SEC Seeks to Amend Reg S-P to Enhance Protection of Customer Information

The Securities and Exchange Commission has published a proposed rule to amend Regulation S-P to require broker-dealers, investment companies, registered investment advisers, and transfer agents to notify individuals affected by certain types of data breaches that may put them at risk of harm, the SEC announced.

Regulation S-P, a regulation that protects the privacy of consumer financial information, currently requires covered institutions to adopt written policies and procedures for the protection of customer records and information, known as the “safeguards rule.” It also requires the proper disposal of consumer report information, known as the “disposal rule.”

However, “these firms have no requirement to notify customers about breaches,” said SEC Chair Gary Gensler. “I think we should close this gap.”

The SEC’s proposal, if adopted, would update the rule’s requirements to address the expanded use of technology and corresponding risks since Regulation S-P was first adopted in 2000. It would require covered institutions to “adopt written policies and procedures for an incident response program to address unauthorized access to or use of customer information,” the SEC said.

The proposed rule also would require, “with certain limited exceptions, covered institutions to provide notice to individuals whose sensitive customer information was or is reasonably likely to have been accessed or used without authorization.” The SEC added that the proposal would require a covered institution to provide this notice “as soon as practicable, but not later than 30 days after the covered institution becomes aware that an incident involving unauthorized access to, or use of, customer information has occurred or is reasonably likely to have occurred.”

Additional Changes

The proposed amendments would make a number of additional changes to Regulation S-P, including broadening and aligning the scope of the safeguards rule and disposal rule to cover “customer information,” a newly defined term. “This change would extend the protections of the safeguards and disposal rules to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information that a covered institution receives about customers of other financial institutions,” the SEC said.

Additionally, it would extend the safeguards rule, “including the proposed enhancements, to transfer agents registered with the Commission or another appropriate regulatory agency, and expanding the existing scope of the disposal rule to include transfer agents registered with another appropriate regulatory agency rather than only those registered with the Commission.”

“I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves,” Gensler said.

The proposing release will be published in the Federal Register. The public comment period will remain open until 60 days after the date of publication of the proposing release in the Federal Register.


Jaclyn Jaeger is a contributing editor at Compliance Chief 360° and a freelance business writer based in Manchester, New Hampshire.
