussion.
---------------------------------------------------------------------------
II. Discussion
Since Regulation S-P was first adopted in 2000, evolving digital
communications and information storage tools and other technologies
have made it easier for firms to obtain, share, and maintain
individuals' personal information. This increases the risk of
customers' information being accessed or used without authorization,
for example in a cyberattack or if customer information is improperly
disposed of or stolen. In particular, as a frequently-targeted
industry, the financial sector has observed increased exposure to
cyberattacks that threaten not only the financial firms themselves, but
also their customers, especially considering that customer records and
other information that covered
[[Page 47692]]
institutions possess can be particularly sensitive.\37\ The final
amendments will modernize and enhance the protections that Regulation
S-P already provides to address this changed landscape.
---------------------------------------------------------------------------
\37\ See infra section IV.C.1.
---------------------------------------------------------------------------
A. Incident Response Program Including Customer Notification
As set forth in the proposal, security incidents may result in,
among other things, misuse, exposure or theft of a customer's nonpublic
personal information, and potentially leave affected individuals
vulnerable to having their information further compromised. Threat
actors can use customer information to cause harm in a number of ways,
such as by stealing customer identities to sell to other threat actors
on the dark web, publishing customer information on the dark web, using
customer identities to carry out fraud themselves, or taking over a
customer's account for malevolent purposes.
To help protect against harms that may result from a security
incident involving customer information, the Commission proposed and is
adopting amendments to the safeguards rule largely as proposed, with
certain modifications to the notification requirement as discussed
further below.\38\ The amendments will require that covered
institutions' safeguards policies and procedures include an incident
response program for unauthorized access to or use of customer
information, including customer notification procedures.\39\ The
amendments will require the incident response program to be reasonably
designed to detect, respond to, and recover from both unauthorized
access to and unauthorized use of customer information (for the
purposes of this release, an ``incident'').\40\ Any instance of
unauthorized access to or use of customer information will trigger a
covered institution's incident response program. The amendments will
also require that the response program include procedures for notifying
affected individuals whose sensitive customer information was, or is
reasonably likely to have been, accessed or used without
authorization.\41\
---------------------------------------------------------------------------
\38\ See infra section II.A.3.
\39\ See final rule 248.30(a)(3). For clarity, when the
amendments to the safeguards rule refer to ``unauthorized access to
or use'', the word ``unauthorized'' modifies both ``access'' and
``use.''
\40\ See final rule 248.30(a)(3). See also infra section II.B.1
for a discussion of ``customer information.''
\41\ See final rule 248.30(d)(9) for the definition of
``sensitive customer information.'' See also infra section II.A.3.b,
which includes a discussion of ``sensitive customer information.''
Notice must be provided unless a covered institution determines,
after a reasonable investigation of the facts and circumstances of
the incident of unauthorized access to or use of sensitive customer
information that occurred at the covered institution or one of its
service providers that is not itself a covered institution, that
sensitive customer information has not been, and is not reasonably
likely to be, used in a manner that would result in substantial harm
or inconvenience.
---------------------------------------------------------------------------
In this regard, requiring covered institutions to have incident
response programs will help mitigate the risk of harm to affected
individuals stemming from incidents where a customer's information has
been accessed or used without authorization. For example, incident
response programs will help covered institutions to be better prepared
to respond to such incidents, and providing notice to affected
individuals will aid those individuals in taking protective measures
that could mitigate harm that might otherwise result from unauthorized
access to or use of their information. Further, a reasonably designed
incident response program will help facilitate more consistent and
systematic responses to customer information security incidents and
help avoid inadequate responses based on a covered institution's
initial impressions of the scope of the information involved in the
compromise. Requiring the incident response program to address any
incident involving customer information can help a covered institution
better contain and control these incidents and facilitate a prompt
recovery.
As proposed, the amendments will require that a covered
institution's incident response program include policies and procedures
containing certain general elements but will not prescribe specific
steps a covered institution must undertake when carrying out incident
response activities, thereby enabling covered institutions to create
policies and procedures best suited to their particular circumstances.
Specifically, a covered institution's incident response program will be
required to have written policies and procedures to:
(i) Assess the nature and scope of any incident involving
unauthorized access to or use of customer information and identify the
customer information systems and types of customer information that may
have been accessed or used without authorization; \42\
---------------------------------------------------------------------------
\42\ See final rule 248.30(a)(3)(i). The term ``customer
information systems'' would mean the information resources owned or
used by a covered institution, including physical or virtual
infrastructure controlled by such information resources, or
components thereof, organized for the collection, processing,
maintenance, use, sharing, dissemination, or disposition of customer
information to maintain or support the covered institution's
operations. See final rule 248.30(d)(6).
---------------------------------------------------------------------------
(ii) Take appropriate steps to contain and control the incident to
prevent further unauthorized access to or use of customer information;
\43\ and
---------------------------------------------------------------------------
\43\ See final rule 248.30(a)(3)(ii).
---------------------------------------------------------------------------
(iii) Notify each affected individual whose sensitive customer
information was, or is reasonably likely to have been, accessed or used
without authorization in accordance with the notification obligations
discussed below,\44\ unless the covered institution determines, after a
reasonable investigation of the facts and circumstances of the incident
of unauthorized access to or use of sensitive customer information,
that the sensitive customer information has not been, and is not
reasonably likely to be, used in a manner that would result in
substantial harm or inconvenience.\45\
---------------------------------------------------------------------------
\44\ See infra section II.A.3.
\45\ See final rule 248.30(a)(3)(iii).
---------------------------------------------------------------------------
The Commission received multiple comments regarding the proposed
requirement for an incident response program generally.\46\ One
commenter supported requiring the incident response program and
appreciated its similarity to the Banking Agencies' Incident Response
Guidance.\47\ Another commenter stated that there should not be a one-
size-fits-all approach to incident response programs, stating that an
adviser should have discretion to determine how the incident response
program should be implemented, and requested that any final rule make
clear that specific steps for incident response are not required.\48\
Moreover, this commenter requested that the final rule expressly
indicate that in developing their programs, advisers should employ a
principles- and risk-based approach.\49\ This commenter also opposed
the addition of any requirement in the policies and procedures for an
adviser to designate an employee with specific qualifications and
experience (or hire a similarly qualified third party) to coordinate
its incident response program.\50\
---------------------------------------------------------------------------
\46\ Comments for specific components of the incident response
program are discussed in more depth separately. See infra sections
II.A.1-4.
\47\ See ICI Comment Letter 1; see also supra footnote 26
(discussing the Banking Agencies' Incident Response Guidance).
\48\ See IAA Comment Letter 1.
\49\ See id.; see also CAI Comment Letter (stating that policies
and procedures should be based on the specific risks of the
particular covered institution and commensurate with the size and
complexity of the covered institution's activities).
\50\ See id.
---------------------------------------------------------------------------
Covered institutions need the flexibility to develop policies and
procedures suited to their size and
[[Page 47693]]
complexity and the nature and scope of their activities. Therefore, we
did not propose, and are not adopting, specific steps a covered
institution must take when carrying out its incident response program,
and we are not specifically designating who must undertake oversight
responsibilities, thus providing covered institutions flexibility to
determine whether and how to appropriately assign or divide such
responsibilities. As proposed and adopted, the amendments will require
that a covered institution's incident response program include policies
and procedures containing certain general elements, so covered
institutions may tailor their policies and procedures to their
individual facts and circumstances. Additionally, advisers, like other
covered institutions, can continue to use a risk-based approach to
tailor their assessment and containment policies and procedures if they
choose to do so, as long as the required elements of the incident
response program are met.
Two commenters opposed the scope of the proposed incident response
program.\51\ Specifically, these commenters stated that, consistent
with the notification requirements, the assessment and containment and
control components of the incident response program should be limited
to sensitive customer information (and not encompass all nonpublic
customer information).\52\ According to one commenter, because
sensitive customer information is the information likely to cause
substantial harm or inconvenience to a customer and that requires
notification to customers, it follows that incident response programs
should be tailored to sensitive customer information.\53\ The other
commenter stated that clients would view the protection of their
sensitive customer information as a critically important aspect of
their relationship with their adviser and that an adviser's efforts and
resources should appropriately be focused on this information.\54\
---------------------------------------------------------------------------
\51\ See Comment Letter of Schulte Roth & Zabel LLP (June 5,
2023) (``Schulte Comment Letter'') and IAA Comment Letter 1.
\52\ See Schulte Comment Letter; IAA Comment Letter 1.
\53\ See Schulte Comment Letter.
\54\ See IAA Comment Letter 1.
---------------------------------------------------------------------------
We are adopting, as proposed, final rules that require the incident
response program's assessment and containment and control components to
cover a broader scope of information than the notification
requirements. The scope of information covered by the assessment and
containment and control requirements is designed to help ensure that all
information covered by the requirements of the GLBA \55\ is
appropriately safeguarded and that sufficient information is assessed
to fulfill the more narrowly tailored obligation to notify affected
individuals. For example, assessment of any incident involving
unauthorized access to or use of customer information will help
facilitate the evaluation of whether sensitive customer information has
been accessed or used without authorization, which informs whether
notice has to be provided. Additionally, a covered institution's
assessment may also be useful for collecting other information that is
required to populate the notice, such as identifying the date or
estimated date of the incident, among other details. Therefore, the
scope of the incident response program is appropriate, and we are
adopting it as proposed.
---------------------------------------------------------------------------
\55\ The GLBA directs the Commission to establish standards to
insure the security and confidentiality of customer records and
information; to protect against any anticipated threats or hazards
to the security or integrity of such records; and to protect against
unauthorized access to or use of records or information which could
result in substantial harm or inconvenience to any customer. 15
U.S.C. 6801(b).
---------------------------------------------------------------------------
1. Assessment
The final amendments will require that the incident response
program include procedures for: (1) assessing the nature and scope of
any incident involving unauthorized access to or use of customer
information, and (2) identifying the customer information systems and
types of customer information that may have been accessed or used
without authorization.\56\ We did not receive comments addressing the
assessment portion of the incident response program and are adopting it
as proposed.\57\
---------------------------------------------------------------------------
\56\ See final rule 248.30(a)(3)(i). The proposed requirements
related to assessing the nature and scope of a security incident are
consistent with the components of a response program as set forth in
the Banking Agencies' Incident Response Guidance. See Banking
Agencies' Incident Response Guidance.
\57\ Although no comments discussed only the assessment
requirement, multiple comments discussed the incident response
program generally, which includes the assessment requirement. These
comments are discussed in section II.A.
---------------------------------------------------------------------------
The assessment requirement is designed to require a covered
institution to identify both the customer information systems and types
of customer information that may have been accessed or used without
authorization during the incident, as well as the specific customers
affected, which would be necessary to fulfill the obligation to notify
affected individuals.\58\ Information developed during the assessment
process may also help covered institutions develop a contextual
understanding of the circumstances surrounding an incident, as well as
enhance their technical understanding of the incident, which should be
helpful in guiding incident response activities such as containment and
control measures. The assessment process may also be helpful for
identifying and evaluating existing vulnerabilities that could benefit
from remediation in order to prevent such vulnerabilities from being
exploited in the future. Further, covered institutions generally should
consider reviewing and updating the assessment procedures periodically
to ensure that the procedures remain reasonably designed.\59\
---------------------------------------------------------------------------
\58\ For example, a covered institution's assessment may include
gathering information about the type of access, the extent to which
systems or other assets have been affected, the level of privilege
attained by any unauthorized persons, the operational or
informational impact of the breach, and whether any data has been
lost or exfiltrated.
\59\ See also 17 CFR 270.38a-1, 275.206(4)-7.
---------------------------------------------------------------------------
2. Containment and Control
The final amendments will require that the response program have
procedures for taking appropriate steps to contain and control a
security incident, in order to prevent further unauthorized access to
or use of customer information.\60\ We did not receive comments
discussing the containment and control portion of the incident response
program and are adopting it as proposed.\61\
---------------------------------------------------------------------------
\60\ See final rule 248.30(a)(3)(ii). These proposed
requirements are consistent with the components of a response
program as set forth in the Banking Agencies' Incident Response
Guidance. See Banking Agencies' Incident Response Guidance at 15752.
\61\ Although no comments discussed only the containment and
control requirements, multiple comments discussed the incident
response program generally, which includes the containment and
control requirement. These comments are discussed in section II.A.
---------------------------------------------------------------------------
As set forth in the proposal, the objective of containment and
control is to prevent additional damage from unauthorized activity and
to reduce the immediate impact of an incident by removing the source of
the unauthorized activity.\62\ Strategies for containing and
controlling an incident vary depending upon the type of incident and
may include, for example, isolating
[[Page 47694]]
compromised systems or enhancing the monitoring of intruder activities,
searching for additional compromised systems, changing system
administrator passwords, rotating private keys, and changing or
disabling default user accounts and passwords, among other
interventions. Because incident response may involve making complex
judgment calls, such as deciding when to shut down or disconnect a
system, developing and implementing written containment and control
policies and procedures will provide a framework to help facilitate
improved decision making at covered institutions during potentially
high-pressure incident response situations. Further, covered
institutions generally should consider reviewing and updating the
containment and control procedures periodically to ensure that the
procedures remain reasonably designed.\63\
---------------------------------------------------------------------------
\62\ See Proposing Release at Section II.A.2. For a further
discussion of the purposes and practices of such containment
measures, see generally CISA Incident Response Playbook, at 14; see
also Federal Financial Institutions Examination Council (``FFIEC''),
Information Technology Examination Handbook--Information Security
(Sept. 2016), at 52, available at <a href="https://ithandbook.ffiec.gov/media/274793/ffiec_itbooklet_informationsecurity.pdf">https://ithandbook.ffiec.gov/media/274793/ffiec_itbooklet_informationsecurity.pdf</a>.
\63\ See also 17 CFR 270.38a-1, 275.206(4)-7.
---------------------------------------------------------------------------
3. Notice to Affected Individuals
As part of their incident response programs, covered institutions
will be required under the final amendments to provide a clear and
conspicuous notice to affected individuals under certain
circumstances.\64\ We are adopting this requirement substantially as
proposed, with some changes in response to comments.
---------------------------------------------------------------------------
\64\ See final rule 248.30(a)(4).
---------------------------------------------------------------------------
We are adopting, as proposed, a requirement for a covered
institution to notify each affected individual whose sensitive customer
information was, or was reasonably likely to have been, accessed or
used without authorization, unless the covered institution has
determined, after a reasonable investigation of the incident, that
sensitive customer information has not been, and is not reasonably
likely to be, used in a manner that would result in substantial harm or
inconvenience. The covered institution will be required to provide a
clear and conspicuous notice to each affected individual by a means
designed to ensure that the individual can reasonably be expected to
receive actual notice in writing. Also as proposed, the final
amendments require the notice to be provided as soon as practicable,
but not later than 30 days, after the covered institution becomes aware
that unauthorized access to or use of customer information has occurred
or is reasonably likely to have occurred. Lastly, in a modification
from the proposal, the final amendments provide for an incrementally
longer period of time than the proposal for a covered institution to
delay providing notice to affected individuals in cases where the
Attorney General has determined that providing the notice would pose a
substantial risk to national security or public safety. These
requirements are discussed in detail below.
a. Standard for Providing Notice and Identification of Affected
Individuals
We are adopting as proposed a requirement for a covered institution
to provide notice to individuals whose sensitive customer information
was, or is reasonably likely to have been, accessed or used without
authorization, unless, after a reasonable investigation of the facts
and circumstances of the incident of unauthorized access to or use of
sensitive customer information, it determines that sensitive customer
information has not been, and is not reasonably likely to be, used in a
manner that would result in substantial harm or inconvenience.\65\ The
final amendments reflect a presumption of notification: a covered
institution must provide a notice unless it determines notification is
not required following a reasonable investigation. Also as proposed, if
an incident of unauthorized access to or use of customer information
has occurred or is reasonably likely to have occurred, but a covered
institution is unable to identify which specific individuals' sensitive
customer information has been accessed or used without authorization,
the final amendments require the covered institution to provide notice
to all individuals whose sensitive customer information resides in the
customer information system that was, or was reasonably likely to have
been, accessed without authorization (``affected individuals'').\66\
---------------------------------------------------------------------------
\65\ Final rule 248.30(a)(4)(i).
\66\ Final rule 248.30(a)(4)(ii). This proposed provision was
not intended to require notification of customers whose sensitive
customer information resided in the affected customer information
system if the covered institution has reasonably determined that
such customers' sensitive customer information was not accessed or
used without authorization. Accordingly, we have modified the final
rule to reflect this intended result. See infra footnote 102 and
accompanying text.
---------------------------------------------------------------------------
While the incident response program is generally required to
address information security incidents involving any form of customer
information,\67\ notification is only required when there has been
unauthorized access to or use of sensitive customer information, a
subset of customer information, because it presents increased risks to
affected individuals.\68\ This notice standard is designed to give
affected individuals an opportunity to mitigate the risk of substantial
harm or inconvenience arising from an information security incident
that potentially implicates their sensitive customer information by
affording them an opportunity to take timely responsive actions, such
as monitoring credit reports for unauthorized activity, placing fraud
alerts on relevant accounts, or changing passwords used to access
accounts. At the same time, the final amendments provide a mechanism
for covered institutions to avoid making unnecessary notifications in
cases where, following a reasonable investigation, the institution
determines that sensitive customer information has not been, and is not
reasonably likely to be, used in a manner that would result in
substantial harm or inconvenience to the affected individual.\69\
---------------------------------------------------------------------------
\67\ See infra section II.B.1.
\68\ See infra section II.A.3.b. Additionally, customer
information that is not disposed of properly could trigger the
requirement to notify affected individuals under final rule
248.30(a)(4)(i). For example, a covered institution whose employee
leaves un-shredded customer files containing sensitive customer
information in a dumpster accessible to the public would be required
to notify affected customers, unless the institution has determined
that sensitive customer information has not been, and is not
reasonably likely to be, used in a manner that would result in
substantial harm or inconvenience.
\69\ See infra section II.A.3.c.
---------------------------------------------------------------------------
Whether an investigation is reasonable will depend on the
particular facts and circumstances of the unauthorized access or use.
For example, unauthorized access or use that is the result of
intentional intrusion by a threat actor may warrant more extensive
investigation than inadvertent unauthorized access or use by an
employee. The investigation may occur in parallel with an initial
assessment and scoping of the incident and may build upon information
generated from those activities. The scope of the investigation
generally should be refined by using available data and the results of
ongoing incident response activities. Information related to the nature
and scope of the incident may be relevant to determining the extent of
the investigation, such as whether the incident is the result of
internal unauthorized access or use of sensitive customer information
or an external intrusion, the duration of the incident, what accounts
have been compromised and at what privilege level, and whether and what
type of customer information may have been copied, transferred, or
retrieved without authorization.\70\
---------------------------------------------------------------------------
\70\ For example, depending on the nature of the incident, it
may be necessary to consider how a malicious intruder might use the
underlying information based on current trends in identity theft.
---------------------------------------------------------------------------
A covered institution cannot avoid its notification obligations in
cases where
[[Page 47695]]
an investigation's results are inconclusive. Instead, the notification
requirement is excused only where a reasonable investigation supports a
determination that sensitive customer information has not been and is
not reasonably likely to be used in a manner that would result in
substantial harm or inconvenience. Thus, in a case where a threat actor
has gained access to a customer information system that stores
sensitive customer information, and the covered institution lacks
information indicating that any particular individual's sensitive
customer information stored in that customer information system was or
was not used in a manner that would result in substantial harm or
inconvenience, a covered institution will be required to provide notice
to affected individuals even though it may not have a sufficient basis
to determine whether the breach would result in substantial harm or
inconvenience.\71\ Pursuant to the amendments, as proposed and adopted,
for any determination that a covered institution makes that notice is
not required, covered institutions other than funding portals will be
required to maintain a record of the investigation and basis for its
determination.\72\
---------------------------------------------------------------------------
\71\ See final rule 248.30(a)(4)(ii).
\72\ See infra section II.C; see also infra footnote 385.
---------------------------------------------------------------------------
As further described below,\73\ a number of commenters supported
the proposal's requirement for covered institutions to provide notices
promptly, emphasizing the importance of ensuring that customers receive
timely notification when their sensitive customer information is
reasonably likely to have been subject to unauthorized access or use so
they have an opportunity to effectively respond to the incident.\74\
One commenter stated that timeliness is key because any delay will
impact consumers' ability to take steps to protect themselves from
identity theft, account compromise, and other downstream impacts
resulting from the initial harm of the unauthorized access or use.\75\
According to this commenter, a breach notification regime is
fundamentally deficient if it does not empower consumers with the
information and tools necessary to take action to protect themselves or
understand what risks they may face as a result of a breach.\76\
---------------------------------------------------------------------------
\73\ See infra section II.A.3.d.
\74\ See, e.g., Better Markets Comment Letter; EPIC Comment
Letter; NASAA Comment Letter; ICI Comment Letter 1; Nasdaq Comment
Letter.
\75\ See EPIC Comment Letter; see also Better Markets Comment
Letter (customers whose information has been exposed need
appropriate and timely notifications to decide for themselves
whether and how to address the breach to avoid being ``victimized
twice'': first when the breach occurs, and then again when ``bad
actors use the information to steal their identity, drain their bank
accounts, or run up their credit cards'').
\76\ See EPIC Comment Letter.
---------------------------------------------------------------------------
Several commenters proposed alternative notification standards,
some expanding the circumstances requiring customer notification, and
others suggesting a narrower notification regime.\77\ One commenter
suggested we require notification for any incident of unauthorized
access to or use of sensitive information, regardless of the risk of
harm or inconvenience.\78\ According to this commenter, customers
should always be notified when their sensitive information is accessed
or used without authorization, which would allow customers to determine
for themselves whether they believe there is a risk of substantial harm
or inconvenience that should prompt action on their part. Similarly,
another commenter suggested that the notification standard should be
expanded from a ``reasonable likelihood'' standard to a ``reasonably
possible'' standard with regard to whether an individual's sensitive
customer information was accessed or used without authorization.\79\
This commenter stated that this change was necessary to protect against
the possibility that a covered institution might conclude it lacked
sufficient information to find the reasonably likely standard satisfied
if, for example, it knows it has been hacked but is unable to determine
the scope of the hack. According to these commenters, the seemingly
higher threshold proposed by the Commission, coupled with their belief
that businesses want to avoid making disclosures that could incur
liability or lose customers, leaves open the potential that customers
will not be notified of some information security compromises that
could threaten their investments.\80\ One commenter suggested that, in
addition to requiring notifications to affected individuals, the rules
should be modified to also require that covered institutions provide
notice to the Commission whenever they are providing notice to affected
individuals.\81\
---------------------------------------------------------------------------
\77\ See, e.g., Better Markets Comment Letter, NASAA Comment
Letter (proposing more expansive standards); SIFMA Comment Letter 2,
CAI Comment Letter, IAA Comment Letter 1 (proposing narrower
standards).
\78\ See Better Markets Comment Letter.
\79\ See NASAA Comment Letter.
\80\ See Better Markets Comment Letter; NASAA Comment Letter;
see also EPIC Comment Letter (``EPIC agrees that businesses have a
natural tendency to want to avoid making disclosures that could
incur liability or lose customers'').
\81\ See Better Markets Comment Letter.
---------------------------------------------------------------------------
By contrast, with regard to narrowing the standard, some commenters
suggested eliminating the presumption of notification altogether, such
that covered institutions would have a notification obligation only
after having affirmatively determined, following an investigation, a
likelihood of a breach or resulting harm to customers.\82\ These
commenters suggested that eliminating the notification presumption, and
allowing for the completion of an investigation, would provide covered
institutions with additional time to respond to and mitigate an
incident as opposed to spending time deliberating over notification
obligations, and would allow for more informed notifications. These
commenters also suggested that this approach would be more consistent
with certain State law regimes that only require notification where an
investigation shows a risk of harm and the Banking Agencies' Incident
Response Guidance.\83\ To address the concern that lengthy
investigations might unduly delay customer notifications, one commenter
suggested revising the rule to separately require covered institutions
``to conduct a prompt investigation of potential incidents,'' which the
commenter stated would better align with certain existing State law
standards while still providing a mechanism for timely
notifications.\84\
---------------------------------------------------------------------------
\82\ See, e.g., SIFMA Comment Letter 2 (notification should only
be required if the covered institution makes an affirmative finding
of substantial harm or inconvenience); CAI Comment Letter (proposing
revised notification trigger to no later than 30 days from a
determination that actual or reasonably likely unauthorized access
to sensitive customer information has occurred); ACLI Comment Letter
(suggesting trigger should instead be only after the completion of a
reasonable investigation and conclusion of the incident response
process).
\83\ The Banking Agencies' Incident Response Guidance advises
that a covered institution should provide notice to affected
customers if, following the conclusion of a reasonable
investigation, it has determined that misuse of sensitive customer
information has occurred or is reasonably possible. See Banking
Agencies' Incident Response Guidance. See also section II.A.3.d(1)
(responding to commenters' concerns that the proposed notification
timing requirements provide an insufficient amount of time for
covered institutions to conduct a reasonable investigation of a data
breach incident and prepare and send notices to affected
individuals).
\84\ See CAI Comment Letter.
---------------------------------------------------------------------------
We considered the alternative approaches suggested by commenters
but determined that adopting the standard as proposed strikes an
appropriate balance in accommodating the relevant competing concerns.
The suggestions to expand the circumstances requiring notification
(either by requiring notification regardless of the risk of harm, or by
expanding notification to include cases where it is ``reasonably
possible'' that an
[[Page 47696]]
individual's sensitive customer information was accessed or used
without authorization) raise over-notification concerns, particularly
given that the adopted standard already has a presumption towards
notification.\85\ We also disagree that the ``reasonably likely''
standard would allow a covered institution that knows it suffered a
breach to avoid providing notice simply by pointing to a lack of
information about the scope of the breach as the commenter recommending
this approach suggested.\86\ To the contrary, under the proposed and
final amendments, if it is reasonably likely that a malicious actor
gained access to a covered institution's information system containing
sensitive customer information but the scope of the breach is unclear
(i.e., the covered institution is unable to determine which specific
individuals' sensitive customer information has been accessed or used
without authorization and cannot make the determinations required under
the rule to avoid sending notices), the covered institution would be
required to provide notice to each individual whose sensitive customer
information resides in the customer information system.\87\ In
addition, providing notice of every incident, regardless of the risk of
harm to affected individuals or the need to take protective measures,
could diminish the impact and effectiveness of the notice in a
situation where enhanced vigilance is necessary. Utilizing a
``reasonably possible'' standard raises similar concerns, as it could
require covered institutions to provide notice in situations where it
is possible, but not reasonably likely, that sensitive customer
information was compromised. This could result in over-notification
where, for example, a customer's sensitive information ultimately was
not accessed or used without authorization, but it was not possible to
rule out that possibility at the time of the incident or in the course
of a reasonable investigation during the 30-day period for notices.
---------------------------------------------------------------------------
\85\ See supra footnotes 78-80 and accompanying text.
\86\ See NASAA Comment Letter.
\87\ See final rule 248.30(a)(4)(i) and (ii).
---------------------------------------------------------------------------
Additionally, we are not adopting one commenter's recommendation that
the Commission require covered institutions to provide notices to the
Commission when they are required to send notices to affected
individuals.\88\ A primary reason for these
amendments was to require a reasonably designed incident response
program, including policies and procedures for assessment, control and
containment, and customer notification, in order to mitigate the
potential harm to individuals whose sensitive information is exposed or
compromised in a data breach.\89\ Providing timely notices to affected
individuals accomplishes this goal without the need for covered
institutions also to provide copies of the notice to the Commission.
---------------------------------------------------------------------------
\88\ See Better Markets Comment Letter.
\89\ Proposing Release at section I.
---------------------------------------------------------------------------
Conversely, the narrower alternative standards suggested by
commenters (i.e., that covered institutions have a notification
obligation only after an investigation, and only if they affirmatively
determine a likelihood of a breach or resulting harm to customers)
could result in an unreasonable risk of significant delays in providing
notice and in notification not being provided to affected individuals.
A principal purpose of these amendments is to provide a notification
regime that allows affected individuals to take actions to avoid or
mitigate the risk of substantial harm or inconvenience.\90\ If customer
notification of a potential breach was delayed to allow a covered
institution to complete an investigation that comes to a definitive
conclusion about the precise details of the breach, even if done
promptly, it would frustrate this goal by postponing (or potentially
limiting or foreclosing) the ability of affected individuals to take
mitigating actions pending the conclusion of that investigation. For
these same reasons, we were not persuaded by those commenters who
suggested that we should allow for the completion of an investigation
in order to align with the Banking Agencies' Incident Response
Guidance. After considering the comments, we continue to believe the
notification standard we proposed (and are adopting in the final
amendments) is necessary to enable affected individuals to make their
own determinations on needed self-protections regarding the
incident.\91\
---------------------------------------------------------------------------
\90\ See Proposing Release at nn.97-98 and accompanying text.
\91\ See Proposing Release at n.100 (discussing reasons for
divergence from Banking Agencies' Incident Response Guidance); see
also infra sections II.A.3.b, II.A.3.e, II.A.4, II.B.2, and IV.C
(also discussing the Banking Agencies' Incident Response Guidance).
---------------------------------------------------------------------------
Regarding commenters' concerns about harmonizing Regulation S-P
with State law requirements, State law notification standards vary
widely such that broad harmonization would be impracticable, and a
benefit of the final amendments is that they provide a consistent
minimum Federal notification standard to protect affected individuals
in an environment of enhanced risk. This will, for example, provide
additional protections for customers in States whose laws do not
mandate notification without an affirmative determination of harm or
provide an outside time by which notification must be provided.\92\
This standard will protect all customers, regardless of their State of
residence and reduce the potential confusion that could result from
customers in one State receiving notice of an incident while customers
in another State do not. Moreover, to the extent a covered institution
will have a notification obligation under both the final amendments and
a similar State law, a covered institution may be able to provide one
notice to satisfy notification obligations under both the final
amendments and the State law, provided that the notice includes all
information required under both the final amendments and the State law,
which may reduce the number of notices an individual receives.\93\
---------------------------------------------------------------------------
\92\ See Proposing Release at nn.107-108 and accompanying text
(discussing variation in State laws); see also infra section IV.C.2
for a fuller discussion of State law variations, and infra section
IV.D.1.b(2) discussing timing of State law notification regimes.
\93\ See also infra section IV.C.2.a(2) (discussing States that
excuse covered entities from individual notification under State law
if the entities comply with the notification requirements of another
regulator).
---------------------------------------------------------------------------
Relatedly, some commenters suggested eliminating or narrowing the
concept of ``affected individuals'' entitled to notification in
situations where a covered institution is unable to identify which
specific individuals' sensitive customer information has been accessed
or used without authorization. Instead of the proposed requirement that
the covered institution must provide notice to all individuals whose
sensitive customer information resides in the customer information
system that was, or was reasonably likely to have been, accessed or
used without authorization, commenters urged narrowing notification to
individuals whose sensitive customer information was, or was reasonably
likely to have been, accessed or used without authorization based on
the covered institution's reasonable investigation.\94\
[[Page 47697]]
These commenters stated that, by requiring a covered institution to
provide all affected individuals notice prior to the conclusion of an
investigation and particularized determination, the proposed
notification standard could result in the over-notification of
individuals whose sensitive customer information may not have been
accessed but was residing on a system that was compromised.\95\ For
example, one commenter posited a situation where a threat actor was
able to compromise an employee's email account through a phishing
email, and access documents accessible through that account's shared
file server. According to this commenter, if the covered institution
were unable to determine which files containing personal information
actually were accessed, the institution would be required to provide
notice in connection with millions of records, even though the ``vast
majority of files and data on that file server would not have been
accessible to the employee or to the threat actor.'' \96\ These
commenters stated that the resulting over-notification could, in turn,
desensitize or unnecessarily disturb individuals whose information was
not actually compromised, and might increase costs and litigation and
reputational risks for the covered institution, its service providers,
or other financial institutions whose contracts reside on the
system.\97\
---------------------------------------------------------------------------
\94\ See, e.g., IAA Comment Letter 1 (suggesting the rule's
affected individuals' provision be modified to remove the reference
to situations where an institution is unable to identify which
specific individual's sensitive customer information has been
accessed or used without authorization, as well as the presumption
that affected individuals include individuals whose sensitive
customer information resides in the breached customer information
system); CAI Comment Letter (suggesting the provision be revised to
remove the requirement to notify all individuals whose information
is on an affected system, and instead require the institution to
notify individuals whose information it reasonably believes was, or
reasonably could have been, subject to unauthorized access based on
the finding of its investigation).
\95\ See, e.g., CAI Comment Letter; Computershare Comment
Letter; IAA Comment Letter 1.
\96\ CAI Comment Letter.
\97\ See also infra section IV.D.1.b.(4) (discussing
reputational costs).
---------------------------------------------------------------------------
For similar reasons to those discussed above,\98\ we were not
persuaded by commenter suggestions to narrow the scope of affected
individuals entitled to notification in cases where a breach has or is
reasonably likely to have occurred, but the covered institution is
unable to identify which specific individuals' sensitive customer
information has been accessed or used without authorization.\99\
Because of the potential that customers might be adversely affected by
the breach, covered institutions should be required to provide notice
to affected individuals in these circumstances so they may make their
own determination as to whether to take remedial actions.
---------------------------------------------------------------------------
\98\ See supra footnotes 90-93 and accompanying text.
\99\ See supra footnotes 94-97 and accompanying text.
---------------------------------------------------------------------------
Contrary to the concerns expressed by some commenters, under the
proposed and final amendments, a covered institution would not need to
provide notice in connection with files or data residing on a system
where it knows that information was not used or accessed.\100\ Rather,
a covered institution is only required to provide notification to an
affected individual where her sensitive customer information was, or is
reasonably likely to have been, accessed or used without
authorization.\101\ Additionally, a covered institution need not
provide notice where, after a reasonable investigation of the facts and
circumstances of the incident, it has determined that sensitive
customer information has not been, and is not reasonably likely to be,
used in a manner that would result in substantial harm or
inconvenience. To address these commenters' concerns, in a change from
the proposal, the final amendments explicitly provide that, in cases
where a covered institution reasonably determines that a specific
individual's sensitive customer information that resides in the
customer information system was not accessed or used without
authorization, the covered institution need not provide notice to that
individual.\102\ Thus, a covered institution would not have an
obligation to provide notice to an affected individual whose files
happened to reside on a breached information system if it was able to
reasonably conclude that those files were not subject to unauthorized
use or access.
---------------------------------------------------------------------------
\100\ See supra footnote 96 and accompanying text.
\101\ See final rule 248.30(a)(4)(i).
\102\ See final rule 248.30(a)(4)(ii).
---------------------------------------------------------------------------
The notification standard should help to improve security outcomes
by incentivizing covered institutions to conduct more thorough
investigations after an incident occurs because the rule does not
permit a covered institution to rebut the presumption of notification
without conducting a reasonable investigation. Further, the rule's
requirement that a covered institution provide notice to all affected
individuals where it is unable to identify which specific individuals'
sensitive customer information has been accessed or used without
authorization should incentivize covered institutions to establish
procedures (for themselves and their service providers) that provide
robust protections for sensitive customer information. For example, it
may encourage covered institutions to employ a principle of least
privilege, so that users' access rights to sensitive customer
information on a particular information system are limited to the
information strictly required to do their jobs.\103\ Protections that
limit the scope of any breaches reduce the investigation and
notification costs (and as a consequence, the potential harm) resulting
from a breach.
---------------------------------------------------------------------------
\103\ See, e.g., Defend Privileges and Accounts, National
Security Agency Cybersecurity Information (``Least privilege is the
restriction of privileges to only those accounts that require them
to perform their duties, while limiting accounts to only those
privileges that are truly necessary. Doing this reduces the exposure
of those privileges to a smaller, more easily manageable set of
accounts. Local administrative accounts and accounts for software
program management and installation are particularly powerful, but
have small scopes of control and should be restricted as much as
possible'') (available at <a href="https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf">https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf</a>).
---------------------------------------------------------------------------
For a covered institution's customer notification procedures to
remain reasonably designed to notify each affected individual whose
sensitive customer information was reasonably likely to have been
compromised, as required by the final amendments, the covered
institution's policies and procedures generally should be designed to
include revisiting notification determinations whenever the covered
institution becomes aware of new facts that are potentially relevant to
the determination.\104\ For example, if at the time of the incident, a
covered institution determines that risk of use in a manner that would
result in substantial harm or inconvenience is not reasonably likely
based on the use of encryption in accordance with industry standards,
but subsequently the encryption is compromised or it is discovered that
the decryption key was also obtained by the threat actor, the covered
institution generally should revisit its determination.
---------------------------------------------------------------------------
\104\ See final rule 248.30(a)(3).
---------------------------------------------------------------------------
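The determination logic described in this section (the presumption of notification for everyone whose sensitive customer information resides in a compromised system, rebuttal only by a reasonable and conclusive investigation, per-individual exclusion where the institution reasonably determines that individual's information was not accessed, a recorded basis for each determination, and revisiting the determination when a new fact such as exposure of the decryption key arrives) can be modelled as a small record-keeping routine. The following Python is an added illustration written for this page; it is not part of the release or of any covered institution's program, and the record fields, function names and the sample individuals and findings are constructed assumptions, not rule text.

```python
from dataclasses import dataclass, field
from enum import Enum


class Outcome(Enum):
    NOTIFY = "notify"
    NO_NOTICE = "no notice required"


@dataclass
class IndividualRecord:
    """One individual whose customer information the institution holds (constructed)."""
    individual_id: str
    on_affected_system: bool
    # True only when the institution has reasonably determined that this specific
    # individual's information was not accessed or used without authorization.
    determined_not_accessed: bool = False


@dataclass
class Investigation:
    """Result of the reasonable investigation of one incident (constructed)."""
    conducted: bool
    # True only if the investigation supports a determination that sensitive
    # customer information has not been, and is not reasonably likely to be,
    # used in a manner that would result in substantial harm or inconvenience.
    supports_no_harm: bool
    basis: str  # the basis that goes into the written record


@dataclass
class Determination:
    """A recorded determination, its basis, and the superseded determinations."""
    individual_id: str
    outcome: Outcome
    basis: str
    history: list = field(default_factory=list)


def determine(record: IndividualRecord, inv: Investigation) -> Determination:
    """Apply the presumption of notification and its two narrow exceptions."""
    if not record.on_affected_system:
        return Determination(record.individual_id, Outcome.NO_NOTICE,
                             "information does not reside on the affected system")
    if record.determined_not_accessed:
        return Determination(record.individual_id, Outcome.NO_NOTICE,
                             "reasonably determined not accessed or used")
    if inv.conducted and inv.supports_no_harm:
        return Determination(record.individual_id, Outcome.NO_NOTICE, inv.basis)
    # No investigation, or an inconclusive one, leaves the presumption in place.
    if not inv.conducted:
        reason = "no reasonable investigation conducted; presumption applies"
    else:
        reason = "investigation inconclusive; presumption of notification applies"
    return Determination(record.individual_id, Outcome.NOTIFY, reason)


def revisit(prior: Determination, record: IndividualRecord, inv: Investigation,
            new_fact: str) -> Determination:
    """Re-run the determination after a potentially relevant new fact, keeping
    the superseded determination and the triggering fact on file."""
    updated = determine(record, inv)
    updated.history = prior.history + [(prior.outcome, prior.basis, new_fact)]
    return updated


def individuals_to_notify(records, inv) -> list:
    """Everyone on the affected system who has not been affirmatively excluded."""
    return sorted(r.individual_id for r in records
                  if determine(r, inv).outcome is Outcome.NOTIFY)


def encryption_key_scenario():
    """Constructed walk-through of the encryption example in the text: an initial
    no-notice determination resting on industry-standard encryption, then the
    discovery that the threat actor also obtained the decryption key."""
    record = IndividualRecord("customer-0001", on_affected_system=True)
    inv = Investigation(conducted=True, supports_no_harm=True,
                        basis="data encrypted per industry standard; key not exposed")
    first = determine(record, inv)
    # New fact: the decryption key was obtained, so the basis no longer holds.
    inv.supports_no_harm = False
    inv.basis = "decryption key obtained by threat actor; encryption no longer mitigates"
    second = revisit(first, record, inv, "decryption key found in exfiltrated data")
    return first, second


if __name__ == "__main__":
    first, second = encryption_key_scenario()
    print(first.outcome.value, "->", second.outcome.value, second.history)
```

The point the code makes explicit is that an inconclusive investigation and the absence of an investigation both leave the individual in the notification set, and that a no-notice determination is only as durable as the facts recorded as its basis.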
As discussed in more detail below, the scope of the final
amendments will apply to customer information in a covered
institution's possession or that is handled or maintained on the
covered institution's behalf, regardless of whether such information
pertains to (a) individuals with whom the covered institution has a
customer relationship or (b) to the customers of other financial
institutions where such information has been provided to the covered
institution.\105\ Some commenters expressed concern that, as a result
of this scope, covered institutions would be required to provide
notification to customers of other institutions with whom they do not
have a preexisting
[[Page 47698]]
relationship.\106\ One of these commenters suggested that it was
unclear how a third-party service provider's notice to a covered
institution of a breach would affect that covered institution's
obligations.\107\ Additionally, some commenters addressed circumstances
where multiple covered institutions would all be required to notify
affected individuals concerning the same incident, asserting that
requiring all covered institutions involved to provide notices to
customers would be burdensome, duplicative, and confusing to
customers.\108\
---------------------------------------------------------------------------
\105\ See infra section II.B.1.
\106\ See ACLI Comment Letter; Federated Hermes Comment Letter;
ICI Comment Letter; SIFMA Comment Letter 2.
\107\ See ACLI Comment Letter.
\108\ See CAI Comment Letter; Computershare Comment Letter.
---------------------------------------------------------------------------
Where a covered institution experiences an incident involving
sensitive customer information related to the customers of another
covered institution, commenters generally suggested that the covered
institution that has the customer relationship with the customer whose
information was affected should be responsible for providing the
required notice.\109\ These commenters asserted that this would be more
efficient because, if the covered institution that experienced the
incident did not have a customer relationship with an affected
individual, that covered institution might not have contact information
for the individual necessary to send a notice.
---------------------------------------------------------------------------
\109\ See SIFMA Comment Letter 2; ACLI Comment Letter; Federated
Hermes Comment Letter; CAI Comment Letter. Two of these commenters
suggested that the covered institution with the customer
relationship may make arrangements with other institutions to
provide the notice on its behalf. SIFMA Comment Letter 2; ACLI
Comment Letter.
---------------------------------------------------------------------------
After considering comments, we are modifying the proposal to avoid
requiring multiple covered institutions to notify the same affected
individuals about a given incident. In an effort to minimize
duplicative notices, rather than requiring the covered institution with
the customer relationship to send the notice as some commenters
suggested, the final amendments only require a covered institution to
provide notice where unauthorized access to or use of sensitive
customer information has occurred at the covered institution or one of
its service providers that is not itself a covered institution.\110\
That covered institution will have information about the incident
itself that is necessary to properly inform affected individuals. Thus,
in response to the commenter question about the relationship between a
covered institution's receipt of a breach notification from a third
party service provider and the covered institution's own
obligations,\111\ where a service provider (that is not itself a
covered institution) provides notice to a covered institution that a
breach in security has occurred resulting in unauthorized access to a
customer information system maintained by the service provider,\112\
that covered institution will be required to initiate its incident
response program under the final amendments \113\ and thereafter, if
applicable, provide notice to affected individuals.\114\ While we
appreciate, as offered by commenters,\115\ that a covered institution
may not have access to the contact information for some customers, it
can coordinate with the covered institution that has a customer
relationship to receive contact information as needed for the
notices.\116\
---------------------------------------------------------------------------
\110\ Final rule 248.30(a)(4). If a covered institution is
acting as a service provider, in addition to its own obligations
under rule 248.30, it must provide notification to the other covered
institution as required by the policies and procedures required in
rule 248.30(a)(5)(i).
\111\ See ACLI Comment Letter.
\112\ See final rule 248.30(a)(5)(i)(B).
\113\ See id.; see also infra Section II.A.4.a.
\114\ See final rule 248.30(a)(4)(iii). As described above, a
covered institution need not provide notice where, after a
reasonable investigation of the facts and circumstances of the
incident, it has determined that sensitive customer information has
not been, and is not reasonably likely to be, used in a manner that
would result in substantial harm or inconvenience. See final rule
248.30(a)(4)(i).
\115\ See ACLI Comment Letter, SIFMA Comment Letter 2.
\116\ Further, as discussed below, a covered institution will
be permitted to enter into a written agreement with its service
provider to notify affected individuals on its behalf in accordance
with the notice requirements. See final rule 248.30(a)(5)(ii); see
also supra section II.A.4.
---------------------------------------------------------------------------
Moreover, in another modification from the proposal, the final
amendments also provide that a covered institution that is required to
notify affected individuals may satisfy that obligation by ensuring
that the notice is provided.\117\ Accordingly, if a covered institution
experiences an incident affecting another covered institution's
customers, although the covered institution that experienced the
incident is responsible for notification under the final amendments,
the two covered institutions can coordinate with each other as to which
institution will send the notice.
---------------------------------------------------------------------------
\117\ Final rule 248.30(a)(4) (requiring covered institutions to
either provide notice or ensure that such notice is provided).
---------------------------------------------------------------------------
b. Definition of ``Sensitive Customer Information''
As discussed above, covered institutions will be required to notify
customers when ``sensitive customer information'' was, or is reasonably
likely to have been, accessed or used without authorization, subject to
a reasonable investigation. As proposed and as adopted, the final
amendments define the term ``sensitive customer information'' to mean
``any component of customer information alone or in conjunction with
any other information, the compromise of which could create a
reasonably likely risk of substantial harm or inconvenience to an
individual identified with the information.'' \118\ This definition is
calibrated to include types of information that, if exposed, could put
affected individuals at a higher risk of suffering substantial harm or
inconvenience through, for example, fraud or identity theft enabled by
the unauthorized access to or use of the information.\119\ As with the
proposal, the final amendments provide examples of the types of
information that will be considered sensitive customer
information.\120\ These examples include certain customer information
identified with an individual that, without any other identifying
information, could create a substantial risk of harm or inconvenience
to an individual identified with the information,\121\ along with
examples of combinations of identifying information and authenticating
information that could create such a risk to an individual identified
with the information.\122\
---------------------------------------------------------------------------
\118\ See final rule 248.30(d)(9)(i). The definition is limited
to information identified with customers of financial institutions.
See final rule 248.30(d)(5)(i); infra section II.B.1. As proposed,
information pertaining to a covered institution's customers and to
customers of other financial institutions that the other
institutions have provided to the covered institution are subject to
the safeguards rule under the final amendments, including the
incident response program and customer notice requirements. See
final rule 248.30(a); infra section II.B.1.
\119\ See supra section II.A.3.a.
\120\ See final rule 248.30(d)(9)(ii).
\121\ These examples include Social Security numbers and other
types of identifying information that can be used alone to
authenticate an individual's identity such as a driver's license or
identification number, alien registration number, government
passport number, employer or taxpayer identification number,
biometric records, a unique electronic identification number,
address, or routing code, or telecommunication identifying
information or access device.
\122\ These examples include information identifying a customer,
such as a name or online user name, in combination with
authenticating information such as a partial Social Security number,
access code, or mother's maiden name.
---------------------------------------------------------------------------
One commenter supported our proposed definition of sensitive
customer information and emphasized the benefits of a broad
definition.\123\ According to this commenter, this breadth helps
protect customers by ensuring that they can take the necessary steps to
minimize their
[[Page 47699]]
exposure risks and will assist covered institutions in formulating and
improving their security standards. Another commenter suggested the
proposed definition might be too narrow because it includes the
separate concept of substantial harm or inconvenience in the
definition, resulting in under-notification.\124\ This commenter stated
that harms can take many forms, and customers should receive notice of
breaches involving customer information even where that information's
compromise might not have obvious financial implications to the
customer.
---------------------------------------------------------------------------
\123\ See Better Markets Comment Letter.
\124\ See EPIC Comment Letter.
---------------------------------------------------------------------------
Conversely, a number of commenters asserted that the proposed
definition was too broad and could lead to over-notification,
suggesting that the definition be narrowed to focus on information
whose exposure would be more likely to lead to tangible economic
harms.\125\ For example, some commenters suggested that, rather than
providing examples, the definition should list specific data elements
that, when combined with an individual's name, are sufficiently
sensitive to require notification.\126\ These commenters focused on
those data elements that could be used to commit identity theft or
access the customer's financial account, such as a Social Security
number, driver's license or State ID number, or financial account
number combined with information necessary to access the account.
According to one of these commenters, by using illustrative examples
rather than a circumscribed list, covered institutions would face
uncertainty over the definition's meaning and would likely err on the
side of over-inclusion, which could lead to over-notification.\127\ A
number of commenters stated that narrowing the definition would be more
consistent with the Banking Agencies' Incident Response Guidance and
with various State laws.\128\ One commenter also suggested the proposed
use of the term ``compromise'' in the definition was unclear, and
should be replaced with ``unauthorized access or use,'' consistent with
other authorities and language used elsewhere in the proposal.\129\
---------------------------------------------------------------------------
\125\ See, e.g., CAI Comment Letter; IAA Comment Letter 1; SIFMA
Comment Letter 2; ICI Comment Letter 1.
\126\ See CAI Comment Letter; SIFMA Comment Letter 2.
\127\ See CAI Comment Letter.
\128\ See, e.g., SIFMA Comment Letter 2; Computershare Comment
Letter; CAI Comment Letter.
\129\ See CAI Comment Letter.
---------------------------------------------------------------------------
After considering these comments, we are adopting the definition of
``sensitive customer information'' as proposed. We recognize that this
definition is broader than that used by some States and the Banking
Agencies' Incident Response Guidance.\130\ However, in contrast to the
narrower definition used in some States, the definition of sensitive
customer information we are adopting includes identifying information
that, in combination with authenticating information (such as a partial
Social Security number, access code, or mother's maiden name), could
create a substantial risk of harm or inconvenience to the customer
because they may be widely used for authentication purposes.\131\
Similarly, in contrast to the definition provided in the Banking
Agencies' Incident Response Guidance (which includes a customer's name,
address, or telephone number, only in conjunction with other pieces of
information that would permit access to a customer account), the
definition in the Commission's final amendments includes customer
information identified with an individual (such as Social Security
numbers, driver's license numbers, biometric records) that, without any
other identifying information, could create a substantial risk of harm
or inconvenience to an individual identified with the information.\132\
Accordingly, our adopted definition could help affected individuals
take measures to protect themselves.
---------------------------------------------------------------------------
\130\ See Proposing Release at nn.113 and 115 (describing the
differences). But see id. at n.115, stating that a number of States
define the scope of personal information subject to a notification
obligation in a manner that generally aligns with the definition of
sensitive customer information under these final rules.
\131\ See infra footnote 810 and surrounding text (discussing
that 14 States more narrowly define the kind of information that
triggers notice requirements than our adopted definition of sensitive
customer information in that only the compromise of a customer's
name together with one or more enumerated pieces of information
triggers the notice requirement).
\132\ See Proposing Release at n.114 and accompanying text,
stating that Social Security numbers alone, without any other
information linked to the individual, are sensitive because they
have been used by malicious actors in ``Social Security number-
only'' or ``synthetic'' identity theft, to open new financial
accounts, and that a similar sensitivity exists with other types of
identifying information that can be used alone to authenticate an
individual's identity such as a biometric record of a fingerprint or
iris image.
---------------------------------------------------------------------------
Given the varied and evolving nature of security practices across
covered institutions, it would be impractical to provide an exhaustive
list of data elements whose exposure could put affected individuals at
risk of substantial harm or inconvenience. Further, while we are
mindful of concerns about overbreadth and potential over-notification,
those concerns are tempered by the definition's harm component and the
ability of covered entities to rebut the notification presumption
following a reasonable investigation and determination. Given these
considerations, we are not broadening the definition of sensitive
customer information to encompass information whose exposure does not
pose a reasonably likely risk of substantial harm or inconvenience. Nor
do we agree that the definition's use of the verb ``compromise,'' which
is commonly used to mean ``to expose or make liable to danger,'' is
ambiguous in this context or inconsistent with other Federal
authorities.\133\ Individuals are less likely to need to take
protective measures in cases where the exposure of their information is
not likely to involve a substantial harm or inconvenience.\134\
---------------------------------------------------------------------------
\133\ See, e.g., Harmonization of Cyber Incident Reporting to
the Federal Government, Homeland Security Office of Strategy,
Policy, and Plans, Appendix B: Federal Cyber Incident Reporting
Requirements Inventory (Sept. 10, 2023) (summarizing cyber incident
reporting regulations of multiple agencies that use the term
``compromise,'' including Departments of Defense, Justice, and
Energy, the Federal Communications Commission, the Nuclear
Regulatory Commission, and the Federal Energy Regulatory
Commission).
\134\ See infra section II.A.3.c.
---------------------------------------------------------------------------
Finally, several commenters suggested we include an exception or
safe harbor in the definition of sensitive customer information for
encrypted information.\135\ These commenters stated that excepting
encrypted information would protect customers by incentivizing covered
institutions to adopt encryption practices, limit the potential for
voluminous over-reporting of less severe incidents, and align with
existing State data breach notification rules. Some of these commenters
acknowledged that an exception should not apply in cases where there is
reason to believe that the encryption key has been compromised or that
the encryption method is outdated.\136\ One commenter suggested that if
we did not include an exception in the rule text, we should acknowledge
that encryption is a factor that covered institutions may take into
account in determining whether an incident will result in substantial
harm or inconvenience.\137\
---------------------------------------------------------------------------
\135\ See AWS Comment Letter; Google Comment Letter; IAA Comment
Letter 1; SIFMA Comment Letter 2.
\136\ See Google Comment Letter; IAA Comment Letter 1; SIFMA
Comment Letter 2.
\137\ See IAA Comment Letter 1.
---------------------------------------------------------------------------
After considering these comments, we are not excepting encrypted
information from the rule's definition of sensitive customer
information because the rule
[[Page 47700]]
text effectively addresses encrypted information without the need for a
provision specifically tailored to that information. Specifically, in
applying the final rule, a covered institution may consider encryption
as a factor in determining whether the compromise of customer
information could create a reasonably likely harm risk to an individual
identified with the information.\138\ In particular, we acknowledge that
encryption of information using current industry standard best
practices is a reasonable factor for a covered institution to consider
in making this determination. To the extent such encryption minimizes
the likelihood that the cipher text could be decrypted, it would also
reduce the likelihood that the cipher text's compromise could create a
risk of harm, as long as the associated decryption key is secure.\139\
Covered institutions may also reference commonly used cryptographic
standards to determine whether encryption, in fact, does substantially
impede the likelihood that the cipher text's compromise could create a
risk of harm.\140\ As industry standards continue to develop in the
future, covered institutions generally should review and update, as
appropriate, their encryption practices. While we agree with commenters
that it is important to incentivize the use of encryption consistent
with State law regimes, the final amendments' approach accomplishes
this goal while also addressing concerns that any particular approach
to encryption may become outdated as technologies and security
practices evolve. Relatedly, and for the same reasons, when information
that would otherwise constitute sensitive customer information is
encrypted, the covered institution may consider the security provided
by that encryption in determining whether the cipher text (i.e., the
data rendered in a format not understood by people or machines without
an encryption key) is sensitive customer information. Accordingly,
while the final amendments provide illustrative examples of information
(such as a customer's Social Security number) that can constitute
sensitive customer information when unencrypted,\141\ a covered
institution could nevertheless determine that the encrypted
representation of that information is not sensitive customer
information if the encryption renders the cipher text sufficiently
secure, such that the compromise of that encrypted information does not
create a reasonably likely risk of substantial harm or inconvenience to
an individual.\142\
---------------------------------------------------------------------------
\138\ See Proposing Release at n.116 and accompanying text.
\139\ As discussed in the Proposing Release, most States except
encrypted information in certain circumstances, including, for
example, where the covered institution can determine that the
encryption offers certain levels of protection or the decryption key
has not also been compromised. See Proposing Release at n.117 and
accompanying text.
\140\ We understand that standards included in Federal
Information Processing Standard Publication 140-3 (FIPS 140-3) are
widely referenced by industry participants. See Proposing Release at
n.118.
\141\ See final rule 248.30(d)(9)(ii)(A)(1) through (4) and
248.30(d)(9)(ii)(B).
\142\ To the extent a covered institution's determination about
the security of cipher text affects its determination about whether
notice of a breach is required under the final rules, the covered
institution would be required to make and maintain written
documentation of that determination. See final rule
248.30(c)(1)(iii).
---------------------------------------------------------------------------
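One way a covered institution might encode the determination discussed above in an incident-triage tool, as an added illustrative example that is not part of the release or the rule text. It mirrors the three points made above: certain elements (footnote 121) are sensitive on their own, identifiers become sensitive only in combination with authenticating information (footnote 122), and encryption under a current industry standard with an uncompromised key is a factor the institution may weigh rather than a safe harbor. The element category names, the `Exposure` fields and the `current_standard` flag are this example's own assumptions; the flags are inputs from the institution's investigation, and the code does not itself evaluate any cipher.

```python
"""Triage helper for the 'sensitive customer information' determination.

Added illustrative example, not SEC rule text and not any covered
institution's program. Element categories, the Exposure fields and the
current_standard flag are this example's own modelling assumptions.
"""
from dataclasses import dataclass

# Elements that alone can authenticate an individual (cf. footnote 121).
STANDALONE_SENSITIVE = frozenset({
    "ssn", "drivers_license", "state_id", "alien_registration",
    "passport_number", "employer_id", "taxpayer_id", "biometric_record",
    "unique_electronic_id", "routing_code", "telecom_id", "access_device",
})

# Elements that identify a customer but are not sensitive by themselves.
IDENTIFIERS = frozenset({"name", "username", "email", "postal_address", "phone"})

# Authenticators that create risk once paired with an identifier (cf. footnote 122).
AUTHENTICATORS = frozenset({
    "partial_ssn", "access_code", "password", "pin", "mothers_maiden_name",
    "security_question_answer",
})


@dataclass
class Exposure:
    """One set of customer data elements involved in an incident (assumed shape)."""
    elements: frozenset
    encrypted: bool = False
    # Assumed flag: encryption validated against a current standard (e.g. FIPS 140-3).
    current_standard: bool = False
    # Assumed flag: reason to believe the decryption key was also exposed.
    key_compromised: bool = False


def plaintext_is_sensitive(elements):
    """Apply the definition to unencrypted data. Returns (bool, reason)."""
    standalone = elements & STANDALONE_SENSITIVE
    if standalone:
        return True, f"standalone sensitive element(s): {sorted(standalone)}"
    ids, auths = elements & IDENTIFIERS, elements & AUTHENTICATORS
    if ids and auths:
        return True, f"identifier {sorted(ids)} combined with authenticator {sorted(auths)}"
    return False, "no element or combination meets the definition"


def encryption_is_mitigating(exp):
    """Encryption counts only if it is current-standard and the key is secure."""
    return exp.encrypted and exp.current_standard and not exp.key_compromised


def triage(exp):
    """Decide whether the exposed data is sensitive customer information.

    Returns the decision together with the reasons, so the result can feed
    the written documentation the institution keeps for this determination.
    """
    sensitive, reason = plaintext_is_sensitive(exp.elements)
    reasons = [reason]
    if sensitive and exp.encrypted:
        if encryption_is_mitigating(exp):
            sensitive = False
            reasons.append("cipher text deemed secure: current-standard "
                           "encryption and key not compromised")
        else:
            why = ("key believed compromised" if exp.key_compromised
                   else "encryption method not current standard")
            reasons.append(f"encryption gives no relief: {why}")
    return {"sensitive": sensitive, "reasons": reasons}


if __name__ == "__main__":
    # Constructed sample incidents, not real data.
    samples = [
        Exposure(frozenset({"name", "email"})),
        Exposure(frozenset({"username", "access_code"})),
        Exposure(frozenset({"name", "ssn"}), encrypted=True, current_standard=True),
        Exposure(frozenset({"name", "ssn"}), encrypted=True, current_standard=True,
                 key_compromised=True),
    ]
    for exp in samples:
        print(sorted(exp.elements), "->", triage(exp))
```

The decision is deliberately explainable: every branch appends a reason, because footnote 142 ties the cipher-text judgement to a written record, and a triage result that cannot say why it reached its conclusion is of little use in that record.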
c. Substantial Harm or Inconvenience
The GLBA directs the Commission and other Federal financial
regulators to, among other things, establish appropriate standards
requiring financial institutions subject to their jurisdiction to
protect against unauthorized access to or use of customer records or
information which could result in ``substantial harm or inconvenience''
to any customer, without defining what constitutes a substantial harm
or inconvenience under the statute.\143\ The Commission proposed to
define ``substantial harm or inconvenience'' to mean all personal
injuries, as well as instances of financial loss, expenditure of
effort, or loss of time when they are ``more than trivial,'' with the
proposal also providing a non-exhaustive list of examples of included
harms or inconveniences.\144\ This proposed definition included a broad
range of financial and non-financial harms and inconveniences that may
result from the failure to safeguard sensitive customer
information.\145\ After considering comments, and as discussed further
below, we have determined not to define the term ``substantial harm or
inconvenience'' in the final amendments.
---------------------------------------------------------------------------
\143\ See 15 U.S.C. 6801(b). The Banking Agencies' Incident
Response Guidance likewise does not define the term ``substantial
harm or inconvenience.''
\144\ See proposed rule 248.30(e)(11).
\145\ See Proposing Release at n.124.
---------------------------------------------------------------------------
Commenters raised various concerns with the proposed definition.
Some commenters proposed expanding the definition to include a broader
array of harms requiring notification.\146\ For example, one commenter
suggested revising it to enumerate a list of specific personal injuries
requiring notification to help clarify to covered institutions that
there are a range of personal injuries that can result from an exposure
of customer data.\147\ Commenters also suggested we remove the
requirement that personal or financial harms be nontrivial because,
according to these commenters, there might always be some set of
individuals to whom a particular personal or financial harm is
material, and securities firms are not well positioned to determine
what potential personal or financial harms to their customers are
significant enough to require customer notice.\148\ One of these
commenters observed that, while it made sense to apply the concept of
nontriviality to potential harms or inconveniences that would infringe
upon a customer's time and personal labors, risks to the customer's
person and pocketbook are materially different from risks to the
customer's time and energies.\149\ This commenter also suggested
broadening the definition to include the term ``cyberattack'' as one of
the enumerated events that could give rise to the customer notice
obligation.
---------------------------------------------------------------------------
\146\ See EPIC Comment Letter; NASAA Comment Letter; Better
Markets Comment Letter.
\147\ See EPIC Comment Letter (suggesting the definition
specifically list as examples of personal injuries: theft, fraud,
harassment, physical harm, psychological harm, impersonation,
intimidation, damaged reputation, impaired eligibility for credit or
government benefits, or the misuse of information identified with an
individual to obtain a financial product or service, or to access,
log onto, effect a transaction in, or otherwise misuse the
individual's account).
\148\ See NASAA Comment Letter; EPIC Comment Letter (agreeing
with NASAA's comment).
\149\ See NASAA Comment Letter.
---------------------------------------------------------------------------
Alternatively, a number of commenters suggested that the proposed
standard was ambiguous and urged narrowing the definition to reduce the
types of injuries that would require notification.\150\ For example,
one commenter suggested that we not attempt to define ``substantial
harm or inconvenience'' at all, and further expressed concern that the
proposed definition would require notice for harms or inconveniences
that are unrelated to identity theft, the means to access an account
without authority, or other ``tangible harms.'' \151\ Another commenter
proposed narrowing the kinds of financial loss or time and effort
cognizable under the rules from ``more than trivial'' to only
``material'' financial loss or ``significant'' expenditure of effort or
loss of time, suggesting that the proposed definition would be
inconsistent with the usual meaning of the term ``substantial'' and
could include any financial loss that is slightly
[[Page 47701]]
above trivial as substantial.\152\ Another commenter stated that the
use of ``more than trivial'' set a very low bar that could result in
second-guessing and over-notification by covered institutions that could
lead to notification in practically all instances, not just instances
of what the commenter viewed as a substantial harm or
inconvenience.\153\ This commenter also stated that, as drafted, it was
unclear whether the proposed ``more than trivial'' standard was meant
to apply to instances of personal injury or financial loss and
suggested replacing ``more than trivial'' with substantial, while
making clear that the word substantial modified all elements of the
definition. Other commenters suggested narrowing the proposed
definition by removing the term ``inconvenience'' from the definition,
with notification only required in cases of substantial harm that were
more than trivial.\154\
---------------------------------------------------------------------------
\150\ See, e.g., Comment Letter of Cambridge (``Cambridge
Comment Letter''); CAI Comment Letter; IAA Comment Letter 1; SIFMA
Comment Letter 2.
\151\ See SIFMA Comment Letter 2.
\152\ See IAA Comment Letter 1.
\153\ See CAI Comment Letter (``it is hard to imagine any
instance of unauthorized access or use of customer information that
could not create a reasonably likely risk of more than trivial
inconvenience, and therefore not require notification'').
\154\ See Cambridge Comment Letter; Financial Services Institute
Comment Letter.
---------------------------------------------------------------------------
After considering comments, we have determined, consistent with the
approach of the Banking Agencies, not to define the term ``substantial
harm or inconvenience.'' As the range of commenter concerns discussed
above reflects, commenters found the proposed definition simultaneously
too broad and too narrow, suggesting it could consequently lead to both
under-notification and over-notification. Eliminating the proposed
definition avoids this result without diminishing investor protection.
Determining whether a given harm or inconvenience rises to the
level of a substantial harm or a substantial inconvenience would depend
on the particular facts and circumstances surrounding an incident. As
stated in the Proposing Release, we do not intend for covered
institutions to design programs and incur costs to protect customers
from harms of such trivial significance that the customer would be
unconcerned with remediating them.\155\ At the same time, consistent
with the GLBA, the rules are intended to protect against unauthorized
access to or use of customer records or information which could result
in substantial harm or inconvenience to any customer. Given the wide
variety of ways that a data breach can injure a customer,\156\ and the
potentially varied nature of those harms and inconveniences,\157\ the
range of harms outlined in the proposed definition may be a useful
starting point for this determination. A personal injury, financial
loss, expenditure of effort, or loss of time, each could constitute a
substantial harm or inconvenience depending on the particular facts and
circumstances. Some examples of these harms could include theft, fraud,
harassment, physical harm, impersonation, intimidation, damaged
reputation, impaired eligibility for credit, or the misuse of
information identified with an individual to obtain a financial product
or service, or to access, log into, effect a transaction in, or
otherwise misuse the individual's account.
---------------------------------------------------------------------------
\155\ See Proposing Release at Section II.A.4.c.
\156\ See Proposing Release at n.124.
\157\ See, e.g., NASAA Comment Letter; IAA Comment Letter 1.
---------------------------------------------------------------------------
d. Timing Requirements
(1) General Timing Requirements
Consistent with the proposal, the final amendments require covered
institutions to provide notices to affected individuals as soon as
practicable, but not later than 30 days, after becoming aware that
unauthorized access to or use of customer information has occurred or
is reasonably likely to have occurred, except under the limited
circumstances discussed below.\158\ This approach reflects the goal of
giving covered institutions adequate time to make an initial assessment
of an incident and prepare and send notices to affected individuals,
while helping to ensure that those individuals receive sufficient
notice to protect themselves.
---------------------------------------------------------------------------
\158\ See final rule 248.30(a)(4)(iii); see also section
II.A.3.d(2) (discussing the national security and public safety
delay to the notification timing requirements).
---------------------------------------------------------------------------
A few commenters expressed support for the proposed notification
timing requirements.\159\ As described above, these commenters viewed
timeliness as important because any delay in notification could impact
individuals' ability to take steps to protect themselves from the
downstream impacts resulting from the unauthorized access to or use of
their sensitive customer information.\160\ One commenter asserted that
30 days after becoming aware of an incident is more than an ample
amount of time for covered institutions to determine the scope of the
compromised information and compile a list of affected customers that
must be notified.\161\ Accordingly, this commenter suggested that the
Commission should shorten the outside notification date from 30 days
after becoming aware of a data security incident to 14 days, asserting
that the longer an instance of identity theft goes undetected, the
greater the damage that usually follows.
---------------------------------------------------------------------------
\159\ EPIC Comment Letter; Better Markets Comment Letter.
\160\ See supra section II.A.3.a.
\161\ Better Markets Comment Letter.
---------------------------------------------------------------------------
In contrast, some commenters objected to the proposed notification
timing requirements because, in their view, it provided an insufficient
amount of time to notify affected individuals.\162\ These commenters
emphasized the logistical tasks associated with responding to an
information breach, asserting that in some cases it would be impossible
to accomplish these steps within 30 days.\163\ Commenters expressed
that these steps often include remediating the security incident
directly, conducting a risk assessment and investigation to determine
what information may have been affected, obtaining the information
needed to make notification to affected individuals, arranging identity
protection services for affected individuals, and generating and
delivering the notifications to affected individuals, all while
simultaneously engaging in extensive communication with and oversight
from senior management, the board of directors, and external parties
(such as outside counsel, expert consultants, and regulators).\164\
---------------------------------------------------------------------------
\162\ See, e.g., SIFMA Comment Letter 2; IAA Comment Letter 1;
FSI Comment Letter; NASDAQ Comment Letter; CAI Comment Letter.
\163\ For example, one commenter offered the example of a
ransomware attack that successfully shuts down systems and requires
significant remediation to recover backup systems, as well as
rebuilding and redeploying essential systems prior to conducting a
forensic investigation to determine the scope of data subject to
unauthorized access or use. See CAI Comment Letter. According to
this commenter, it would be practically impossible to accomplish
these tasks within 30 days of becoming aware of a possible issue, as
required under the proposed rules.
\164\ See, e.g., CAI Comment Letter; NASDAQ Comment Letter; IAA
Comment Letter 1.
---------------------------------------------------------------------------
Some commenters also suggested that the proposed timing
requirements would lead to covered institutions delivering unnecessary
or incomplete notifications to customers, which would have the result
of confusing or desensitizing customers to such notifications.\165\
Similarly, commenters expressed that requiring a covered institution to
notify affected individuals before the covered institution has had time
to fully assess an incident could result in incorrect or incomplete
conclusions being drawn and
[[Page 47702]]
disclosed.\166\ One commenter suggested, for this reason, that notices
would be subject to continuous revision during an ongoing
investigation.\167\ Accordingly, commenters stated that the Commission
should revise the proposal to allow more time for covered institutions
to provide notices to affected individuals, asserting that premature,
incomplete, or frequent notifications would ultimately mislead and
confuse customers rather than provide clarity about an incident.\168\
---------------------------------------------------------------------------
\165\ See, e.g., ACLI Comment Letter; AWS Comment Letter; NASDAQ
Comment Letter.
\166\ NASDAQ Comment Letter; AWS Comment Letter.
\167\ AWS Comment Letter.
\168\ ACLI Comment Letter; AWS Comment Letter; NASDAQ Comment
Letter.
---------------------------------------------------------------------------
Several commenters suggested alternatives to the proposed timing
requirements.\169\ For instance, a few commenters urged the Commission
to expand the 30-day outside date to 45 or 60 days, stating that this
modification would allow more time for a proper investigation and
notification process.\170\ In addition, a couple of commenters
suggested that the rule should not specify a number of days at
all.\171\ One of these commenters stated that simply requiring a
covered institution to notify affected individuals as soon as possible
after the conclusion of an investigation, without including an outside
date timeframe, would permit appropriate notification in both simple
cases--where notification in less than 30 days may be appropriate--and
more complex cases--where it may take significantly longer to identify
the appropriate notice population and prepare and deliver
notifications.\172\
---------------------------------------------------------------------------
\169\ See, e.g., IAA Comment Letter 1; FSI Comment Letter;
Cambridge Comment Letter; Federated Comment Letter; SIFMA Comment
Letter 2.
\170\ See FSI Comment Letter; Cambridge Comment Letter; IAA
Comment Letter 1.
\171\ Federated Comment Letter; SIFMA Comment Letter 2.
\172\ SIFMA Comment Letter 2.
---------------------------------------------------------------------------
Some commenters suggested that the trigger for notification should
be the completion of a reasonable investigation and conclusion of the
incident response process following the actual or reasonably likely
unauthorized access to or use of sensitive customer information, rather
than the proposal's trigger of a covered institution ``becoming aware''
of a breach of customer information.\173\ These commenters stated this
alternative would allow covered institutions sufficient time to engage
in system and data analysis to determine what data was impacted and
what individuals were affected. Moreover, some commenters stated that
their suggested alternatives would harmonize the rule's approach to
timing with existing data breach requirements and guidance, such as the
Banking Agencies' Incident Response Guidance and some current State
laws.\174\ Lastly, one commenter urged that the 30-day outside
timeframe to provide notices should run from the time that the covered
institution determines that an incident involved ``sensitive customer
information,'' rather than ``customer information'' as proposed.\175\
---------------------------------------------------------------------------
\173\ See SIFMA Comment Letter 2; ACLI Comment Letter; see also
CAI Comment Letter (suggesting that a revised rule could require
covered institutions to conduct a prompt investigation of potential
incidents to address concerns about lengthy investigations unduly
delaying customer notification).
\174\ See FSI Comment Letter; SIFMA Comment Letter 2 (suggesting
conforming to Banking Agencies' Incident Response Guidance which
does not mandate specific number of days to provide notices); see
also IAA Comment Letter 1 (stating that ``over half of state data
breach notification laws do not specify a number of days to report a
breach and a majority of those states that do require notification
allow for 45-60 days for reporting'').
\175\ IAA Comment Letter 1 (suggesting that referring to
``customer information,'' rather than ``sensitive customer
information,'' in this part of the proposed rule was an inadvertent
omission).
---------------------------------------------------------------------------
After considering comments and alternatives suggested by
commenters, we are adopting the final amendments as proposed. We
considered the concern raised by commenters that it may be logistically
challenging for covered institutions to provide notice to affected
individuals within the proposed rule's notification timing
requirements, particularly for more complex data breach incidents.\176\
We recognize that modifying the timing trigger in the rule to start
after a covered institution has completed an investigation that comes
to a definitive conclusion about the precise details of the breach, as
suggested by some commenters, could avoid over-notification in cases
where a covered institution is able to determine that a given
individual's customer information ultimately was not affected after a
lengthy investigation. We agree with commenters, however, that
timeliness is important in the context of a breach of sensitive
customer information because delay in notification would impact the
ability of affected individuals to take measures to protect themselves.
Accordingly, the final amendments maintain the proposed timing trigger
of after the covered institution ``becomes aware'' that unauthorized
access to or use of customer information has occurred or is reasonably
likely to have occurred.\177\
---------------------------------------------------------------------------
\176\ See, e.g., CAI Comment Letter; ACLI Comment Letter.
\177\ While this ``becoming aware'' standard differs from the
reporting trigger in the Public Company Cybersecurity Rules (which
require public disclosure of public issuer cybersecurity incidents
four business days from when an issuer determines that a
cybersecurity incident that it has experienced is material), that
difference is attributable to the different purposes underlying the
rules. The Public Company Cybersecurity Rules were designed to
inform investment and voting decisions and to reduce information
asymmetry and mispricing in the market, and therefore tie public
disclosure to an issuer making a determination that information
about an incident would be material, meaning there would be a
substantial likelihood that a reasonable shareholder would consider
it important in making an investment decision. As we stated in that
release, ``we reiterate, consistent with the standard set out in the
cases addressing materiality in the securities laws, that
information is material if `there is a substantial likelihood that a
reasonable shareholder would consider it important' in making an
investment decision, or if it would have `significantly altered the
``total mix'' of information made available.' '' See Public Company
Cybersecurity Rules. By contrast, the notice provisions under these
final rules do not require covered institutions to make a
materiality determination, and balance the need for timely
notifications with a regime that allows for reasonable
investigations to avoid over-notification by allowing covered
institutions up to 30 days to conduct a reasonable investigation
after becoming aware of an incident. In light of this 30-day window,
and the fact that covered institutions are not required to make a
materiality determination, there is less need for a trigger based on
a determination standard, and greater risk of harm to affected
individuals if customer notification were further delayed by
requiring that a covered institution come to a determination before
triggering the 30-day notification window.
---------------------------------------------------------------------------
In addition, the final amendments adopt the proposed 30-day outside
date. We disagree that the rule should not include a specified
notification deadline, as such an approach would diminish the goal of
providing customers (regardless of State residency) with early and
consistent notification of data breaches so that they may take remedial
action because many States do not have any specific deadline for
sending notices or provide deadlines exceeding 30 days.\178\
---------------------------------------------------------------------------
\178\ See infra section IV.D.1.b(2).
---------------------------------------------------------------------------
We understand that there are a number of steps a covered
institution may have to take after becoming aware of a data breach
incident to determine if it has met the standard for providing notice.
In the context of the final amendments, 30 days should be sufficient to
conduct an initial assessment and notify affected individuals. While a
covered institution may still be working towards remediating the breach
after the 30-day timeframe, the final amendments require a covered
institution to notify affected customers within the 30-day timeframe so
that affected individuals may take measures to protect themselves. The
final amendments remove the specific requirement in the proposal that
the notice describe what has been done to protect the sensitive
customer information from further
[[Page 47703]]
unauthorized access or use.\179\ This change will help address some of
the timing and logistical concerns raised by commenters because the
process of preparing the requisite notices will be less time intensive,
such that, once a covered institution has made its initial assessment
of the incident and determined the universe of affected individuals, it
should possess the information necessary to provide the requisite
notices.
---------------------------------------------------------------------------
\179\ See final rule 248.30(a)(4)(iv); infra section II.A.3.e.
(discussing in more detail the modification to the notice content
requirements).
---------------------------------------------------------------------------
In addition, with regard to the commenter concern that it may be
logistically challenging to provide a notice within the rule's timing
requirements in cases where a ransomware attack has denied the covered
institution access to its systems,\180\ that comment does not account
for the fact that, under the proposed and final amendments, covered
institutions will now be required to have an incident response program
that includes policies and procedures to, among other things, assess
the nature and scope of any qualifying incidents, identify customer
information systems and types of customer information that may have
been accessed or used without authorization, and respond to and recover
from those incidents.\181\ Thus, as proposed, consistent with the final
amendments, covered institutions will need to anticipate and prepare
for the possibility that they may be denied access to a particular
system (such as in the ransomware example offered by one commenter) and
have procedures in place for complying with the notice requirements
when applicable.
---------------------------------------------------------------------------
\180\ See CAI Comment Letter.
\181\ See supra section II.A; final rule 248.30(a).
---------------------------------------------------------------------------
Consistent with the proposal, the final amendments will require
that covered institutions provide notices ``as soon as practicable,''
but not more than 30 days, after becoming aware that unauthorized
access to or use of customer information has occurred or is reasonably
likely to have occurred. The amount of time that would constitute ``as
soon as practicable'' may vary based on several factors, such as the
time required to assess, contain, and control the incident.\182\ The
requirement to notify affected individuals as soon as practicable but
not more than 30 days in the final amendments is consistent with the
purposes of the GLBA and reflects the importance of expeditious
notification. The amendments are designed to help ensure that customers
receive notification in a timely manner. It would be contrary to this
policy goal for a covered institution to unduly delay notification to
customers, for example by delaying notice until it has definitively
concluded that a data breach incident has occurred, because this could
result in excessively delayed notifications that could unnecessarily
hinder affected customers from engaging their own remedial measures to
protect their data. A covered institution should act promptly and must
not delay its initial assessment of the available details of the
incident as delaying notices could deprive customers of the ability to
take prompt action to protect themselves.
---------------------------------------------------------------------------
\182\ For example, an incident of unauthorized access by a
single employee to a limited set of sensitive customer information
may take only a few days to assess, remediate, and investigate. In
those circumstances a covered institution generally should provide
notices to affected individuals at the conclusion of those tasks and
as soon as the notices have been prepared. See Proposing Release at
n.133.
---------------------------------------------------------------------------
The 30-day outside timeframe under both the proposed and final
rules begins following an incident involving customer information. This
is consistent with the scope of the incident response program, which is
required to address unauthorized access to or use of customer
information. The outside timeframe does not begin from the time that
the covered institution determines that an incident involved
``sensitive customer information,'' as suggested by one commenter.\183\
The commenter's suggested modification would likely delay notification
as compared to the final rule because covered institutions could take
considerable time to determine that an incident involved sensitive
customer information before the outside timeframe would begin and this
could further delay any potential notice to affected individuals.
---------------------------------------------------------------------------
\183\ IAA Comment Letter 1.
---------------------------------------------------------------------------
(2) National Security and Public Safety Delay
The final amendments will allow covered institutions to delay
providing notice if the Attorney General determines that the notice
required under the final amendments poses a substantial risk to
national security or public safety, and notifies the Commission of such
determination in writing, in which case the covered institution may
delay such notice for a time period specified by the Attorney General,
up to 30 days following the date when such notice was otherwise
required to be provided.\184\ Previously referred to as the ``law
enforcement exception'' in the proposal, the national security and
public safety delay has been expanded to incorporate risks related to
public safety in addition to national security. In a modification of
the proposal, in which the Attorney General would have informed only
the covered institution in cases where this delay is granted, in the
final amendments the Attorney General will instead inform the
Commission, in writing, if the Attorney General determines that the
notice poses a substantial risk to national security or public safety.
This modification is designed to ensure that the Commission receives
information related to a delay in notice in an efficient and timely
manner. We have consulted with the Department of Justice to establish
an interagency communication process to allow for the Attorney
General's determination to be communicated to the Commission in a
timely manner. The Department of Justice will notify the covered
institution that communication to the Commission has been made so that
the covered institution may delay providing the notice.
---------------------------------------------------------------------------
\184\ See final rule 248.30(a)(4)(iii).
---------------------------------------------------------------------------
In another change from the proposal, the notice may be delayed for
an additional period of up to 30 days if the Attorney General
determines that the notice continues to pose a substantial risk to
national security or public safety and notifies the Commission of such
determination in writing. In a further change in response to comments,
in extraordinary circumstances, notice may be delayed for a final
additional period of up to 60 days if the Attorney General determines
that notice continues to pose a substantial risk to national security
and notifies the Commission of such determination in writing. Beyond
the final 60-day delay, if the Attorney General indicates that further
delay is necessary, the Commission will consider additional requests
for delay and may grant such delay through a Commission exemptive order
or other action. By contrast, the proposed rules would have allowed a
covered institution to delay notice only for an aggregate period of 30
days following a written request from the Attorney General to the
covered institution, upon the expiration of which the covered
institution would have been required to provide notice immediately. The
modification to the proposed rule is designed to respond to concerns
raised by commenters.\185\
---------------------------------------------------------------------------
\185\ The final amendments will align more closely with the
Public Company Cybersecurity Rules on this point by incorporating a
similar scope and timing for its national security and public safety
delay.
---------------------------------------------------------------------------
One commenter stated that a delay in notifying affected individuals
for law enforcement activity may cause harm to
[[Page 47704]]
customers whose personal information has been exposed.\186\ In
addition, this commenter asserted that notifying affected individuals
would not impede a law enforcement investigation of the data security
incident.
---------------------------------------------------------------------------
\186\ Better Markets Comment Letter.
---------------------------------------------------------------------------
Other commenters, however, urged the Commission to expand the
proposed law enforcement exception because, in their view, the proposed
exception was too narrowly drawn.\187\ Several of these commenters
expressed concern that requests by local or State police, or even other
Federal agencies, would not be sufficient to delay notification under
the proposed rule.\188\ In support of expanding the exception to permit
other law enforcement agencies to direct a covered institution to delay
a notice, some commenters stated concerns about the feasibility and
process of reaching out to the Attorney General to request a
delay.\189\ Commenters also expressed particular concern around
competing requirements, noting that many State regulations include a
more permissive delay and that covered institutions, in an effort to
comply with the proposed exception, may be put into the difficult and
unnecessary position of being subject to conflicting requirements from
the Commission and a State law enforcement entity.\190\ Further,
commenters articulated that the proposed exception is excessively
narrow because it only accommodates law enforcement actions that
address concerns that rise to the level of ``national security.'' \191\
---------------------------------------------------------------------------
\187\ See, e.g., IAA Comment Letter 1; SIFMA Comment Letter 2;
NASDAQ Comment Letter; CAI Comment Letter; FII Comment Letter.
\188\ See, e.g., CAI Comment Letter; ICI Comment Letter 1; FII
Comment Letter; SIFMA Comment Letter 2 (suggesting that the proposed
law enforcement exception should also contemplate foreign law
enforcement and include cooperation with international authorities).
\189\ See ICI Comment Letter; SIFMA Comment Letter 2.
\190\ See, e.g., ICI Comment Letter 1; NASDAQ Comment Letter;
FII Comment Letter; IAA Comment Letter 1 (viewing the proposed
exception as creating broader security risks for clients and
advisers and forcing an adviser to choose between disregarding a law
enforcement request or violating the rule).
\191\ CAI Comment Letter; ICI Comment Letter 1; SIFMA Comment
Letter 2.
---------------------------------------------------------------------------
In addition to concerns regarding the scope of the proposed law
enforcement exception, several commenters opposed the length of time
that a covered institution would be permitted to delay notice under the
proposed rule.\192\ These commenters suggested that there should be no
outside time limitation on the proposed law enforcement exception,
asserting that the judgment of any law enforcement agency investigating
a breach should be an adequate and respected basis for delaying a
regulatory notice regarding such breach. Commenters urged the
Commission to expand the scope and timing requirements of the proposed
law enforcement exception, expressing that they failed to understand
the public purpose that would be served by ignoring the request of a
law enforcement agency to delay notification.\193\
---------------------------------------------------------------------------
\192\ See, e.g., IAA Comment Letter 1; ICI Comment Letter 1;
NASDAQ Comment Letter; SIFMA Comment Letter 2; CAI Comment Letter.
\193\ See, e.g., IAA Comment Letter 1; NASDAQ Comment Letter;
see also SIFMA Comment Letter 2 (stating its view that only for a
limited number of cases would delay be requested or mandated by
other government entities, or court orders, so notification delays
would not become routine or be otherwise abused).
---------------------------------------------------------------------------
In response to commenters' concerns, we have broadened both the
scope and timing requirements of the delay in the final amendments. The
final amendments will allow covered institutions to delay notice in
cases where disclosure would pose a substantial risk to national
security or public safety, contingent on a written notification by the
Attorney General to the Commission.\194\ This provision has been
expanded to incorporate risks related to public safety, and not just
national security, as proposed. This expansion allows for notice delay
in scenarios where disclosure may pose a significant risk of harm even
though it may not pose a substantial risk to national security. This
modification should make the provision sufficiently
expansive to protect against significant risks of harm from
disclosure--such as the risk of alerting malicious actors targeting
critical infrastructure that their activities have been discovered--
while also helping to ensure that individuals are not unduly denied
timely access to information about the unauthorized access to or use of
their sensitive customer information.
---------------------------------------------------------------------------
\194\ A covered institution requesting that the Attorney General
determine that notification under the rule would pose a substantial
risk to national security or public safety does not change the
covered institution's obligation to provide notice to affected
customers within the timing required under the final amendments.
This is because the rule permits a delay only upon the Attorney
General making that determination and communicating it to the
Commission in writing.
---------------------------------------------------------------------------
With respect to commenters who recommended that other Federal
agencies, State and local law enforcement agencies, and foreign law
enforcement authorities also be permitted to trigger a delay or
suggested that the perceived limited nature of this delay would cause
conflict with State authorities, the rule does not preclude any such
entity from requesting that the Attorney General determine that the
disclosure poses a substantial risk to national security or public
safety and communicate that determination to the Commission.
Designating a single law enforcement agency as the point of contact for
both the covered institution and the Commission on such delays is
critical to ensuring that the rule is administrable. Some commenters
stated concerns about the feasibility and process of reaching out to
the Attorney General to request a delay, urging the Commission to
expand the delay to apply to requests made by other law enforcement
agencies in addition to the Attorney General. The FBI, in coordination
with the Department of Justice, has since provided guidance on how
firms can request disclosure delays for national security or public
safety reasons in connection with the Public Company Cybersecurity
Rules.\195\ To the extent needed, further guidance may be issued on how
other law enforcement agencies may contact the Department of Justice to
request a delay.
---------------------------------------------------------------------------
\195\ See FBI Guidance to Victims of Cyber Incidents on SEC
Reporting Requirements, available at: <a href="https://www.fbi.gov/investigate/cyber/fbi-guidance-to-victims-of-cyber-incidents-on-sec-reporting-requirements">https://www.fbi.gov/investigate/cyber/fbi-guidance-to-victims-of-cyber-incidents-on-sec-reporting-requirements</a>.
---------------------------------------------------------------------------
The final amendments also will expand the amount of time that a
covered institution can delay notice under this provision. However, we
are not persuaded, as some commenters suggested, that the rules should
not incorporate a timing component at all because such an approach
would diminish the goal of providing customers (regardless of State
residency) with timely and consistent notification of data breaches so
that they may take remedial action. This includes permitting, in
extraordinary circumstances, a delay for a final additional period of
up to 60 days--following two previous 30-day extensions--if the
Attorney General determines that disclosure continues to pose a
substantial risk to national security and notifies the Commission of
such determination in writing. We are providing for this additional
delay period in the final amendments, beyond what was originally
proposed, and in addition to the two 30-day delays that may precede it,
in recognition that, in extraordinary circumstances, national security
concerns may justify additional delay beyond that warranted by public
safety concerns, due to the relatively more critical nature of national
security concerns.\196\ Beyond the final 60-day
[[Page 47705]]
delay, if the Attorney General indicates to the Commission in writing
that further delay is necessary, the covered institution can request an
additional delay that the Commission may grant through exemptive order
or other action. These modifications acknowledge that additional time
beyond that proposed may be necessary, as called for by commenters,
while balancing national security and public safety concerns against
affected individuals' informational needs.
---------------------------------------------------------------------------
\196\ Under the proposal, in contrast, the covered institution
could delay a notice if the Attorney General informed the covered
institution, in writing, that the notice poses a substantial risk to
national security. The proposal provided that the covered
institution could delay such a notice for a time period specified by
the Attorney General, but not for longer than 15 days, plus an
additional period of up to 15 days if the Attorney General
determines that the notice continues to pose a substantial risk to
national security.
---------------------------------------------------------------------------
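The timing rules described above (30-day outside date from becoming aware of an incident involving customer information, then up to two 30-day Attorney General delays and a final 60-day delay available only on national security grounds) can be tracked in an incident response playbook. The following is an added illustration, not text or tooling from the Commission; the `AgDelay` type, function names and sample dates are constructed assumptions, and it encodes only the day counts and conditions stated in this release.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List

# Final rule 248.30(a)(4): notice "as soon as practicable, but not more
# than 30 days" after the institution becomes aware of unauthorized
# access to or use of customer information. The clock runs from that
# awareness, not from a later determination that the data was
# "sensitive customer information" (see discussion above).
MAX_INITIAL_DAYS = 30

# Caps on successive Attorney General delay periods under the final
# amendments: 30 days, a further 30 days, then a final 60 days in
# extraordinary circumstances. Beyond that, only a Commission
# exemptive order or other action can extend the deadline.
DELAY_CAPS = (30, 30, 60)
VALID_BASES = ("national_security", "public_safety")


@dataclass
class AgDelay:
    """One written Attorney General determination notified to the
    Commission (hypothetical record type for this example)."""
    days_specified: int   # period the AG specified, may be below the cap
    basis: str            # "national_security" or "public_safety"


def notice_outside_date(aware_date: date) -> date:
    """Latest date on which notice may be given absent any AG delay."""
    return aware_date + timedelta(days=MAX_INITIAL_DAYS)


def apply_ag_delays(outside_date: date, delays: List[AgDelay]) -> date:
    """Return the deadline after applying AG delays in sequence.

    Raises ValueError for a delay the rule does not permit, so the
    playbook fails closed rather than silently extending the deadline.
    """
    if len(delays) > len(DELAY_CAPS):
        raise ValueError(
            "beyond the final 60-day delay, further delay requires a "
            "Commission exemptive order or other action")
    due = outside_date
    for idx, delay in enumerate(delays):
        if delay.basis not in VALID_BASES:
            raise ValueError(f"unknown basis {delay.basis!r}")
        # The final 60-day period is justified only by national security
        # concerns, not public safety alone.
        if idx == 2 and delay.basis != "national_security":
            raise ValueError(
                "the final 60-day delay is available only on national "
                "security grounds")
        cap = DELAY_CAPS[idx]
        if not 0 < delay.days_specified <= cap:
            raise ValueError(
                f"delay {idx + 1} must be 1..{cap} days, "
                f"got {delay.days_specified}")
        due += timedelta(days=delay.days_specified)
    return due


def notice_deadline(aware_date: date, delays: List[AgDelay]) -> date:
    """Convenience wrapper: awareness date plus 30 days plus AG delays."""
    return apply_ag_delays(notice_outside_date(aware_date), delays)


if __name__ == "__main__":
    # Constructed scenario: aware on 3 June 2024, AG grants a full
    # 30-day public safety delay, then 20 of a possible 30 days, then
    # the final 60 days on national security grounds.
    sample = [AgDelay(30, "public_safety"),
              AgDelay(20, "national_security"),
              AgDelay(60, "national_security")]
    print("outside date:", notice_outside_date(date(2024, 6, 3)))
    print("after delays:", notice_deadline(date(2024, 6, 3), sample))
```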
e. Notice Contents and Format
The final amendments, consistent with the proposal, require that
notices include key information with details about the incident, the
breached data, and how affected individuals can respond to the breach
to protect themselves. This requirement is designed to help ensure that
covered institutions provide basic information to affected individuals
that will help them avoid or mitigate substantial harm or
inconvenience. In a modification from the proposal, however, the final
amendments will not require the notice to ``[d]escribe what has been
done to protect the sensitive customer information from further
unauthorized access or use.''
Some of the information required by the final amendment, including
information regarding a description of the incident, and the type of
sensitive customer information accessed or used without authorization,
will provide affected individuals with basic information to help them
understand the scope of the incident and its potential ramifications.
As proposed, the final amendments will require covered institutions to
include contact information sufficient to permit an affected individual
to contact the covered institution to inquire about the incident,
including a telephone number (which should be a toll-free number if
available), an email address or equivalent method or means, a postal
address, and the name of a specific office to contact for further
information and assistance, so that affected individuals can easily
seek additional information from the covered institution. All of this
information may help affected individuals assess the risk posed by the
incident and whether to take additional measures to protect against
harm from unauthorized access or use of their information.
Similarly, as proposed, the final amendments will require
information regarding the date of the incident, the estimated date of
the incident, or the date range within which the incident occurred, if
such information is reasonably possible to determine at the time the
notice is provided. This requirement reflects the reality that a
covered institution may have difficulty determining a precise date
range for certain incidents because it may only discover an incident
well after an initial time of access.\197\
---------------------------------------------------------------------------
\197\ See Proposing Release at n.142.
---------------------------------------------------------------------------
In addition, as proposed, the final amendments will require that
covered institutions include certain information to assist affected
individuals in evaluating how they should respond to the incident.
Specifically, if the affected individual has an account with the
covered institution, the final amendments will require the notice to
recommend that the customer review account statements and immediately
report any suspicious activity to the covered institution. The final
amendments will also require the notice to explain what a fraud alert
is and how an affected individual may place a fraud alert in credit
reports. Further, the final amendments will require that the notice
recommend that the affected individual periodically obtain credit
reports from each nationwide credit reporting company and that the
individual have information relating to fraudulent transactions
deleted. The notice must also explain how a credit report can be
obtained free of charge. Lastly, the final amendments require that
notices include information regarding FTC and <a href="http://usa.gov">usa.gov</a> guidance on steps
an affected individual can take to protect against identity theft, a
statement encouraging the individual to report any incidents of
identity theft to the FTC, and the FTC's website address. These
specific requirements are designed to give affected individuals
resources and additional information to help them evaluate how they
should respond to the incident.
As proposed, under the final rules covered institutions will be
required to provide the information specified in the final amendments
in each required notice. While we recognize that relevant information
may vary based on the facts and circumstances of the incident,
customers will benefit from the same minimum set of basic information
in all notices. Accordingly, the final amendments will permit covered
institutions to include additional information but will not permit
omission of the prescribed information. In addition, the final
amendments will require covered institutions to provide notice in a
clear and conspicuous manner and by means designed to ensure that the
customer can reasonably be expected to receive actual notice in
writing.\198\ Pursuant to 17 CFR 248.3, notices will therefore be
required to be reasonably understandable and designed to call attention
to the nature and significance of the information required to be
provided in the notice.\199\ To the extent that a covered institution
includes information in the notice that is not required to be provided
to customers under the final amendments or provides notice
contemporaneously with other disclosures, the covered institution will
still be required to ensure that the notice is designed to call
attention to the important information required to be provided under
the final amendments; the inclusion of any additional information in
the notice may not prevent the required information from being
presented in a clear and conspicuous manner. The requirement to provide
notices in writing, further, will ensure that customers receive the
information in a format appropriate for receiving important
information, with accommodation for those customers who agree to
receive the information electronically.\200\ These requirements are
designed to help ensure that customers are provided informative
notifications and alerted to their importance.
---------------------------------------------------------------------------
\198\ See final rule 248.30(a)(4)(i); see also 17 CFR 248.9(a)
(delivery requirements for privacy and opt out notices) and 17 CFR
248.3(c)(1) (defining ``clear and conspicuous'').
\199\ See 17 CFR 248.3(c)(2) (providing examples explaining what
is meant by the terms ``reasonably understandable'' and ``designed
to call attention'').
\200\ This requirement to provide notice ``in writing'' could be
satisfied either through paper or, for customers who agree to
receive information electronically, through electronic means
consistent with existing Commission guidance on electronic delivery
of documents. See Use of Electronic Media by Broker Dealers,
Transfer Agents, and Investment Advisers for Delivery of
Information; Additional Examples Under the Securities Act of 1933,
Securities Exchange Act of 1934, and Investment Company Act of 1940
[61 FR 24644 (May 15, 1996)]; Use of Electronic Media, [65 FR 25843
(May 4, 2000)].
---------------------------------------------------------------------------
Several commenters broadly supported the proposed notice contents
and format requirements.\201\ One commenter stated that the provision
will lead to notices that contain important information in a clear and
conspicuous manner, which will allow affected individuals to assess the
risk of the incident paired with guidance on
[[Page 47706]]
potential protective measures to take.\202\ Another commenter agreed
with the proposed approach of requiring notices to contain certain
information but not prescribing the specific format for the notices,
asserting that this approach will ``make it easier for covered
institutions to fulfill all their notice obligations under Federal and
State laws with as few notice documents as possible (ideally through a
single notice to all affected customers nationwide).'' \203\
---------------------------------------------------------------------------
\201\ See, e.g., Better Markets Comment Letter, IAA Comment
Letter 1; NASAA Comment Letter.
\202\ Better Markets Comment Letter (stating that the provision
``avoids some common problems with the content of many data breach
notifications, such as confusing language, a lack of details, and
insufficient attention to the practical steps customers should take
in response.'').
\203\ See NASAA Comment Letter (stating that ``[b]eing
prescriptive here could potentially create inconsistencies with
current or future State notice laws, which in turn could cause
covered institutions to feel compelled to deliver entirely
duplicative notices to customers simply for reasons of form.
Customers should not be burdened in this way, and the Reg. S-P
Proposal rightly takes this into account.'').
---------------------------------------------------------------------------
Conversely, a few commenters opposed certain aspects of the notice
content and format requirements.\204\ One commenter expressed concern
related to the proposed requirement for covered institutions to include
in the notice specific efforts they have taken to protect the sensitive
customer information from further unauthorized access or use.\205\ This
commenter articulated that this information could be extremely useful
to threat actors and not particularly useful to affected
individuals.\206\ Another commenter urged the Commission to remove the
requirement for covered institutions to provide ``the date of the
incident, the estimated date of the incident, or the date range,''
asserting that this specific information is not required by the Banking
Agencies' Incident Response Guidance and should not be included in an
amended Regulation S-P.\207\ In addition, two commenters suggested that
the final amendments should provide more flexibility for covered
institutions to determine the manner and method in which they should be
contacted by affected individuals inquiring about an incident.\208\
Lastly, one commenter urged the Commission to consider whether it
should require specific notice obligations at all, asserting that
Federal notice would simply add another layer on top of existing State
data breach notice requirements and would offer limited benefits to
affected individuals.\209\
---------------------------------------------------------------------------
\204\ See, e.g., CAI Comment Letter; ICI Comment Letter 1; IAA
Comment Letter.
\205\ IAA Comment Letter 1.
\206\ Id. (further stating that in many cases ``the adviser will
have already remediated the vulnerability, making the information
even less relevant to a client's decision.'').
\207\ ICI Comment Letter 1.
\208\ CAI Comment Letter; SIFMA Comment Letter 2 (asserting that
the rule should not require each of a telephone number, an email
address, a postal address and a specific office contact, but rather
should allow covered institutions to choose one or more of those
contact options based on how the covered institution normally
interacts with its customers).
\209\ See CAI Comment Letter; see also NASDAQ Comment Letter
(asserting that covered institutions ``should be permitted to comply
with various State and Federal cybersecurity notification
obligations with a single streamlined form.'').
---------------------------------------------------------------------------
After considering comments, we are removing the specific
requirement in the proposal that the notice ``[d]escribe what has been
done to protect the sensitive customer information from further
unauthorized access or use.'' We agree that this information has the
potential to advantage threat actors and does not provide actionable
information for affected individuals. Accordingly, the provision has
been removed from the final amendments, which should reduce the
perceived risk of providing a roadmap for threat actors compared with
the proposal. Covered institutions may, however, voluntarily disclose
details related to the incident's remediation status.
The final amendments do not modify the proposed requirement for
covered institutions to provide information about the date of the
incident, notwithstanding one commenter's suggestion that it be
removed.\210\ Providing this information to affected individuals, to
the extent the information is reasonably possible to determine, can
help affected individuals identify the point in time at which their
sensitive customer information was compromised, thus providing critical details that
affected individuals can use to take targeted protective measures
(e.g., review account statements) to mitigate the potential harm that
could result from the unauthorized access to or use of their sensitive
customer information. For this reason, we disagree with the commenter
that stated firms should not be required to provide this information in
their notice.
---------------------------------------------------------------------------
\210\ ICI Comment Letter 1.
---------------------------------------------------------------------------
Similarly, the final amendments do not modify the requirement for
notices to include the prescribed contact information sufficient to
permit an affected individual to contact the covered institution to
inquire about the incident. We understand that covered institutions
communicate with their customers using many different methods and
formats. However, providing a telephone number, an email address or
equivalent method or means (e.g., an online submission form), a postal
address, and the name of a specific office to contact is designed to
provide sufficient optionality for affected individuals, who may have
differing preferences and aptitudes in their use of contact
methods.\211\ Nothing in this requirement, however, prevents a covered
institution from choosing to provide additional contact methods.
---------------------------------------------------------------------------
\211\ In addition, the final rule's requirement to provide
contact information sufficient to permit an affected individual to
inquire about the incident does not preclude a covered institution
from providing the contact information of a third-party service
provider that has been engaged by the covered institution to provide
specialized information or assistance about the unauthorized access
or use of sensitive customer information on the covered
institution's behalf. See CAI Comment Letter (asserting that it is
current business practice for companies to hire vendors who provide
specialized breach response call centers to handle consumer
inquiries).
---------------------------------------------------------------------------
Lastly, the final amendments do not prescribe a specific format for
the notice to affected customers. We agree with the commenter that
asserted that such flexibility will make it easier for covered
institutions to provide notices that meet the requirements of the final
amendments while also meeting the requirements of other notice
obligations, such as certain State requirements, and thereby mitigates
commenter concerns about the potential for more than one notice
covering a given incident.
4. Service Providers
The final amendments require that each covered institution's
incident response program include the establishment, maintenance, and
enforcement of written policies and procedures reasonably designed to
require oversight, including through due diligence on and monitoring,
of service providers, including to ensure that the covered institution
satisfies the customer notification requirements set forth in paragraph
(a)(4) of the final amendments.\212\ In a modification from the
proposal, rather than requiring written policies and procedures
requiring the covered institution to enter into a written contract with
its service providers to take certain appropriate measures, the
policies and procedures required by the final amendments must be
reasonably designed to ensure service providers take appropriate
measures to: (A) protect against unauthorized access to or use of
customer information; and (B) provide notification to the covered
institution as soon as possible, but no later than 72 hours after
becoming aware of a breach in security has occurred resulting in
unauthorized access to a customer information system maintained by the
service provider.\213\
[[Page 47707]]
In a modification from the proposal, upon receipt of such notification,
a covered institution must initiate its incident response program
pursuant to paragraph (a)(3) of this section.\214\ The final amendments
thus modify the proposal by removing the written contract requirement
and shifting the notification deadline for the service provider's
notification of the covered institution from 48 to 72 hours, while
retaining the notice trigger of the service provider ``becoming aware
of'' a breach in security resulting in unauthorized access to a
customer information system maintained by the service provider.\215\
---------------------------------------------------------------------------
\212\ See final rule 248.30(a)(5)(i).
\213\ See id. In the proposal, the covered institution's written
contract with its service provider would have needed to require the
service providers to take appropriate measures designed to protect
against unauthorized access to or use of customer information,
including notification to the covered institution as soon as
possible, but no later than 48 hours after becoming aware of a
breach in security resulting in unauthorized access to a customer
information system maintained by the service provider to enable the
covered institution to implement its response program. See proposed
rule 248.30(b)(5)(i).
\214\ See id. As discussed further below, this modification
responds to comments by incorporating into rule text the
Commission's intention that covered institutions would
``expeditiously'' implement their incident response program
following the receipt of such notification from a service provider,
as discussed in the Proposing Release. See infra footnote 223 and
accompanying discussion on clarifying modifications. See also
Proposing Release at Section II.A.3.
\215\ See final rule 248.30(a)(5)(i).
---------------------------------------------------------------------------
However, the Commission is adopting as proposed final amendments
that provide that a covered institution, as part of its incident
response program, may enter into a written agreement with its service
provider to notify affected individuals on the covered institution's
behalf in accordance with paragraph (a)(4) of the final
amendments.\216\ In a modification from the proposal, the final
amendments provide that even where a covered institution uses a service
provider in accordance with paragraphs (a)(5)(i) and (ii) of the final
amendments, the covered institution's obligation to ensure that
affected individuals are notified in accordance with paragraph (a)(4)
of the final amendments rests with the covered institution.\217\
---------------------------------------------------------------------------
\216\ See final rule 248.30(a)(5)(ii).
\217\ See final rule 248.30(a)(5)(iii). As discussed further
below, this modification is intended to clarify covered
institutions' responsibilities under the final amendments by
incorporating into rule text the Commission's intended scope, as
discussed in the Proposing Release. See discussion on Delegation of
Notice and Covered Institutions' Customer Notification Obligations
infra Section II.A.4.c. and footnote 264, including accompanying
discussion on clarifying modifications.
---------------------------------------------------------------------------
Finally, the Commission is also defining a ``service provider'' at
adoption to mean any person or entity that receives, maintains,
processes, or otherwise is permitted access to customer information
through its provision of services directly to a covered
institution.\218\ As discussed further below, this definition removes
language from the proposed definition relating to third parties, but
does so solely to make plain that the definition of a ``service
provider'' can include affiliates of a covered institution.\219\
---------------------------------------------------------------------------
\218\ See final rule 248.30(d)(10).
\219\ As stated below, this modification from the proposal
responds to comments by incorporating into rule text the
Commission's intended scope of the ``service provider'' definition,
as discussed in the Proposing Release. See discussion on the Service
Provider definition infra footnote 271, including accompanying
discussion on clarifying modifications. See also proposed rule
248.30(e)(10).
---------------------------------------------------------------------------
a. Covered Institutions' Incident Response Program Obligations
Regarding Service Providers
In a change from the proposed rule, the Commission is adopting the
final amendments without requiring covered institutions to enter into a
written contract with their service providers.\220\ Instead, the final
amendments require that a covered institution's incident response
program ``include the establishment, maintenance, and enforcement of
written policies and procedures reasonably designed to require
oversight, including through due diligence and monitoring, of the
covered institution's service providers, including to ensure that the
covered institution notifies affected individuals as set forth in
paragraph (a)(4),'' in the event of a breach at the service
provider.\221\ Further, while the final amendments do not require
covered institutions to enter into a written contract, the final
amendments incorporate the protections that would have been required in
the proposed written contract \222\ by requiring that a covered
institution's policies and procedures be reasonably designed to ensure
service providers take the appropriate measures to: (A) protect against
unauthorized access to or use of customer information, and (B) provide
notification to the covered institution in the event of a breach
resulting in unauthorized access to a customer information system
maintained by the service provider, in accordance with the timing and
notice trigger conditions discussed further below. Finally, in a
modification from the proposal, upon receipt of such notification, a
covered institution must initiate its incident response program adopted
pursuant to paragraph (a)(3) of this section.\223\
---------------------------------------------------------------------------
\220\ See proposed rule 248.30(b)(5)(i). See also supra footnote
213 and accompanying discussion.
\221\ See final rule 248.30(a)(5)(i). In the Proposing Release,
we requested comment on whether the proposed written contract
requirement should instead require that a covered institution adopt
policies and procedures that ``require due diligence of or some type
of reasonable assurances from its service providers.'' See Proposing
Release at section II.A.3. We also encouraged commenters to review
our separate proposal to prohibit registered investment advisers
from outsourcing certain services or functions without first meeting
minimum due diligence and monitoring requirements to determine
whether that proposal might affect their comments on the Proposing
Release. See Proposing Release at section G.2, n.300; see also
Outsourcing by Investment Advisers, Investment Advisers Act Release
No. 6176 (Oct. 26, 2022) [87 FR 68816 (Nov. 16, 2022)]. The due
diligence standards we are adopting are intended to address related
concerns raised by commenters who requested that we adopt a more
principles-based set of requirements.
\222\ See supra footnote 213 and accompanying discussion of the
substantive obligations that were included in the proposal's written
contract requirement.
\223\ See final rule 248.30(a)(5)(i).
---------------------------------------------------------------------------
Two commenters expressed varying degrees of support for requiring a
written contract between a covered institution and its service
providers.\224\ One such commenter expressed support for requiring a
specific contractual agreement with a service provider, stating that
the information covered by the service provider provision is already
subject to a contractual agreement between the covered institution and
the service provider.\225\ The other commenter agreed that service
providers should be contractually required to take appropriate risk-
based measures and due diligence to protect against unauthorized access
to or use of customer information, but suggested that, for flexibility
in oversight, covered institutions should be permitted to rely on
``reasonable assurances'' from service providers that they have taken
appropriate measures to protect customer information.\226\
---------------------------------------------------------------------------
\224\ See ICI Comment Letter. While this commenter supported a
written contract requirement, it did assert that the Commission
should adopt a longer compliance period due to the necessity of
renegotiating existing contracts with service providers to align the
breach notification provisions in those contracts to the rule's
requirements. This comment is separately addressed below. See also
SIFMA Comment Letter 2.
\225\ See ICI Comment Letter. Specifically, this commenter
stated that the information that is covered by proposed rule
248.30(b)(5) ``is already subject to a contractual agreement between
the covered institution and the service provider.'' Id. This
commenter further explained it is opposing the contractual
requirement because of its very narrow scope, specifically stating
that ``as drafted, [the requirement] would only apply to any service
provider that receives, maintains, processes, or otherwise is
permitted access to customer information through the service
provider's provision of services directly to the covered
institution.'' Id.
\226\ See SIFMA Comment Letter 2.
---------------------------------------------------------------------------
[[Page 47708]]
Several commenters opposed this proposed requirement.\227\
Specifically, two commenters asserted that the written contract
requirement would harm covered institutions, which may not have the
negotiating power or leverage to demand specific contractual provisions
from large third-party service providers, particularly where specific
provisions are ``inconsistent with the business imperatives'' of the
service provider and/or in the case of small covered institutions.\228\
A number of commenters also suggested alternatives to either adopting a
written contract requirement or, if such a requirement is adopted, to
mandating specified contractual requirements.\229\ Two commenters
suggested that rather than requiring specific practices to be included
within a written contract, the Commission should structure the final
amendments to enable covered institutions to take a risk-based approach
to due diligence and third-party risk management that integrates
reliance on independent certifications, attestations, and industry
standards as a sufficient means of assessing and determining whether
the service provider is appropriately addressing these risks to an
adequate standard.\230\ Meanwhile, another commenter who opposed the
contractual requirement suggested the Commission should provide covered
institutions with the flexibility to oversee their service providers
``based on the nature and size of their businesses and in light of the
risks posed by the facts and circumstances.'' \231\ Finally, one
commenter suggested that it was unclear how a third-party service
provider's notice to a covered institution would affect a covered
institution's own obligations.\232\
---------------------------------------------------------------------------
\227\ See, e.g., AWS Comment Letter; IAA Comment Letter 1
(stating that [covered institutions] should not be required to enter
into written agreements with service providers); Google Comment
Letter; STA Comment Letter 2; and CAI Comment Letter (stating that
many leading service providers (such as cloud service providers) do
not negotiate the standard terms of their services with customers
and those standard terms generally would not meet the proposed
contractual requirements).
\228\ See IAA Comment Letter 2; see also STA Comment Letter 2.
\229\ See SIFMA Comment Letter 2; AWS Comment Letter; Google
Comment Letter; and IAA Comment Letter 1.
\230\ See AWS Comment Letter (suggesting that in order to
address the practical difficulties of compliance, the Commission
should provide covered institutions with a flexible approach to
achieving compliance with the service provider provisions that
relies on the use of independent certifications, attestations, and
adherence to industry standards); see also Google Comment Letter
(suggesting that rather than prescribing the specific practices that
must be included in the contract, (a) contracts should require
service providers to implement and maintain appropriate measures
that are consistent with industry standards, and (b) each covered
entity should oversee its providers to assess if the provider
addresses the relevant practices to an adequate standard--noting
this activity can be supported with third party certifications and
standards).
\231\ See IAA Comment Letter 1.
\232\ See ACLI Comment Letter.
---------------------------------------------------------------------------
Eliminating the written contract requirement from the final
amendments, while enhancing the policies and procedures obligation,
strikes an appropriate balance between providing covered institutions
with greater flexibility in achieving compliance with the requirements
of this rule within the context of their service provider
relationships and helping to ensure that the investor protections
afforded by the final amendments are maintained when covered
institutions utilize service providers.
In particular, as adopted, the enhanced policies and procedures
obligations will enable covered institutions to identify and utilize
the most appropriate means for their business of achieving compliance
with the final amendments through policies and procedures reasonably
designed to require oversight, including through due diligence and
monitoring, of their service providers. Providing this flexibility will
help address commenters' concerns about imposing a written contractual
agreement for covered institutions, particularly those that are small
entities, which may not have sufficient negotiating power or leverage
to demand specific contractual provisions from a large third-party
service provider. At the same time, the enhanced policies and
procedures requirements will provide for effective safeguarding of
customer information when it is received, maintained, processed, or
otherwise accessed by a service provider, as well as timely notice to
customers affected by a breach at a covered institution's service
provider, by requiring that the policies and procedures be reasonably
designed to: (1) require oversight, including through due diligence and
monitoring, of service providers, including to ensure that the covered
institution notifies affected individuals as required in paragraph
(a)(4) and (2) ensure service providers take appropriate measures to
protect against the unauthorized access to or use of customer
information and provide covered institutions with timely notification
of a breach so that the covered institution can carry out its
incident response program.
While the final amendments thus provide increased flexibility as to
a covered institution's means of overseeing its service providers, the
modification the Commission is making at adoption does not lower the
standard of a covered institution's substantive oversight obligations.
Some covered institutions may find that such oversight can be
accomplished more easily and less expensively through less formal
arrangements in certain circumstances, based on the covered
institution's relationship with its service provider, as well as the
scope of the services that are now or will be provided over the course
of the relationship.\233\ However, regardless of the means and
arrangements employed, the covered institution must ensure that any
service provider it decides to utilize takes appropriate measures to
(A) protect against unauthorized access to or use of customer
information, and (B) provide breach notifications to the covered
institution as required by these final amendments.
---------------------------------------------------------------------------
\233\ Although a written contract is not required under the
final amendments, covered institutions should generally consider
whether a written contract that memorializes the expectations of
both covered institutions and their service providers is
appropriate.
---------------------------------------------------------------------------
Further, while it may be helpful to a covered institution in
achieving compliance with the final amendments to receive ``reasonable
assurances'' from its service providers that they have taken
appropriate measures to both protect customer information and provide
timely notification to the covered institution in the event of a
relevant breach of the service provider's customer information systems,
reliance solely on such assurances may be insufficient depending on the
facts and circumstances, for example when a covered institution knows,
or has reason to know, that such assurance is inaccurate. Instead, the
final rules require the establishment, maintenance, and enforcement of
written policies and procedures reasonably designed to require
oversight, including through due diligence and monitoring, of the
service provider to ensure the covered institution will be able to
satisfy the obligations of paragraph (a)(4). Further, covered
institutions generally should consider reviewing and updating these
policies and procedures periodically throughout their relationship with
a service provider, including updates designed to address any
information learned during the course of their monitoring.
The final amendments provide covered institutions with flexibility
in overseeing their service provider relationships, while helping to
ensure the additional investor protections intended by these final
amendments are
[[Page 47709]]
still achieved. Consistent with this risk-based approach, covered
institutions may wish to consider employing such tools as independent
certifications and attestations obtained from the service provider, as
suggested by some commenters, as part of their policies and procedures
to require oversight, including through due diligence and monitoring,
of the service provider. However, the covered institution's written
policies and procedures must be reasonably designed under the
circumstances, and the covered institution's oversight of its service
providers pursuant to those written policies and procedures generally
should be tailored to the facts and circumstances of the two parties'
relationship, which may or may not include the use of such tools.
Further, as stated above, we are modifying the proposed rule to
state that upon a covered institution's receipt of a service provider's
notification, the covered institution must initiate its incident
response program required by paragraph (a)(3) of the rule.\234\ The
Commission is adopting this modification in response to comment
requesting clarification of a covered institution's obligations upon
receipt of service provider breach notifications.\235\ Further, this
modification helps further align the final amendments with the intended
purpose of the service provider's breach notifications, as discussed in
the Proposing Release.\236\ While receipt of such notice automatically
triggers the covered institution's obligation to initiate the
procedures of its incident response program, such notice is not a
necessary predicate to trigger this obligation for incidents occurring
at the service provider. A covered institution also must initiate its
incident response program where the covered institution has otherwise
independently detected an incident of unauthorized access to or use of
customer information at the service provider.\237\
---------------------------------------------------------------------------
\234\ See final rule 248.30(a)(5)(i).
\235\ See ACLI Comment Letter.
\236\ This modification is consistent with the intended purpose
of this notification, as discussed in the Proposing Release. See
Proposing Release at Section II.A.3 stating that the purpose of
breach notifications to be provided by service providers to a
covered institution is ``to enable the covered institution to
implement its incident response program expeditiously.''
\237\ See final rule 248.30(a)(3). See also discussion on
covered institutions' required Incident Response Program Including
Customer Notification supra Section II.A.
---------------------------------------------------------------------------
Finally, some commenters asked that we consider making any new
obligations with respect to a written contract requirement forward-
looking so as not to disrupt contracts already in existence by
requiring renegotiation, and that we should further extend the
compliance date to address this.\238\ As we are adopting the rule
without a written contract requirement, these comments have become
moot.\239\
---------------------------------------------------------------------------
\238\ See, e.g., Computershare Comment Letter; Google Comment
Letter; ICI Comment Letter.
\239\ See discussion of compliance date infra section II.F.
---------------------------------------------------------------------------
b. Deadline for Service Provider Notice to Covered Institutions and
Notice Trigger
As described above, the final amendments require that a covered
institution's policies and procedures be reasonably designed to ensure
service providers take appropriate measures to provide covered
institutions with notice ``as soon as possible, but no later than 72
hours after becoming aware of a breach in security has occurred
resulting in unauthorized access to a customer information system
maintained by the service provider.'' \240\ This modification extends
the proposed timeframe for service providers to provide such notice to
72 hours, but maintains the proposed notice triggering event to
initiate this timeframe of the service provider ``becoming aware of'' a
breach.\241\
---------------------------------------------------------------------------
\240\ See final rule 248.30(a)(5)(i). In the proposed rule, such
notice would have been required ``as soon as possible, but no later
than 48 hours after becoming aware of a breach, in the event of any
breach in security resulting in unauthorized access to a customer
information system maintained by the service provider.'' See
proposed rule 248.30(a)(5)(i).
\241\ See Proposing Release at section II.A.3.
---------------------------------------------------------------------------
Commenters addressed both the notification deadline and the
triggering event for notifications to be provided by service providers
to covered institutions in the event of a relevant breach involving
unauthorized access to a customer information system maintained by the
service provider. As to the notification deadline, one commenter
supported requiring service providers to notify a covered institution
within 48 hours of a breach impacting the covered institution or
affected individuals, stating its understanding is that this is ``not
an uncommon arrangement'' today between covered institutions and
service providers maintaining their nonpublic personal information
(e.g., between investment companies and transfer agents).\242\ Another
commenter raised concerns that a standard of ``as soon as possible, but
no later than 48 hours after becoming aware of a breach,'' when paired
with a written contract requirement, might impose formidable challenges
to covered institutions in mandating such contractual provisions with
service providers who are not explicitly subject to Commission
jurisdiction, and may have their own policies and procedures addressing
breaches.\243\ Several commenters suggested the Commission adopt a 72-
hour notification deadline.\244\ In particular, one such commenter
stated that this notification provision should be extended to ``as soon
as possible but no later than 72 hours,'' to harmonize the Commission's
standard with a number of related Federal, State, and international
regulatory deadlines governing required service provider notification
to financial institutions in the event of a cyber incident, and also
further the White House's and Congress's express policy of harmonizing
cyber incident reporting requirements.\245\ Finally, this commenter
stated that a consistent 72-hour reporting deadline would promote more
effective cybersecurity incident response and cyber threat information
sharing than shorter, or varied reporting periods, and that a 48-hour
deadline in the commenter's experience would lead to ``premature
reporting'' that increases the likelihood of reporting inaccurate or
incomplete information and tends to create confusion and
uncertainty.\246\
---------------------------------------------------------------------------
\242\ See ICI Comment Letter.
\243\ See Computershare Comment Letter.
\244\ See Letter from Microsoft Corporation (June 5, 2023)
(``Microsoft Comment Letter''); AWS Comment Letter (this commenter
``encourage[d] the Commission'' to consider a longer reporting
deadline than 48 hours to ``support the dedication of resources
needed to discover and mitigate potential harm caused by an
incident,'' and highlighted the 72-hour reporting timeframe that
``CIRCIA contemplates . . . for national critical infrastructure,
including the financial services sector'' in the alternative.).
\245\ See Microsoft Comment Letter (explaining that use of this
72-hour reporting deadline would align the SEC's rules with other
notification requirements that may apply to entities covered by the
Proposed Rules, and identifying additional authorities that use the
72-hour deadline, such as the CIRCIA, Pub. L. 117-103, 136 Stat. 49
(2022); Executive Order 14028, ``Improving the Nation's
Cybersecurity,'' 86 FR 26,633 (May 12, 2021), directing the Federal
government to incorporate a 72-hour reporting period into the
Federal Acquisition Regulation (``FAR''); the Defense Federal
Acquisition Regulation Supplement (``DFARS''), 48 CFR 204.7302(b)
and 252.204-7012(c); the New York State Department of Financial
Services' (``NYDFS'') Cybersecurity Requirements for Financial
Service Companies, 23 NYCRR section 500.17(a); the European Union's
General Data Protection Regulation (``GDPR''), Regulation (EU) 2016/
679; and Article 23 of the EU's new Network and Information Security
Directive (``NIS 2 Directive''), Directive (EU) 2022/2555).
\246\ Id.
---------------------------------------------------------------------------
In contrast, some commenters recommended modifying the proposal to
remove any specified duration for a reporting deadline.\247\ Several
[[Page 47710]]
commenters suggested that rather than an inflexible time deadline, the
Commission should require that notification be provided without
unreasonable delay after a reasonable investigation has been performed
by the service provider.\248\ Another commenter stated that rather than
mandating any form of a deadline, the time period should be left to
covered institutions and service providers to negotiate, accounting for
the nature of services and customer data.\249\
---------------------------------------------------------------------------
[…truncated; see source link]