On March 15, 2023, the U.S. Securities and Exchange Commission (“SEC”) proposed amendments to Regulation S-P. The proposed amendments would require covered institutions to enhance protections of consumer information by requiring the adoption of written policies and procedures for an incident response program. The amendments would expand the scope of Regulation S-P by requiring covered institutions to provide timely notifications to individuals affected by data breaches and by extending the definition of the information covered by the regulation.
If adopted, the proposed amendments would:
-
Incident Response Program. Require covered institutions to adopt a reasonably designed incident response compliance program that detects breaches, assesses the nature and scope of incidents, and contains and controls incidents.
-
Breach Notifications. Require covered institutions to notify affected individuals when their customer information was or is reasonably likely to have been part of a breach. Notifications must be provided as soon as practicable, but no later than 30 days after the covered institution becomes aware of the breach.
-
Disposal Limitations. Expand Regulation S-P’s requirements for information disposal to transfer agents registered with the SEC and with other agencies.
-
Expanded Scope. Expands the scope of Regulation S-P by defining “customer information” to include records that contain nonpublic personal information received directly or from third-parties.
-
Federal Standard. Implement a Federal minimum standard for customer notifications. Although state laws require covered institutions to notify affected individuals of data breaches, there is a lack of consistency across the states.
The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.