2024-11116. Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

AGENCY:

Securities and Exchange Commission.

ACTION:

Final rule.

SUMMARY:

The Securities and Exchange Commission (“Commission” or “SEC”) is adopting rule amendments that will require brokers and dealers (or “broker-dealers”), investment companies, investment advisers registered with the Commission (“registered investment advisers”), funding portals, and transfer agents registered with the Commission or another appropriate regulatory agency (“ARA”) as defined in the Securities Exchange Act of 1934 (“transfer agents”) to adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. In addition, the amendments extend the application of requirements to safeguard customer records and information to transfer agents; broaden the scope of information covered by the requirements for safeguarding customer records and information and for properly disposing of consumer report information; impose requirements to maintain written records documenting compliance with the amended rules; and conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the Gramm-Leach-Bliley Act (“GLBA”).

DATES:

Effective date: This rule is effective August 2, 2024.

Compliance date: The applicable compliance dates are discussed in section II.F of this rule.

FOR FURTHER INFORMATION CONTACT:

Emily Hellman, James Wintering, Special Counsels; Edward Schellhorn, Branch Chief; Devin Ryan, Assistant Director; John Fahey, Deputy Chief Counsel; Emily Westerberg Russell, Chief Counsel; Office of Chief Counsel, Division of Trading and Markets, (202) 551-5550; Kevin Schopp, Senior Special Counsel; Moshe Rothman, Assistant Director; Office of Clearance and Settlement, Division of Trading and Markets, (202) 551-5550, Susan Ali and Andrew Deglin, Counsels; Michael Khalil and Y. Rachel Kuo, Senior Counsels; Blair Burnett and Bradley Gude, Branch Chiefs; or Brian McLaughlin Johnson, Assistant Director, Investment Company Regulation Office, Division of Investment Management, (202) 551-6792, Securities and Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION:

The Commission is adopting amendments to 17 CFR 248.1 through 248.100 (“Regulation S-P”) under Title V of the GLBA [15 U.S.C. 6801 through 6827], the Fair Credit Reporting Act (“FCRA”) [15 U.S.C. 1681 through 1681x], the Securities Exchange Act of 1934 (“Exchange Act”) [15 U.S.C. 78a et seq.], the Investment Company Act of 1940 (“Investment Company Act”) [15 U.S.C. 80a-1 et seq.], and the Investment Advisers Act of 1940 (“Investment Advisers Act”) [15 U.S.C. 80b-1 et seq.].

I. Introduction and Background

II. Discussion

A. Incident Response Program Including Customer Notification

1. Assessment

2. Containment and Control

3. Notice to Affected Individuals

4. Service Providers

B. Scope of Safeguards Rule and Disposal Rule

1. Scope of Information Protected

2. Extending the Scope of the Safeguards Rule and the Disposal Rule To Cover All Transfer Agents

3. Maintaining the Current Regulatory Framework for Notice-Registered Broker-Dealers

C. Recordkeeping

D. Exception From Requirement To Deliver Annual Privacy Notice

E. Existing Staff No-Action Letters and Other Staff Statements

F. Compliance Period

III. Other Matters

IV. Economic Analysis

A. Introduction

B. Broad Economic Considerations

C. Baseline

1. Safeguarding Customer Information: Risks and Practices

2. Regulations and Guidelines

3. Market Structure

D. Benefits and Costs of the Final Rule Amendments

1. Written Policies and Procedures

2. Extending the Scope of the Safeguards Rule and the Disposal Rule

3. Recordkeeping

4. Exception From Annual Notice Delivery Requirement

E. Effects on Efficiency, Competition, and Capital Formation

F. Reasonable Alternatives Considered

1. Reasonable Assurances From Service Providers

2. Lower Threshold for Customer Notice

3. Encryption Safe Harbor

4. Longer Customer Notification Deadlines

5. Broader National Security and Public Safety Delay in Customer Notification

V. Paperwork Reduction Act

A. Introduction

B. Amendments to the Safeguards Rule and Disposal Rule

VI. Final Regulatory Flexibility Act Analysis

A. Need for, and Objectives of, the Final Amendments

B. Significant Issues Raised by Public Comments

C. Small Entities Subject to Final Amendments

D. Projected Reporting, Recordkeeping, and Other Compliance Requirements

E. Agency Action To Minimize Effect on Small Entities

Statutory Authority

I. Introduction and Background

Regulation S-P is a set of privacy rules adopted pursuant to the GLBA and the Fair and Accurate Credit Transactions Act of 2003 (“FACT Act”) that govern the treatment of nonpublic personal information about consumers by certain financial institutions.^[1] The Commission is adopting rule amendments that are designed to modernize and enhance the protections that Regulation S-P provides by addressing the expanded use of technology and corresponding risks that have emerged since the Commission originally adopted Regulation S-P in 2000. The amendments in particular update the requirements of the “safeguards” and “disposal” rules. The safeguards rule requires brokers, dealers, investment companies,^[2] and registered investment advisers to adopt written policies and procedures that address administrative, technical, and physical safeguards to protect customer records and information.^[3] The disposal rule, which applies to transfer agents Start Printed Page 47689 registered with the Commission in addition to the institutions covered by the safeguards rule, requires proper disposal of consumer report information.^[4] In addition, under Regulation Crowdfunding, funding portals must comply with the requirements of Regulation S-P as they apply to brokers.^[5] Thus, funding portals will also be required to comply with the applicable amendments to Regulation S-P adopted in this release.

The final Regulation S-P amendments are needed to provide enhanced protection of customer or consumer information and help ensure that customers of covered institutions receive timely and consistent notifications in the event of unauthorized access to or use of their information.^[6] In evaluating amendments to Regulation S-P, we have considered developments in how firms obtain, share, and maintain individuals' personal information since the Commission originally adopted Regulation S-P, which correspond with an increasing risk of harm to individuals.^[7] This environment of expanded risks and the importance of reducing or mitigating the potential for harm also supports our amendments to Regulation S-P.

In March 2023, the Commission proposed amendments to Regulation S-P.^[8] In particular, the proposed amendments would amend the safeguards rule to require any broker or dealer, investment company, registered investment adviser, or transfer agent (collectively, “covered institutions”) to develop, implement, and maintain written policies and procedures for an incident response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The proposal included a further requirement that, as part of this incident response program, covered institutions would provide notices to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization as soon as practicable, but not later than 30 days, after becoming aware that the incident occurred or is reasonably likely to have occurred. The proposed notice requirement included provisions that addressed the use of service providers by covered institutions and included a provision that would permit covered institutions to delay providing notice after receiving a written request from the United States Attorney General (“Attorney General”) that this notice poses a substantial risk to national security.

The Commission also proposed other amendments to Regulation S-P to enhance the protection of customers' nonpublic personal information. The proposed amendments included provisions to expand the scope of the protections of the safeguards and disposal rules, including extending the safeguards rule to transfer agents. The proposed amendments also included requirements for covered institutions to maintain written records documenting compliance with the proposed amended rules. Finally, the Commission proposed amendments to conform annual privacy notice delivery provisions to the terms of an exception provided by a statutory amendment to the GLBA.

The Commission received comment letters on the proposal from a variety of commenters, including financial services firms and their service providers, law firms, investor advocacy groups, professional and trade associations, public policy research institutes, academics, and interested individuals.^[9] Most individual and public interest group commenters and some industry groups generally supported the proposed amendments.^[10] A few commenters urged the Commission to consider taking additional steps to strengthen the proposed requirements, for example, by shortening the period for customer notification.^[11] Many industry commenters expressed concern with specific elements of the proposed amendments, however, suggesting that these amendments would pose operational difficulties.^[12]

Comments on specific aspects of the proposed amendments focused on a few key themes. First, commenters urged the Commission to take a more holistic regulatory approach to harmonize the proposed amendments with other Commission rules and proposals to avoid creating redundant, overlapping, or conflicting obligations for covered institutions.^[13] We have modified the Start Printed Page 47690 rule from the proposal to address comments.^[14]

For example, covered institutions may be required to adopt written policies and procedures on similar issues under other provisions of the Federal securities laws.^[15] A covered institution can, however, adopt a single set of policies and procedures covering Regulation S-P and other rules, provided that the policies and procedures meet the requirements of each rule.^[16] Additionally, we have changed the proposed requirement to delay providing customer notices when that notice poses a substantial risk to national security or public safety in order to align with a similar provision contained in the Public Company Cybersecurity Rules.^[17]

Commenters also questioned the need for the proposed amendments in light of existing State laws that also address data breaches and raised concerns about differences between the proposed amendments and State regulatory requirements. One commenter stated that the proposed amendments were not needed because existing State laws already require firms to provide notice to individuals in the event of a data breach.^[18] Some commenters stated that parts of the proposed amendments would conflict with certain provisions of State laws,^[19] while other commenters stated that parts of the proposed amendments would duplicate existing State laws.^[20]

As discussed more fully later in this section, while we recognize that existing State laws require covered institutions to notify State residents of data breaches in some cases, State laws are not consistent on this point and exclude some entities from certain requirements.^[21] The final amendments will require notification to all customers of a covered institution affected by a data breach (regardless of State residency), in order to provide timely and consistent disclosure of important information to help affected customers respond to a data breach.^[22] To that end, the final amendments will enhance investor protection in a number of ways, including by covering a broader scope of customer information than many States; ^[23] providing for a 30-day notification deadline that is shorter than the timing currently mandated by many States (including States that have no deadline or those allowing for various notification delays); ^[24] and providing for a more robust notification trigger than in many States.^[25]

Commenters also raised concerns with differences between the proposed amendments and other Federal regulators' safeguarding standards that also include a requirement for a data breach response plan or program.^[26] The GLBA and FACT Act oblige us to adopt regulations, to the extent possible, that are consistent and comparable with those adopted by the Banking Agencies, the Consumer Financial Protection Bureau (“CFPB”), and the FTC.^[27] Accordingly, the Commission has also been mindful of the need to set standards for safeguarding customer records and information that are consistent and comparable with the corresponding standards set by these agencies in developing the amendments.^[28] To this end, we have modified the final amendments from the proposal to promote greater consistency with other applicable Federal safeguard standards to the extent they do not affect the investor protection purposes of this rulemaking, as discussed in more detail below. For example, the final amendments require covered institutions to ensure that their service providers provide notification as soon Start Printed Page 47691 as possible, but no later than 72 hours after becoming aware that an applicable breach has occurred, which is informed by the 72-hour deadline that is required under the Cyber Incident Reporting for Critical Infrastructure Act of 2022 (“CIRCIA”).^[29]

We recognize, however, that there are some areas of divergence between the final amendments and other Federal regulators' GLBA safeguarding standards, and we discuss the basis for each provision of the final rules below, including cases where the amendments differ from analogous requirements under State law or other Federal regulations.^[30]

Many commenters also urged the Commission to coordinate with other Federal agencies, particularly on reporting deadlines.^[31] For example, a number of commenters suggested that the Commission coordinate with CISA as it develops regulations pursuant to CIRCIA.^[32] We have consulted and coordinated with CISA and, consistent with the requirements of the GLBA and other statutory requirements,^[33] other relevant agencies and their representatives for the purpose of ensuring, to the extent possible, that the amendments are consistent and comparable with the regulations prescribed by other relevant agencies.^[34]

We are adopting amendments to Regulation S-P substantially as proposed, with some changes in response to comments. The principal elements of the final amendments, as discussed in more detail below, are as follows:

Incident Response Program. The final safeguards rule requires covered institutions to develop, implement, and maintain written policies and procedures for an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information. The final amendments will require that a response program include procedures to assess the nature and scope of any incident and to take appropriate steps to contain and control the incident to prevent further unauthorized access or use.
Notification Requirement. The response program procedures in the final amendments also includes a requirement that covered institutions provide a notification to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. Notice will not be required if a covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. Under the final amendments, a customer notice must be clear and conspicuous and provided by a means designed to ensure that each affected individual can reasonably be expected to receive it. This notice must be provided as soon as reasonably practicable, but not later than 30 days, after the covered institution becomes aware that unauthorized access to or use of customer information has, or is reasonably likely to have, occurred. As discussed in more detail below, the final amendments will permit covered institutions to delay providing notice after the Commission receives a written request from the Attorney General that this notice poses a substantial risk to national security or public safety.^[35]

Service Providers. The final amendments to the safeguards rule include new provisions that address the use of service providers by covered institutions. Under these provisions, covered institutions will be required to establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring of service providers, including to ensure that affected individuals receive any required notices. The final amendments make clear that while covered institutions may use service providers to provide any required notice, covered institutions will retain the obligation to ensure that affected individuals are notified in accordance with the notice requirements.
Scope. The final amendments will more closely align the information protected under the safeguards rule and the disposal rule by applying the protections of both rules to “customer information,” a newly defined term. The final amendments will also broaden the group of customers whose information is protected under both rules. Also, transfer agents will be required to comply with the safeguards rule.
Recordkeeping and Annual Notice Amendments. The final amendments will add requirements for covered institutions, other than funding portals,^[36] to make and maintain written records documenting compliance with the requirements of the safeguards rule and the disposal rule. Further, the final amendments amend the existing requirement to provide annual privacy notices to codify a statutory exception.

II. Discussion

Since Regulation S-P was first adopted in 2000, evolving digital communications and information storage tools and other technologies have made it easier for firms to obtain, share, and maintain individuals' personal information. This increases the risk of customers' information being accessed or used without authorization, for example in a cyberattack or if customer information is improperly disposed of or stolen. In particular, as a frequently-targeted industry, the financial sector has observed increased exposure to cyberattacks that threaten not only the financial firms themselves, but also their customers, especially considering that customer records and other information that covered Start Printed Page 47692 institutions possess can be particularly sensitive.^[37] The final amendments will modernize and enhance the protections that Regulation S-P already provides to address this changed landscape.

A. Incident Response Program Including Customer Notification

As set forth in the proposal, security incidents may result in, among other things, misuse, exposure or theft of a customer's nonpublic personal information, and potentially leave affected individuals vulnerable to having their information further compromised. Threat actors can use customer information to cause harm in a number of ways, such as by stealing customer identities to sell to other threat actors on the dark web, publishing customer information on the dark web, using customer identities to carry out fraud themselves, or taking over a customer's account for malevolent purposes.

To help protect against harms that may result from a security incident involving customer information, the Commission proposed and is adopting amendments to the safeguards rule largely as proposed, with certain modifications to the notification requirement as discussed further below.^[38] The amendments will require that covered institutions' safeguards policies and procedures include an incident response program for unauthorized access to or use of customer information, including customer notification procedures.^[39] The amendments will require the incident response program to be reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information (for the purposes of this release, an “incident”).^[40] Any instance of unauthorized access to or use of customer information will trigger a covered institution's incident response program. The amendments will also require that the response program include procedures for notifying affected individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.^[41]

In this regard, requiring covered institutions to have incident response programs will help mitigate the risk of harm to affected individuals stemming from incidents where a customer's information has been accessed or used without authorization. For example, incident response programs will help covered institutions to be better prepared to respond to such incidents, and providing notice to affected individuals will aid those individuals in taking protective measures that could mitigate harm that might otherwise result from unauthorized access to or use of their information. Further, a reasonably designed incident response program will help facilitate more consistent and systematic responses to customer information security incidents and help avoid inadequate responses based on a covered institution's initial impressions of the scope of the information involved in the compromise. Requiring the incident response program to address any incident involving customer information can help a covered institution better contain and control these incidents and facilitate a prompt recovery.

As proposed, the amendments will require that a covered institution's incident response program include policies and procedures containing certain general elements but will not prescribe specific steps a covered institution must undertake when carrying out incident response activities, thereby enabling covered institutions to create policies and procedures best suited to their particular circumstances. Specifically, a covered institution's incident response program will be required to have written policies and procedures to:

(i) Assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization; ^[42]

(ii) Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; ^[43] and

(iii) Notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization in accordance with the notification obligations discussed below,^[44] unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.^[45]

The Commission received multiple comments regarding the proposed requirement for an incident response program generally.^[46] One commenter supported requiring the incident response program and appreciated its similarity to the Banking Agencies' Incident Response Guidance.^[47] Another commenter stated that there should not be a one-size-fits-all approach to incident response programs, stating that an adviser should have discretion to determine how the incident response program should be implemented, and requested that any final rule make clear that specific steps for incident response are not required.^[48] Moreover, this commenter requested that the final rule expressly indicate that in developing their programs, advisers should employ a principles- and risk-based approach.^[49] This commenter also opposed the addition of any requirement in the policies and procedures for an adviser to designate an employee with specific qualifications and experience (or hire a similarly qualified third party) to coordinate its incident response program.^[50]

Covered institutions need the flexibility to develop policies and procedures suited to their size and Start Printed Page 47693 complexity and the nature and scope of their activities. Therefore, we did not propose, and are not adopting, specific steps a covered institution must take when carrying out its incident response program, and we are not specifically designating who must undertake oversight responsibilities, thus providing covered institutions flexibility to determine whether and how to appropriately assign or divide such responsibilities. As proposed and adopted, the amendments will require that a covered institution's incident response program include policies and procedures containing certain general elements, so covered institutions may tailor their policies and procedures to their individual facts and circumstances. Additionally, advisers, like other covered institutions, can continue to use a risk-based approach to tailor their assessment and containment policies and procedures if they choose to do so, as long as the required elements of the incident response program are met.

Two commenters opposed the scope of the proposed incident response program.^[51] Specifically, these commenters stated that, consistent with the notification requirements, the assessment and containment and control components of the incident response program should be limited to sensitive customer information (and not encompass all nonpublic customer information).^[52] According to one commenter, because sensitive customer information is the information likely to cause substantial harm or inconvenience to a customer and that requires notification to customers, it follows that incident response programs should be tailored to sensitive customer information.^[53] The other commenter stated that clients would view the protection of their sensitive customer information as a critically important aspect of their relationship with their adviser and that an adviser's efforts and resources should appropriately be focused on this information.^[54]

We are adopting as proposed final rules which require the incident response program's assessment and containment and control components to cover a broader scope of information than the notification requirements. The scope of information covered by the assessment and containment and control requirements is designed to help ensure all information covered by the requirements of the GLBA ^[55] are appropriately safeguarded and that sufficient information is assessed to fulfill the more narrowly tailored obligation to notify affected individuals. For example, assessment of any incident involving unauthorized access to or use of customer information will help facilitate the evaluation of whether sensitive customer information has been accessed or used without authorization, which informs whether notice has to be provided. Additionally, a covered institution's assessment may also be useful for collecting other information that is required to populate the notice, such as identifying the date or estimated date of the incident, among other details. Therefore, the scope of the incident response program is appropriate, and we are adopting as proposed.

1. Assessment

The final amendments will require that the incident response program include procedures for: (1) assessing the nature and scope of any incident involving unauthorized access to or use of customer information, and (2) identifying the customer information systems and types of customer information that may have been accessed or used without authorization.^[56] We did not receive comments addressing the assessment portion of the incident response program and are adopting it as proposed.^[57]

The assessment requirement is designed to require a covered institution to identify both the customer information systems and types of customer information that may have been accessed or used without authorization during the incident, as well as the specific customers affected, which would be necessary to fulfill the obligation to notify affected individuals.^[58] Information developed during the assessment process may also help covered institutions develop a contextual understanding of the circumstances surrounding an incident, as well as enhance their technical understanding of the incident, which should be helpful in guiding incident response activities such as containment and control measures. The assessment process may also be helpful for identifying and evaluating existing vulnerabilities that could benefit from remediation in order to prevent such vulnerabilities from being exploited in the future. Further, covered institutions generally should consider reviewing and updating the assessment procedures periodically to ensure that the procedures remain reasonably designed.^[59]

2. Containment and Control

The final amendments will require that the response program have procedures for taking appropriate steps to contain and control a security incident, in order to prevent further unauthorized access to or use of customer information.^[60] We did not receive comments discussing the containment and control portion of the incident response program and are adopting as proposed.^[61]

As set forth in the proposal, the objective of containment and control is to prevent additional damage from unauthorized activity and to reduce the immediate impact of an incident by removing the source of the unauthorized activity.^[62] Strategies for containing and controlling an incident vary depending upon the type of incident and may include, for example, isolating Start Printed Page 47694 compromised systems or enhancing the monitoring of intruder activities, searching for additional compromised systems, changing system administrator passwords, rotating private keys, and changing or disabling default user accounts and passwords, among other interventions. Because incident response may involve making complex judgment calls, such as deciding when to shut down or disconnect a system, developing and implementing written containment and control policies and procedures will provide a framework to help facilitate improved decision making at covered institutions during potentially high-pressure incident response situations. Further, covered institutions generally should consider reviewing and updating the containment and control procedures periodically to ensure that the procedures remain reasonably designed.^[63]

3. Notice to Affected Individuals

As part of their incident response programs, covered institutions will be required under the final amendments to provide a clear and conspicuous notice to affected individuals under certain circumstances.^[64] We are adopting this requirement substantially as proposed, with some changes in response to comments.

We are adopting as proposed, a requirement for a covered institution to notify each affected individual whose sensitive customer information was, or was reasonably likely to have been, accessed or used without authorization, unless the covered institution has determined, after a reasonable investigation of the incident, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. The covered institution will be required to provide a clear and conspicuous notice to each affected individual by a means designed to ensure that the individual can reasonably be expected to receive actual notice in writing. Also as proposed, the final amendments require the notice to be provided as soon as practicable, but not later than 30 days, after the covered institution becomes aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Lastly, in a modification from the proposal, the final amendments provide for an incrementally longer period of time than the proposal for a covered institution to delay providing notice to affected individuals in cases where the Attorney General has determined that providing the notice would pose a substantial risk to national security or public safety. These requirements are discussed in detail below.

a. Standard for Providing Notice and Identification of Affected Individuals

We are adopting as proposed a requirement for a covered institution to provide notice to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, unless, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, it determines that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.^[65] The final amendments reflect a presumption of notification: a covered institution must provide a notice unless it determines notification is not required following a reasonable investigation. Also as proposed, if an incident of unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, but a covered institution is unable to identify which specific individuals' sensitive customer information has been accessed or used without authorization, the final amendments require the covered institution to provide notice to all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed without authorization (“affected individuals”).^[66]

While the incident response program is generally required to address information security incidents involving any form of customer information,^[67] notification is only required when there has been unauthorized access to or use of sensitive customer information, a subset of customer information, because it presents increased risks to affected individuals.^[68] This notice standard is designed to give affected individuals an opportunity to mitigate the risk of substantial harm or inconvenience arising from an information security incident that potentially implicates their sensitive customer information by affording them an opportunity to take timely responsive actions, such as monitoring credit reports for unauthorized activity, placing fraud alerts on relevant accounts, or changing passwords used to access accounts. At the same time, the final amendments provide a mechanism for covered institutions to avoid making unnecessary notifications in cases where, following a reasonable investigation, the institution determines that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience to the affected individual.^[69]

Whether an investigation is reasonable will depend on the particular facts and circumstances of the unauthorized access or use. For example, unauthorized access or use that is the result of intentional intrusion by a threat actor may warrant more extensive investigation than inadvertent unauthorized access or use by an employee. The investigation may occur in parallel with an initial assessment and scoping of the incident and may build upon information generated from those activities. The scope of the investigation generally should be refined by using available data and the results of ongoing incident response activities. Information related to the nature and scope of the incident may be relevant to determining the extent of the investigation, such as whether the incident is the result of internal unauthorized access or use of sensitive customer information or an external intrusion, the duration of the incident, what accounts have been compromised and at what privilege level, and whether and what type of customer information may have been copied, transferred, or retrieved without authorization.^[70]

A covered institution cannot avoid its notification obligations in cases where Start Printed Page 47695 an investigation's results are inconclusive. Instead, the notification requirement is excused only where a reasonable investigation supports a determination that sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. Thus, in a case where a threat actor has gained access to a customer information system that stores sensitive customer information, and the covered institution lacks information indicating that any particular individual's sensitive customer information stored in that customer information system was or was not used in a manner that would result in substantial harm or inconvenience, a covered institution will be required to provide notice to affected individuals even though it may not have a sufficient basis to determine whether the breach would result in substantial harm or inconvenience.^[71] Pursuant to the amendments, as proposed and adopted, for any determination that a covered institution makes that notice is not required, covered institutions other than funding portals will be required to maintain a record of the investigation and basis for its determination.^[72]

As further described below,^[73] a number of commenters supported the proposal's requirement for covered institutions to provide notices promptly, emphasizing the importance of ensuring that customers receive timely notification when their sensitive customer information is reasonably likely to have been subject to unauthorized access or use so they have an opportunity to effectively respond to the incident.^[74] One commenter stated that timeliness is key because any delay will impact consumers' ability to take steps to protect themselves from identify theft, account compromise, and other downstream impacts resulting from the initial harm of the unauthorized access or use.^[75] According to this commenter, a breach notification regime is fundamentally deficient if it does not empower consumers with the information and tools necessary to take action to protect themselves or understand what risks they may face as a result of a breach.^[76]

Several commenters proposed alternative notification standards, some expanding the circumstances requiring customer notification, and others suggesting a narrower notification regime.^[77] One commenter suggested we require notification for any incident of unauthorized access to or use of sensitive information, regardless of the risk of harm or inconvenience.^[78] According to this commenter, customers should always be notified when their sensitive information is accessed or used without authorization, which would allow customers to determine for themselves whether they believe there is a risk of substantial harm or inconvenience that should prompt action on their part. Similarly, another commenter suggested that the notification standard should be expanded from a “reasonably likelihood” standard to a “reasonably possible” standard with regard to whether an individual's sensitive customer information was accessed or used without authorization.^[79] This commenter stated that this change was necessary to protect against the possibility that a covered institution might conclude it lacked sufficient information to find the reasonably likely standard satisfied if, for example, it knows it has been hacked but is unable to determine the scope of the hack. According to these commenters, the seemingly higher threshold proposed by the Commission, coupled with their belief that businesses want to avoid making disclosures that could incur liability or lose customers, leaves open the potential that customers will not be notified of some information security compromises that could threaten their investments.^[80] One commenter suggested that, in addition to requiring notifications to affected individuals, the rules should be modified to also require that covered institutions provide notice to the Commission whenever they are providing notice to affected individuals.^[81]

By contrast, with regard to narrowing the standard, some commenters suggested eliminating the presumption of notification altogether, such that covered institutions would have a notification obligation only after having affirmatively determined, following an investigation, a likelihood of a breach or resulting harm to customers.^[82] These commenters suggested that eliminating the notification presumption, and allowing for the completion of an investigation, would provide covered institutions with additional time to respond to and mitigate an incident as opposed to spending time deliberating over notification obligations, and would allow for more informed notifications. These commenters also suggested that this approach would be more consistent with certain State law regimes that only require notification where an investigation shows a risk of harm and the Banking Agencies' Incident Response Guidance.^[83] To address the concern that lengthy investigations might unduly delay customer notifications, one commenter suggested revising the rule to separately require covered institutions “to conduct a prompt investigation of potential incidents,” which the commenter stated would better align with certain existing State law standards while still providing a mechanism for timely notifications.^[84]

We considered the alternative approaches suggested by commenters but determined that adopting the standard as proposed strikes an appropriate balance in accommodating the relevant competing concerns. The suggestions to expand the circumstances requiring notification (either by requiring notification regardless of the risk of harm, or by expanding notification to include cases where it is “reasonably possible” that an Start Printed Page 47696 individual's sensitive customer information was accessed or used without authorization) raise over-notification concerns, particularly given that the adopted standard already has a presumption towards notification.^[85] We also disagree that the “reasonably likely” standard would allow a covered institution that knows it suffered a breach to avoid providing notice simply by pointing to a lack of information about the scope of the breach as the commenter recommending this approach suggested.^[86] To the contrary, under the proposed and final amendments, if it is reasonably likely that a malicious actor gained access to a covered institution's information system containing sensitive customer information but the scope of the breach is unclear ( i.e., the covered institution is unable to determine which specific individuals' sensitive customer information has been accessed or used without authorization and cannot make the determinations required under the rule to avoid sending notices), the covered institution would be required to provide notice to each individual whose sensitive customer information resides in the customer information system.^[87] In addition, providing notice of every incident, regardless of the risk of harm to affected individuals or the need to take protective measures, could diminish the impact and effectiveness of the notice in a situation where enhanced vigilance is necessary. Utilizing a “reasonably possible” standard raises similar concerns, as it could require covered institutions to provide notice in situations where it is possible, but not reasonably likely, that sensitive customer information was compromised. This could result in over-notification where, for example, a customer's sensitive information ultimately was not accessed or used without authorization, but it was not possible to rule out that possibility at the time of the incident or in the course of a reasonable investigation during the 30-day period for notices.

Additionally, we are not adopting a commenter's recommendation that the Commission require covered institutions to provide notices to the Commission when they are required to send notices to affected individuals, as one commenter suggested.^[88] A primary reason for these amendments was to require a reasonably designed incident response program, including policies and procedures for assessment, control and containment, and customer notification, in order to mitigate the potential harm to individuals whose sensitive information is exposed or compromised in a data breach.^[89] Providing timely notices to affected individuals accomplishes this goal without the need for covered institutions also to provide copies of the notice to the Commission.

Conversely, the narrower alternative standards suggested by commenters ( i.e., that covered institutions have a notification obligation only after an investigation, and only if they affirmatively determine a likelihood of a breach or resulting harm to customers) could result in an unreasonable risk of significant delays in providing notice and in notification not being provided to affected individuals. A principal purpose of these amendments is to provide a notification regime that allows affected individuals to take actions to avoid or mitigate the risk of substantial harm or inconvenience.^[90] If customer notification of a potential breach was delayed to allow a covered institution to complete an investigation that comes to a definitive conclusion about the precise details of the breach, even if done promptly, it would frustrate this goal by postponing (or potentially limiting or foreclosing) the ability of affected individuals to take mitigating actions pending the conclusion of that investigation. For these same reasons, we were not persuaded by those commenters who suggested that we should allow for the completion of an investigation in order to align with the Banking Agencies' Incident Response Guidance. After considering the comments, we continue to believe the notification standard we proposed (and are adopting in the final amendments) is necessary to enable affected individuals to make their own determinations on needed self-protections regarding the incident.^[91]

Regarding commenters' concerns about harmonizing Regulation S-P with State law requirements, State law notification standards vary widely such that broad harmonization would be impracticable, and a benefit of the final amendments is that they provide a consistent minimum Federal notification standard to protect affected individuals in an environment of enhanced risk. This will, for example, provide additional protections for customers in States whose laws do not mandate notification without an affirmative determination of harm or provide an outside time by which notification must be provided.^[92] This standard will protect all customers, regardless of their State of residence and reduce the potential confusion that could result from customers in one State receiving notice of an incident while customers in another State do not. Moreover, to the extent a covered institution will have a notification obligation under both the final amendments and a similar State law, a covered institution may be able to provide one notice to satisfy notification obligations under both the final amendments and the State law, provided that the notice includes all information required under both the final amendments and the State law, which may reduce the number of notices an individual receives.^[93]

Relatedly, some commenters suggested eliminating or narrowing the concept of “affected individuals” entitled to notification in situations where a covered institution is unable to identify which specific individuals' sensitive customer information has been accessed or used without authorization. Instead of the proposed requirement that the covered institution must provide notice to all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed or used without authorization, commenters urged narrowing notification to individuals whose sensitive customer information was, or was reasonably likely to have been, accessed or used without authorization based on the covered institution's reasonable investigation.^[94] Start Printed Page 47697 These commenters stated that, by requiring a covered institution to provide all affected individuals notice prior to the conclusion of an investigation and particularized determination, the proposed notification standard could result in the over-notification of individuals whose sensitive customer information may not have been accessed but was residing on a system that was compromised.^[95] For example, one commenter posited a situation where a threat actor was able to compromise an employee's email account through a phishing email, and access documents accessible through that account's shared file server. According to this commenter, if the covered institution were unable to determine which files containing personal information actually were accessed, the institution would be required to provide notice in connection with millions of records, even though the “vast majority of files and data on that file server would not have been accessible to the employee or to the threat actor.” ^[96] These commenters stated that the resulting over-notification could, in turn, desensitize or unnecessarily disturb individuals whose information was not actually compromised, and might increase costs and litigation and reputational risks for the covered institution, its service providers, or other financial institutions whose contracts reside on the system.^[97]

For similar reasons to those discussed above,^[98] we were not persuaded by commenter suggestions to narrow the scope of affected individuals entitled to notification in cases where a breach has or is reasonably likely to have occurred, but the covered institution is unable to identify which specific individuals' sensitive customer information has been accessed or used without authorization.^[99] Because of the potential that customers might be adversely affected by the breach, covered institutions should be required to provide notice to affected individuals in these circumstances so they may make their own determination as to whether to take remedial actions.

Contrary to the concerns expressed by some commenters, under the proposed and final amendments, a covered institution would not need to provide notice in connection with files or data residing on a system where it knows that information was not used or accessed.^[100] Rather, a covered institution is only required to provide notification to an affected individual where her sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.^[101] Additionally, a covered institution need not provide notice where, after a reasonable investigation of the facts and circumstances of the incident, it has determined that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience. To address these commenters' concerns, in a change from the proposal, the final amendments explicitly provide that, in cases where a covered institution reasonably determines that a specific individual's sensitive customer information that resides in the customer information system was not accessed or used without authorization, the covered institution need not provide notice to that individual.^[102] Thus, a covered institution would not have an obligation to provide notice to an affected individual whose files happened to reside on a breached information system if it was able to reasonably conclude that those files were not subject to unauthorized use or access.

The notification standard should help to improve security outcomes by incentivizing covered institutions to conduct more thorough investigations after an incident occurs because the rule does not permit a covered institution to rebut the presumption of notification without conducting a reasonable investigation. Further, the rule's requirement that a covered institution provide notice to all affected individuals where it is unable to identify which specific individuals' sensitive customer information has been accessed or used without authorization should incentivize covered institutions to establish procedures (for themselves and their service providers) that provide robust protections for sensitive customer information. For example, it may encourage covered institutions to employ a principle of least privilege, so that users' access rights to sensitive customer information on a particular information system are limited to the information strictly required to do their jobs.^[103] Protections that limit the scope of any breaches reduce the investigation and notification costs (and as a consequence, the potential harm) resulting from a breach.

For a covered institution's customer notification procedures to remain reasonably designed to notify each affected individual whose sensitive customer information was reasonably likely to have been compromised, as required by the final amendments, the covered institution's policies and procedures generally should be designed to include revisiting notification determinations whenever the covered institution becomes aware of new facts that are potentially relevant to the determination.^[104] For example, if at the time of the incident, a covered institution determines that risk of use in a manner that would result in substantial harm or inconvenience is not reasonably likely based on the use of encryption in accordance with industry standards, but subsequently the encryption is compromised or it is discovered that the decryption key was also obtained by the threat actor, the covered institution generally should revisit its determination.

As discussed in more detail below, the scope of the final amendments will apply to customer information in a covered institution's possession or that is handled or maintained on the covered institution's behalf, regardless of whether such information pertains to (a) individuals with whom the covered institution has a customer relationship or (b) to the customers of other financial institutions where such information has been provided to the covered institution.^[105] Some commenters expressed concern that, as a result of this scope, covered institutions would be required to provide notification to customers of other institutions with whom they do not have a preexisting Start Printed Page 47698 relationship.^[106] One of these commenters suggested that it was unclear how a third-party service provider's notice to a covered institution of a breach would affect that covered institution's obligations.^[107] Additionally, some commenters addressed circumstances where multiple covered institutions would all be required to notify affected individuals concerning the same incident, asserting that requiring all covered institutions involved to provide notices to customers would be burdensome, duplicative, and confusing to customers.^[108]

Where a covered institution experiences an incident involving sensitive customer information related to the customers of another covered institution, commenters generally suggested that the covered institution that has the customer relationship with the customer whose information was affected should be responsible for providing the required notice.^[109] These commenters asserted that this would be more efficient because, if the covered institution that experienced the incident did not have a customer relationship with an affected individual, that covered institution might not have contact information for the individual necessary to send a notice.

After considering comments, we are modifying the proposal to avoid requiring multiple covered institutions to notify the same affected individuals about a given incident. In an effort to minimize duplicative notices, rather than requiring the covered institution with the customer relationship to send the notice as some commenters suggested, the final amendments only require a covered institution to provide notice where unauthorized access to or use of sensitive customer information has occurred at the covered institution or one of its service providers that is not itself a covered institution.^[110] That covered institution will have information about the incident itself that is necessary to properly inform affected individuals. Thus, in response to the commenter question about the relationship between a covered institution's receipt of a breach notification from a third party service provider and the covered institution's own obligations,^[111] where a service provider (that is not itself a covered institution) provides notice to a covered institution that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider,^[112] that covered institution will be required to initiate its incident response program under the final amendments ^[113] and thereafter, if applicable, provide notice to affected individuals.^[114] While we appreciate, as offered by commenters,^[115] that a covered institution may not have access to the contact information for some customers, it can coordinate with the covered institution that has a customer relationship to receive contact information as needed for the notices.^[116]

Moreover, in another modification from the proposal, the final amendments also provide that a covered institution that is required to notify affected individuals may satisfy that obligation by ensuring that the notice is provided.^[117] Accordingly, if a covered institution experiences an incident affecting another covered institution's customers, although the covered institution that experienced the incident is responsible for notification under the final amendments, the two covered institutions can coordinate with each other as to which institution will send the notice.

b. Definition of “Sensitive Customer Information”

As discussed above, covered institutions will be required to notify customers when “sensitive customer information” was, or is reasonably likely to have been, accessed or used without authorization, subject to a reasonable investigation. As proposed and as adopted, the final amendments define the term “sensitive customer information” to mean “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” ^[118] This definition is calibrated to include types of information that, if exposed, could put affected individuals at a higher risk of suffering substantial harm or inconvenience through, for example, fraud or identity theft enabled by the unauthorized access to or use of the information.^[119] As with the proposal, the final amendments provide examples of the types of information that will be considered sensitive customer information.^[120] These examples include certain customer information identified with an individual that, without any other identifying information, could create a substantial risk of harm or inconvenience to an individual identified with the information,^[121] along with examples of combinations of identifying information and authenticating information that could create such a risk to an individual identified with the information.^[122]

One commenter supported our proposed definition of sensitive customer information and emphasized the benefits of a broad definition.^[123] According to this commenter, this breadth helps protect customers by ensuring that they can take the necessary steps to minimize their Start Printed Page 47699 exposure risks and will assist covered institutions in formulating and improving their security standards. Another commenter suggested the proposed definition might be too narrow because it includes the separate concept of substantial harm or inconvenience in the definition, resulting in under-notification.^[124] This commenter stated that harms can take many forms, and customers should receive notice of breaches involving customer information even where that information's compromise might not have obvious financial implications to the customer.

Conversely, a number of commenters asserted that the proposed definition was too broad and could lead to over-notification, suggesting that the definition be narrowed to focus on information whose exposure would be more likely to lead to tangible economic harms.^[125] For example, some commenters suggested that, rather than providing examples, the definition should list specific data elements that, when combined with an individual's name, are sufficiently sensitive to require notification.^[126] These commenters focused on those data elements that could be used to commit identity theft or access the customer's financial account, such as a Social Security number, driver's license or State ID number, or financial account number combined with information necessary to access the account. According to one of these commenters, by using illustrative examples rather than a circumscribed list, covered institutions would face uncertainty over the definition's meaning and would likely err on the side of over-inclusion, which could lead to over-notification.^[127] A number of commenters stated that narrowing the definition would be more consistent with the Banking Agencies' Incident Response Guidance and with various State laws.^[128] One commenter also suggested the proposed use of the term “compromise” in the definition was unclear, and should be replaced with “unauthorized access or use,” consistent with other authorities and language used elsewhere in the proposal.^[129]

After considering these comments, we are adopting the definition of “sensitive customer information” as proposed. We recognize that this definition is broader than that used by some States and the Banking Agencies' Incident Response Guidance.^[130] However, in contrast to the narrower definition used in some States, the definition of sensitive customer information we are adopting includes identifying information that, in combination with authenticating information (such as a partial Social Security number, access code, or mother's maiden name), could create a substantial risk of harm or inconvenience to the customer because they may be widely used for authentication purposes.^[131] Similarly, in contrast to the definition provided in the Banking Agencies' Incident Response Guidance (which includes a customer's name, address, or telephone number, only in conjunction with other pieces of information that would permit access to a customer account), the definition in the Commission's final amendments includes customer information identified with an individual (such as Social Security numbers, driver's license numbers, biometric records) that, without any other identifying information, could create a substantial risk of harm or inconvenience to an individual identified with the information.^[132] Accordingly, our adopted definition could help affected individuals take measures to protect themselves.

Given the varied and evolving nature of security practices across covered institutions, it would be impractical to provide an exhaustive list of data elements whose exposure could put affected individuals at risk of substantial harm or inconvenience. Further, while we are mindful of concerns about overbreadth and potential over-notification, those concerns are tempered by the definition's harm component and the ability of covered entities to rebut the notification presumption following a reasonable investigation and determination. Given these considerations, we are not broadening the definition of sensitive customer information to encompass information whose exposure does not pose a reasonably likely risk of substantial harm or inconvenience. Nor do we agree that the definition's use of the verb “compromise,” which is commonly used to mean “to expose or make liable to danger,” is ambiguous in this context or inconsistent with other Federal authorities.^[133] Individuals are less likely to need to take protective measures in cases where the exposure of their information is not likely to involve a substantial harm or inconvenience.^[134]

Finally, several commenters suggested we include an exception or safe harbor in the definition of sensitive customer information for encrypted information.^[135] These commenters stated that excepting encrypted information would protect customers by incentivizing covered institutions to adopt encryption practices, limit the potential for voluminous over-reporting of less severe incidents, and align with existing State data breach notification rules. Some of these commenters acknowledged that an exception should not apply in cases where there is reason to believe that the encryption key has been compromised or that the encryption method is outdated.^[136] One commenter suggested that if we did not include an exception in the rule text, we should acknowledge that encryption is a factor that covered institutions may take into account in determining whether an incident will result in substantial harm or inconvenience.^[137]

After considering these comments, we are not excepting encrypted information from the rule's definition of sensitive customer information because the rule Start Printed Page 47700 text effectively addresses encrypted information without the need for a provision specifically tailored to that information. Specifically, in applying the final rule, a covered institution may consider encryption as a factor in determining whether the compromise of customer information could create a reasonably likely harm risk to an individual identified with the information.^[138] Specifically, we acknowledge that encryption of information using current industry standard best practices is a reasonable factor for a covered institution to consider in making this determination. To the extent such encryption minimizes the likelihood that the cipher text could be decrypted, it would also reduce the likelihood that the cipher text's compromise could create a risk of harm, as long as the associated decryption key is secure.^[139] Covered institutions may also reference commonly used cryptographic standards to determine whether encryption, in fact, does substantially impede the likelihood that the cipher text's compromise could create a risk of harm.^[140] As industry standards continue to develop in the future, covered institutions generally should review and update, as appropriate, their encryption practices. While we agree with commenters that it is important to incentivize the use of encryption consistent with State law regimes, the final amendments' approach accomplishes this goal while also addressing concerns that any particular approach to encryption may become outdated as technologies and security practices evolve. Relatedly, and for the same reasons, when information that would otherwise constitute sensitive customer information is encrypted, the covered institution may consider the security provided by that encryption in determining whether the cipher text ( i.e., the data rendered in a format not understood by people or machines without an encryption key) is sensitive customer information. Accordingly, while the final amendments provide illustrative examples of information (such as a customer's Social Security number) that can constitute sensitive customer information when unencrypted,^[141] a covered institution could nevertheless determine that the encrypted representation of that information is not sensitive customer information if the encryption renders the cipher text sufficiently secure, such that the compromise of that encrypted information does not create a reasonably likely risk of substantial harm or inconvenience to an individual.^[142]

c. Substantial Harm or Inconvenience

The GLBA directs the Commission and other Federal financial regulators to, among other things, establish appropriate standards requiring financial institutions subject to their jurisdiction to protect against unauthorized access to or use of customer records or information which could result in “substantial harm or inconvenience” to any customer, without defining what constitutes a substantial harm or inconvenience under the statute.^[143] The Commission proposed to define “substantial harm or inconvenience” to mean all personal injuries, as well as instances of financial loss, expenditure of effort, or loss of time when they are “more than trivial,” with the proposal also providing a non-exhaustive list of examples of included harms or inconveniences.^[144] This proposed definition included a broad range of financial and non-financial harms and inconveniences that may result from the failure to safeguard sensitive customer information.^[145] After considering comments, and as discussed further below, we have determined not to define the term “substantial harm or inconvenience” in the final amendments.

Commenters raised various concerns with the proposed definition. Some commenters proposed expanding the definition to include a broader array of harms requiring notification.^[146] For example, one commenter suggested revising it to enumerate a list of specific personal injuries requiring notification to help clarify to covered institutions that there are a range of personal injuries that can result from an exposure of customer data.^[147] Commenters also suggested we remove the requirement that personal or financial harms be nontrivial because, according to these commenters, there might always be some set of individuals to whom a particular personal or financial harm is material, and securities firms are not well positioned to determine what potential personal or financial harms to their customers are significant enough to require customer notice.^[148] One of these commenters observed that, while it made sense to apply the concept of nontriviality to potential harms or inconveniences that would infringe upon a customer's time and personal labors, risks to the customer's person and pocketbook are materially different from risks to the customer's time and energies.^[149] This commenter also suggested broadening the definition to include the term “cyberattack” as one of the enumerated events that could give rise to the customer notice obligation.

Alternatively, a number of commenters suggested that the proposed standard was ambiguous and urged narrowing the definition to reduce the types of injuries that would require notification.^[150] For example, one commenter suggested that we not attempt to define “substantial harm or inconvenience” at all, and further expressed concern that the proposed definition would require notice for harms or inconveniences that are unrelated to identify theft, the means to access an account without authority, or other “tangible harms.” ^[151] Another commenter proposed narrowing the kinds of financial loss or time and effort cognizable under the rules from “more than trivial” to only “material” financial loss or “significant” expenditure of effort or loss of time, suggesting that the proposed definition would be inconsistent with the usual meaning of the term “substantial” and could include any financial loss that is slightly Start Printed Page 47701 above trivial as substantial.^[152] Another commenter stated that the use of “more than trivial” set a very low bar that could result in second-guessing and over notification by covered intuitions that could lead to notification in practically all instances, not just instances of what the commenter viewed as a substantial harm or inconvenience.^[153] This commenter also stated that, as drafted, it was unclear whether the proposed “more than trivial” standard was meant to apply to instances of personal injury or financial loss and suggested replacing “more than trivial” with substantial, while making clear that the word substantial modified all elements of the definition. Other commenters suggested narrowing the proposed definition by removing the term “inconvenience” from the definition, with notification only required in cases of substantial harm that were more than trivial.^[154]

After considering comments, we have determined, consistent with the approach of the Banking Agencies, not to define the term “substantial harm or inconvenience.” As the range of commenter concerns discussed above reflects, commenters found the proposed definition simultaneously too broad and too narrow, suggesting it could consequently lead to both under-notification and over-notification. Eliminating the proposed definition avoids this result without diminishing investor protection.

Determining whether a given harm or inconvenience rises to the level of a substantial harm or a substantial inconvenience would depend on the particular facts and circumstances surrounding an incident. As stated in the Proposing Release, we do not intend for covered institutions to design programs and incur costs to protect customers from harms of such trivial significance that the customer would be unconcerned with remediating them.^[155] At the same time, consistent with the GLBA, the rules are intended to protect against unauthorized access to or use of customer records or information which could result in substantial harm or inconvenience to any customer. Given the wide variety of ways that a data breach can injure a customer,^[156] and the potentially varied nature of those harms and inconveniences,^[157] the range of harms outlined in the proposed definition may be a useful starting point for this determination. A personal injury, financial loss, expenditure of effort, or loss of time, each could constitute a substantial harm or inconvenience depending on the particular facts and circumstances. Some examples of these harms could include theft, fraud, harassment, physical harm, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the misuse of information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise misuse the individual's account.

d. Timing Requirements

(1) General Timing Requirements

Consistent with the proposal, the final amendments require covered institutions to provide notices to affected individuals as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, except under the limited circumstances discussed below.^[158] This approach reflects the goal of giving covered institutions adequate time to make an initial assessment of an incident and prepare and send notices to affected individuals, while helping to ensure that those individuals receive sufficient notice to protect themselves.

A few commenters expressed support for the proposed notification timing requirements.^[159] As described above, these commenters viewed timeliness as important because any delay in notification could impact individuals' ability to take steps to protect themselves from the downstream impacts resulting from the unauthorized access to or use of their sensitive customer information.^[160] One commenter asserted that 30 days after becoming aware of an incident is more than an ample amount of time for covered institutions to determine the scope of the compromised information and compile a list of affected customers that must be notified.^[161] Accordingly, this commenter suggested that the Commission should shorten the outside notification date from 30 days after becoming aware of a data security incident to 14 days, asserting that the longer an instance of identity theft goes undetected, the greater the damage that usually follows.

In contrast, some commenters objected to the proposed notification timing requirements because, in their view, it provided an insufficient amount of time to notify affected individuals.^[162] These commenters emphasized the logistical tasks associated with responding to an information breach, asserting that in some cases it would be impossible to accomplish these steps within 30 days.^[163] Commenters expressed that these steps often include remediating the security incident directly, conducting a risk assessment and investigation to determine what information may have been affected, obtaining the information needed to make notification to affected individuals, arranging identity protection services for affected individuals, and generating and delivering the notifications to affected individuals, all while simultaneously engaging in extensive communication with and oversight from senior management, the board of directors, and external parties (such as outside counsel, expert consultants, and regulators).^[164]

Some commenters also suggested that the proposed timing requirements would lead to covered institutions delivering unnecessary or incomplete notifications to customers, which would have the result of confusing or desensitizing customers to such notifications.^[165] Similarly, commenters expressed that requiring a covered institution to notify affected individuals before the covered institution has had time to fully assess an incident could result in incorrect or incomplete conclusions being drawn and Start Printed Page 47702 disclosed.^[166] One commenter suggested, for this reason, that notices would be subject to continuous revision during an ongoing investigation.^[167] Accordingly, commenters stated that the Commission should revise the proposal to allow more time for covered institutions to provide notices to affected individuals, asserting that premature, incomplete, or frequent notifications would ultimately mislead and confuse customers rather than provide clarity about an incident.^[168]

Several commenters suggested alternatives to the proposed timing requirements.^[169] For instance, a few commenters urged the Commission to expand the 30-day outside date to 45 or 60 days, stating that this modification would allow more time for a proper investigation and notification process.^[170] In addition, a couple of commenters suggested that the rule should not specify a number of days at all.^[171] One of these commenters stated that simply requiring a covered institution to notify affected individuals as soon as possible after the conclusion of an investigation, without including an outside date timeframe, would permit appropriate notification in both simple cases—where notification in less than 30 days may be appropriate—and more complex cases—where it may take significantly longer to identify the appropriate notice population and prepare and deliver notifications.^[172]

Some commenters suggested that the trigger for notification should be the completion of a reasonable investigation and conclusion of the incident response process following the actual or reasonably likely unauthorized access to or use of sensitive customer information, rather than the proposal's trigger of a covered institution “becoming aware” of a breach of customer information.^[173] These commenters stated this alternative would allow covered institutions sufficient time to engage in system and data analysis to determine what data was impacted and what individuals were affected. Moreover, some commenters stated that their suggested alternatives would harmonize the rule's approach to timing with existing data breach requirements and guidance, such as the Banking Agencies' Incident Response Guidance and some current State laws.^[174] Lastly, one commenter urged that the 30-day outside timeframe to provide notices should run from the time that the covered institution determines that an incident involved “sensitive customer information,” rather than “customer information” as proposed.^[175]

After considering comments and alternatives suggested by commenters, we are adopting the final amendments as proposed. We considered the concern raised by commenters that it may be logistically challenging for covered institutions to provide notice to affected individuals within the proposed rule's notification timing requirements, particularly for more complex data breach incidents.^[176] We recognize that modifying the timing trigger in the rule to start after a covered institution has completed an investigation that comes to a definitive conclusion about the precise details of the breach, as suggested by some commenters, could avoid over-notification in cases where a covered institution is able to determine that a given individual's customer information ultimately was not affected after a lengthy investigation. We agree with commenters, however, that timeliness is important in the context of a breach of sensitive customer information because delay in notification would impact the ability of affected individuals to take measures to protect themselves. Accordingly, the final amendments maintain the proposed timing trigger of after the covered institution “becomes aware” that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.^[177]

In addition, the final amendments adopt the proposed 30-day outside date. We disagree that the rule should not include a specified notification deadline, as such an approach would diminish the goal of providing customers (regardless of State residency) with early and consistent notification of data breaches so that they may take remedial action because many States do not have any specific deadline for sending notices or provide deadlines exceeding 30 days.^[178]

We understand that there are a number of steps a covered institution may have to take after becoming aware of a data breach incident to determine if it has met the standard for providing notice. In the context of the final amendments, 30 days should be sufficient to conduct an initial assessment and notify affected individuals. While a covered institution may still be working towards remediating the breach after the 30-day timeframe, the final amendments require a covered institution to notify affected customers within the 30-day timeframe so that affected individuals may take measures to protect themselves. The final amendments remove the specific requirement in the proposal that the notice describe what has been done to protect the sensitive customer information from further Start Printed Page 47703 unauthorized access or use.^[179] This change will help address some of the timing and logistical concerns raised by commenters because the process of preparing the requisite notices will be less time intensive, such that, once a covered institution has made its initial assessment of the incident and determined the universe of affected individuals, it should possess the information necessary to provide the requisite notices.

In addition, with regard to the commenter concern that it may be logistically challenging to provide a notice within the rule's timing requirements in cases where a ransomware attack has denied the covered institution access to its systems,^[180] that comment does not account for the fact that, under the proposed and final amendments, covered institutions will now be required to have an incident response program that includes policies and procedures to, among other things, assess the nature and scope of any qualifying incidents, identify customer information systems and types of customer information that may have been accessed or used without authorization, and respond to and recover from those incidents.^[181] Thus, as proposed, consistent with the final amendments, covered institutions will need to anticipate and prepare for the possibility that they may be denied access to a particular system (such as in the ransomware example offered by one commenter) and have procedures in place for complying with the notice requirements when applicable.

Consistent with the proposal, the final amendments will require that covered institutions provide notices “as soon as practicable,” but not more than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. The amount of time that would constitute “as soon as practicable” may vary based on several factors, such as the time required to assess, contain, and control the incident.^[182] The requirement to notify affected individuals as soon as practicable but not more than 30 days in the final amendments is consistent with the purposes of the GLBA and reflects the importance of expeditious notification. The amendments are designed to help ensure that customers receive notification in a timely manner. It would be contrary to this policy goal for a covered institution to unduly delay notification to customers, for example by delaying notice until it has definitively concluded that a data breach incident has occurred, because this could result in excessively delayed notifications that could unnecessarily hinder affected customers from engaging their own remedial measures to protect their data. A covered institution should act promptly and must not delay its initial assessment of the available details of the incident as delaying notices could deprive customers of the ability to take prompt action to protect themselves.

The 30-day outside timeframe under both the proposed and final rules begins following an incident involving customer information. This is consistent with the scope of the incident response program, which is required to address unauthorized access to or use of customer information. The outside timeframe does not begin from the time that the covered institution determines that an incident involved “sensitive customer information,” as suggested by one commenter.^[183] The commenter's suggested modification would likely delay notification as compared to the final rule because covered institutions could take considerable time to determine that an incident involved sensitive customer information before the outside timeframe would begin and this could further delay any potential notice to affected individuals.

(2) National Security and Public Safety Delay

The final amendments will allow covered institutions to delay providing notice if the Attorney General determines that the notice required under the final amendments poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, in which case the covered institution may delay such notice for a time period specified by the Attorney General, up to 30 days following the date when such notice was otherwise required to be provided.^[184] Previously referred to as the “law enforcement exception” in the proposal, the national security and public safety delay has been expanded to incorporate risks related to public safety in addition to national security. In a modification of the proposal, in which the Attorney General would have informed only the covered institution in cases where this delay is granted, in the final amendments the Attorney General will instead inform the Commission, in writing, if the Attorney General determines that the notice poses a substantial risk to national security or public safety. This modification is designed to ensure that the Commission receives information related to a delay in notice in an efficient and timely manner. We have consulted with the Department of Justice to establish an interagency communication process to allow for the Attorney General's determination to be communicated to the Commission in a timely manner. The Department of Justice will notify the covered institution that communication to the Commission has been made so that the covered institution may delay providing the notice.

In another change from the proposal, the notice may be delayed for an additional period of up to 30 days if the Attorney General determines that the notice continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In a further change in response to comments, in extraordinary circumstances, notice may be delayed for a final additional period of up to 60 days if the Attorney General determines that notice continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay, if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such delay through a Commission exemptive order or other action. By contrast, the proposed rules would have allowed a covered institution to delay notice only for an aggregate period of 30 days following a written request from the Attorney General to the covered institution, upon the expiration of which the covered institution would have been required to provide notice immediately. The modification to the proposed rule is designed to respond to concerns raised by commenters.^[185]

One commenter stated that a delay in notifying affected individuals for law enforcement activity may cause harm to Start Printed Page 47704 customers whose personal information has been exposed.^[186] In addition, this commenter asserted that notifying affected individuals would not impede a law enforcement investigation of the data security incident.

Other commenters, however, urged the Commission to expand the proposed law enforcement exception because, in their view, the proposed exception was too narrowly drawn.^[187] Several of these commenters expressed concern that requests by local or State police, or even other Federal agencies, would not be sufficient to delay notification under the proposed rule.^[188] Some commenters stated concerns about the feasibility and process of reaching out to the Attorney General to request a delay in support of expanding the exception to permit other law enforcement agencies to direct a covered institution to delay a notice.^[189] Commenters also expressed particular concern around competing requirements, noting that many State regulations include a more permissive delay and that covered institutions, in an effort to comply with the proposed exception, may be put into the difficult and unnecessary position of being subject to conflicting requirements from the Commission and a State law enforcement entity.^[190] Further, commenters articulated that the proposed exception is excessively narrow because it only accommodates law enforcement actions that address concerns that rise to the level of “national security.” ^[191]

In addition to concerns regarding the scope of the proposed law enforcement exception, several commenters opposed the length of time that a covered institution would be permitted to delay notice under the proposed rule.^[192] These commenters suggested that there should be no outside time limitation on the proposed law enforcement exception, asserting that the judgment of any law enforcement agency investigating a breach should be an adequate and respected basis for delaying a regulatory notice regarding such breach. Commenters urged the Commission to expand the scope and timing requirements of the proposed law enforcement exception, expressing that they failed to understand the public purpose that would be served by ignoring the request of a law enforcement agency to delay notification.^[193]

In response to commenters' concerns, we have broadened both the scope and timing requirements of the delay in the final amendments. The final amendments will allow covered institutions to delay notice in cases where disclosure would pose a substantial risk to national security or public safety, contingent on a written notification by the Attorney General to the Commission.^[194] This provision has been expanded to incorporate risks related to public safety, and not just national security, as proposed. This expansion allows for notice delay in scenarios where there may be significant risk of harm from disclosure; however, there may not be a substantial risk to national security. This modification should make the provision sufficiently expansive to protect against significant risks of harm from disclosure—such as the risk of alerting malicious actors targeting critical infrastructure that their activities have been discovered—while also helping to ensure that individuals are not unduly denied timely access to information about the unauthorized access to or use of their sensitive customer information.

With respect to commenters who recommended that other Federal agencies, State and local law enforcement agencies, and foreign law enforcement authorities also be permitted to trigger a delay or suggested that the perceived limited nature of this delay would cause conflict with State authorities, the rule does not preclude any such entity from requesting that the Attorney General determine that the disclosure poses a substantial risk to national security or public safety and communicate that determination to the Commission. Designating a single law enforcement agency as the point of contact for both the covered institution and the Commission on such delays is critical to ensuring that the rule is administrable. Some commenters stated concerns about the feasibility and process of reaching out to the Attorney General to request a delay, urging the Commission to expand the delay to apply to requests made by other law enforcement agencies in addition to the Attorney General. The FBI, in coordination with the Department of Justice, has since provided guidance on how firms can request disclosure delays for national security or public safety reasons in connection with the Public Company Cybersecurity Rules.^[195] To the extent needed, further guidance may be issued on how other law enforcement agencies may contact the Department of Justice to request a delay.

The final amendments also will expand the amount of time that a covered institution can delay notice under this provision. However, we are not persuaded, as some commenters suggested, that the rules should not incorporate a timing component at all because such an approach would diminish the goal of providing customers (regardless of State residency) with timely and consistent notification of data breaches so that they may take remedial action. This includes permitting, in extraordinary circumstances, a delay for a final additional period of up to 60 days—following two previous 30-day extensions—if the Attorney General determines that disclosure continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. We are providing for this additional delay period in the final amendments, beyond what was originally proposed, and in addition to the two 30-day delays that may precede it, in recognition that, in extraordinary circumstances, national security concerns may justify additional delay beyond that warranted by public safety concerns, due to the relatively more critical nature of national security concerns.^[196] Beyond the final 60-day Start Printed Page 47705 delay, if the Attorney General indicates to the Commission in writing that further delay is necessary, the covered institution can request an additional delay that the Commission may grant through exemptive order or other action. These modifications acknowledge that additional time beyond that proposed may be necessary, as called for by commenters, while balancing national security and public safety concerns against affected individuals' informational needs.

e. Notice Contents and Format

The final amendments, consistent with the proposal, require that notices include key information with details about the incident, the breached data, and how affected individuals can respond to the breach to protect themselves. This requirement is designed to help ensure that covered institutions provide basic information to affected individuals that will help them avoid or mitigate substantial harm or inconvenience. In a modification from the proposal, however, the final amendments will not require the notice to “[d]escribe what has been done to protect the sensitive customer information from further unauthorized access or use.”

Some of the information required by the final amendment, including information regarding a description of the incident, and the type of sensitive customer information accessed or used without authorization, will provide affected individuals with basic information to help them understand the scope of the incident and its potential ramifications. As proposed, the final amendments will require covered institutions to include contact information sufficient to permit an affected individual to contact the covered institution to inquire about the incident, including a telephone number (which should be a toll-free number if available), an email address or equivalent method or means, a postal address, and the name of a specific office to contact for further information and assistance, so that affected individuals can easily seek additional information from the covered institution. All of this information may help affected individuals assess the risk posed by the incident and whether to take additional measures to protect against harm from unauthorized access or use of their information.

Similarly, as proposed, the final amendments will require information regarding the date of the incident, the estimated date of the incident, or the date range within which the incident occurred, if such information is reasonably possible to determine at the time the notice is provided. This requirement reflects the reality that a covered institution may have difficulty determining a precise date range for certain incidents because it may only discover an incident well after an initial time of access.^[197]

In addition, as proposed, the final amendments will require that covered institutions include certain information to assist affected individuals in evaluating how they should respond to the incident. Specifically, if the affected individual has an account with the covered institution, the final amendments will require the notice to recommend that the customer review account statements and immediately report any suspicious activity to the covered institution. The final amendments will also require the notice to explain what a fraud alert is and how an affected individual may place a fraud alert in credit reports. Further, the final amendments will require that the notice recommend that the affected individual periodically obtain credit reports from each nationwide credit reporting company and that the individual have information relating to fraudulent transactions deleted. The notice must also explain how a credit report can be obtained free of charge. Lastly, the final amendments require that notices include information regarding FTC and usa.gov guidance on steps an affected individual can take to protect against identity theft, a statement encouraging the individual to report any incidents of identity theft to the FTC, and the FTC's website address. These specific requirements are designed to give affected individuals resources and additional information to help them evaluate how they should respond to the incident.

As proposed, under the final rules covered institutions will be required to provide the information specified in the final amendments in each required notice. While we recognize that relevant information may vary based on the facts and circumstances of the incident, customers will benefit from the same minimum set of basic information in all notices. Accordingly, the final amendments will permit covered institutions to include additional information but will not permit omission of the prescribed information. In addition, the final amendments will require covered institutions to provide notice in a clear and conspicuous manner and by means designed to ensure that the customer can reasonably be expected to receive actual notice in writing.^[198] Pursuant to 17 CFR 248.3, notices will therefore be required to be reasonably understandable and designed to call attention to the nature and significance of the information required to be provided in the notice.^[199] To the extent that a covered institution includes information in the notice that is not required to be provided to customers under the final amendments or provides notice contemporaneously with other disclosures, the covered institution will still be required to ensure that the notice is designed to call attention to the important information required to be provided under the final amendments; the inclusion of any additional information in the notice may not prevent the required information from being presented in a clear and conspicuous manner. The requirement to provide notices in writing, further, will ensure that customers receive the information in a format appropriate for receiving important information, with accommodation for those customers who agree to receive the information electronically.^[200] These requirements are designed to help ensure that customers are provided informative notifications and alerted to their importance.

Several commenters broadly supported the proposed notice contents and format requirements.^[201] One commenter stated that the provision will lead to notices that contain important information in a clear and conspicuous manner, which will allow affected individuals to assess the risk of the incident paired with guidance on Start Printed Page 47706 potential protective measures to take.^[202] Another commenter agreed with the proposed approach of requiring notices to contain certain information but not prescribing the specific format for the notices, asserting that this approach will “make it easier for covered institutions to fulfill all their notice obligations under Federal and State laws with as few notice documents as possible (ideally through a single notice to all affected customers nationwide).” ^[203]

Conversely, a few commenters opposed certain aspects of the notice content and format requirements.^[204] One commenter expressed concern related to the proposed requirement for covered institutions to include in the notice specific efforts they have taken to protect the sensitive customer information from further unauthorized access or use.^[205] This commenter articulated that this information could be extremely useful to threat actors and not particularly useful to affected individuals.^[206] Another commenter urged the Commission to remove the requirement for covered institutions to provide “the date of the incident, the estimated date of the incident, or the date range,” asserting that this specific information is not required by the Banking Agencies' Incident Response Guidance and should not be included in an amended Regulation S-P.^[207] In addition, two commenters suggested that the final amendments should provide more flexibility for covered institutions to determine the manner and method in which they should be contacted by affected individuals inquiring about an incident.^[208] Lastly, one commenter urged the Commission to consider whether it should require specific notice obligations at all, asserting that Federal notice would simply add another layer on top of existing State data breach notice requirements and would offer limited benefits to affected individuals.^[209]

After considering comments, we are removing the specific requirement in the proposal that the notice “[d]escribe what has been done to protect the sensitive customer information from further unauthorized access or use.” We agree that this information has the potential to advantage threat actors and does not provide actionable information for affected individuals. Accordingly, the provision has been removed from the final amendments, which should reduce the perceived risk of providing a roadmap for threat actors compared with the proposal. Covered institutions may, however, voluntarily disclose details related to the incident's remediation status.

The final amendments do not modify the proposed requirement for covered institutions to provide information about the date of the incident, as suggested by one commenter.^[210] Providing this information to affected individuals, to the extent the information is reasonably possible to determine, can help affected individuals identify the point in time in which their sensitive customer information was compromised, thus providing critical details that affected individuals can use to take targeted protective measures ( e.g., review account statements) to mitigate the potential harm that could result from the unauthorized access to or use of their sensitive customer information. For this reason, we disagree with the commenter that stated firms should not be required to provide this information in their notice.

Similarly, the final amendments do not modify the requirement for notices to include the prescribed contact information sufficient to permit an affected individual to contact the covered institution to inquire about the incident. We understand that covered institutions communicate with their customers using many different methods and formats. However, providing a telephone number, an email address or equivalent method or means ( e.g., an online submission form), a postal address, and the name of a specific office to contact, is designed to provide sufficient optionality for affected individuals, who may have differing preferences and aptitudes in their use of contact methods.^[211] Nothing in this requirement, however, prevents a covered institution from choosing to provide additional contact methods.

Lastly, the final amendments do not prescribe a specific format for the notice to affected customers. We agree with the commenter that asserted that such flexibility will make it easier for covered institutions to provide notices that meet the requirements of the final amendments while also meeting the requirements of other notice obligations, such as certain State requirements, and thereby mitigates commenter concerns about the potential for more than one notice covering a given incident.

4. Service Providers

The final amendments require that each covered institution's incident response program include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including through due diligence on and monitoring, of service providers, including to ensure that the covered institution satisfies the customer notification requirements set forth in paragraph (a)(4) of the final amendments.^[212] In a modification from the proposal, rather than requiring written policies and procedures requiring the covered institution to enter into a written contract with its service providers to take certain appropriate measures, the policies and procedures required by the final amendments must be reasonably designed to ensure service providers take appropriate measures to: (A) protect against unauthorized access to or use of customer information; and (B) provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware of a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.^[213] Start Printed Page 47707 In a modification from the proposal, upon receipt of such notification, a covered institution must initiate its incident response program pursuant to paragraph (a)(3) of this section.^[214] The final amendments thus modify the proposal by removing the written contract requirement and shifting the notification deadline for the service provider's notification of the covered institution from 48 to 72 hours, while retaining the notice trigger of the service provider “becoming aware of” a breach in security resulting in unauthorized access to a customer information system maintained by the service provider.^[215]

However, the Commission is adopting as proposed final amendments that provide that a covered institution, as part of its incident response program, may enter into a written agreement with its service provider to notify affected individuals on the covered institution's behalf in accordance with paragraph (a)(4) of the final amendments.^[216] In a modification from the proposal, the final amendments provide that even where a covered institution uses a service provider in accordance with paragraphs (a)(5)(i) and (ii) of the final amendments, the covered institution's obligation to ensure that affected individuals are notified in accordance with paragraph (a)(4) of the final amendments rests with the covered institution.^[217]

Finally, the Commission is also defining a “service provider” at adoption to mean any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.^[218] As discussed further below, this definition removes language from the proposed definition relating to third parties, but does so solely to make plain that the definition of a “service provider” can include affiliates of a covered institution.^[219]

a. Covered Institutions' Incident Response Program Obligations Regarding Service Providers

In a change from the proposed rule, the Commission is adopting the final amendments without requiring covered institutions to enter into a written contract with their service providers.^[220] Instead, the final amendments require that a covered institution's incident response program “include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of the covered institution's service providers, including to ensure that the covered institution notifies affected individuals as set forth in paragraph (a)(4),” in the event of a breach at the service provider.^[221] Further, while the final amendments do not require covered institutions to enter into a written contract, the final amendments incorporate the protections that would have been required in the proposed written contract ^[222] by requiring that a covered institution's policies and procedures be reasonably designed to ensure service providers take the appropriate measures to: (A) protect against unauthorized access to or use of customer information, and (B) provide notification to the covered institution in the event of a breach resulting in unauthorized access to a customer information system maintained by the service provider, in accordance with the timing and notice trigger conditions discussed further below. Finally, in a modification from the proposal, upon receipt of such notification, a covered institution must initiate its incident response program adopted pursuant to paragraph (a)(3) of this section.^[223]

Two commenters expressed varying degrees of support for requiring a written contract between a covered institution and its service providers.^[224] One such commenter expressed support for requiring a specific contractual agreement with a service provider, stating that the information covered by the service provider provision is already subject to a contractual agreement between the covered institution and the service provider.^[225] The other commenter agreed that service providers should be contractually required to take appropriate risk-based measures and due diligence to protect against unauthorized access to or use of customer information, but suggested that for flexibility in oversight covered institutions should be permitted to rely on “reasonable assurances” from service providers that they have taken appropriate measures to protect customer information.^[226]

Several commenters opposed this proposed requirement.^[227] Specifically, two commenters asserted that the written contract requirement would harm covered institutions, which may not have the negotiating power or leverage to demand specific contractual provisions from large third-party service providers, particularly where specific provisions are “inconsistent with the business imperatives” of the service provider and/or in the case of small covered institutions.^[228] A number of commenters also suggested alternatives to either adopting a written contract requirement or, if such a requirement is adopted, to mandating specified contractual requirements.^[229] Two commenters suggested that rather than requiring specific practices to be included within a written contract, the Commission should structure the final amendments to enable covered institutions to take a risk-based approach to due diligence and third-party risk management that integrates reliance on independent certifications, attestations, and industry standards as a sufficient means of assessing and determining whether the service provider is appropriately addressing these risks to an adequate standard.^[230] Meanwhile, another commenter who opposed the contractual requirement suggested the Commission should provide covered institutions with the flexibility to oversee their service providers “based on the nature and size of their businesses and in light of the risks posed by the facts and circumstances.” ^[231] Finally, one commenter suggested that it was unclear how a third-party service provider's notice to a covered institution would affect a covered institution's own obligations.^[232]

Eliminating the written contract requirement from the final amendments, while enhancing the policies and procedures obligation, strikes an appropriate balance between providing covered institutions with greater flexibility in achieving compliance with the requirements of this rule within the context of their service provider relationships, while also helping to ensure the investor protections afforded by the final amendments are maintained when covered institutions utilize service providers.

In particular, as adopted, the enhanced policies and procedures obligations will enable covered institutions to identify and utilize the most appropriate means for their business of achieving compliance with the final amendments through policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of their service providers. Providing this flexibility will help address commenters' concerns about imposing a written contractual agreement for covered institutions, particularly those that are small entities, which may not have sufficient negotiating power or leverage to demand specific contractual provisions from a large third-party service provider. At the same time, the enhanced policies and procedures requirements will provide for effective safeguarding of customer information when it is received, maintained, processed, or otherwise accessed by a service provider, as well as timely notice to customers affected by a breach at a covered institution's service provider, by requiring that the policies and procedures be reasonably designed to: (1) require oversight, including through due diligence and monitoring, of service providers, including to ensure that the covered institution notifies affected individuals as required in paragraph (a)(4) and (2) ensure service providers take appropriate measures to protect against the unauthorized access to or use of customer information and provide covered institutions with timely notification of a breach so that the covered institution can carry out their incident response program.

While the final amendments thus provide increased flexibility as to a covered institution's means of overseeing its service providers, the modification the Commission is making at adoption does not lower the standard of a covered institution's substantive oversight obligations. Some covered institutions may find that such oversight can be accomplished more easily and less expensively through less formal arrangements in certain circumstances, based on the covered institution's relationship with its service provider, as well as the scope of the services that are now or will be provided over the course of the relationship.^[233] However, regardless of the means and arrangements employed, the covered institution must ensure that any service provider it decides to utilize takes appropriate measures to (A) protect against unauthorized access to or use of customer information, and (B) provide breach notifications to the covered institution as required by these final amendments.

Further, while it may be helpful to a covered institution in achieving compliance with the final amendments to receive “reasonable assurances” from its service providers that they have taken appropriate measures to both protect customer information and provide timely notification to the covered institution in the event of a relevant breach of the service provider's customer information systems, reliance solely on such assurances may be insufficient depending on the facts and circumstances, for example when a covered institution knows, or has reason to know, that such assurance is inaccurate. Instead, the final rules require the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of the service provider to ensure the covered institution will be able to satisfy the obligations of paragraph (a)(4). Further, covered institutions generally should consider reviewing and updating these policies and procedures periodically throughout their relationship with a service provider, including updates designed to address any information learned during the course of their monitoring.

The final amendments provide covered institutions with flexibility in overseeing their service provider relationships, while helping to ensure the additional investor protections intended by these final amendments are Start Printed Page 47709 still achieved. Consistent with this risk-based approach, covered institutions may wish to consider employing such tools as independent certifications and attestations obtained from the service provider, as suggested by some commenters, as part of their policies and procedures to require oversight, including through due diligence and monitoring, of the service provider. However, the covered institution's written policies and procedures must be reasonably designed under the circumstances, and the covered institution's oversight of its service providers pursuant to those written policies and procedures generally should be tailored to the facts and circumstances of the two parties' relationship, which may or may not include the use of such tools.

Further, as stated above, we are modifying the proposed rule to state that upon a covered institution's receipt of a service provider's notification, the covered institution must initiate its incident response program required by paragraph (a)(3) of the rule.^[234] The Commission is adopting this modification in response to comment requesting clarification of a covered institution's obligations upon receipt of service provider breach notifications.^[235] Further, this modification helps further align the final amendments with the intended purpose of the service provider's breach notifications, as discussed in the Proposing Release.^[236] While receipt of such notice automatically triggers the covered institution's obligation to initiate the procedures of its incident response program, such notice is not a necessary predicate to trigger this obligation for incidents occurring at the service provider. A covered institution also must initiate its incident response program where the covered institution has otherwise independently detected an incident of unauthorized access to or use of customer information at the service provider.^[237]

Finally, some commenters asked that we consider making any new obligations with respect to a written contract requirement forward-looking so as not to disrupt contracts already in existence by requiring renegotiation, and that we should further extend the compliance date to address this.^[238] As we are adopting the rule without a written contract requirement, these comments have become moot.^[239]

b. Deadline for Service Provider Notice to Covered Institutions and Notice Trigger

As described above, the final amendments require that a covered institution's policies and procedures be reasonably designed to ensure service providers take appropriate measures to provide covered institutions with notice “as soon as possible, but no later than 72 hours after becoming aware of a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider.” ^[240] This modification extends the proposed timeframe for service providers to provide such notice to 72 hours, but maintains the proposed notice triggering event to initiate this timeframe of the service provider becoming aware of a breach.” ^[241]

Commenters addressed both the notification deadline and the triggering event for notifications to be provided by service providers to covered institutions in the event of a relevant breach involving unauthorized access to a customer information system maintained by the service provider. As to the notification deadline, one commenter supported requiring service providers to notify a covered institution within 48 hours of a breach impacting the covered institution or affected individuals, stating its understanding is that this is “not an uncommon arrangement” today between covered institutions and service providers maintaining their nonpublic personal information ( e.g., between investment companies and transfer agents).^[242] Another commenter raised concerns that a standard of “as soon as possible, but no later than 48 hours after becoming aware of a breach,” when paired with a written contract requirement, might impose formidable challenges to covered institutions in mandating such contractual provisions with service providers who are not explicitly subject to Commission jurisdiction, and may have their own policies and procedures addressing breaches.^[243] Several commenters suggested the Commission adopt a 72-hour notification deadline.^[244] In particular, one such commenter stated that this notification provision should be extended to “as soon as possible but no later than 72 hours,” to harmonize the Commission's standard with a number of related Federal, State, and international regulatory deadlines governing required service provider notification to financial institutions in the event of a cyber incident, and also further the White House's and Congress's express policy of harmonizing cyber incident reporting requirements.^[245] Finally, this commenter stated that a consistent 72-hour reporting deadline would promote more effective cybersecurity incident response and cyber threat information sharing than shorter, or varied reporting periods, and that a 48-hour deadline in the commenter's experience would lead to “premature reporting” that increases the likelihood of reporting inaccurate or incomplete information and tends to create confusion and uncertainty.^[246]

In contrast, some commenters recommended modifying the proposal to remove any specified duration for a reporting deadline.^[247] Several Start Printed Page 47710 commenters suggested that rather than an inflexible time deadline, the Commission should require that notification be provided without unreasonable delay after a reasonable investigation has been performed by the service provider.^[248] Another commenter stated that rather than mandating any form of a deadline, the time period should be left to covered institutions and service providers to negotiate, accounting for the nature of services and customer data.^[249]

As to the triggering event requiring service providers to notify covered institutions of a relevant breach, one commenter urged the Commission to shift from the service provider “becoming aware” of a breach that entailed unauthorized access to customer information, to the service provider “determining” that such a breach had occurred.^[250] This commenter asserted that the process of “becoming aware” will involve time and resources to investigate and that changing to a “determining” standard may minimize pressure on the service provider to report prior to performing sufficient investigation, while helping harmonize regulatory approaches across the financial sector, as it would align with similar requirements adopted by Federal banking agencies related to notice provided by bank service providers.^[251] Another commenter stated the Commission should, in addition to shifting to a 72-hour reporting deadline, amend the trigger initiating this reporting deadline to the moment the service provider “has a reasonable basis to conclude that a notifiable incident has occurred or is occurring.” ^[252]

Other commenters suggested narrowing the scope of incidents that would trigger required notice by service providers to a covered institution.^[253] One commenter asserted that incident response program requirements should only address and be triggered by incidents that involve unauthorized access to or use of a subset of customer information ( e.g., sensitive customer information).^[254] Another commenter stated that the proposal would result in notices to a covered institution if there has been unauthorized access to the service provider's customer information system, regardless of whether the covered institution's customers were in any way affected by the breach.^[255] Instead, the commenter stated that the Commission should limit the scope of incidents requiring notification to a covered institution to only those resulting in unauthorized access to that covered institution's “customer information” maintained by the service provider.^[256]

After consideration, the Commission is extending the deadline for providing notification from 48 to 72 hours. Although we appreciate that the 48-hour standard in the proposed amendments may not be an uncommon arrangement between covered institutions and their service providers in the market today, extending this deadline by 24 hours will provide service providers with additional time to conduct more effective investigations of a breach at the service provider, resulting in more relevant and accurate notifications to the covered institution. Further, the 72-hour standard brings this notification deadline in alignment with other existing regulatory standards, which should reduce costs to service providers and covered institutions without sacrificing the investor protection benefits of the rule.^[257]

The Commission disagrees that there should be no specified notification deadline and that covered institutions and service providers should be able to negotiate the appropriate timing for such notification. As discussed above, upon receipt of the breach notification from the service provider, a covered institution must initiate its incident response program adopted pursuant to paragraph (a)(3) of the final amendments.^[258] As covered institutions cannot reasonably be expected to initiate their incident response programs for incidents occurring at a service provider that the covered institution is not yet aware have occurred, providing the indefinite timeline commenters suggest could significantly hinder the effectiveness of covered institutions' incident response programs.^[259] For example, delays in the service provider's notification to the covered institution of a breach could result in further delays in the initiation of the incident containment and control procedures the covered institution has adopted pursuant to its incident response program obligations, consequently diminishing their effectiveness. Further, any excess delay in the service provider's notification to the covered institution and resulting delay in the covered institution's initiation of its incident response program, could significantly hinder the goal of the final amendments of providing customers with timely notification of data breaches so that they may take remedial action. In light of this, reasonably designed policies and procedures generally should also account for instances where the covered institution determines that a service provider has failed to provide notice to the covered institution within 72 hours as required. In such circumstances, in addition to initiating its incident response program upon receipt of the notice as required, a covered institution generally should reevaluate its policies and procedures governing its relationship with the service provider and make adjustments as necessary to ensure the service provider will take the required appropriate measures going forward.

Further, the Commission is adopting as proposed the “becoming aware of” standard for triggering a service provider's breach notifications to a covered institution. This standard is Start Printed Page 47711 intended to enable the covered institution to implement its incident response program expeditiously. While the Commission believes it is appropriate, as discussed above, to extend the timeframe for service provider notifications from 48 to 72 hours, adopting either a “having a reasonable basis to conclude” standard or a “determining” standard could frustrate the investor protection goals of these final amendments. Specifically, adopting either of these alternative standards could result in undue delays in a service provider's notification to the covered institution beyond the point at which the service provider is already aware that a relevant breach has occurred. Such a delay would frustrate the goal of both enabling covered institutions to initiate their incident response program expeditiously, as well as the goal of providing timely notification to affected individuals. For similar reasons, given that the “determining” standard used by Federal banking regulators involves a different context—notice to the banking organization of downgraded or degraded services—adopting it here solely to harmonize regulatory approaches would be inappropriate.^[260] Accordingly, the final amendments maintain the proposed “becoming aware of” standard for triggering a service provider's notification.

The Commission also is not limiting the scope of incidents to be reported to covered institutions to only those involving “sensitive customer information” or alternatively to breaches that result in unauthorized access to “customer information” maintained by the service provider rather than those that result in unauthorized access to a service provider's “customer information system.” Under the final amendments, a covered institution's incident response program must be reasonably designed to “detect, respond to, and recover from unauthorized access to or use of customer information,” and must include provisions to assess such incidents to “identify the customer information systems and types of customer information that may have been accessed or used without authorization” and take appropriate steps to “contain and control the incident to prevent further unauthorized access to or use of customer information.” ^[261] As discussed above, in doing so, we are requiring that covered institutions' incident response programs address any incident involving customer information—not merely those involving sensitive customer information—and also account for the identification of affected customer information systems in addition to the types of customer information that may have been accessed or used without authorization.^[262] For the same reasons, we are not limiting the scope of reportable incidents to only those breaches in security at the service provider that result in unauthorized access to sensitive customer information, or alternatively to only those breaches that result in unauthorized access to “customer information” maintained by the service provider.

c. Delegation of Notice and Covered Institutions' Customer Notification Obligations

The Commission is adopting as proposed language that permits covered institutions, as part of their incident response programs, to enter into a written agreement with their service providers to notify affected individuals on the covered institution's behalf.^[263] However, the Commission is also adopting a new paragraph that states that, notwithstanding any covered institution's use of a service provider, the covered institution's obligation to ensure that affected individuals are notified in accordance with this rule rests with the covered institution.^[264]

One commenter stated that it is appropriate to permit a covered institution to enter into a written agreement with its service provider to notify affected individuals on the covered institution's behalf, so long as the notification is actually ultimately provided to customers in a manner that satisfies the covered institution's notice obligations.^[265] The Commission agrees that there may be situations where a covered institution's service provider is better situated than the covered institution to provide a customer a breach notification. Thus, the Commission is adopting paragraph (a)(5)(ii) as proposed.^[266]

At the same time, the Commission is adopting a new paragraph (a)(5)(iii) to specify that even where a covered institution uses a service provider, the obligation to ensure that affected individuals are notified in accordance with the rule rests with the covered institution.^[267] While the proposing release included similar language,^[268] the final rule explicitly provides that the covered institution will be obligated to satisfy the customer notification requirements of paragraph (a)(4) in the event of a relevant breach occurring at the service provider. The Commission Start Printed Page 47712 agrees that in providing flexibility to covered institutions by permitting them to enter into a written agreement with their service providers to notify affected individuals on the covered institution's behalf, such notification to customers should be provided in a manner that satisfies the covered institution's notice obligations. Accordingly, where a covered institution has entered into a written agreement with its service provider to provide notice on the covered institution's behalf, the covered institution must ensure that the service provider has satisfied the customer notification obligations.^[269] To accomplish this, the covered institution's policies and procedures should consider including steps for conducting reasonable due diligence to confirm that the service provider has provided notice to affected customers. In addition to maintaining a copy of any notice transmitted to affected individuals by the service provider on the covered institution's behalf as required by the covered institution's (other than funding portals) recordkeeping obligations under the final amendments,^[270] effective due diligence might also include obtaining confirmation of delivery of such notification in the form of attestations or certifications made by the service provider. Covered institutions could also consider confirming with a sample of affected customers that they received such service provider notifications.

In addition, where the covered institution has entered into a written agreement with its service provider to provide notice on the covered institution's behalf pursuant to paragraph (a)(5)(ii), and the covered institution determines that the service provider has not provided such notifications in a manner that satisfies the conditions of paragraph (a)(4), the covered institution must still ensure that notification is provided to the customer, and the covered institution's policies and procedures generally should be designed to address these instances. To accomplish this, the covered institution generally should conduct timely due diligence to identify any lack of notification by the service provider to the customer and remedy the matter in advance of the deadline set out in paragraph (a)(4).

d. Service Provider Definition

The Commission is adopting the definition of “service provider” to mean “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” ^[271] This definition thereby includes affiliates of covered institutions if they are permitted access to this information through their provision of services. The scope of this definition is intended to help protect against the risk of harm that may arise from service providers' access to a covered institution's customer information and customer information systems.^[272]

A number of commenters addressed the scope of the proposed definition. Several commenters suggested narrowing the scope of the service provider definition by revising it to exclude affiliates or other GLBA regulated entities.^[273] Similarly, three commenters asserted that the Commission should revise the definition to exclude affiliates and other entities under common control with the covered institution, as those affiliates are typically subject to the same cybersecurity and privacy programs, including service provider management, which are frequently structured and operate on a group-wide basis.^[274] One of these commenters also stated the Commission should also exclude entities subject to the GLBA that have direct contractual relationships with the client.^[275] This commenter separately asserted that the service provider definition should be narrowed to only cover those persons or entities that are a third party and receive, maintain, process, or otherwise are permitted access to sensitive customer information, so that covered institutions can prioritize “higher-risk service providers” and not expend resources unnecessarily on an overly broad set of service providers.^[276] Finally, one commenter requested that the Commission “clarify the scope of the service provider definition, including whether service providers would include financial counterparties such as brokers, clearing and settlement firms, and custodial banks.” ^[277]

As stated above, we are modifying the definition of service provider from the proposal to remove reference to third parties in response to commenters to incorporate into rule text the Commission's intended scope of the “service provider' definition, as discussed in the Proposing Release.^[278] It would not be appropriate to narrow the definition to exclude affiliates or non-affiliates that are also subject to the GLBA, as commenters have suggested. While a covered institution's affiliates may collectively operate under the same cybersecurity and privacy programs, such uniformity in approach does not diminish the risk of harm to the institution's customers in the event of a cyber incident involving unauthorized access to or use of customer information at the affiliate.^[279] This risk is similarly not diminished where a cyber incident involving unauthorized access to or use of customer information occurs at a covered institution's unaffiliated service provider that is subject to the GLBA, even where the service provider has a direct contractual relationship with the client. In such instances, maintaining such an entity's inclusion within the service provider definition will help ensure that the covered institution is made aware of cyber incidents that occur at the service provider to aid in both the covered institution's oversight of its service providers, as well as satisfaction of its customer notification and broader customer information safeguarding obligations under the final Start Printed Page 47713 amendments. It is thus important for the service provider definition to remain sufficiently broad to address these risks by setting out clear obligations for all parties possessing legitimate access to customer information regarding both the safeguarding of that information, and, where necessary, ensuring notification to the affected customers in the event of a breach involving unauthorized access to or use of customer information. However, while we are not narrowing the scope of the “service provider” definition to exclude either affiliates of the covered institution or unaffiliated service providers that are independently subject to the GLBA, pursuant to paragraph (a)(5)(ii) of these final amendments the covered institution and a service provider may enter into a written agreement for the service provider to notify affected individuals on its behalf in in the event of a breach at the service provider, as discussed above.^[280]

Further, it would not be appropriate to narrow the service provider definition to only address those persons or entities that operate as “higher-risk service providers” that receive, maintain, process, or are otherwise permitted access to sensitive customer information, as one commenter suggested. As discussed above, the scope of information covered by the assessment and containment and control requirements of the final amendments is designed to help ensure all information covered by the requirements in the GLBA is appropriately safeguarded, and that sufficient information is assessed to fulfill the more narrowly tailored obligation to notify affected individuals.^[281] Specifically, consistent with the GLBA, the final amendments are tailored to require that a covered institution's written policies and procedures must be reasonably designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer, not merely all sensitive customer information.^[282] Narrowing the service provider definition in a manner that would fail to cover the full scope of information that the GLBA requires to be covered in a covered institution's safeguarding policies and procedures, as would result from commenters' suggestion, would be inappropriate.^[283] Further, we are also concerned that limiting the service provider definition to only address those persons or entities that receive, maintain, process, or are otherwise permitted access to sensitive customer information, as commenters suggest, would result in insufficient notification to covered institutions in the event of a breach at a service provider. The purpose of this service provider notification is to enable the covered institution to begin carrying out its response program, which requires an assessment of the nature and scope of any incident involving unauthorized access to or use of customer information, not merely those involving sensitive customer information.^[284] For these reasons, the Commission is adopting the service provider definition as modified.

The Commission also acknowledges the request to clarify the scope of what is included within the service provider definition, including “whether service providers would include financial counterparties such as brokers, clearing and settlement firms, and custodial banks.” In alignment with the service provider definition we are adopting, covered institutions should make this determination based on the facts and circumstances about the substance of the relationship with the covered institution, rather than the form of the entity in question. Where financial counterparties receive, maintain, or otherwise are permitted access to customer information through the provision of services directly to the covered institution, they meet the service provider definition as adopted.

B. Scope of Safeguards Rule and Disposal Rule

1. Scope of Information Protected

We are adopting amendments to rule 248.30 that define the scope of information covered by the safeguards and disposal rules. These amendments will broaden and more closely align the scope of both rules by applying them to the information of not only a covered institution's own customers, but also the customers of other financial institutions that has been provided to the covered institution.^[285] These amendments further specify that the rules also apply to customer information handled or maintained on behalf of the covered institution.^[286] We are adopting these changes substantively as proposed, with changes to the structure of the rule in response to comments as discussed in more detail below.

Specifically, the amendments:

Adopt a new definition of “customer information” defining the scope of information covered by both the safeguards and disposal rules. These amendments provide greater specificity regarding what constitutes customer information that must be protected under the safeguards rule. They also expand the scope of the disposal rule, which currently applies only to consumer information (defined as “consumer report information” in theStart Printed Page 47714 current rule) so that it applies to both customer and consumer information.
Provide that customer information protected under both the safeguards and disposal rules includes both customer information in the possession of a covered institution as well as customer information handled or maintained on its behalf.
Provide that both customer and consumer information include information that pertains to individuals with whom the covered institution has a customer relationship, as well as to the customers of other financial institutions where such information has been provided to the covered institution. We are adopting this expansion as proposed but, as discussed below, have reorganized the rule provisions effectuating the change in response to comments.

Definition of Customer Information

Currently, Regulation S-P's protections under the safeguards rule and disposal rule apply to different, and at times overlapping, sets of information.^[287] Specifically, as required under the GLBA, the safeguards rule currently requires broker-dealers, investment companies, and registered investment advisers (but not transfer agents) to maintain written policies and procedures to protect “customer records and information,” ^[288] which is not defined in the GLBA or in Regulation S-P. The disposal rule requires every covered institution properly to dispose of “consumer report information,” a different term, which Regulation S-P defines consistently with the FACT Act provisions.^[289]

To align more closely the information protected by both rules, as proposed, we are amending rule 248.30 by replacing the term “customer records and information” in the safeguards rule with a newly defined term “customer information” and by adding customer information to the coverage of the disposal rule. For covered institutions other than transfer agents, the term “customer information” will mean, as proposed, “any record containing nonpublic personal information as defined in section 248.3(t) about a customer of a financial institution, whether in paper, electronic, or other form.” ^[290]

Commenters did not object to the proposed definition of “customer information.” As discussed in the Proposing Release, the customer information definition in the coverage of the safeguards rule is intended to be consistent with the objectives of the GLBA, which focuses on protecting “nonpublic personal information” of those who are “customers” of financial institutions.^[291] The customer information definition is also based on the definition of “customer information” in the safeguards rule adopted by the FTC.^[292]

Additionally, adding customer information to the coverage of the disposal rule is also consistent with the objectives of the GLBA. Under the GLBA, an institution has a “continuing obligation” to protect the security and confidentiality of customers' nonpublic personal information.^[293] The final amendments specify that this obligation continues through disposal of customer information. The final amendments also are consistent with the objectives of the FACT Act, which focuses on protecting “consumer information,” a category of information that will remain within the scope of the disposal rule.^[294] Adding customer information to the disposal provisions will simplify compliance with the FACT Act by eliminating a covered institution's need to determine whether its customer information is also consumer information subject to the disposal rule. Covered institutions should also be less likely to fail to dispose of consumer information properly by misidentifying it as customer information only. In addition, including customer information in the coverage of the disposal rule would conform the rule more closely to the Banking Agencies' Safeguards Guidance.^[295] Commenters did not address the expansion of the disposal rule to cover customer information.

One commenter sought clarification regarding the proposal's coverage of customer information handled or maintained on behalf of a covered institution. This commenter stated that proposed paragraph (a) of rule 248.30, which set out the scope of information collectively covered under the safeguards and disposal rules, could be interpreted to limit the application of the rules to customer information in the possession of the covered institution, while proposed paragraph (e)(5) defined customer information to include information that is handled or maintained on behalf of the covered institution. The proposal included both customer information in the possession of a covered institution as well as customer information handled or maintained on its behalf in both the safeguards and disposal rules. This is because rule 248.30 provided the rules applied to “customer information” and, as the commenter observed, the proposal defined customer information to include “any record containing Start Printed Page 47715 nonpublic personal information as defined in § 248.3(t) about a customer of a financial institution, whether in paper, electronic or other form, that is handled or maintained by the covered institution or on its behalf.” Applying these rules to information handled or maintained on behalf of a covered institution is necessary so that the incident response program applies to information about a covered institution's customers that is handled or maintained by a service provider on the covered institution's behalf and to require that such information is disposed of properly.

In response to this comment, we have removed the dedicated scope paragraph (a) from the proposed rule and moved all the requirements for customer information and consumer information into the definitions of those terms, now in renumbered paragraphs (d)(5)(1) and (d)(1) respectively. Accordingly, and substantively as proposed, the definition of consumer information covers information that a covered institution maintains or otherwise possesses for a business purpose, and the customer information definition covers information in the possession of a covered institution or that is handled or maintained by the covered institution or on its behalf.^[296] These structural changes do not change the scope of the proposed rule, but rather consolidate in each definition the scope of covered information as opposed to referring to information possessed by a covered institution in one paragraph of the rule and referring to information handled on its behalf in another.

Safeguards Rule and Disposal Rule Coverage of Customer Information

We also are adopting the requirement, substantively as proposed, that both the safeguards rule and the disposal rule apply to the information specified in those definitions regardless of whether such information pertains to (a) individuals with whom the covered institution has a customer relationship or (b) the customers of other financial institutions where such information has been provided to the covered institution.^[297] As discussed above, however, we are structurally reflecting this requirement in the definitions of customer information and consumer information, rather than in proposed paragraph (a).

Comments were mixed on expanding the safeguards and disposal rules to cover nonpublic personal information received by covered institutions from third party financial institutions. Some commenters supported the expansion.^[298] Two of these commenters stated that sensitive nonpublic information should be protected regardless of how it came into a covered institution's possession.^[299] Other commenters opposed the proposed expansion, suggesting that the rules should be limited to the customer information of the covered institution's own customers and stating that the safeguards rule in its current form is appropriately calibrated.^[300] One of these commenters stated that requiring notification of customers of other financial institutions under the proposed expansion would be confusing to customers and impractical for covered institutions.^[301]

After considering comments, the final amendments provide that the safeguards rule and disposal rule apply to both nonpublic personal information that a covered institution collects about its own customers and to nonpublic personal information it receives from another financial institution about that institution's customers. Currently, in contrast, Regulation S-P defines “customer” as “a consumer who has a customer relationship with you.” The safeguards rule, therefore, only protects the “records and information” of individuals who are customers of the particular institution and not others, such as individuals who are customers of another financial institution. The disposal rule, on the other hand, requires proper disposal of certain records about individuals without regard to whether the individuals are customers of the particular institution. The final amendments better align the scope of the safeguards and disposal rules by requiring that a covered institution protect the information of individuals even if those individuals are not customers of that particular institution but customers of another financial institution.

The amendments also are designed to help ensure that the nonpublic personal information of covered institution customers is better protected from unauthorized disclosure on an ongoing basis, regardless of what entity is maintaining or handling that information.^[302] For example, information that a registered investment adviser has received from the custodian of a former client's assets would be covered under both the safeguard and disposal rules if the former client remains a customer of either the custodian or of another financial institution, even though the individual no longer has a customer relationship with the investment adviser.^[303] Applying the safeguards rule and the disposal rule to customer information that a covered institution receives from other financial institutions will help ensure customer information safeguards are not lost because a third party financial institution shares that information with a covered institution.

2. Extending the Scope of the Safeguards Rule and the Disposal Rule To Cover All Transfer Agents

As discussed in more detail below, the final amendments, which are the same as proposed except for the modifications to the structure of the rules discussed above,^[304] extend both the safeguards rule and the disposal rule to apply to any transfer agent registered with the Commission or another appropriate regulatory agency.^[305] We are extending these provisions to transfer agents because, as discussed in the Proposing Release, transfer agents maintain sensitive, detailed information related to securityholders.^[306] Like other market participants, systems maintained by transfer agents are subject to threats and hazards to the security or integrity of those systems. Likewise, the individuals whose information is maintained by those transfer agents' systems are subject to similar risks of substantial harm and inconvenience as individuals whose customer information is maintained by other covered institutions. Yet, prior to the amendments, the safeguards rule did Start Printed Page 47716 not apply to any transfer agents, and the disposal rule applied only to those transfer agents registered with the Commission. To address these risks, and help ensure that individuals whose customer information is held by a transfer agent are protected and receive appropriate notice of a breach in the same manner as individuals whose customer information is held by any other covered institution, the final amendments apply both the safeguards rule and the disposal rule to all transfer agents, even if the transfer agent is registered with another appropriate regulatory agency. The final amendments do this by including “transfer agents registered with the Commission or another appropriate regulatory agency” in the definition of a “covered institution,” in the same manner as we proposed.^[307]

As proposed, the final amendments also account for the fact that transfer agents' clients generally are the issuers whose securities are held by investors, not the individual investors themselves, by defining “customer” with respect to a transfer agent registered with the Commission or another appropriate regulatory agency as any natural person who is a securityholder of an issuer for which the transfer agent acts or has acted as a transfer agent. Some commenters supported extending these rules to all transfer agents. These commenters stated that doing so would: (i) be consistent with current market practice; (ii) benefit investors; and (iii) create a single, equal standard for all transfer agents.^[308] Other commenters opposed extension of the safeguards rule and disposal rule to all transfer agents. In general, these commenters stated that doing so would: (i) exceed the scope of the Commission's authority; (ii) fail to recognize that a transfer agent's customer is an issuer of securities; (iii) potentially conflict with State law; (iv) confuse securityholders; and (v) impose unnecessary costs on transfer agents.^[309] As discussed below, the Commission agrees with the commenters who supported extending the safeguards rule and disposal rule to all transfer agents and is adopting the amendments as proposed.

Extending to All Transfer Agents, Including Transfer Agents Subject to Existing Federal and State Requirements, and Scope of the Commission's Authority

We received some comments in support of our proposed extension of scope to include transfer agents. One commenter stated that extending the protections of the safeguards rule and the disposal rule to all transfer agents would benefit the public and protect investors, due to the sensitive information they possess, and would equalize the standards that are applicable to transfer agents.^[310] This commenter stated that due to their role, transfer agents have information related to securityholders that may include names, addresses, phone numbers, email addresses, employers, employment history, bank account information, credit card information, transaction histories, and securities holdings.^[311] This commenter further stated that the systems transfer agents maintain are subject to the same risks of a breach as other covered institutions, and therefore the individuals whose customer information transfer agents maintain are subject to the same risks as customers of other covered institutions.^[312] Finally, the commenter stated that extending the safeguards rule and disposal rule to all transfer agents will promote regulatory parity and fair competition among firms, regardless of their registration status.^[313]

Similarly, one commenter supported including transfer agents and requiring breach notifications,^[314] and another commenter stated that establishing incident response and minimum data breach reporting requirements for transfer agents would be a significant step toward a stronger and more comprehensive national data breach regime.^[315]

Other comments, however, objected to scoping transfer agents into the Safeguards Rule. For example, one commenter suggested that applying the rules to all transfer agents could subject transfer agents registered with an appropriate regulatory agency that is not the Commission to conflicting data security requirements from those regulators, resulting in regulatory confusion.^[316] One commenter stated that extending the rules to all transfer agents would exceed the scope of the Commission's authority.^[317] Similarly, two commenters stated that the Commission should exempt certain transfer agents from the safeguards rule, such as transfer agents subject to existing State and Federal banking laws addressing privacy and safeguarding customer information, or those that do not engage in paying agent services.^[318] One of these commenters stated that transfer agents “do not have the type or scope of personal information which could lead to further complications for securityholders” because transfer agents are not subject to know-your-customer obligations, do not have extensive background information concerning securityholders, and generally do not have possession of shareholder assets or have information which could be used to take or transfer assets of shareholders.^[319] One of these commenters also stated that it is already subject to banking laws and inter-agency guidelines that address privacy, breach notification, and disposal of personal information, such as the Banking Agencies' Incident Response Guidance.^[320]

The Commission does not agree that extending the rules to all transfer agents would result in regulatory confusion. As discussed above, the GLBA and FACT Act oblige us to adopt regulations, to the extent possible, that are consistent and comparable with those adopted by the Banking Agencies, the CFPB, and the FTC.^[321] The Commission has been mindful of the need to set standards for safeguarding customer records and information that are consistent and comparable with the corresponding standards set by these agencies, and to this end, we have modified the final amendments from the proposal to promote greater consistency with other applicable Federal safeguard standards where such changes do not affect the investor protection purposes of this rulemaking, as discussed in more detail above.^[322] Thus, although there are some differences, the final amendments are largely aligned with the Banking Start Printed Page 47717 Agencies' Incident Response Guidance and Safeguards Guidance to which some transfer agents supervised by one of the Banking Agencies are already subject.^[323] We recognize, however, that transfer agents registered with the Banking Agencies are already subject to the Banking Agencies' Incident Response Guidance and Safeguards Guidance and therefore may need to review their existing procedures under the Banking Agencies' Guidance for compliance with the final amendments. To the extent there are differences between their existing procedures and the final amendments, given the Commission's efforts to promote consistency between the final amendments and other Federal safeguards standards, it will be possible for transfer agents to update their existing policies, procedures, and practices to ensure consistency with both the Banking Agencies' Guidance and the final amendments.^[324] Finally, even if the final amendments impose additional requirements on some transfer agents already subject to the Banking Agencies' Guidance, it is appropriate to establish a minimum nationwide standard for the notification of securityholders who are affected by a transfer agent data breach that is tailored to the Commission's mission and the specific requirements.^[325] For these reasons, the Commission does not agree that it should exempt from the safeguards rule transfer agents that are subject to existing Federal banking laws addressing privacy and safeguarding customer information.

Moreover, the Commission is not exempting from the safeguards rule transfer agents that do not engage in paying agent services. The population of transfer agents that maintain sensitive, detailed and individualized information related to securityholders is not limited to those transfer agents that engage in paying agent services. Providing the exemption suggested by this commenter would deprive securityholders whose sensitive customer information is maintained by a non-paying agent transfer agent of the important protections afforded under the final amendments.

The Commission does not agree that extending the rules to all transfer agents would exceed the scope of the Commission's authority. As discussed in the proposal, when the Commission initially proposed and adopted the disposal rule, it did so to implement the congressional directive in section 216 of the FACT Act to adopt regulations to require any person who maintains or possesses a consumer report or consumer information derived from a consumer report for a business purpose to properly dispose of the information.^[326] The Commission determined at that time that, through the FACT Act, Congress intended to instruct the Commission to adopt a disposal rule to apply to transfer agents registered with the Commission.^[327] The Commission also stated at that time that the GLBA did not include transfer agents within the list of covered entities for which the Commission was required to adopt privacy rules.^[328] The Commission extended the disposal rule only to those transfer agents registered with the Commission to carry out its directive under the FACT Act, while deferring to the FTC to utilize its “residual jurisdiction” under the same congressional mandate, to enact both a disposal rule and broader privacy rules that might apply to transfer agents registered with another appropriate regulatory agency.^[329]

The Commission, however, has broad authority under Section 17A of the Exchange Act that is independent of either the FACT Act or the GLBA, to prescribe rules and regulations for transfer agents as necessary or appropriate in the public interest, for the protection of investors, for the safeguarding of securities and funds, or otherwise in furtherance of the purposes of Title I of the Exchange Act.^[330] Specifically, whether transfer agents initially register with the Commission or another appropriate regulatory agency,^[331] section 17A(d)(1) of the Exchange Act authorizes the Commission to prescribe such rules and regulations as may be necessary or appropriate in the public interest, for the protection of investors, or otherwise in furtherance of the purposes of the Exchange Act with respect to any transfer agents registered with either the Commission or another appropriate regulatory agency. Once a transfer agent is registered with any appropriate regulatory agency, the Commission “is empowered with broad rulemaking authority over all aspects of a transfer agent's activities as a transfer agent.” ^[332] Pursuant to its statutory authority, the Commission has adopted rules that address various aspects of transfer agents' activities, including annual disclosures, transaction processing, responses to written inquiries, recordkeeping, safeguarding of funds and securities, lost securityholder searches, among others.^[333] These and the Commission's other transfer agent rules ^[334] currently apply to and are enforceable against all registered transfer agents, including those that initially registered with an appropriate regulatory agency other than the Commission.^[335]

The FTC has not adopted disposal and privacy rules to govern transfer agents registered with an appropriate regulatory agency that is not the Commission. The Commission is exercising its authority under section 17A(d)(1) of the Exchange Act to extend the safeguards rule to apply to any transfer agent registered with either the Commission or another appropriate regulatory agency and to extend the disposal rule to apply to transfer agents registered with another appropriate regulatory agency. The Commission does so to address the risks of market disruptions and investor harm posed by Start Printed Page 47718 cybersecurity and other operational risks faced by transfer agents. Extending the safeguards rule and disposal rule to address those risks is in the public interest, and necessary for the protection of investors and for the safeguarding of funds and securities.

As explained in the proposal, transfer agents are subject to many of the same risks of data system breach or failure that other market participants face.^[336] For example, transfer agents are vulnerable to a variety of software, hardware, and information security risks that could threaten the ownership interests of securityholders or disrupt trading within the securities markets.^[337] A software, hardware, or information security breach or failure at a transfer agent could result in the corruption or loss of securityholder information, erroneous securities transfers, or the release of confidential securityholder information to unauthorized individuals. A concerted cyber attack or other breach could have the same consequences, or result in the theft of securities and other crimes. A transfer agent's failure to account for such risks and take appropriate steps to mitigate them can directly lead to the loss of funds or securities, including through theft or misappropriation, due to the information about securityholders that transfer agents maintain.^[338]

At the same time, the scope and volume of funds and securities that are processed or held by transfer agents have increased dramatically since Regulation S-P was first adopted.^[339] The risk of loss of such funds and securities presents significant risks to issuers, securityholders, other industry participants, and the U.S. financial system as a whole. For example, transfer agents that provide paying agent services on behalf of issuers play a significant role within that system. According to Form TA-2 filings in 2023, transfer agents distributed approximately $3.68 trillion in securityholder dividends and bond principal and interest payments. Critically, because Form TA-2 does not include information relating to the value of purchase, redemption, and exchange orders by mutual fund transfer agents, the $3.68 trillion amount stated above does not include these amounts. If the value of such transactions by mutual fund transfer agents was captured by Form TA-2 it is possible that the $3.68 trillion number would be significantly higher.^[340]

Moreover, contrary to some commenters' statements, transfer agents do maintain personal information about individual securityholders that could be used to take or transfer assets of securityholders or otherwise lead to further complications for securityholders. As stated in the proposal, transfer agents may obtain, share, and maintain personal information on behalf of securityholders who hold securities in registered form ( i.e., in their own name rather than indirectly through a broker).^[341] For example, any registered transfer agent that maintains a master securityholder file on behalf of an issuer must post to that file debits and credits containing minimum and appropriate certificate detail representing every security transferred, purchased, redeemed, or issued.^[342] Pursuant to Exchange Act Rule 17Ad-9, certificate detail must include, among other things, the name and address of the registered securityholder, the number of shares or principal dollar amount of the equity or debt security, and any other identifying information about the securityholder or the securityholder's securities that the transfer agent reasonably deems essential to its recordkeeping system for the efficient and effective research of record differences.^[343] This can include date of birth, social security or tax payer identification number, phone numbers, email addresses, information about relatives, and other sensitive personal information.^[344] Transfer agents also maintain additional personal information about securityholders in connection with ancillary account, administrative, and other services transfer agents provide to securityholders on behalf of issuers, such as plan administration, proxy services, corporate action processing, and disbursement of dividend and interest payments.^[345] This is the same type of customer information collected and maintained by other covered institutions and warrants the same level of protection. For example, the Commission is aware of instances in which threat actors have utilized securityholder information obtained from a transfer agent to steal securities and funds from those securityholders.^[346]

For these reasons, the Commission is extending the safeguards rule and disposal rule to cover all registered transfer agents because it is in the public interest and will help protect investors and safeguard their securities and funds. Extending the safeguards rule to cover any registered transfer agent addresses the risks to the security and integrity of customer information associated with the systems those transfer agents maintain. This in turn helps prevent securityholders' customer information from being compromised, which, as discussed above, could threaten the ownership interest of securityholders or disrupt trading within the securities markets. Extending the final amendments to all registered transfer agents also helps establish minimum nationwide standards for the notification of securityholders who are affected by a transfer agent data breach that leads to the unauthorized access or use of their information so that affected securityholders could take additional mitigating actions to protect their customer information, ownership interest in securities, and trading activity. Finally, as discussed above, extending the disposal rule to cover those transfer agents registered with another appropriate regulatory agency helps ensure all registered transfer agents are subject to the same minimum nationwide standard, tailored to the Commission's mission and requirements, and will protect investors and safeguard their securities and funds by reducing the risk of fraud or related crimes, including identity theft, which can lead to the loss of securities and funds. Start Printed Page 47719

Definition of a Transfer Agent's Customer

As stated above, the final amendments include a definition of customer that is specific to transfer agents, which is being adopted as proposed, except for a clarification noted below. For a transfer agent, customer means any natural person who is a securityholder of an issuer for which the transfer agent acts or has acted as a transfer agent.^[347] The Commission is clarifying that this definition applies for purposes of section 248, meaning that it does not apply to any other rules, including those specific to transfer agents codified at 17 CFR 240.17Ad. Unless specified, securityholders of issuers are not customers of transfer agents for purposes of other rules. The Commission is adopting this definition because, as discussed above, although transfer agents' customers generally are issuers of securities, transfer agents collect and maintain non-public personal information about the individual registered owners who hold those issuers' securities in connection with various services and activities they engage in on behalf of issuers.

Some commenters supported this definition and approach of treating securityholders of an issuer as a transfer agent's customer, while other commenters did not. One commenter stated that this approach would close a “regulatory gap”—despite possessing and maintaining sensitive information about securityholders, no transfer agents are currently subject to the safeguards rule, and only transfer agents registered with the Commission are subject to the disposal rule.^[348] Similarly, one commenter supported protecting customer information by subjecting that information to Regulation S-P, regardless of how it comes into the covered institution's possession.^[349] On the other hand, one commenter opposed this proposed definition, stating that the need for a specific defined term for transfer agents indicated that the amendments were not well suited for transfer agents.^[350] Three commenters stated that securityholders of issuers are not customers of the transfer agent, rather the issuer is the customer of the transfer agent.^[351]

The Commission agrees that customer information held by a covered institution must be protected, regardless of how that customer information comes into the covered institution's possession. As discussed in the proposal and above, transfer agents obtain, share, and maintain personal information on behalf of securityholders who hold securities in registered form ( i.e., in their own name rather than indirectly through a broker).^[352] They also collect detailed personal information in connection with various services provided directly to individual securityholders, such as facilitating legal and other transfers of securities, replacing lost or stolen securities certificates, facilitating corporate communications with investors, providing cost-basis calculations for tax purposes, and other services.^[353] The fact that a transfer agent may not have a direct contractual relationship with an individual securityholder does not eliminate the need for transfer agents to protect the sensitive personal information about individual securityholders that is collected and maintained by the transfer agent.

Contrary to some commenters' statements, adopting a transfer agent-specific definition of customer does not indicate that the safeguards rule and disposal rule are not well-suited for transfer agents. Rather, it helps ensure that the rule is appropriately tailored to address transfer agents and the specific type of customer information they collect and maintain. Tailoring specific rule provisions to specific types of entities to address their unique functions, structures, and businesses does not render the rule inappropriate to the entity for which the provisions are being tailored, nor is it an approach that is unique to transfer agents or to Regulation S-P. For example, since the adoption of Exchange Act Rule 17Ad-12, transfer agents have been required to safeguard any funds and securities, including securityholder funds and securities, in the transfer agent's possession or control.^[354] This is the case although securityholders may not be direct customers of transfer agents. As another example, final rule 248.30(d)(5)(i) defines customer information, for any covered institution other than a transfer agent as any record containing nonpublic personal information as defined in final rule 248.3(t) about a customer of a financial institution, whether in paper, electronic or other form, in the possession of a covered institution or that is handled or maintained by the covered institution or on its behalf, regardless of whether such information pertains to (a) individuals with whom the covered institution has a customer relationship, or (b) the customers of other financial institutions where such information has been provided to the covered institution.^[355] The fact that the securityholder whose funds and securities the transfer agent is in possession of is not a direct customer of the transfer agent does not eliminate the need for the transfer agent to safeguard those funds and securities. The same is true for customer information in the possession of a transfer agent or that is handled or maintained by the transfer agent or on its behalf.

Finally, two commenters stated that the Commission should propose a rule specific to transfer agents as part of the existing rules that apply specifically to transfer agents.^[356] In these commenters' views, such a rule would impose obligations similar to the final amendments but would apply only to transfer agents. One of these commenters further explained that it would support general safeguarding of securityholder information requirements, similar to those set forth in the safeguard rule, if the Commission enacted them as part of the regulations specific to transfer agents codified at 17 CFR 240.17Ad.^[357]

The Commission is not taking the approach suggested by the commenters. The final amendments will accomplish a similar result to a transfer agent-specific rule, while helping to ensure consistent requirements among covered institutions. Further, the commenters did not explain how such a rule would differ from the final amendments, other than being in a different set of Commission regulations, or how such a rule would be a material improvement over the approach being adopted as proposed. The Commission does not agree that adopting something different from the final amendments is necessary to achieve the “Commission's privacy and cybersecurity goals in a manner specific to the business and role of transfer agents.” ^[358] Rather, doing so would undermine the Commission's Start Printed Page 47720 goal of establishing a consistent minimum nationwide standard. Further, where necessary, the Commission has already tailored the final amendments in a manner specific to transfer agents. As noted above, the final amendments include a definition of customer that it is specific to transfer agents. Finally, to the extent one of commenters' goals is ensuring that all transfer agent rules are codified in the same place, specifically 17 CFR 240.17Ad, commenters' suggestion would not further that goal. Transfer agents registered with the Commission are already subject to the disposal rule, which is not part of the existing rule set codified at 17 CFR 240.17Ad, and a new safeguards or disposal rule within that section would necessarily cite to Regulation S-P for defined terms and other references.

Application of Laws, Requirements, and Contractual Provisions

Some commenters raised concerns about potential conflicts with, or duplication, of State law requirements. One commenter stated that securityholders of issuers are not customers of the transfer agent and imposing obligations on them creates conflicting and duplicative requirements to those already in place through State laws to safeguard securityholders' personal information.^[359] Another commenter stated that under State law, transfer agents do not notify securityholders of a breach but issuers do.^[360] Specifically, this commenter stated that all fifty States have laws that require transfer agents to notify their issuer clients of unauthorized access to personal information of securityholders, and issuers may then be required to notify securityholders depending on whether the standards of the State law have been met. This commenter also stated that its existing policies, procedures, and contractual obligations are designed to track these State law requirements and that certain provisions in transfer agents' contracts with issuer clients could prohibit transfer agents from notifying securityholders of data breaches in the manner required by the amendments.^[361] Both commenters stated that the Commission should consider preempting State laws to minimize the potential for multiple and competing obligations, and if not, prepare and produce a cost-benefit analysis to identify the specific ways in which the amendments would be an improvement over existing law.^[362] This commenter further explained that the issuer client would notify securityholders depending on whether the standards of the State law have been met.^[363]

While we acknowledge the commenters' concerns, the final amendments permit transfer agents and issuers to develop arrangements to address them. Nothing in the final amendments will prohibit or limit transfer agents' ability to enter into or modify their contracts with issuer clients in a manner that allows the transfer agent to comply with applicable legal requirements. Indeed, some transfer agents already send customer notices on behalf of their issuer clients. As one commenter stated in requesting that the Commission permit covered institutions to have their service providers send breach notices to affected individuals on their behalf, it is a common practice today for investment companies to have their transfer agents assume responsibility for sending affected customers breach notices.^[364] The Commission acknowledges that, to the extent a transfer agent has contractual provisions with issuer clients that prevent securityholders from receiving notice of a breach directly from the transfer agent, the transfer agent may determine to amend those contractual provisions to comply with the final amendments. Further, as discussed above, in a modification from the proposal, the final amendments provide that a covered institution that is required to notify affected individuals may satisfy that obligation by ensuring that the notice is provided by another party (as opposed to providing the notice itself). Accordingly, if a transfer agent experiences an incident affecting securityholders of another covered institution, it would have the option of coordinating with the covered institution as to which institution will actually send the notice.^[365]

As explained in the proposal, the Commission understands that State laws generally require persons or entities that own or license computerized data that includes private information to notify residents of the State when a data breach results in the compromise of their private information.^[366] In addition, State laws generally require persons and entities that do not own or license such computerized data, but that maintain such computerized data for other entities, to notify the affected entity in the event of a data breach (so as to allow that entity to notify affected individuals). However, the specific requirements regarding the timing of the notice, content of the notice, types of data covered, and other aspects may vary.^[367] Indeed, one commenter highlighted the variation and uncertainty among different State law requirements.^[368] Thus, while transfer agents may already be complying with one or more State notification laws, variations in these State laws could result in residents of one State receiving notice while residents of another do not receive notice, or receive it later, or receive different information for the same data breach incident. The final amendments address this concern by imposing a Federal minimum standard for customer notification, which will help ensure timely, consistent notice to affected securityholders regardless of their State of residence.

Impact of Notices From Transfer Agents

One commenter stated that the proposal would equalize standards governing transfer agents, and in doing so, promote investor protection.^[369] On the other hand, several commenters stated that the proposed rule regarding transfer agents would confuse securityholders. One commenter suggested that requiring a transfer agent to identify and contact customers of another institution may cause those customers to be confused and concerned.^[370] Two commenters similarly stated that the notification requirement is likely to confuse securityholders because it would result in securityholders receiving notice from both the transfer agent and the issuer with respect to the same breach.^[371] One commenter further stated that a transfer agent should only be required to notify an issuer of an incident.^[372]

We acknowledge that due to existing State law provisions, individuals affected by a breach at a transfer agent may receive notice from the issuer and the transfer agent with respect to the same breach. Moreover, transfer agents subject to the Banking Agencies' Incident Response Guidance may send notices under those provisions as well, and it is possible that an issuer may also send notices to securityholders, pursuant to State law or other Start Printed Page 47721 requirements. We acknowledge that these existing provisions, coupled with the requirements of the final amendments, may result in multiple notices being sent for the same incident. That said, as explained above, we have modified the final amendments to minimize the likelihood of multiple notices being sent by covered institutions for the same incident.^[373]

Regardless, we do not agree that individuals who receive a notice from both a transfer agent and the issuer with respect to the same breach or who are contacted by a transfer agent on behalf of another institution will be confused. Any potential confusion could be ameliorated through a clear description of the specific incident that would allow an individual to determine whether it is covered by a notice from any covered institution.^[374] Rather than create confusion, as some commenters assert, the final amendments will establish a Federal minimum standard for covered institutions, thereby reducing any extant or potential confusion. As discussed in the proposal, there are variations in existing State laws regarding a firm's duty to investigate a data breach, the specific events that trigger when notice of a breach is required, the timing of any such notices, and other details of a notice. The Federal minimum standard established by the final amendments will eliminate this confusion by ensuring that all affected securityholders receive an appropriate notice, regardless of the securityholder's State of residence, thereby enhancing investor protection overall. This benefit justifies the remote risk of potential confusion suggested by some commenters.

3. Maintaining the Current Regulatory Framework for Notice-Registered Broker-Dealers

The final amendments will, as proposed, contain a number of amendments to Regulation S-P that result in the continuation of the same regulatory treatment for notice-registered broker-dealers as they were subject to under the existing safeguards rule and disposal rule.^[375] Specifically, notice-registered broker-dealers are explicitly excluded from the scope of the disposal rule,^[376] but subject to the safeguards rule. However, under substituted compliance provisions, notice-registered broker-dealers are deemed to comply with the safeguards rule (and all other aspects of Regulation S-P, other than the disposal rule) if they are subject to, and comply with, the financial privacy rules of the CFTC,^[377] including similar obligations to safeguard customer information.^[378] The Commission initially adopted substituted compliance provisions with regard to the safeguards rule in acknowledgment that notice-registered broker-dealers are subject to primary oversight by the CFTC, and to mirror similar substituted compliance provisions afforded by the CFTC to broker-dealers registered with the Commission.^[379] When the Commission later adopted the disposal rule, it excluded notice-registered broker-dealers from the rule's scope, stating its belief that Congress did not intend for the Commission's FACT Act rules to apply to entities subject to primary oversight by the CFTC.^[380] For these reasons, the Commission tailored the proposal to ensure there would be no change in the treatment of notice-registered broker-dealers under the safeguards rule and the disposal rule.^[381]

No comments were received regarding the treatment of notice-registered broker-dealers under the safeguards rule and the disposal rule. For the reasons outlined in the Proposing Release, the Commission is adopting the amendments as proposed.^[382] Specifically, as proposed, the definition of a “covered institution” includes “any broker or dealer,” without excluding notice-registered broker-dealers, thus ensuring that Regulation S-P's substituted compliance provisions still apply to notice-registered broker-dealers with respect to the safeguards rule.^[383] In addition, the final amendments include the “covered institution” defined term within the disposal rule, while retaining the disposal rule's existing exclusion for notice-registered broker-dealers.^[384]

C. Recordkeeping

We are adopting amendments to require covered institutions to make and maintain written records documenting compliance with the requirements of the safeguards rule and of the disposal rule as outlined in the table below (collectively, “recordkeeping requirements”).^[385] We are adopting these amendments substantially as proposed, but, in response to a comment, with modifications designed to provide additional specificity to the scope of certain of the recordkeeping requirements as discussed below. The table below reflects the time periods that covered institutions will be Start Printed Page 47722 required to preserve these records, which are as proposed. These times vary by covered institution but are consistent with existing recordkeeping rules for these entities to the extent they have pre-existing recordkeeping obligations.

Table 1—Recordkeeping Requirements
Covered institution	Rule	Retention period
Registered Investment Companies	17 CFR 270.31a-1(b) 17 CFR 270.31a-2(a)	Policies and Procedures. A copy of policies and procedures in effect, or that at any time in the past six years were in effect, in an easily accessible place.
		Other records. Six years, the first two in an easily accessible place.
Unregistered Investment Companies ¹	17 CFR 248.30(c)	Policies and Procedures. A copy of policies and procedures in effect, or that at any time in the past six years were in effect, in an easily accessible place.
		Other records. Six years, the first two in an easily accessible place.
Registered Investment Advisers	17 CFR 275.204-2(a)	All records for five years, the first two in an easily accessible place.²
Broker-Dealers	17 CFR 240.17a-4(e)	All records for three years, in an easily accessible place.
Transfer Agents	17 CFR 240.17ad-7(k)	All records for three years, in an easily accessible place.
Note:
¹ Regulation S-P applies to investment companies as the term is defined in section 3 of the Investment Company Act (15 U.S.C. 80a-3), whether or not the investment company is registered with the Commission. See17 CFR 248.3(r). Thus, a business development company, which is an investment company but is not required to register as such with the Commission, is subject to Regulation S-P. Similarly, employees' securities companies—including those that are not required to register under the Investment Company Act—are investment companies and are, therefore, subject to Regulation S-P. By contrast, issuers that are excluded from the definition of investment company—such as private funds that are able to rely on section 3(c)(1) or 3(c)(7) of the Investment Company Act—are not subject to Regulation S-P.
² All books and records required to be made under the provision of 17 CFR 275.204-2(a) must be maintained and preserved in an easily accessible place for a period of not less than five years. 17 CFR 275.204-2(e).

These recordkeeping requirements should aid covered institutions in periodically reassessing the effectiveness of their safeguarding and disposal programs by helping to ensure that those institutions have the records needed to perform that assessment. Additionally, maintenance of these records for sufficiently long periods of time and in accessible locations will help the Commission and its staff to monitor compliance with the requirements of the amended rules. We received one comment broadly in support of these recordkeeping requirements.^[386]

The text of the proposed recordkeeping rules were worded differently for different covered institutions. For example, the proposed recordkeeping rule text for broker-dealers and transfer agents detailed the specific records to be kept whereas the proposed rule for advisers stated that advisers would be required to make and keep true, accurate and current a copy of the written records documenting compliance with the requirements of the safeguards and disposal rules.^[387] The Commission sought comment on whether the detailed requirements proposed for broker-dealers and transfer agents should be included in the recordkeeping rules for other covered entities. While no commenter specifically responded to this request, one commenter did suggest that a clarification of the adviser recordkeeping rule could assist in understanding their obligations under the rule.^[388] We are modifying the text of the proposed recordkeeping rules for registered investment advisers and registered and unregistered investment companies to provide in the final amendments the same detailed description as found in the rule text for broker-dealers and transfer agents. This should provide specificity as to what records are required to be kept under all of the recordkeeping rules.^[389] In addition, and in a change from the proposal, we are modifying the final rules to require a covered institution to retain any written documentation from the Attorney General related to a delay in notice.^[390] This should help ensure that a covered institution can justify a valid delay in sending notifications to affected individuals and aid the Commission's examination and oversight program.

The records that will be required under these amendments are:

Written policies and procedures required to be adopted and implemented pursuant to final rule 248.30(a)(1), which requires policies and procedures to address administrative, technical, and physical safeguards for the protection of customer information;
Written documentation of any detected unauthorized access to or use of customer information, as well as any response to, and recovery from such unauthorized access to or use of customer information required by final rule 248.30(a)(3);
Written documentation of any investigation and determination made regarding whether notification to affected individuals is required pursuant to final rule 248.30(a)(4), including the basis for any determination made, any written documentation from the Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination; ^[391]

Written policies and procedures required to be adopted and implemented pursuant to final rule 248.30(a)(5)(i), which requires policies and procedures to oversee, monitor, and conduct due diligence on service providers, including to ensure that the covered institution is notified when a breach in security has occurred at the service provider;
Written documentation of any contract or agreement between a covered institution and a service provider entered into pursuant to final rule 248.30(a)(5); and
Written policies and procedures required to be adopted and implemented pursuant to final rule 248.30(b)(2), which requires policies and procedures to address the proper disposal of consumer information and customer information.

The records that will be required include records of policies and procedures under the safeguards rule that address administrative, technical, and physical safeguards for the protection of customer information.^[392] The requirements will also include Start Printed Page 47723 records documenting, among other things: (i) a covered institution's assessments of the nature and scope of any incidents involving unauthorized access to or use of customer information; (ii) steps taken to contain and control such incidents; and (iii) a covered institution's notifications to affected individuals consistent with the requirements of the final amendments as discussed above, or, where applicable, any determination that notification is not required after a reasonable investigation of the incident.^[393] Records required to be made and maintained will also include records of those written policies and procedures associated with the service provider notification requirements of the final amendments as well as related records of written contracts and agreements between the covered institution and the service provider.^[394]

The disposal rule, as amended, will require that every covered institution adopt and implement written policies and procedures that address the proper disposal of consumer information and customer information.^[395] The only record required under the final amendments for purposes of the disposal rule is these written policies and procedures.^[396]

D. Exception From Requirement To Deliver Annual Privacy Notice

Currently, Regulation S-P generally requires broker-dealers, investment companies, and registered investment advisers to provide customers with annual notices informing them about the institutions' privacy practices (“annual privacy notice”).^[397] The Commission is adopting as proposed amendments to conform Regulation S-P to the requirements of the Fixing America's Surface Transportation Act (“FAST Act”),^[398] which provides an exception to the annual privacy notice required by Regulation S-P, provided certain requirements are met. As proposed, we are amending Regulation S-P to include an exception to the annual privacy notice requirement if the institution (1) only provides non-public personal information to non-affiliated third parties when an exception to third-party opt-out applies and (2) the institution has not changed its policies and practices with regard to disclosing non-public personal information from its most recent disclosure sent to customers.^[399] The amendments also, as proposed, provide the timing for when an institution must resume providing annual privacy notices in the event that the institution changes its policies and practices such that the exception no longer applies. We received one comment supporting the proposed exception and timing requirements.^[400]

We are adopting as proposed amendments to the annual notice provision requirement of Regulation S-P to include the exception to the annual notice delivery added by the statutory exception Congress enacted in the FAST Act. The statutory exception states that a financial institution that meets the requirements for the annual privacy notice exception will not be required to provide annual privacy notices “until such time” as that financial institution fails to comply with the conditions to the exception, but does not specify a date by which the annual privacy notice delivery must resume.^[401] The amended timing requirements are designed to be consistent with the existing timing requirements for privacy notice delivery in Regulation S-P. Specifically, if the change in policies and practices will also result in the institution being required to send a revised privacy notice under the current requirements, the revised notice will be treated as an initial notice for the purpose of the timing requirement and the institution will be required to resume notices at the same time it otherwise provides annual privacy notices.^[402] If a revised notice is not required, the institution will be required to resume providing annual privacy notices within 100 days of the change. The amendments allow institutions to preserve their existing approach to selecting a delivery date for annual privacy notices, thereby avoiding the potential burdens of determining delivery dates based on a new approach and any 100-day period will accommodate the institution delivering the privacy notice alongside any quarterly reporting to customers. The amendments also are intended to be consistent with existing privacy notice delivery requirements of the CFTC, CFPB, and FTC.^[403]

E. Existing Staff No-Action Letters and Other Staff Statements

As stated in the Proposing Release, certain staff letters and other staff statements addressing Regulation S-P and other matters covered by the final amendments may be withdrawn or rescinded in connection with this adoption. Upon the compliance date of these rules, staff letters and other staff statements, or portions thereof, will be withdrawn or rescinded to the extent that they are moot, superseded, or otherwise inconsistent with the rules. This may include the letters and statements below. To the extent any staff statement is inconsistent or conflicts with the requirements of the rules, even if not specifically identified below, that statement is superseded.

Table 2—Letters and Statements
Name of letter or statement	Date issued
Staff Responses to Questions about Regulation S-P	Jan. 23, 2003.
Certain Disclosures of Information to the CFP Board	Mar. 11, 2011; Dec. 11, 2014.
Investment Adviser and Broker-Dealer Compliance Issues Related to Regulation S-P—Privacy Notices and Safeguard Policies	Apr. 16, 2019.

F. Compliance Period

The Commission is providing an 18-month compliance period after the date of publication in the Federal Register for larger entities, and a 24-month compliance period after the date of publication in the Federal Register for Start Printed Page 47724 smaller entities. Table 3 below outlines which entities will be considered “larger entities” for these purposes. Smaller entities will be those covered institutions that do not meet these standards. The Commission generally has approved similar tiered compliance dates with respect to smaller versus larger entities in the past and, in our experience, these thresholds are a reasonable means of distinguishing larger and smaller entities for purposes of tiered compliance dates for rules affecting these entities.^[404]

Table 3—Designation of Larger Entities
Entity	Qualification to be considered a “larger entity”
Investment companies together with other investment companies in the same group of related investment companies ¹	Net assets of $1 billion or more as of the end of the most recent fiscal year.
Registered investment advisers ²	$1.5 billion or more in assets under management.
Broker-dealers ³	All broker-dealers that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act.
Transfer agents ⁴	All transfer agents that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act.
Note:
¹ “Group of related investment companies” is as defined in 17 CFR 270.0-10. We estimate that, as of September 2023, 77% of registered investment companies would be considered to be larger entities. This estimate is based on data reported in response to Items B.5, C.19, and F.11 on Form N-CEN.
² We estimate that, as of September 2023, 23% of registered investment advisers would be considered to be larger registered investment advisers. This estimate is based on data reported in response to Items 2.A and 5.F.2.(c) on Form ADV.
³ A broker or dealer is a small entity if it: (i) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year; and (ii) is not affiliated with any person that is not a small entity. This threshold was chosen to include all broker-dealers who do not fall within the definition of a small entity under the Regulatory Flexibility Act (5 U.S.C. 553). Based upon FOCUS filings for the third quarter of 2023, we estimate approximately 77% of broker-dealers, not including funding portals, would be considered larger entities. Based upon staff analysis and review of public filings, we estimate approximately 3% of funding portals would be considered larger entities.
⁴ A transfer agent is a small entity if it: (i) received less than 500 items for transfer and less than 500 items for processing during the preceding six months; (ii) transferred items only of issuers that are small entities; (iii) maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts or was the named transfer agent for less than 1,000 shareholder accounts at all times during the preceding fiscal year; and (iv) is not affiliated with any person that is not a small entity. 17 CFR 240.0-10. This threshold was chosen to include all transfer agents who do not fall within the definition of a small entity under the Regulatory Flexibility Act. Based on the number of transfer agents that reported a value of fewer than 1,000 for items 4(a) and 5(a) on Form TA-2 filed with the Commission as of September 30, 2023, we estimate approximately 132 transfer agents may be considered small entities, of 315 total registered transfer agents. See infra section VI.

We proposed a 12-month transition period from the effective date for all covered institutions, regardless of asset size, and we solicited comment on whether the compliance period should be shorter or longer, and whether it should be the same for all covered institutions. Commenters that addressed this aspect of the proposal urged the Commission to provide additional time, generally suggesting a two-year or three-year period to provide time for covered institutions to prepare to comply with the rule's requirements.^[405] Commenters suggested that the proposed compliance period underestimates the time it would take to implement any final rule.^[406] In particular, commenters expressed that advisers will need to holistically reassess their current service provider infrastructure and may need time to find new service providers or renegotiate terms of service provider agreements in order to comply with the rule's requirements.^[407] Separately, two commenters urged the Commission to consider a tiered compliance period that staggers the compliance date based on firm size, with larger firms having to comply with the rule's requirements prior to smaller firms.^[408] These commenters asserted that a longer compliance period for smaller broker-dealers and investment advisers would allow these firms to benefit from the implementation of larger industry participants.

We have taken commenter concerns into account in determining the compliance schedule,^[409] and we are adopting a compliance period of 18-months following the date of publication of the final amendments in the Federal Register for larger entities, and 24-months following the date of publication in the Federal Register for smaller entities.^[410] The compliance period we are adopting is designed to Start Printed Page 47725 strike the appropriate balance between allowing covered institutions adequate time to establish or adjust their data notification compliance practices and allowing customers and investors to benefit from the amended RegulationS-P framework. Taking concerns of smaller entities into account, smaller entities will benefit from having an additional six months to come into compliance with the final amendments, based on feedback from commenters and to the extent that smaller entities may face additional or different challenges in coming into compliance with the final amendments than larger entities. Although we are providing for a longer compliance period than proposed, we are not providing more than 18 or 24 months, as suggested by some commenters, because we have made modifications from the proposal that should alleviate commenters' concerns related to time needed to establish and implement processes to comply with the final amendments. In a modification from the proposal, the final amendments will no longer require covered institutions to have a written contract with its service providers mandating that service providers take appropriate measures to protect against unauthorized access to or use of customer information, but will instead require covered institutions to establish written policies and procedures reasonably designed to oversee, monitor, and conduct due diligence on service providers.^[411] Accordingly, the compliance dates will provide an appropriate amount of time for covered institutions to comply with the final amendments.

III. Other Matters

Pursuant to the Congressional Review Act,^[412] the Office of Information and Regulatory Affairs has designated the final amendments as a “major rule” as defined by 5 U.S.C. 804(2). If any of the provisions of these rules, or the application thereof to any person or circumstance, is held to be invalid, such invalidity shall not affect other provisions or application of such provisions to other persons or circumstances that can be given effect without the invalid provision or application.

IV. Economic Analysis

A. Introduction

The Commission is mindful of the economic effects, including the benefits and costs, of the adopted amendments. Section 3(f) of the Exchange Act, section 2(c) of the Investment Company Act, and section 202(c) of the Investment Advisers Act provide that when engaging in rulemaking that requires us to consider or determine whether an action is necessary or appropriate in or consistent with the public interest, to also consider, in addition to the protection of investors, whether the action will promote efficiency, competition, and capital formation. Section 23(a)(2) of the Exchange Act also requires us to consider the effect that the rules will have on competition and prohibits us from adopting any rule that would impose a burden on competition not necessary or appropriate in furtherance of the Exchange Act. The analysis below addresses the likely economic effects of the final amendments, including the anticipated and estimated benefits and costs of the amendments and their likely effects on efficiency, competition, and capital formation. The Commission also discusses the potential economic effects of certain alternatives to the approaches taken in this adoption.

The final amendments require every broker-dealer,^[413] every funding portal,^[414] every investment company, every registered investment adviser, and every transfer agent to notify affected customers of certain data breaches.^[415] To that end, the final amendments require these covered institutions to develop, implement, and maintain written policies and procedures that include an incident response program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information,^[416] and that includes a customer notification component for cases where sensitive customer information has been, or is reasonably likely to have been, accessed or used without authorization.^[417] The final amendments also define the scope of information covered by the safeguards rule and by the disposal rule,^[418] and extend the covered population to all transfer agents registered with the Commission or with another appropriate regulatory agency.^[419] Finally, the final amendments impose various related recordkeeping requirements,^[420] and include in the regulation an existing statutory exception to annual privacy notice requirements.^[421]

The final amendments will affect covered institutions as well as customers who will receive the required notices. The final amendments will also have indirect effects on service providers that receive, maintain, process, or otherwise are permitted access to customer information on behalf of covered institutions: under the final amendments, unauthorized access to or use of sensitive customer information via service providers will fall under the customer notification requirement. The final amendments require that a covered institution's incident response program include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers.^[422] These policies and procedures must be reasonably designed to ensure that service providers take appropriate measures to protect against unauthorized access to or use of customer information and provide notification to the covered institution of a breach of security resulting in Start Printed Page 47726 unauthorized access to a customer information system maintained by the service provider.^[423]

The main economic effects of the final amendments will result from the notification and incident response program requirements applicable to all covered institutions.^[424] For reasons discussed later in this section, the extension of Regulation S-P to transfer agents will have more limited economic effects.^[425] Finally, we anticipate the recordkeeping requirements and the incorporation of the existing statutory exception to annual privacy notice requirements to have minimal economic effects, as discussed further below.^[426]

The main economic benefits of the final notification and incident response program requirements, as well as the extension of Regulation S-P to include all transfer agents, will result from enhanced protection of customer information. Customers will directly benefit from the opportunity to take appropriate mitigating actions to protect their accounts and information in the event of unauthorized access to or use of their sensitive information. Direct benefits will result from covered institutions allocating additional resources towards policies and procedures, information safeguards, and cybersecurity to comply with the final requirements. There may lastly be indirect benefits from covered institutions undertaking these actions to the extent they seek to avoid reputational harm resulting from the mandated notifications. These additional resources will contribute to reducing the exposure of covered institutions, and of the broader financial system, to incidents resulting in unauthorized access to or use of customer information.^[427] The main economic costs from these new requirements will be compliance costs related to the development and implementation of the required policies and procedures, reputational costs borne by firms that would not otherwise have notified customers of a data breach, and indirect costs from increased expenditures on additional safeguards for covered institutions who will choose to make such investments to avoid such reputational costs.^[428]

We anticipate that the economic benefits and costs of the final notification requirements will—in the aggregate—be limited because all States already require some form of customer notification of certain data breaches,^[429] and because many entities are likely to already have response programs in place.^[430] Many customers already receive some level of data breach notification under other laws. This means that the benefits and costs, both direct and indirect, will only accrue from actions taken by covered institutions that are not already required by existing rules or caused by existing competitive forces. The final amendments will, however, afford many individuals greater protections by, for example, defining “sensitive customer information” more broadly than the current definitions used by certain States; ^[431] providing for a 30-day notification outside timeframe that is shorter than the timing currently mandated by many States, including States providing for no deadline or those allowing for various delays; ^[432] and providing for a more robust notification trigger than in many States.^[433] The final amendments also limit the time a service provider can take to notify a covered institution of a breach to 72 hours, which is a shorter period of time than mandated by many States, allowing covered institutions to notify their customers faster if such notification is required under the final amendments.^[434] Further, in certain States, State customer notification laws do not apply to entities subject to or in compliance with the GLBA, and the final amendments will help ensure that customers residing in these States receive notice of a breach if it occurs.^[435] The final amendments will help ensure that all customers, regardless of where they reside, receive a minimum of information regarding a given breach affecting their information and are therefore equally able to take appropriate mitigating actions.

For these reasons, the final requirements will improve customers' knowledge of when their sensitive information has been compromised. Specifically, we expect that the adopted Federal minimum standard for notifying customers of certain types of data breaches, along with the preparation of written policies and procedures for incident response, will result in more customers being notified of these data breaches as well as faster notifications for some customers, and that both of these effects will improve customers' ability to act to protect their personal information. Moreover, such improved notification will—in many cases—become public and impose additional reputational costs on covered institutions that fail to safeguard customers' sensitive information. We expect that these potential additional reputational costs will increase the disciplining effect on covered institutions, incentivizing them to improve customer information safeguards and reduce their exposure to data breaches, thereby improving the resilience of the financial system more broadly.^[436] This will reduce economic inefficiency in that it will better align customers' and covered institutions' incentives to safeguard customer information, but will also result in new indirect costs for covered institutions who choose to undertake these improvements in order to avoid those potential reputational costs. In addition, by revealing when breaches occur, the final amendments will help provide customers with information on the effectiveness of covered institutions' customer information safeguards, further helping customers make better-informed decisions when choosing a covered institution.^[437]

To the extent that a covered institution does not have policies and procedures to safeguard customer information and respond to unauthorized access to or use of customer information, it will bear the costs to develop and implement the Start Printed Page 47727 required policies and procedures for the incident response program.^[438] Moreover, transfer agents—who were not subject to any of the customer information safeguard provisions of Regulation S-P prior to this adoption—will face additional compliance costs related to the development of policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information.^[439]

As adopting policies and procedures involves fixed costs, doing so is very likely to impose a proportionately larger compliance cost on smaller covered institutions as compared to larger covered institutions.^[440] This may reduce smaller covered institutions' ability to compete with their larger peers, for whom the fixed costs are spread over more customers.^[441] However, given the considerable competitive challenges arising from economies of scale and scope already faced by smaller firms, we do not anticipate that the costs associated with this adoption will significantly alter these challenges. Similarly, although the final amendments may lead to improvements to capital formation, existing State rules are similar in many respects to the amendments, and so we do not expect the amendments to have a significant impact on capital formation vis-à-vis the baseline.^[442]

Many of the benefits and costs discussed below are difficult to quantify. Doing so would involve estimating the losses likely to be incurred by a customer in the absence of mitigation measures, the efficacy of mitigation measures implemented with a given delay, and the expected delay before notification can be provided under the final amendments. In general, data needed to arrive at such estimates are not available to the Commission. Thus, while we have attempted to quantify economic effects where possible, much of the discussion of economic effects is qualitative in nature.

B. Broad Economic Considerations

In a market with complete information, customers are able to perfectly observe the quality of the goods and services being provided and the processes and service provider relationships by which they are being provided. Fully informed customers can then decide what level of quality of good or service to consume, based on their own personal preferences. In this context, one element of a financial service's quality is the customer information safeguards of the firm providing the service, which capture the likelihood of a customer's information being exposed in the event of a breach, as well as the firm's response to such a breach if it were to occur.^[443] Under this assumption, a customer is then able to choose a financial firm that offers a service of a quality that meets his or her preferences.^[444]

In the context of covered institutions—firms whose services frequently involve custody of highly sensitive customer information—the assumption of complete information is unrealistic. Customers have little visibility into the internal processes of a firm and those of its service providers, so it is impractical for them to directly observe the level of customer information safeguards that a firm is employing.^[445] In addition, customers generally do not know how a firm would respond to a breach, including whether and to what extent a firm would inform its customers about such breach.^[446] In fact, firms often lack incentives to voluntarily disclose when information breaches occur (and likely have substantial incentives to avoid such disclosures). Hence, customer information could be compromised without the customers being informed or with the customers being only partially informed.^[447] As a result, prospective customers have limited ability to choose a covered institution that is offering the service that most closely meets their needs. In addition, current customers may be paying for a service that is of lower quality than they expect.^[448] In both cases, customers have limited ability to avoid covered institutions that fail to protect customer information to the level expected by these customers.^[449] Hence, this information asymmetry prevents market forces from penalizing covered institutions that fail to protect customer information, and therefore prevents market forces from yielding economically efficient outcomes. This market failure serves as the economic rationale for this regulatory intervention.

The information asymmetry can lead to three inefficiencies. First, the information asymmetry about specific information breaches that have occurred prevents individual customers whose information has been compromised from taking timely actions ( e.g., increased monitoring of account activity or placing blocks on credit reports) necessary to mitigate the potential Start Printed Page 47728 consequences of such breaches. Second, the information asymmetry about covered institutions' efforts at avoiding and limiting the consequences of such breaches can lead to customers choosing financial firms with levels of safeguards different from what they expect, which can result in customers choosing firms that they would not have otherwise chosen if provided with better information. Third, this asymmetry can also reduce covered institutions' incentives to sufficiently safeguard customer information. As a result, they could devote too little effort ( i.e., “underspend”) toward safeguarding this information, thereby increasing the probability of the information being compromised in the first place.^[450] This scenario is often characterized as a moral hazard problem. When an agent's actions cannot be observed or directly contracted for by the principal, it is difficult to induce the agent to supply the proper amounts of productive inputs.^[451] In other words, information asymmetry prevents covered institutions (the agents) that spend more effort on safeguarding customer information from having customers (the principals) recognize their extra efforts and therefore prevents the covered institutions from realizing some of the benefits associated with this additional effort.^[452] This reduces the incentives for covered institutions to exert effort towards safeguarding information.^[453]

We expect the final amendments may mitigate the inefficiencies described above in several ways. First, by helping facilitate timely and informative notices to customers when their information is compromised, the amendments may mitigate information asymmetries around the compromise of information and improve customers' ability to take appropriate remedial actions. Second, by revealing when such events occur, the amendments may help customers draw inferences about a covered institution's efforts toward protecting customer information, which might help inform their choice of covered institution and reduce the probability of customers inadvertently choosing a firm that is less likely to meet their preferences or needs.^[454] This, in turn, might provide firms with greater incentives to exert effort toward protecting customer information,^[455] thereby mitigating the moral hazard problem. And, by imposing a regulatory requirement to develop, implement, and maintain policies and procedures, the final amendments might further enhance firms' cybersecurity preparations and will restrict firms' ability to limit efforts in these areas.

The effectiveness of the final amendments at mitigating these problems will depend on several factors. First, the effectiveness of the amendments will depend on the degree to which breach notification provides customers with sufficient actionable information in a sufficient timeframe to help them mitigate the effects of the compromise of sensitive customer information. Second, it will depend on customers' ability to draw inferences on a covered institution's protection of customer information based on the notifications they receive, or the absence thereof.^[456] Third, it will also depend on the degree to which the prospect of issuing such notices—and the prospect of the reputational harm, litigation, and regulatory scrutiny that could ensue—helps alleviate underspending on safeguarding customer information.^[457] These factors themselves depend on the extent to which covered institutions already have in place processes and practices that satisfy the final requirements and therefore on the extent to which the amendments will induce improvements to existing practices relative to the baseline.^[458]

Some commenters supported generally the economic rationale in the Proposing Release.^[459] Some of these commenters expressed that the asymmetric information market failure was present in this context.^[460] Some Start Printed Page 47729 commenters stated that this market failure could lead to inefficiencies.^[461] One commenter stated that firms “either seek to skirt notification requirements altogether or provide vague or confusing notifications,” preventing affected individuals from taking timely actions, and that firms' self-interest could lead them to fail to notify customers affected by a breach.^[462] Another commenter stated its view that firms have a natural tendency to want to avoid making disclosures that could incur liability or lead to a loss of customers.^[463] Another commenter stated that beginning in the fourth quarter of 2021, less information started being included in data breach notices and that in 2022, only 34 percent of notices included information about the breaches and their victims.^[464] This commenter further added that this lack of actionable information in breach notices prevented individuals from effectively judging the risks they faced and from taking the appropriate actions to protect themselves.^[465] One commenter supported the economic rationale of the Proposing Release, stating that stronger notification requirements could effectively incentivize covered institutions to improve their data security practices in order to avoid the reputational harm associated with distributing breach notices.^[466]

Other commenters disagreed with the economic rationale in the Proposing Release and stated that covered institutions' level of customer information safeguards and/or breach notification practices were already adequate, and that existing regulation made the amendments unnecessary.^[467] We disagree with these commenters that the amendments are unnecessary, even if some covered institutions may already have policies and procedures in place that satisfy the final amendments' requirements. We have discussed, here and in the Proposing Release, the information asymmetries that prevent customers from knowing whether or how they will be notified of a data breach and from choosing firms based on the level of their customer information safeguards.^[468] Furthermore, in addition to describing existing requirements and guidance available to (and potentially adopted by) covered institutions addressing customer information safeguards and customer notification, we have described (here and in the Proposing Release) a variety of practices and State law requirements that could lead to different notification outcomes depending on where the customer resides.^[469] In particular, we have described a variety of delays and inconsistencies in notification under existing requirements.^[470] Hence, the Proposing Release described in detail the existing regulatory framework and analyzed the benefits and costs of the proposed amendments relative to this framework. In addition, as discussed above, some commenters provided additional evidence of deficiencies in existing practices.^[471] Moreover, in response to commenters, we have supplemented the analysis of the amendments' benefits and costs, describing in greater detail the changes made by the final amendments over the baseline.^[472] We summarize these changes below. We have also supplemented the analysis of the expected benefits and costs of expanding the scope of the safeguards and disposal rules to include transfer agents.^[473]

In particular, the variety of practices and State law requirements that could lead to different notification outcomes under existing requirements provides a further rationale for the rule and motivated specific differences in the final amendments relative to State laws. We discuss the effects of these differences in detail below,^[474] but for example, the required timing of notification in the final amendments is stricter than under many State laws. The analysis in section IV.D.1.b(2) provides evidence that currently, many customers receive notification long after the event. The amendments are designed to help ensure that customers receive notification in a timely manner. In addition, the notification obligation covers a set of customer information that is broader than in many State laws, thereby covering more data breaches. Moreover, the final amendments require certain information to be included in the notice sent to customers. This requirement will help ensure that customers receive relevant information, allowing them to take appropriate mitigating actions in case of a breach. Hence, while the final amendments contain some requirements that are similar to those in some existing State laws, the final requirements are stricter than many State laws and may therefore lead to customers receiving additional, timelier, and more relevant notices than under existing regulations.^[475] In addition, variations in State law requirements highlight the need for a consistent Federal minimum standard for covered institutions. Such a standard will protect all customers regardless of their State of residence and reduce the potential confusion that could result from customers in one State receiving Start Printed Page 47730 notice of an incident while customers in another State do not.

Other commenters stated that the analysis in the Proposing Release underestimated the costs of the amendments.^[476] Some commenters also stated that the proposed amendments in general would be very costly to implement for smaller covered institutions.^[477] As discussed more fully below, we expect some of the changes made to the final amendments to result in lower costs relative to the proposal.^[478] For example, the changes made to the service provider provisions of the amendments (requiring that covered institutions oversee service providers instead of requiring written contracts between covered institutions and their service providers, and requiring that the covered institution's policies and procedures be reasonably designed to ensure service providers take appropriate measures to notify covered institutions of an applicable breach in security within 72 hours instead of 48 hours) may reduce some costs relative to the proposal and facilitate their implementation, especially for smaller covered institutions.^[479] In addition, in a change from proposal, we are adopting longer compliance periods for all covered institutions, and an even longer compliance period for smaller covered institutions,^[480] who are less likely to already have policies and procedures broadly consistent with the final amendments.

C. Baseline

The baseline against which the costs, the benefits, and the effects on efficiency, competition, and capital formation of the final amendments are measured consists of current requirements for customer notification and information safeguards, current practice as it relates to customer notification and information safeguards, and the current market structure and regulatory framework. The economic analysis appropriately considers existing regulatory requirements, including recently adopted Commission rules as well as State, Federal, and foreign laws and regulations, as part of the economic baseline against which the costs and benefits of the final amendments are measured.^[481]

Several commenters requested that the Commission consider interactions between the economic effects of the proposal and other recent Commission proposals.^[482] The Commission adopted several of the rules mentioned by commenters, namely the Electronic Recordkeeping Adopting Release,^[483] the Form N-PX Adopting Release,^[484] the Settlement Cycle Adopting Release,^[485] the May 2023 SEC Form PF Adopting Release,^[486] the Public Company Cybersecurity Rules,^[487] the Money Market Fund Adopting Release,^[488] the Investment Company Names Adopting Start Printed Page 47731 Release,^[489] the Beneficial Ownership Adopting Release,^[490] the Private Fund Advisers Adopting Release,^[491] the Securitizations Conflicts Adopting Release,^[492] and the February 2024 Form PF Adopting Release.^[493] These adopted rules are part of the baseline against which this economic analysis considers the benefits and costs of the final amendments. In response to commenters, this economic analysis also considers potential economic effects arising from the extent to which there is any overlap between the compliance period for the final amendments and the compliance periods for these other adopted rules.^[494]

The parties directly affected by the final amendments, the “covered institutions,” ^[495] include every broker-dealer (3,476 entities),^[496] every funding portal (92 entities),^[497] every investment company (13,766 distinct legal entities),^[498] every investment adviser (15,565 entities) registered with the Commission,^[499] and every transfer agent (315 entities) registered with the Commission or another appropriate regulatory agency.^[500] In addition, the final amendments will affect current and prospective customers of covered institutions as well as certain service providers to covered institutions.^[501] The final amendments will impact hundreds of millions of customers. For example, as discussed in more detail in subsequent sections, carrying broker-dealers report a total of 233 million customer accounts,^[502] registered investment advisers report a total of more than 51 million individual clients,^[503] and transfer agents report around 250 million individual accounts.^[504]

1. Safeguarding Customer Information: Risks and Practices

Over the last two decades, the widespread adoption of digitization and the migration toward internet-based products and services has radically changed the manner in which firms interact with customers. This trend has also applied to the financial services industry.^[505] Alongside this progress, the industry has observed increased exposure to cyberattacks that threaten not only the financial firms themselves, but also their customers. Hence, the trend toward digitization has increasingly turned the problem of safeguarding customer records and information into one of cybersecurity. ^[506] Start Printed Page 47732 Cyber threat intelligence surveys find the financial sector to be a highly attacked industry,^[507] making the problem of cybersecurity particularly acute for financial firms. The customer records and information in their possession can be quite sensitive ( e.g., personal identifying information, bank account numbers, financial transactions) and their compromise could lead to substantial harm.^[508]

Certain recent changes in the industry, including changes discussed by commenters, have continued the trend toward digitization and the importance of cybersecurity. For example, the shift to remote work has brought new cybersecurity challenges. One commenter stated that 91 percent of data security professionals saw negative risk implications from remote and hybrid work.^[509] The same commenter cited a report finding that in 2022, the cost of a data breach was on average nearly $1 million higher when remote work was a factor in the breach and more than $1 million higher in organizations with a share of employees working remotely between 80 percent and 100 percent compared with organizations where less than 20 percent of employees worked remotely.^[510] Remote work arrangements have significantly expanded following the onset of the COVID-19 pandemic in the United States in 2020,^[511] and a recent study found the financial services industry to be the fifth most flexible industry in terms of work location flexibility.^[512]

The financial sector is one of the biggest spenders on cybersecurity measures: a recent survey found that financial firms spent an average of approximately 13.6 percent of their technology budget on cybersecurity in 2023, compared to an overall average across industries of 11.6 percent.^[513] While spending on cybersecurity measures in the financial services industry is considerable, it may nonetheless be inadequate—even in the estimation of financial firms themselves. According to one recent survey, 58 percent of financial firms self-reported “underspending” on cybersecurity measures.^[514] In addition, some covered institutions increasingly use third-party vendors to provide a wide range of functions, which may implicate a review of those service providers' cybersecurity controls.^[515]

Before adopting these amendments, the Commission did not require covered institutions to notify customers (or the Commission) in the event of a data breach, and so statistics relating to data breaches that occurred at covered institutions were not readily available. However, data compiled from notifications required under various State laws indicate that in 2022 the number of data breaches reported in the U.S. was 1,802—a 3 percent decrease over 2021, but a 63 percent increase over 2020.^[516] Of these, 268 (15 percent) were reported by firms in the financial services industry.^[517] However, the report estimating these statistics states that the 1,802 breaches reported are a minimum estimate and states that in the U.S., the number of breach notices issued per business day in 2022 (7 notices) was much lower than in the European Union (356 notices) in 2021 (the last year for which data is available).^[518] One commenter cited a report stating that nearly half of U.S. consumers had been affected by data breaches where a firm holding their personal data was hacked, compared to a global average of 33 percent of consumers.^[519]

The average total cost of a data breach for a U.S. firm in 2023 was estimated to be $9.48 million by one report.^[520] While the report does not provide estimates for U.S. financial services firms specifically, it estimated that world-wide, the cost of a data breach for financial services firms averaged $5.90 million, and that average costs for U.S. firms were approximately twice the world-wide average.^[521] Hence, we can estimate that for U.S. financial firms, the cost of a data breach was about $12 million. The bulk of these costs is attributed to detection and escalation (36 percent), lost business (29 percent), and post-breach response (27 percent); customer notification is estimated to account for only a small fraction (8 percent) of these costs.^[522] For the U.S. Start Printed Page 47733 financial industry as a whole, this implies an estimate of aggregate notification costs under the baseline of between $200 million and $250 million.^[523] Because these estimates are based on data breach incidence rates for all firms, and because financial firms are part of one of the most attacked industries,^[524] the actual aggregate notification costs are likely higher than this estimated range.

Some commenters supported the Proposing Release's assessment that data breaches are an important risk currently faced by covered institutions and their customers.^[525] One commenter cited an article describing a data breach at a financial institution that had cost that institution more than $150 million.^[526] Commenters also mentioned additional types of risks. One commenter stated that in addition to the financial costs imposed on firms by data breaches, individuals whose sensitive information is compromised also suffer harms, both financial and psychological, as many become victims of identity theft.^[527] Another commenter stated that the consequences of these breaches were staggering and that the Commission's proposals to establish minimum standards for incident response and breach notification could help with mitigation.^[528] The same commenter cited a report by the Government Accountability Office indicating that past victims of identity theft, which can be a consequence of data breaches, have “lost job opportunities, been refused loans, or even been arrested for crimes they did not commit as a result of identity theft.” ^[529]

2. Regulations and Guidelines

Two features of the existing regulatory framework are most relevant to the amendments: existing regulations that require covered institutions to notify customers in the event that their information is compromised; and existing regulations and guidelines that affect covered institutions' practices for safeguarding customers' information. While the relevance of the former is obvious, the latter is potentially more significant: regulations aimed at improving firms' practices for safeguarding customer information reduce the need for data breach notifications in the first place. In this section, we summarize these two aspects of the regulatory framework as well as existing annual notice delivery requirements.

a. State Law Customer Notification Requirements

(1) Scope of Requirements

All 50 States and the District of Columbia impose some form of data breach notification requirement under State law. These laws vary in detail from State to State but have certain common features. State laws trigger data breach notification obligations when some type of “personal information” of a State's resident is either accessed or acquired in an unauthorized manner, subject to various common exceptions. For the vast majority of States (46), a notification obligation is triggered only when there is unauthorized acquisition, while a handful of States (5) require notification whenever there is unauthorized access.^[530]

Generally, States can be said to adopt either a basic or an enhanced definition of personal information. A typical example of a basic definition specifies personal information as the customer name linked to one or more pieces of nonpublic information such as Social Security number, driver's license number (or other State identification number), or financial account number together with any required credentials to permit access to said account.^[531] A typical enhanced definition includes additional types of nonpublic information that trigger the notification requirement; examples include: passport number, military identification number, or other unique identification number issued on a government document commonly used to verify the identity of a specific individual; unique biometric data generated from measurements or technical analysis of human body characteristics, such as a fingerprint, retina, or iris image, used to authenticate a specific individual.^[532] Enhanced definitions also trigger notification requirements when a username or email address in combination with a password or security question and answer that would permit access to an online account is compromised.^[533] Most States (37) adopt some form of enhanced definition, while a minority (14) adopt a basic definition.

One commenter stated that all States provided an exception to the notification requirement if the data compromised were encrypted.^[534] We found that States may include an explicit encryption or redaction exception in their definition of personal information,^[535] in their definition of breach,^[536] or in the determination that notification of affected individuals is necessary.^[537] Multiple States include at least two of these exceptions. States Start Printed Page 47734 vary, however, in the whether and how they define encryption or redaction.^[538]

Most States (43) provide an exception to the notification requirement if, following a breach of security, the entity investigates and determines that there is no reasonable likelihood that the individual whose personal information was breached has experienced or will experience certain harms (“no-harm exception”).^[539] Twenty of these States do not have a presumption of notification and instead require notification only if, for example, an investigation reveals a risk of harm or misuse.^[540] Although the types of harms vary by State, they most commonly include: “harm” generally (13), identity theft or other fraud (10), or misuse of personal information (8). Figure 1 plots the frequency of the various types of harms referenced in States' no-harm exceptions.

(2) Timing, Content, and Method of Notification

In general, State laws provide a general principle for timing of notification ( e.g., delivery shall be made “without unreasonable delay,” or “in the most expedient time possible and without unreasonable delay”).^[541] Some States augment the general principle with a specific deadline ( e.g., notice must be made “in the most expedient time possible and without unreasonable delay, but not later than 30 days after the date of determination that the breach occurred” unless certain exceptions apply).^[542] All States allow for a delay if it is requested by a law enforcement agency.^[543] Additionally, some States allow for a delay if necessary to determine the nature and scope of the breach or to restore the reasonable integrity of the information system.^[544] Figure 2 plots the frequency of different notification deadlines in Start Printed Page 47735 State laws. For States with specific deadlines, the figure distinguishes between States that allow an exception to determine the nature and scope of the breach or to restore the reasonable integrity of the information system, and those that do not.

One commenter stated that, where State laws have a 30-day notice requirement, the 30-day periods generally do not begin to run until a determination has been made that the incident affected residents of that State that will require notice, and that the Commission's proposed 30-day requirement would be triggered much sooner in the process.^[545] The same commenter also stated that notices are currently sent to individuals whose information is reasonably believed to have potentially been affected after the findings of an investigation are determined.^[546] To help analyze and respond to these comments, and also to provide additional context for our analysis of the possible effects of the final amendments,^[547] we conducted supplemental analysis of the frequency of different triggers for the specific deadline requirement in the 20 States that specify such a deadline. The results of this analysis are in Figure 3 and demonstrate variation in triggering events. For example, State laws specify that the notification of customers be made “not later than sixty days from the discovery of the breach,” ^[548] or “no later than 30 days after the determination of a breach or reason to believe a breach occurred.” ^[549] Many of these triggers use words such as “determination” or “confirmation,” which, consistent with the commenter's observation, suggests investigation that might cause the specific deadline to be triggered later than the Commission's proposed or adopted notification trigger, although “discovery of breach”—used in five States—could potentially be earlier.^[550]

One commenter stated that most State data breach notification laws did not specify a number of days to report a breach, and that of the States that did have a specific timeframe, many had an exception allowing for compliance with the GLBA in lieu of adherence to their timeframes.^[551] To help analyze and respond to this comment, and also to provide additional context for our analysis of the possible effects of the final amendments, we conducted supplemental analysis of the overlap between States that have a specific deadline and States that include a GLBA exception.^[552] We found that of the 20 States that have a specific deadline, 10 do not include a GLBA exception.^[553]

Additionally, one commenter stated the establishment of a Federal minimum standard for data breach notification would satisfy State notice laws that provide exemptions for firms subject to such a requirement.^[554] To help analyze and respond to this comment, and also to provide additional context for our analysis of the possible effects of the final amendments,^[555] we conducted supplemental analysis of this question. We have found that some States excuse entities from individual notification under State law if the entities comply with the notification requirements of a Federal regulator or, in some cases, another State. Some States allow these substitute notifications to replace their own state-specific requirements on notice content and timing,^[556] while others only allow it if the provisions are at least as protective as State law.^[557]

Some commenters stated that different State laws currently have different requirements as to what content must be included in a notice to customers.^[558] One of these commenters further stated that, as a result, covered institutions may, when they experience a data breach incident today, send different notification letters to residents of different States for the same incident.^[559] To help analyze and Start Printed Page 47737 respond to these comments, and to provide additional context for our analysis of the possible effects of the final amendments,^[560] we conducted supplemental analysis of the frequency at which different items are currently required by State laws to be included in notices to customers. This analysis, shown in Figure 4, supports commenters' observation that different States have different requirements. While half of the States do not have such requirements, many States (25) provide minimum content to be included in the notices sent to individuals whose information has been affected by a breach. The most common required items include the type of information affected, contact information for consumer reporting agencies, and the date of the breach. Figure 4 plots the frequency of different items required by State laws to be included in the notices.

States also differ in their requirements regarding the method that must be used to notify affected individuals.^[561] While all States allow for a written notification, most States impose conditions if the notice is sent electronically. For example, 37 States provide that a notice can be sent electronically only if the notice is consistent with the Electronic Signatures in Global and National Commerce Act.^[562] Fifteen States have as a condition that a primary method of communication between the entity and the affected residents be by electronic means.^[563] Five States impose no condition for electronic notices,^[564] and 2 States only require that the notifying institution have the email address of the affected individuals.^[565] In addition, 26 States allow for the notice to be made over the phone.^[566] Of these 26 States, 7 provide that a condition for a telephonic notice is that contact is made directly with the affected individuals.^[567]

All States allow, under some conditions, for substitute notification instead of the required methods of notification discussed above. The most common conditions include a specified large number of individuals to notify and/or a minimum dollar cost to notify the affected individuals. These conditions vary widely across States.^[568] In most States, a substitute notice consists of all of the following elements: email notification to the affected individuals, a notice on the institution's website, and notification to major statewide media.^[569] However, other States have fewer requirements.^[570]

(3) Notification by Service Providers

Some data breach incidents involve service providers. Covered institutions may use service providers to perform certain business activities and functions, such as trading and order management, information technology functions, and cloud computing services. As a result of this outsourcing, service providers may receive, maintain, or process customer information, or be permitted to access it, and therefore a security incident at the service provider could expose information at or belonging to the covered institution. In general, State laws require persons and entities that maintain computerized data for other entities, but do not own or license that data, to notify the data-owning entity in the event of a data breach (so as to allow that entity to notify affected individuals).^[571] However, several State laws provide that a covered institution may contract with the service provider such that the service provider directly notifies affected individuals of a data breach.^[572] In addition, some States impose the responsibility of notifying affected individuals on entities that maintain or possess the data even if they do not own or license it.^[573]

Some commenters opposed the proposed provision that would have required service providers to notify covered institutions of a breach of sensitive customer information within 48 hours.^[574] A commenter further stated that our analysis of the effects of this requirement was incomplete.^[575] We conducted supplemental analysis of the notification timeframe required by State laws for entities that do not own or license the compromised data to help analyze and respond to these comments, and to provide additional context for our analysis of the possible effects of the final amendments.^[576]

In general, State laws provide a window for notification of the entity that owns or licenses the data by the entity that maintains the data.^[577] Ten States provide a specific deadline of either 24 hours (one State),^[578] 10 days (four States),^[579] 45 days (four States),^[580] or 60 days (one State).^[581] Thirty-eight States provide instead a general principle such as “as soon as practicable” or “without unreasonable delay.” ^[582] In particular, 24 States require the notification to take place immediately after the discovery of the breach or the determination that a breach has occurred.^[583] Figure 5 plots the frequency of these different provisions across State laws. This variation across State laws in timelines for (1) notification of the entity that owns or licenses the data by the entity that maintains the data and (2) notification of the affected individuals by the entity that owns or licenses the data can result in widely different lengths of time between the discovery of a breach and the time the affected individuals are notified. In addition, variations in these State laws could result in residents of one State receiving notice while residents of another receive no notice for the same data breach incident.^[584]

Some of the service providers that will be affected by the final amendments are covered institutions themselves.^[585] Also, some entities that are covered institutions but not service providers under the final amendments could, under State law, be entities that maintain but do not own or license that data, meaning they may have an obligation under State law to notify the data owner.^[586] In particular, commenters stated that transfer agents were generally considered service providers of the securities issuers under State laws.^[587] State laws typically require transfer agents to notify the securities issuers in case of security breach, which in turn must notify the affected customers. One commenter stated that transfer agents were, in addition, often required by contract to notify their securities issuer clients in case of data breach.^[588] Another commenter stated that it was not uncommon for covered institutions to require, by contract or agreement, that their service providers, including transfer agents, notify them in case of security breach.^[589] Hence, we expect that all or almost all covered institutions and their service providers are already complying with one or more notification requirements, pursuant to either State law or contract.^[590]

b. Customer Information Safeguards

Regulation S-P, prior to the adoption of the amendments, required all covered institutions to adopt written policies and procedures reasonably designed to: “(i) insure [sic] the security and confidentiality of customer records and information; (ii) protect against any anticipated threats or hazards to the security or integrity of customer records and information; and (iii) protect against unauthorized access to or use of customer records and information that could result in substantial harm or inconvenience to any customer.” ^[591] In addition, Regulation S-P established limitations on how covered institutions may disclose nonpublic personal information about a consumer to nonaffiliated third parties.^[592] It also established limitations on the further disclosure of nonpublic personal information received by a covered institution from a nonaffiliated financial institution, as well as limitations on the further disclosure of nonpublic personal information disclosed from a covered institution to a nonaffiliated third party.^[593] Before this adoption, Regulation S-P did not include specific provisions for how covered institutions were to satisfy their obligations to safeguard customer records and information when utilizing service providers.

Covered institutions that hold transactional accounts for consumers may also be subject to Regulation S-ID.^[594] Such entities must develop and implement a written identity theft program that includes policies and procedures to identify relevant types of identity theft red flags, detect the occurrence of those red flags, and respond appropriately to the detected red flags.^[595]

In addition, broker-dealers that operate alternative trading systems exceeding specified volume thresholds are SCI entities subject to Regulation SCI and required, among other things, to have certain policies and procedures reasonably designed to ensure that their market systems have adequate levels of capacity, integrity, resiliency, availability, and security and take appropriate corrective action when “SCI events” occur.^[596] SCI entities are required to disseminate information to their members or participants about certain types of SCI events.^[597] Upon the SCI entity having a reasonable basis to conclude that a certain type of SCI event (such as a “systems intrusion” that is not de minimis) has occurred, it is generally required to promptly disseminate information about the SCI event to those members and participants that the SCI entity has reasonably estimated may have been affected. If such “SCI event” is “major,” the information disseminated must be to all of the entity's members or participants.^[598] When required, the notification must include a summary description of the systems intrusion, including a description of the corrective action taken by the SCI entity and when the systems intrusion has been or is expected to be resolved, unless the SCI entity determines that dissemination of such information would likely compromise the security of the SCI entity's SCI systems or indirect SCI systems, or an investigation of the systems intrusion, and documents the reasons for such determination.^[599] Therefore, information about an “SCI event” caused by a cybersecurity incident may be required to be disseminated to some or all an SCI entity's members or participants pursuant to Regulation SCI.

The safeguards rule of Regulation S-P did not, before this adoption, apply to transfer agents. In addition, the disposal rule did not apply to transfer agents registered with a regulatory agency other than the Commission.^[600] Thus, for these institutions, the final amendments create new requirements to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information and to take reasonable measures to protect against unauthorized access to or use of consumer information and customer information in connection with its disposal.^[601] Some transfer agents registered with a regulatory agency other than the Commission may already be subject to some of the Federal regulation described below. In addition, many States impose requirements regarding the safeguarding and the disposal of customer information.^[602] Hence, many transfer agents are likely to already have policies and procedures in the areas covered by these new requirements.

Some covered institutions may also be subject to other regulators' rules and guidelines implicating customer information safeguards. Transfer agents supervised by one of the Banking Agencies may be subject to the Banking Agencies' Incident Response Guidance and to the Banking Agencies' Safeguards Guidance, for example.^[603] The Banking Agencies' Incident Response Guidance requires covered financial institutions to develop a response program covering assessment, notification to relevant regulators and law enforcement, incident containment, and customer notice.^[604] These guidelines require customer notification if a financial institution determines that misuse of sensitive customer information “has occurred or is reasonably possible.” ^[605] They also require notices to occur “as soon as possible,” but permit delays if “an appropriate law enforcement agency determines that notification will interfere with a criminal investigation and provides the institution with a written request for the delay.” ^[606] Under the guidelines, “sensitive customer information” means “a customer's name, address, or telephone number, in conjunction with the customer's Social Security number, driver's license number, account number, credit or debit card number, or a personal identification number or password that would permit access to the customer's account.” ^[607] In addition, “any combination of components of customer information that would allow someone to log onto or access the customer's account, such as user name and password or password and account number” is also considered sensitive customer information under the guidelines.^[608] The Banking Agencies' Safeguards Guidance directs every financial institution covered by the Start Printed Page 47741 guidelines to require its service providers by contract to implement appropriate measures designed to protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.^[609] In addition, the Banking Agencies' Incident Response Guidance directs that an institution's contract with its service provider should require the service provider to take appropriate actions to address incidents of unauthorized access to the financial institution's customer information, including notification to the institution as soon as possible of any such incident, to enable the institution to expeditiously implement its response program.^[610]

The Banking Agencies' Safeguards Guidance requires certain financial institutions to implement a comprehensive written information security program that includes administrative, technical, and physical safeguards appropriate to the size and complexity of the entity and the nature and scope of its activities.^[611] This guidance requires that the information security program be designed to (1) ensure the security and confidentiality of customer information; (2) protect against any anticipated threats or hazards to the security or integrity of such information; (3) protect against unauthorized access to or use of such information that could result in substantial harm or inconvenience to any customer; and (4) ensure the proper disposal of customer information and consumer information.^[612]

Private funds may be subject to the FTC's recently amended FTC Safeguards Rule, which contains data security requirements to protect customer financial information.^[613] The FTC Safeguards Rule generally requires financial institutions to develop, implement, and maintain a comprehensive information security program,^[614] defined as the administrative, technical, and physical safeguards the financial institution uses to access, collect, distribute, process, protect, store, use, transmit, dispose of, or otherwise handle customer information.^[615] The rule also requires that the comprehensive information security program contain various elements, including an incident response plan.^[616] In addition, it requires financial institutions to take reasonable steps to select and retain service providers capable of maintaining appropriate safeguards for customer information and to require those service providers by contract to implement and maintain such safeguards.^[617] Since the date of our proposal, the FTC Safeguards Rule has been updated to require financial institutions to notify the FTC as soon as possible, and no later than 30 days after discovery, of a security breach involving the unencrypted information of at least 500 consumers.^[618] Although the FTC Safeguards Rule does not contain a customer notification requirement, the FTC indicated that it “intends to enter notification event reports into a publicly available database” unless a law enforcement official requests delay.^[619]

In addition, many entities covered by this rule may be subject to other, more general information protection requirements.^[620] In particular, companies operating in foreign jurisdictions may need to comply with information protection requirements in their foreign markets. For example, the GDPR requires entities that process the personal data of EU citizens or residents to, among other things, do so in a manner that ensures appropriate security, integrity, and confidentiality.^[621] Other recent regulations in foreign jurisdictions may subject covered institutions to further rules intended to address cybersecurity risk management by financial institutions and some of their service providers.^[622] Hence, we expect that some of the entities covered by the final amendments, or their service providers, already have customer information safeguards in place because of other information protection regimes.

A variety of guidance is available to institutions seeking to address information security risk, particularly through the development of policies and procedures. These include NIST and CISA voluntary standards, both of which include assessment, containment, and notification elements similar to those included in these amendments.^[623] We do not have extensive data spanning all types of covered institutions on their use of these or similar guidelines or on their development of written policies and procedures to address incident response, and no commenter suggested such data. However, past Commission examination sweeps of broker-dealers and investment advisers suggest that such practices are widespread.^[624] Thus, we expect that institutions seeking to develop written policies and procedures likely would have encountered these and similar standards and may have included the critical elements of Start Printed Page 47742 assessment and containment, as well as notification.

c. Annual Notice Delivery Requirement

Under the baseline,^[625] a broker-dealer, funding portal, investment company, or registered investment adviser must generally provide an initial privacy notice to its customers not later than when the institution establishes the customer relationship and annually after that for as long as the customer relationship continues.^[626] If an institution chooses to share nonpublic personal information with a nonaffiliated third party other than as disclosed in an initial privacy notice, the institution must generally send a revised privacy notice to its customers.^[627]

The types of information required to be included in the initial, annual, and revised privacy notices are identical. Each privacy notice must describe the categories of information the institution shares and the categories of affiliates and non-affiliates with which it shares nonpublic personal information.^[628] The privacy notices also must describe the type of information the institution collects, how it protects the confidentiality and security of nonpublic personal information, a description of any opt out right, and certain disclosures the institution makes under the FCRA.^[629]

3. Market Structure

The final amendments will affect five categories of covered institutions: broker-dealers other than notice-registered broker-dealers, funding portals, registered investment advisers, investment companies, and transfer agents registered with the Commission or another appropriate regulatory agency. These institutions compete in several distinct markets and offer a wide range of services, including effecting customers' securities transactions, providing liquidity, pooling investments, transferring ownership in securities, advising on financial matters, managing portfolios, and consulting to pension funds. Many of the larger covered institutions belong to more than one category ( e.g., a dually registered broker-dealer/investment adviser), and thus operate in multiple markets. In the rest of this section, we first outline the market for each class of covered institution and then consider service providers.

a. Broker-Dealers

Broker-dealers include both brokers (persons engaged in the business of effecting transactions in securities for the account of others),^[630] as well as dealers (persons engaged in the business of buying and selling securities for their own accounts).^[631] Most brokers and dealers maintain customer relationships, and are thus likely to come into the possession of sensitive customer information.^[632] In the market for broker-dealer services, a relatively small set of large- and medium-sized broker-dealers dominate while thousands of smaller broker-dealers compete in niche or regional segments of the market.^[633] Broker-dealers provide a variety of services related to the securities business, including (1) managing orders for customers and routing them to various trading venues; (2) providing advice to customers that is in connection with and reasonably related to their primary business of effecting securities transactions; (3) holding customers' funds and securities; (4) handling clearance and settlement of trades; (5) intermediating between customers and carrying/clearing brokers; (6) dealing in corporate debt and equities, government bonds, and municipal bonds, among other securities; (7) privately placing securities; and (8) effecting transactions in mutual funds that involve transferring funds directly to the issuer. Some broker-dealers may specialize in just one narrowly defined service, while others may provide a wide variety of services.

Based on an analysis of FOCUS filings and Form BD filings, there were 3,476 registered broker-dealers during the third quarter of 2023.^[634] Of these, 303 were dually registered as investment advisers.^[635] There were over 233 million customer accounts reported by carrying brokers.^[636] However, the majority of broker-dealers are not “carrying broker-dealers” and therefore do not report the numbers of customer accounts.^[637] Therefore, we expect that this figure of 233 million understates the total number of customer accounts because many of the accounts at carrying broker-dealers have corresponding accounts with non-carrying brokers. Both carrying and non-carrying broker-dealers potentially possess sensitive customer information for the accounts that they maintain.^[638] Because non-carrying broker-dealers do not report on the numbers of customer accounts, it is not possible to ascertain with any degree of confidence the distribution of customer accounts across the broader broker-dealer population.

b. Funding Portals

Funding portals act as intermediaries in facilitating securities-based crowdfunding transactions that are subject to Regulation Crowdfunding.^[639] Securities-based crowdfunding involves using the internet to raise capital through small individual contributions from a large number of people. The crowdfunding transaction must be conducted through an intermediary registered with the Commission, but a statutory exemption allows that intermediary to forgo registration as a broker-dealer. Therefore some, but not all, crowdfunding intermediaries are registered broker-dealers while others are funding portals.

Funding portals are registered with the Commission and are members of FINRA.^[640] They must provide investors Start Printed Page 47743 with educational materials, take measures to reduce the risk of fraud, make information available about the issuer and the offering, and provide communication channels to permit discussions about offerings on the funding portal's platform, among other related services.^[641] In facilitating crowdfunding transactions, funding portals may come into possession of investors' sensitive customer information, as investors are required to open an account with the funding portal before the funding portal may accept an investment commitment from them.^[642] Funding portals may have possession of sensitive customer information but, unlike broker-dealers, funding portals are statutorily prohibited from holding, managing, possessing, or handling investor funds or securities.^[643] These funding portals are required to direct investors to transmit money or other consideration for the securities directly to a qualified third party that has agreed in writing to hold the funds for the benefit of investors and the issuer and to promptly transmit or return the funds to the person entitled to the funds.^[644]

As of December 31, 2023, there were 92 registered funding portals that were members of FINRA (excluding funding portals that had withdrawn their registration and FINRA membership).^[645] The crowdfunding intermediary market is highly concentrated.^[646] For example, based on staff analysis from May 16, 2016 (inception of Regulation Crowdfunding) through December 31, 2023, five intermediaries accounted for 70 percent of all initiated offerings, including one funding portal accounting for 29 percent of all initiated offerings.^[647]

c. Investment Advisers

Registered investment advisers provide a variety of services to their clients, including financial planning advice, portfolio management, pension consulting, selecting other advisers, publication of periodicals and newsletters, security rating and pricing, market timing, and conducting educational seminars.^[648] Although advisers engaged in any of these activities are likely to possess sensitive customer information, the degree of sensitivity will vary widely across advisers. Some advisers may only hold the customer's address, payment details, and the customer's overall financial condition, while others may hold account numbers, tax identification numbers, access credentials to brokerage accounts, and other highly sensitive information.

Based on Form ADV filings received up to October 5, 2023, there are 15,565 investment advisers registered with the Commission with a total of more than 51 million individual clients and $114 trillion in assets under management.^[649] Practically all (97 percent) of these advisers reported providing portfolio management services to their clients.^[650] Over half (57 percent) reported having custody of clients' cash or securities either directly or through a related person,^[651] with client funds in custody totaling $43 trillion.^[652]

Figure 6 plots the cumulative distribution of the number of individual clients handled by investment advisers registered with the Commission. The distribution is highly skewed: 13 advisers each reported having more than one million clients while 95 percent of advisers reported having fewer than 2,000 clients. Many such advisers are quite small, with half reporting fewer than 62 clients.^[653]

Similarly, most investment advisers registered with the Commission are limited geographically. These advisers must generally make a “notice filing” with a State in which they have a place of business or six or more clients.^[654] Figure 7 plots the frequency distribution of the number of such filings. Based on notice filings, 57 percent of investment advisers registered with the Commission operated in fewer than four States, and 37 percent operated in only one State.^[655]

d. Investment Companies

Investment companies are companies that issue securities and are primarily engaged in the business of investing in securities. Investment companies invest money they receive from investors on a collective basis, and each investor shares in the profits and losses in proportion to that investor's interest in the investment company. Investment companies subject to the final amendments include registered open-end and closed-end funds, business development companies (“BDCs”), Unit Investment Trusts (“UITs”), employee securities' companies (“ESCs”), and management company separate accounts (“MCSAs”). Because they are not operating companies, investment companies do not have “customers” as such, and thus are unlikely to possess significant amounts of nonpublic “customer” information in the conventional sense. They may, however, have access to nonpublic information about their investors.^[656]

Table 4 summarizes the investment company universe that will be subject to the final amendments. In total, as of September 30, 2023, there were 13,766 investment companies, including 12,183 open-end management investment companies, 682 closed-end managed investment companies, 702 UITs,^[657] 141 BDCs,^[658] approximately 43 ESCs, and 15 MCSAs. Many of the investment companies that will be subject to the final amendments are part of a “family” of investment companies.^[659] Such families often share infrastructure for operations ( e.g., accounting, auditing, custody, legal), and potentially marketing and distribution. We expect that many of the compliance costs and other economic costs discussed in the following sections will likely be borne at the family level.^[660] We estimate that there were up to 1,131 distinct operational entities (families and unaffiliated investment companies) in the investment company universe.^[661]

e. Transfer Agents

Transfer agents maintain records of security ownership and are responsible for processing changes of ownership (“transfers”), communicating information from the firm to its security-holders ( e.g., sending annual reports), replacing lost stock certificates, etc. However, in practice, most securities registered in the U.S. are held in “street name,” where the ultimate ownership information is not maintained by the transfer agent but rather in a hierarchal ledger. In this structure, securities owned by individuals are not registered in the name of the individual with the transfer agent. Rather, the individual's broker maintains the records of the individual's ownership claim on securities. Brokers, in turn, have claims on securities held by a single nominee owner who maintains records of the claims of the various brokers.^[662] In such cases, the transfer agent is not aware of the ultimate owner of the securities and therefore does not hold sensitive information belonging to those owners, as only the broker holds this information.

Despite the prevalence of securities held in street name, a large number of individuals nonetheless hold securities directly through a transfer agent. Securities held directly may be held either in the form of a physical stock certificate or in book-entry form through the Direct Registration System (“DRS”). In either case, the transfer agent would need to maintain sensitive information about the individuals who own the securities. For example, to handle a request for replacement certificate, the transfer agent would need to confirm the identity of the individual making such a request and to maintain a record of such confirmation. Similarly, to effect DRS transfers, a transfer agent would need to provide a customer's identification information in the message to the DRS.

In 2023, there were 251 transfer agents registered with the Commission, with an additional 64 registered with the Banking Agencies.^[663] As discussed above,^[664] differences in the baseline regulation of these transfer agents affect their current notification obligations.^[665] Among the 315 transfer agents, 132 are considered small entities.^[666] By registration, 100 of these small transfer Start Printed Page 47747 agents are registered with the Commission and 32 are registered with the Banking Agencies.^[667]

On average, each transfer agent reported around 1 million individual accounts, with the largest reporting 61 million.^[668] Figure 8 plots the cumulative distribution of the number of individual accounts reported by registered transfer agents. Approximately one third of registered transfer agents reported no individual accounts,^[669] and 58 percent reported fewer than ten thousand individual accounts.^[670]

f. Service Providers

Covered institutions' relationships with a wide range of service providers will be affected. Specialized service providers with offerings geared toward outsourcing of covered institutions' core functions will generally fall under the requirements. Those offering customer relationship management, customer billing, portfolio management, customer portals ( e.g., customer trading platforms), customer acquisition, tax document preparation, proxy voting, and regulatory compliance ( e.g., AML/KYC) will likely fall under the requirements. Some of these specialized service providers will be themselves covered institutions.^[673] In addition, various less-specialized service providers might potentially fall under the requirements. Service providers offering Software-as-a-Service (SaaS) solutions for email, file storage, and similar general-purpose services might potentially be in a position to receive, maintain, or process customer information. Similarly, providers of Infrastructure-as-a-Service (IaaS), Platform-as-a-Service (PaaS), as well as those offering more “traditional” consulting services ( e.g., IT contractors) will in many cases be “otherwise [ ] permitted access to customer information” and might fall under the provisions.

In the Proposing Release, we stated that the financial services industry is increasingly relying on service providers through various forms of outsourcing.^[674] We also stated that we were unable to quantify or characterize in much detail the structure of the relevant service provider markets due to data limitations.^[675] One commenter stated that this resulted in an analysis that fails to meaningfully address the associated costs.^[676] While this commenter did not identify any additional data sources, in response we have conducted a further review of industry literature.^[677] While we Start Printed Page 47748 continue to find certain data limitations, we also have identified certain additional informative data points on covered institutions' reliance on service providers.^[678] A recent notice issued by FINRA states that FINRA's members, which include broker-dealers, “are increasingly using third-party vendors to perform a wide range of core business and regulatory oversight functions,” a trend that has accelerated with the COVID-19 pandemic.^[679] One report describes the results of a 2022 survey of 248 advisers and independent broker-dealers.^[680] The survey found that 32 percent of the registered investment advisers and 50 percent of the independent broker-dealers that responded to the survey reported outsourcing investment management functions, and that while these proportions had not changed significantly in the past decade, half of the respondents who do outsource some of these functions reported an increase in their use of service providers. In addition, a different recent report finds that 33 percent of asset managers surveyed outsource their entire back-office function and 20 percent outsource their entire middle-office function.^[681] By the nature of their business models, most of the operations of investment companies are carried out by service providers.^[682] Finally, many transfer agents outsource many functions.^[683] Hence, all types of covered institutions affected by the final amendments commonly retain service providers to some extent.

D. Benefits and Costs of the Final Rule Amendments

The final amendments can be divided into four main components. First, they create a requirement for covered institutions to adopt policies and procedures for the protection of customer information. The policies and procedures must include an incident response program to address unauthorized access to or use of customer information, including by providing notification to individuals affected by an incident during which their sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The response program must also include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight of service providers, including to ensure service providers take appropriate measures to protect against unauthorized access to or use of customer information. Second, the amendments define the information covered by the safeguards rule and the disposal rule,^[684] and extend the application of the safeguards rule to transfer agents. Third, the amendments require covered institutions (other than funding portals) to maintain and retain records documenting compliance with the amended rules.^[685] Fourth, they incorporate into regulation an existing statutory exemption for annual privacy notices. Below we discuss the benefits and the costs of each component in turn.

Some commenters criticized, generally, the discussion of benefits and costs in the Proposing Release. One commenter stated that the Commission should “undertake a more expansive, accurate, and quantifiable assessment of the specific and cumulative costs, burdens, and economic effects that would be placed on investment advisers by the proposed requirements, as well as of the potential unintended consequences for their clients.” ^[686] Another commenter stated a need for more in-depth analysis of how the proposed amendments might impact transfer agents, their customers (issuers of securities), and securityholders.^[687] Other commenters did not directly disagree with the analysis in the Proposing Release, but stated that the proposed amendments would place a high overall burden on covered institutions, including smaller institutions.^[688]

In response to these commenters, we have supplemented the analysis of the benefits and the costs of the final amendments regarding the timing requirement for notification of customers affected by a breach, including by providing more details on how the requirements differ from the baseline; ^[689] different elements required to be included in a notice to affected individuals; ^[690] different requirements relating to service providers; ^[691] and the extension of the rule's scope to include all transfer agents.^[692] As discussed below, we have also made changes to the final amendments that will reduce compliance costs for all covered institutions, including those that are smaller in size.^[693]

Several commenters stated that the Commission should consider the cumulative costs of implementing the proposed amendments and other recent Commission rules and proposed rules.^[694] Specifically, one commenter stated that “there can be no doubt that the costs of compliance—direct and indirect—rise with each regulation and directly impact the ability of [covered institutions] to invest in other aspects of their businesses” and that the Commission should “consider the cumulative effects that” the final amendments and other adopted rules will have on covered institutions' “operational limitations and, more importantly, resource constraints, in determining the compliance dates.” ^[695] That commenter and others mentioned proposals which culminated in several adopted rules.^[696]

Consistent with its long-standing practice, the Commission's economic analysis in each adopting release Start Printed Page 47749 considers the incremental benefits and costs for the specific rule—that is, the benefits and costs stemming from that rule compared to the baseline. The Commission acknowledges the possibility that complying with more than one rule may entail costs that could exceed the costs if the rules were to be complied with separately. Four of the rules identified by commenters have compliance dates that occur before the effective date of the final amendments,^[697] such that there is no overlap in compliance periods. The compliance periods for the other rules overlap in part, but the compliance dates adopted by the Commission in recent rules are generally spread out over an approximately three-year period from 2023 to 2026,^[698] which could limit the number of implementation activities occurring simultaneously. Where overlap in compliance periods exists, the Commission acknowledges that there may be additional costs on those covered institutions subject to one or more other rules as well as implications of those costs, such as impacts on entities' ability to invest in other aspects of their businesses.^[699]

Covered institutions subject to the final amendments in this rulemaking may be subject to one or more of the other adopted rules commenters named depending on whether those institutions' activities fall within the scope of the other rules. Specifically, the rules and amendments in the February 2024 Form PF Adopting Release, and those rules and amendments in the Private Fund Advisers Adopting Release for which the compliance dates have not already passed, apply to advisers to private funds: as private fund advisers are a subset of the covered institutions affected by the amendments, only a subset of covered institutions face compliance costs associated with these recent rules and amendments.^[700] The Public Company Cybersecurity Rules apply only to public companies, not all covered institutions.^[701] The amendments adopted in the Money Market Fund Adopting Release place a compliance burden on money market funds and certain liquidity fund advisers registered with the Commission, which are also a subset of covered institutions.^[702] The Investment Company Names Adopting Release amended requirements for those registered investment companies and BDCs with names with terms suggesting that the fund has particular characteristics, which are a subset of the funds affected by the final amendments.^[703] The Beneficial Ownership Adopting Release amended disclosure requirements that apply only to persons who beneficially own more than five percent of a covered class of equity securities.^[704] The rule adopted in the Securitization Conflicts Adopting Release affects only certain entities (and their affiliates and subsidiaries) that participate in securitization transactions.^[705] We acknowledge that covered institutions subject to multiple rules may still experience increased costs associated with implementing multiple rules at once as well as implications of those costs, such as impacts on those institutions' ability to invest in other aspects of their businesses.

1. Written Policies and Procedures

In this section, we discuss the effects of written policies and procedures requirements in the final amendments, focusing on those relating to the incident response program required under the final amendments. Specifically, while the final amendments require covered institutions to develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information,^[706] general written policies and procedures to protect customer information are already part of the baseline.^[707] The primary new requirements pertain to written policies and procedures that must include an incident response program to address unauthorized access to or use of customer information.

We expect that requiring written policies and procedures for the response program will improve the effectiveness of response programs in multiple ways, which will benefit covered institutions and their customers. Written policies and procedures are a practical prerequisite for organizations to implement standard operating procedures and have been recognized as effective at improving outcomes in critical environments.^[708] We expect that this will also be the case for response programs for data breach incidents. Written policies and procedures can help ensure that the covered institution's personnel know what corrective actions to take and when in the event of a data breach. Written policies and procedures can also help ensure that the incident is handled in an optimal manner. Moreover, establishing incident response procedures ex ante can facilitate discussion among the covered institution's staff and expose flaws in the incident response procedures before they are used in a real response. This may also lead to covered institutions improving their customer information safeguards, which could reduce the likelihood of unauthorized access to or use of customer information in the first place.^[709]

We do not anticipate that the final requirement for written policies and procedures will result in substantial new benefits from its application to large covered institutions, those with a national presence, or those already subject to comparable Federal regulations. As stated above,^[710] all States and the District of Columbia generally require businesses to notify their customers when certain customer information is compromised. States do not typically require the adoption of written policies and procedures for the handling of such incidents.^[711] However, despite the lack of explicit statutory requirements, covered institutions—especially those with a national presence—may have developed and implemented written policies and procedures for a response program that incorporates various standard elements, including for assessment, containment, and notification.^[712] Given the numerous and distinct State data breach laws, it would be difficult for larger covered institutions operating in multiple States to comply effectively with existing State laws without having some written policies and procedures in place. As such covered institutions are generally larger, they are more likely to have compliance staff dedicated to designing and implementing regulatory policies and procedures, which could include policies and procedures regarding incident response. Moreover, to the extent that covered institutions that have already developed written policies and procedures for incident response have based such policies and procedures on common cyber incident response frameworks ( e.g., NIST Computer Security Incident Handling Guide, CISA Cybersecurity Incident Response Playbook),^[713] generally accepted industry best practices, or other applicable regulatory guidelines,^[714] these large covered institutions' written policies and procedures are likely to include the elements of assessment, containment, and notification, and to be substantially consistent with the requirements of the final amendments. Thus, we do not anticipate that the final requirement for written policies and procedures will result in substantial new benefits from its application to these institutions.

For the same reasons, this requirement is unlikely to impose significant new costs for these institutions. As discussed below, we estimate that certain costs associated with developing and implementing policies and procedures to comply with the final amendments will be, on average, $15,445 per year per covered institution.^[715] Here, we expect the main costs associated with the final requirement to be the costs of reviewing, and possibly updating, existing policies and procedures to ensure that they satisfy the new requirements. Hence, we expect these reviews and updates will result in these covered institutions incurring direct compliance costs generally smaller than the costs of developing and implementing new policies and procedures. If covered institutions respond to this requirement by improving their customer information safeguards beyond what is required by the final amendments, they will incur additional costs.^[716] We expect that the costs incurred by these covered institutions as a result of this requirement will ultimately be passed on to customers of these institutions.^[717]

We expect that the final written policies and procedures requirements will have more substantial benefits and costs for smaller covered institutions without a national presence, such as small registered investment advisers and broker-dealers who cater to a clientele based on geography, as compared to larger covered institutions. Before this adoption, some of these covered institutions may have had lower incentives to develop and implement written policies and procedures for a response program and may therefore have been less likely to have such policies and procedures in place for several reasons. First, the incentives to develop and implement policies and procedures for a response program may vary for covered institutions of different sizes. Some smaller covered institutions may already prioritize response programs, for example because the firm views reputational costs of a cybersecurity breach or other type of unauthorized access to or use of customer information as posing the potential for serious harm to the firm. However, for other smaller covered institutions, the firm and its managers may view response programs as lower priority because, for example, the potential reputational cost of an unauthorized access to or use of customer information may be relatively smaller than it would be for a larger firm. This would be the case to the extent that the firm and its managers perceive that the firm has a lower franchise value (the present value of the future profits that a firm is expected to earn as a going concern) and lower brand equity (the value of potential customers' perceptions of the firm). Thus, the costs of potential reputational harm may be perceived to be lower than at larger firms. Moreover, the cost of developing and implementing written policies and procedures for a response program is proportionately large compared to larger covered institutions since it involves fixed costs.

Second, some covered institutions could potentially have, before this adoption, complied effectively with the relevant State data breach notification laws without adopting written policies and procedures to deal with customer notification: they may only have needed to consider—on an ad hoc basis—the notification requirements of the small number of States in which their customers reside.^[718] Hence, for such covered institutions, the cost of developing policies and procedures will be relatively larger, but the benefits for Start Printed Page 47751 the customers of these institutions will also be larger.

We expect that for such covered institutions, the final amendments will likely impose additional compliance costs related to written policies and procedures for safeguarding customer information.^[719] Certain costs associated with developing and implementing policies and procedures to comply with the final amendments are estimated to be $15,445 generally per year per covered institution, but may vary depending on the size of the institution and the current state of their existing policies and procedures.^[720] Furthermore, as for larger covered institutions, if these covered institutions respond to this requirement by improving their customer information safeguards beyond what is required by the final amendments, they will incur additional costs. While these smaller covered institutions might potentially pass some of the costs resulting from the final amendments on to customers in the form of higher fees, their ability to do so may be limited due to the presence of larger competitors with more customers across which to spread costs.^[721] In addition, covered institutions that improve their customer notification procedures in response to the final amendments might suffer reputational costs resulting from the additional notifications.^[722]

Some commenters stated that many covered institutions already had policies and procedures in place.^[723] These commenters also stated that these policies and procedures would need to be reviewed and updated to comply with the amendments, but to different extents. On the one hand, one commenter stated that its members already complied with much of the proposal's content through State regulations, such as the requirements that companies maintain written cybersecurity policies and procedures, respond to cyber incidents, notify authorities and consumers of certain cyber incidents, and dispose of consumer data.^[724] A second commenter stated that the customer notification requirements would need to be incorporated into existing policies and procedures.^[725] These commenters' perspectives are consistent with our view that the final rules will impose a fairly limited burden for covered institutions bringing existing policies and procedures into compliance with the new requirements. On the other hand, a different commenter stated that written incident response program policies and procedures and recordkeeping requirements would need to be created and implemented,^[726] indicating higher potential burden. Hence, we continue to expect that the policies and procedures requirements will potentially have different effects on different covered institutions.^[727] In a change from the proposal and after considering commenters' concerns, we are now adopting a longer compliance period for all covered institutions relative to the proposal, and an even longer compliance period of 24 months for smaller covered institutions, which are less likely to already have policies and procedures broadly consistent with the final amendments.^[728]

Two commenters discussed how the proposed amendments would affect an entity that is dually registered as an investment adviser and broker-dealer. One commenter stated that it appreciated the approach of the proposal, which applies uniformly to the two types of covered institutions and would allow for streamlining of processes.^[729] Another commenter stated that bringing both sides of the entity into compliance with the proposed amendments would impose a significant burden and require a dual registrant to modify both sides of the entity' compliance frameworks.^[730] We do not expect a significant burden, because we expect that these institutions could generally implement a single set of procedures to comply with many of the provisions of the final amendments, which would limit these additional burdens.^[731] To the extent entities registered as more than one category of covered institution arrange their business such that there are separate policies and procedures for each category, those entities may encounter additional cost burden when complying with the final amendments. For example, an entity that creates two different incident response programs for its advisory and broker-dealer operations could bear as much as twice the cost burden as the same entity would bear when creating one incident response program,^[732] although there may be efficiencies to the extent that development of one program informs the other. The final amendments, however, do not prevent that entity from using the same incident response program across its categories of covered institutions.

In the remainder of this section, we first consider the benefits and costs associated with requiring covered institutions to have a response program generally. We then analyze the benefits and the costs of the notification requirements vis-à-vis the notification requirements already in force under the various existing State laws. We conclude this section with an analysis of the benefits and costs of the response program's service provider provisions.

a. Response Program

The final amendments require covered institutions' written policies and procedures to include a response program “reasonably designed to detect, respond to, and recover from unauthorized access to or use of Start Printed Page 47752 customer information, including customer notification procedures.” ^[733] The response program must address incident assessment, containment, as well as customer notification and oversight of service providers.^[734]

The question of how best to structure the response to an incident resulting in unauthorized access to or use of customer information has received considerable attention from firms, IT consultancies, government agencies, standards bodies, and industry groups, resulting in numerous reports with recommendations and summaries of best practices.^[735] While the emphasis of these reports varies, certain key components are common across many incident response programs. For example, NIST's Computer Security Incident Handling Guide identifies four main phases to cyber incident handling: (1) preparation; (2) detection and analysis; (3) containment, eradication, and recovery; and (4) post-incident activity.^[736] The assessment, containment, and notification prongs of the final policies and procedures requirements correspond to the latter three phases of the NIST recommendations. Similar analogues are found in other reports, recommendations, and other regulators' guidelines.^[737] Thus, the required procedures of the incident response program are substantially consistent with industry best practices and these other regulatory documents that seek to develop effective policies and procedures in this area.

While some commenters suggested that some specific provisions of the amendments be better aligned with existing regulation,^[738] other commenters stated that the Commission's proposal would generally align the amendments with other regulatory frameworks such as the Banking Agencies' Incident Response Guidance.^[739] One of these commenters stated that consistency across regulatory requirements facilitates firms' operations, provides for efficiencies in their operations, and better serves customers.^[740] In the final amendments, we have revised some requirements from the proposal to better align them with existing regulatory framework. For example, one commenter stated that a 72-hour deadline would improve alignment with other existing requirements and that this would significantly reduce complexity and compliance burdens for covered institutions and their service providers.^[741] Consistent with other regulatory frameworks,^[742] the final amendments require that covered institutions ensure that their service providers take appropriate measures to provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred.^[743]

Similar to the written policies and procedures requirement, we expect the benefits and the costs of the response program requirements to vary across covered institutions. In general, costs will be larger for entities that do not have any related incident response programs or related policies and procedures. For those entities, costs may include needing to familiarize themselves with the new requirements, initial set-up costs for new systems to monitor when customers need to be notified, new notification systems, and development and implementation of new policies and procedures associated with response programs. Therefore, on the one hand, the effects of the requirements are likely to be small for covered institutions with a national presence who are likely to already have such programs in place.^[744] For such institutions, we expect direct compliance costs to be largely limited to reviews and, if needed, updates of existing policies and procedures.^[745] On the other hand, we expect greater benefits and costs for smaller, more geographically limited covered institutions since they are less likely to have an existing incident response program. The benefits ensuing from these institutions incorporating incident response programs to their written policies and procedures can be expected to arise from improved efficacy in notifying affected customers and—more generally—from improvements in the manner in which such incidents are handled. The response program requirements might potentially provide substantial benefit in a specific incident, for example in the case of a data breach at an institution that does not currently have an incident response program and is unprepared to promptly respond in keeping with law and best practice. Such an institution will also bear the full costs associated with adopting and implementing procedures complying with the final amendments.^[746]

In addition to helping ensure that customers are notified when their data are breached,^[747] having reasonably designed strategies for incident assessment and containment ex ante might reduce the frequency and scale of breaches through more effective intervention and improved managerial awareness, providing further indirect benefits. Any such improvements to covered institutions' processes will benefit their customers ( e.g., by reducing harms to customers resulting from data breaches), as well as the covered institutions themselves ( e.g., by reducing the expected costs of handling data breaches), representing further indirect benefits of the rule.

We lack data on efficacy of incident assessment, incident containment, or customer notification that would allow us to quantify the economic benefits of the final requirements, and no commenter suggested such data. Similarly, we lack data, and no commenter suggested such data, that would allow us to quantify the indirect economic costs, such as reputational cost of any potential increase in the frequency of customer notification or the indirect costs of customer information protection improvements that may be undertaken to avoid such reputational costs. In the aggregate, however, considering the amendments in the context of the baseline, these benefits and costs are likely to be limited. As we have discussed above,^[748] all States have previously enacted data breach notification laws with substantially similar aims and, therefore, we think it likely that many institutions have response programs to support compliance with these laws. In addition, we anticipate that larger covered institutions with a national presence—which account for the bulk of Start Printed Page 47753 covered institutions' customers—have already developed written incident response programs consistent with the proposed requirements in most respects.^[749] Thus, the benefits and costs of requiring written incident response programs will be the most significant for smaller covered institutions without a national presence—institutions whose policies affect relatively few customers.

In support of the proposed response program requirement, some commenters stated that response programs had benefits beyond the notification of affected individuals. One commenter stated that effective cybersecurity practices and system safeguards, including incident response and notification, were critical for the financial markets and services industry and the regulators tasked with oversight of this sector.^[750] Another commenter stated that the costs associated with the incident response programs and more robust notification regime served an important forcing function for entities that might otherwise not adequately invest in safeguards on the front end.^[751] This commenter also cited a report stating that having an incident plan is one of the steps organizations can take to protect their data.^[752] In addition, in support of the Proposing Release, commenters cited sources offering additional context and evidence of the benefits of incident response programs. A report cited by a commenter states that businesses with an incident response team that tested their incident response plan saw an average of $2.66 million lower breach costs compared to organizations without an incident response team and that did not test their incident response plan.^[753] A more recent version of the same report states that businesses which both had an incident response team and tested their incident response plan took 54 fewer days to identify and contain a data breach, compared to businesses that did not have a response team nor test their incident response plan (252 days as compared to 306 days).^[754] This information generally supports our view that incident response programs will have benefits for both covered institutions and their customers. However, because the amendments' requirements differ from those analyzed in these reports, we are unable to use these estimates to precisely quantify the benefits of the amendments in terms of prevention of and response to data breach incidents involving customer information. Nevertheless, to the extent that different reasonably designed incident response programs yield benefits of similar magnitudes, the final amendments will have benefits of similar magnitude for the covered institutions that do not currently have an incident response program in place, with associated benefits for the customers of these institutions.

b. Notification Requirements

The final requirements provide for a Federal minimum standard for data breach notification, applicable to the sensitive customer information of all customers of covered institutions (including customers of other financial institutions whose information has been provided to a covered institution),^[755] regardless of their state of residence. The information value of a data breach notification standard is a function of its various provisions and how these provisions interact to provide customers with thorough, timely, and accurate information about how and when their information has been compromised. Customers receiving notices that are more thorough, timely, and accurate have a better chance of taking effective remedial actions, such as placing holds on credit reports, changing passwords, and monitoring account activity.^[756] These customers will also be better able to make informed decisions about whether to continue to do business with institutions that have been unable to prevent their information from being compromised. Similarly, non-customers who learn of a data breach, for example from individuals notified as a result of the final amendments, might use this information to evaluate their potential use of a covered institution.

As discussed above, all 50 States and the District of Columbia already have data breach notification laws that apply, in varying ways, to compromises of their residents' information.^[757] Thus, the benefits of the adopted Federal minimum standard for notification of customers (vis-à-vis the baseline) will vary depending on each customer's State of residence, with the greatest benefits accruing to customers that reside in States with the least informative customer notification requirements.^[758]

Unfortunately, with the data available, it is not practicable to decompose the marginal contributions of the various State law provisions to the overall “strength” of State data breach laws. Consequently, it is not possible for us to quantify on a state-by-state basis the benefits of the adopted Federal minimum standard to customers residing in the various States. In considering the benefits of the final notification requirement, we limit consideration to the “strength” of individual provisions of the final amendments vis-à-vis the corresponding provisions under State laws and consider the number of customers that might potentially benefit from each.

Similarly—albeit to a somewhat lesser extent—the costs to covered institutions will also vary depending on the geographical distribution of each covered institution's customers. Generally, the costs associated with the final amendments will be greater for covered institutions whose customers reside in States with less informative customer notification laws than for those whose customers reside in States with broader and more informative notification laws. In particular, smaller covered institutions whose customers are concentrated in States where State data breach laws result in less informative customer notification are likely to face higher costs since they may have to issue additional notices to comply with the amendments. The costs Start Printed Page 47754 associated with notice issuance comprise both administrative costs and reputational costs. Certain costs arising from notice issuance are covered in the Paperwork Reduction Act analysis in section V and are estimated to be on average $5,178 per year per covered institution.^[759] We lack data, and no commenter suggested such data, that would allow us to quantify the reputational cost resulting from any potential increase in the frequency of customer notification or the indirect costs of customer information protection improvements that may be undertaken by covered institutions to avoid such reputational costs.

Although some commenters stated that a Federal notification requirement was not needed given existing State law requirements,^[760] other commenters supported this proposed provision.^[761] One commenter stated that a significant advantage would be that in several States, it would relieve covered institutions from having to issue state-specific breach notices under State law.^[762] Another commenter further stated that a Federal breach notification requirement “would satisfy State notice laws that provide exemptions for firms subject to such a requirement, which will help to a degree to reduce the confusion and notification burdens arising from the patchwork of State data breach notification requirements.” ^[763] Another commenter stated that the benefits of a Federal minimum standard would outweigh the burden of the new notification requirements.^[764]

In the rest of this section, we consider key provisions of the final notification requirements, their potential benefits to customers (vis-à-vis existing State notification laws), and their costs.

(1) GLBA Safe Harbors

A number of State data breach laws provide exceptions to notification for entities subject to and in compliance with the GLBA. These “GLBA Safe Harbors” may result in customers not receiving any data breach notification from registered investment advisers, broker-dealers, funding portals, investment companies, or transfer agents. The final amendments will help ensure customers receive notice of breach in cases where they may not currently because notice is not required under State law.

Based on an analysis of State laws, we found that 19 States provide a GLBA Safe Harbor.^[765] Together, these States account for 24 percent of the U.S. population, or approximately 17 million potential customers who may benefit from this provision.^[766] While we do not have data on the exact geographical distribution of customers across all covered institutions, we are able to identify registered investment advisers whose customers reside exclusively in GLBA Safe Harbor States.^[767] We estimate that there are 679 such advisers, representing 4.4 percent of the registered adviser population, and that these advisers represent in total more than 97,000 clients.^[768] We expect that a similar percentage of broker-dealers would be found to be operating exclusively in GLBA Safe Harbor States.

Changing the effect of the GLBA Safe Harbors is not likely to impose significant direct compliance costs on most covered institutions. For the reasons outlined above, many covered institutions have customers residing in States without a GLBA Safe Harbor and we therefore expect them to have existing procedures for notifying customers under State law. Additionally, some jurisdictions require notification policies or actual notification as condition of the safe harbor.^[769] However, covered institutions whose customer base is limited to GLBA Safe Harbor States may not have implemented any procedures to notify customers in the event of a data breach. These covered institutions may face higher costs than entities with some notification procedures already in place, but the customers of these institutions will benefit the most from the final amendments by receiving notice they may not have otherwise received.

One commenter agreed that some State laws provided exemptions from their notice requirements under the GLBA but disagreed that this implied benefits for the amendments, stating that the proposed amendments would not preempt State notification requirements and would instead add another variation on existing requirements to be accounted for by covered institutions, with limited real benefits to affected individuals.^[770] The final amendments will create new and to various extents different notification requirements for covered institutions with customers residing in States without GLBA exemptions. However, we disagree with this commenter's assertion that benefits to affected individuals will be limited. As discussed above, State laws vary in detail from State to State.^[771] We discuss below how the final amendments will impose a Federal minimum standard for customer notification and how we expect this standard to benefit customers.

(2) Accelerated Timing of Customer Notification

The final amendments require covered institutions to provide notice to customers in the event of some data breaches as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.^[772] As discussed in section IV.C.2.a, existing State laws vary in terms of notification timing. Most States (31) do not include a specific deadline for Start Printed Page 47755 notifying customers, but rather require that the notice be given in an expedient manner and/or that it be provided without unreasonable delay. These States account for 60 percent of the U.S. population, with approximately 42 million potential customers residing in these States.^[773] Four States have a 30-day deadline; we estimate that close to 8 million potential customers reside in these States. The remaining 16 States provide for longer notification deadlines. For the estimated 20 million potential customers residing in these 16 States, the final amendments' 30-day outside timeframe might tighten the notification timeframes.^[774] In addition, the 30-day outside timeframe is likely to tighten notification timeframes for the approximately 42 million potential customers residing in States with no specific deadline.

Even though the timing language in State laws without specific deadlines generally suggests that notices must be prompt, we have evidence that the notices are frequently sent significantly later than 30 days after the affected institution learns of the breach. The Proposing Release references data from California and Washington, which we explain in more detail below. California requires that such notice be given “in the most expedient time possible and without unreasonable delay.” ^[775] Nevertheless, data from the California Office of the Attorney General, regarding notices sent to more than 500 California residents for any one incident, indicate that for the notices for which these data are available, the average time from discovery to notification was 144 days in 2022, and 91 percent of these notices were sent later than 30 days after the discovery of the breach.^[776] Hence, we expect that the aggregate effects of a 30-day notification outside timeframe might be significant for the 42 million potential customers residing in States with no specific deadline.^[777]

In addition, because the final amendments will not provide for broad exceptions to the 30-day notification requirement,^[778] in many cases the amendments will tighten notification timeframes even for the 8 million potential customers residing in States with a 30-day deadline. For example, in Washington, the State law requires that the notice be given “without unreasonable delay, and no more than thirty calendar days after the breach was discovered.” ^[779] However, the law also allows for a delay “at the request of law enforcement” or “due to any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.” ^[780] Data from the Washington Attorney General's Office indicate that for the notices for which these data are available, the average time from discovery to notification was 137 days in 2022 and the median time was 93 days.^[781] Eighty-seven percent of these notices were sent later than 30 days after the discovery of the breach, presumably as a result of these exceptions.^[782] Hence, we expect that the timing requirements of the final amendments will result in many notices being sent earlier even in some States with a 30-day deadline.

Tighter notification deadlines should increase customers' ability to take effective measures to counter threats resulting from their sensitive information being compromised. Such measures may include placing holds on credit reports or engaging in more active monitoring of account and credit report activity.

In practice, however, when it takes a long time to discover a data breach, a relatively short delay between discovery and customer notification may have little impact on customers' ability to take effective countermeasures.^[783] Based on the data from the California Office of the Attorney General, the average number of days between the start of a breach and its discovery was 46 days in 2022, with a median of 7 days and a standard deviation of 126 days.^[784] In addition, data from the Washington Attorney General's Office show that in 2022, there were on average 94 days between the time a breach occurred and its discovery, with a median of 10 days and a standard deviation of 319 days.^[785] Start Printed Page 47756 This suggests that time to discovery is likely to prevent issuance of timely customer notices in many but not all cases. As plotted in Figure 9, while some firms take many months—even years—to discover a data breach, others do so in a matter of days: 66 percent of firms were able to detect a breach within 2 weeks and 77 percent were able to do so within 30 days.^[786] Thus, while the adopted 30-day notification outside timeframe may not always substantially improve the timeliness of customer notices, in many cases it may improve timeliness.

While we do not expect that the 30-day outside timeframe for customer notification will impose significant direct costs relative to a longer timeframe (or relative to having no fixed timeframe), the shorter outside timeframe might potentially lead to indirect costs arising from notification potentially interfering with incident containment efforts. Based on data from the Washington Attorney General's Office for the fiscal year of 2022, “containment” of data breaches generally occurs quickly—7.6 days on average.^[787] However, according to IBM's study for 2022, it takes an average of 70 days to “contain” a data breach.^[788] The discrepancy suggests that there exists some ambiguity in the interpretation of “containment,” raising the possibility that the 30-day notification outside timeframe might require customer notification to occur before some aspects of incident containment have been completed and potentially interfering with efforts to do so.^[789]

Some commenters opposed the proposed timeframe for customer notifications.^[790] One commenter stated that the proposed outside timeframe of 30 days after becoming aware of a breach was insufficient time to provide a meaningful notification to impacted individuals, particularly in complex cases.^[791] Another commenter stated that the proposed 30-day outside timeframe was “unjustified and arbitrary” and that it was “likely to be insufficient for proper investigation and notification.” ^[792] Another commenter stated that the proposed timing requirement was overly rigid and did not account for the wide variety and complexity of cybersecurity incidents, and that 30 days after becoming aware of a possible incident was not enough time to accomplish the many steps required to be able to issue notifications to affected individuals.^[793] This commenter detailed these steps as “needing to respond to and remediate the security incident directly, conduct a forensic investigation to determine what information may have been affected, analyze the affected data to determine what sensitive customer information is contained in affected data, extract or obtain the information needed to make notification to affected users, hire vendors and arrange identity protection services for affected individuals, and actually send the notifications.” ^[794] These commenters, as well as other commenters, suggested longer or less specific timeframes.^[795]

A different commenter instead stated that the final required timeframe should not be longer than 30 days, citing an article stating that “an analysis of the current State data breach notification laws shows that requiring notification within thirty days of a breach to affected consumers would be appropriate.” ^[796] This article further adds that a “thirty-day time limit will give an organization ample time to conduct a full investigation” and “ensure that consumers are notified of a breach in a timely manner so they can take the proper steps to mitigate any losses and protect their personal information from further exposure to cybercriminals through credit freezes, credit monitoring, and the like.” The same commenter suggested that the deadline be shortened to 14 days after becoming aware of an incident.^[797]

After considering these comments, we are adopting the notification timeframe as proposed. Under the final amendments, covered institutions will be required to provide notice to affected customers as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Commenters stated that this notification timeframe may result in customers receiving notices that are less accurate or receiving some notices that are unnecessary. The final amendments' notification timeframe may, in some cases, result in customers receiving less informative notices than they would have received under a longer notification timeframe, since covered institutions will have less time to understand the incident before sending the notice. This 30-day timeframe may also result in instances where a notification will be sent but, had the covered institution been able to fully investigate the breach in the prescribed timeframe, the covered institution would have been able to determine that notification was not required.^[798] If unnecessary notifications are sent, as commenters suggest could occur, these instances may result in customers taking unnecessary mitigating actions, and the costs of these actions will be a cost of the final amendments.^[799] These instances will also result in additional costs associated with customer notification, such as administrative costs related to preparing and distributing notices and potential reputational costs (including indirect costs of customer information protection improvements that may be undertaken to avoid such reputational costs) for covered institutions; we have accounted for these additional costs associated with notification in our estimates of some of the costs arising from notice issuance.^[800] However, the 30-day notification timeframe preserves the benefits of the proposed, relatively short notification timeframe and allows customers to take rapid and effective mitigating actions.^[801]

In some circumstances, requiring customers to be notified within 30 days may hinder law enforcement investigation of an incident by potentially making an attacker aware of the attack's detection.^[802] It could also make other threat actors aware of vulnerabilities in a covered institution's systems, which they could then try to exploit. The final amendments allow a covered institution to delay notification of customers if the Attorney General determines that the notice required poses a substantial risk to national security or public safety and notifies the Commission of such determination in writing.^[803] The main benefit of this delay is to decrease the likelihood of the potential situations described above where law enforcement is hindered. The delay might, in some cases, lead to a better protection of national security and public safety. Another benefit of the delay is that it might give covered institutions more time to assess the scope of the incident and gather the information to be included in the notice to customers in particularly complex cases. However, the delay provisions might also, in some cases, result in customers being notified later, which Start Printed Page 47758 would decrease the benefits of such notification, as described above.^[804] Where investigations do not rise to the level of meeting the prescribed conditions for delayed notification, customer notification could alert attackers that their intrusion has been detected and could potentially impact law enforcement's investigation.

Because we do not have data on the frequency with which an investigation will rise to the level of meeting the final amendments' conditions for delayed notification, and because we do not have data on the scope of the effect on national security or public safety of breaches being revealed to the attackers, nor did commenters identify such data, we are unable to precisely estimate the costs and benefits of this provision. However, we expect that such events will be relatively rare.^[805]

(3) Broader Scope of Information Triggering Notification

In the final amendments, “sensitive customer information” is defined more broadly than in most State laws, yielding a customer notification trigger that is broader in scope than the various State law notification triggers included under the baseline.^[806] The broader scope of information triggering the notice requirements will cover more data breaches impacting customers than the notice requirements under the baseline. This broader scope might benefit customers who will be made aware of more cases where their information has been compromised. At the same time, the broader scope might lead to false alarms—cases where the “sensitive customer information” divulged does not ultimately harm the customer. Such false alarms might be problematic if they reduce customers' responsiveness to data breach notices. In addition, the scope will also likely imply additional costs for covered institutions, which may need to adapt their processes for safeguarding information to encompass a broader range of customer information and may need to issue additional notices.^[807]

In the final amendments, “sensitive customer information” is defined as “any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” ^[808] The definition's basis in “any component of customer information” creates a broader scope than under State notification laws. In addition to identification numbers, PINs, and passwords, many other pieces of nonpublic information have the potential to satisfy this standard. For example, many financial institutions have processes for establishing identity that require the user to provide a number of pieces of information that—on their own—are not especially sensitive ( e.g., mother's maiden name, name of a first pet, make and model of first car), but which—together—could allow access to a customer's account. The compromise of some subset of such information will thus potentially require a covered institution to notify customers under the final amendments.

The definitions of information triggering notice requirements under State laws are generally much more circumscribed and can be said to fall into one of two types: basic and enhanced. Basic definitions are used by 14 States, which account for 21 percent of the U.S. population.^[809] In these States, only the compromise of a customer's name together with one or more enumerated pieces of information triggers the notice requirement. Typically, the enumerated information is limited to Social Security number, a driver's license number, or a financial account number combined with an access code. For the estimated 15 million potential customers residing in these States,^[810] a covered institution's compromise of the customer's account login and password would not necessarily result in a notice, nor would a compromise of his credit card number and PIN.^[811] Such compromises could nonetheless lead to substantial harm or inconvenience. Thus, the final amendments will significantly enhance the notification requirements applicable to these customers.

States adopting enhanced definitions for information triggering notice requirements extend the basic definition to include username/password and username/security question combinations.^[812] These definitions may also include additional enumerated items whose compromise (when linked with the customer's name) can trigger the notice requirement ( e.g., biometric data, tax identification number, and passport number).^[813] For the estimated 55 million potential customers residing in the States with enhanced definitions,^[814] the benefits from the final amendments will be somewhat more limited. However, even for these customers, the amendments will tighten the effective notification requirement. There are many pieces of information not covered by the enhanced definitions whose compromise might potentially lead to substantial harm or inconvenience. For example, under California law, the compromise of information such as a customer's email address in combination with a security question and answer would only trigger the notice requirement if that information would—in itself—permit access to an online account. Under many such State laws, the compromise of information such as a customer's name, combined with his or her transaction history, account balance, or other information not specifically enumerated would not necessarily trigger the notice requirement.

The broader scope of information triggering a notice requirement under the final amendments will benefit customers. As discussed above, many pieces of information not covered under State data breach laws could, when compromised, cause substantial harm or inconvenience. Under the amendments, data breaches involving such information might require customer notification in cases where State law does not, and thus potentially increase customers' ability to take actions to mitigate the effects of such breaches. At the same time, there is some risk that the broader minimum standard will lead to notifications resulting from data compromises that—while troubling—are ultimately less likely to cause substantial harm or inconvenience.^[815] A Start Printed Page 47759 large number of such unnecessary notices might undermine the effectiveness of the notice regime.^[816]

The broader minimum standard for notification is likely to result in higher costs for covered institutions. There will be increased administrative costs related to preparing and distributing notices for covered institutions who will send out additional notices as a result of the scope of information triggering a notice requirement under the final amendments. As discussed below, we estimate that certain costs associated with the preparation and distribution of notices will be, on average, $5,178 per year per covered institution.^[817]

In addition, it is possible that covered institutions have developed processes and systems designed to provide enhanced information safeguards for the specific types of information enumerated in the various State laws. For example, it is likely that IT systems deployed by financial institutions only retain information such as passwords or answers to security questions in hashed form, reducing the potential for such information to be compromised. Similarly, it is likely that such systems limit access to information such as Social Security numbers to a limited set of employees. It may be costly for covered institutions to upgrade these systems to expand the scope of enhanced information safeguards.^[818] In some cases, it may be impractical to expand the scope of such systems. For example, while it may be feasible for covered institutions to strictly limit access to Social Security numbers, passwords, or answers to secret questions, it may not be feasible to apply such limits to account numbers, transaction histories, account balances, related accounts, or other potentially sensitive customer information. In these cases, the adopted minimum standard might not have a significant prophylactic effect and might lead to an increase in reputation and litigation costs for covered institutions resulting from more frequent breach notifications.

Furthermore, because the definition of sensitive customer information is based on a determination that the compromise of this information could create a “reasonably likely risk of substantial harm or inconvenience to an individual identified with the information,” ^[819] it could increase costs related to incident evaluation, outside legal services, and litigation risk. While we lack data, and no commenter suggested such data, that would allow us to quantify all of these costs, we discuss below certain costs associated with developing and implementing policies and procedures to comply with the final amendments, including costs for internal and external counsel.^[820] This subjectivity could reduce consistency in the propensity of covered institutions to provide notice to customers, reducing the utility of such notices in customers' inferences about covered institutions' safeguarding efforts.

Some commenters opposed the proposed amendments' definition of sensitive customer information, suggesting either a better alignment with existing regulation,^[821] or that the final amendments specify a list of customer information included in the definition.^[822] Covered institutions will have to devote some resources determining what specific pieces of information are included in the scope of the final notification requirements. However, different types of covered institutions may keep different types of customer information, the information collected by covered institutions might change in the future, and the type of information that could create a reasonably likely risk of substantial harm or inconvenience to an individual might also change in the future. Thus, having a wide and general range of sensitive customer information trigger the amendments' notice requirement will provide benefits to the affected customers, who may not receive a notice under the baseline. In addition, as discussed above, existing regulations adopt widely different definitions of customer information triggering a breach notification, making alignment difficult.^[823]

(4) Notification Trigger

The final amendments include a requirement for a covered institution to provide notice to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, unless, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, the covered institution has determined that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.^[824] As discussed above, the final amendments reflect a presumption of notification: a covered institution must provide a notice unless it determines notification is not required following a reasonable investigation.^[825] Moreover, if the covered institution is unable to determine which customers are affected by a data breach, a notice to all potentially affected customers is required.^[826] The resulting presumptions of notification are important because although it is usually possible to determine what information could have been compromised in a data breach, it is often not possible to determine what information was compromised or to estimate the potential for such information to be used in a way that is likely to cause harm.^[827] Because of this, it may not be feasible to establish the likelihood of sensitive customer information being used in a manner that would result in substantial harm or inconvenience or of sensitive customer information pertaining to a specific individual being accessed or used without authorization. Consequently, in the absence of the presumptions of notification, it may be possible for covered institutions to avoid notifying customers in cases where it is unclear what information was compromised or whether sensitive customer information was or is reasonably likely to be used in Start Printed Page 47760 a manner that would result in substantial harm or inconvenience.

Currently, 20 States' notification laws do not include a presumption of notification.^[828] We do not have data with which to estimate reliably the effect of these presumptions on the propensity of covered institutions to issue customer notifications, and no commenter suggested such data. However, we expect that for the estimated 20 million potential customers residing in the 20 States without a presumption of notification,^[829] some notifications that will be required under the final amendments would not occur under the baseline. Thus, we anticipate that the final amendments will improve these customers' ability to take actions to mitigate the effects of data breaches. In addition, the final amendments' presumptions for notification rest on a concept of “substantial harm or inconvenience” that is likely to be wider than the equivalent concept of “harm” used in some State laws.^[830] Hence, we also expect that the presumptions of notification will have potential benefits even for the customers residing in some of the States with a presumption of notification.

The increased sensitivity of the notification trigger resulting from the presumptions of notification will result in additional costs for covered institutions, who will bear higher reputational costs (including indirect costs of customer information protection improvements that may be undertaken to avoid such reputational costs) as well as some additional direct compliance costs ( e.g., mailing notices, responding to customer questions, etc.) due to more breaches requiring customer notification. While we are unable to quantify all of these additional costs,^[831] we estimate that certain costs associated with the preparation and distribution of notices will be, on average, $5,178 per year per covered institution.^[832]

Some commenters disagreed with the proposed requirement that if a covered institution were unable to determine which customers were affected by a data breach, it would have had to notify all individuals whose sensitive customer information resided in the customer information system that was, or was reasonably likely to have been, accessed or used without authorization.^[833] One commenter stated that this would result in significant over-notification of individuals, and that this would unnecessarily disturb and frighten individuals who likely were not affected.^[834] The commenter also stated that the proposed requirements would significantly increase costs and litigation risk for covered institutions and possibly their service providers and other financial institutions whose information resides on the system.^[835] Another commenter stated that this proposed provision would create reputational risks for transfer agents and that it believed resources would be better spent investigating the incident and determining the impacted securityholders.^[836] Another commenter stated that this proposed requirement would be unnecessarily burdensome for covered institutions and that it could have negative consequences for clients, noting that there would be a risk that too much information could be overwhelming and lead to desensitization.^[837]

Another commenter disagreed with the proposed requirement that a covered institution would have had to notify customers whose information was compromised unless the covered institution could determine that the event would not result in a risk of substantial harm or inconvenience for these individuals, suggesting instead that the standard be harmonized further with the Banking Agencies' Incident Response Guidance and with many State laws so as to require notification only if the covered institution affirmatively could find risk of harm.^[838] This commenter stated that the proposed presumption of notification could lead to excessive and unnecessary notifications to consumers where a low likelihood of harm were present, which could result in consumers spending time and effort needlessly monitoring accounts or taking actions such as instituting a credit freeze, and simultaneously desensitize consumers to a notification for an actual breach where significant harm could result.^[839]

After considering these comments, we have determined that the presumptions of notification should be included in the final amendments. On the one hand, we acknowledge, as commenters stated,^[840] that unnecessary notifications could occur and negatively affect covered institutions and their customers as a result of these presumptions. Unnecessary notifications will result in costs for covered institutions, including the costs associated with notification such as administrative costs related to preparing and distributing notices as well as reputational costs, litigation risk, or diversion of resources identified by commenters.^[841] More broadly, as stated by commenters,^[842] unnecessary notification could reduce customers' responsiveness to data breach notices, for example by decreasing customers' ability to discern which notices require action. Unnecessary notification could also desensitize customers to notices, thereby leading to a decrease in the reputational costs of notification. This could decrease covered institutions' incentives to invest in customer information safeguards in order to avoid such reputational costs.^[843] However, the risks of unnecessary notification reducing the benefits of the rule are mitigated by the fact that notification is not required in cases where the covered institution can determine, after a reasonable investigation, that there is no risk of substantial harm or inconvenience for the customers whose information has been compromised. In addition, in a change from the proposal, the final amendments explicitly provide that a covered institution need not provide notice to an individual whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed or used without authorization if the covered institution reasonably determines that this individual's sensitive customer Start Printed Page 47761 information was not accessed or used without authorization.^[844]

On the other hand, adopting these presumptions of notification will allow potentially affected customers to take appropriate mitigating actions. In support of the proposed presumption of notification, another commenter stated that any risk that a presumption to notify individuals could lead to a volume of notices that would inure affected individuals to the notices and result in their not taking proactive action would be outweighed by the risk that individuals would not be notified at all and would not have the opportunity to decide for themselves whether to take action.^[845] To support this statement, this commenter referenced a study stating that requiring a determination of misuse to trigger disclosure permits additional discretion to the breached entity which, coupled with the existence of a disclosure disincentive,^[846] might bias an institution's investigation of a data leak and might lead to a conclusion that consumer notification was not required.^[847] We agree with this commenter. In addition, as discussed above, allowing covered institutions to conduct a full investigation before determining whether customers need to be notified could significantly reduce the benefits of such notification, and thus of the final amendments, by delaying the notice.^[848]

(5) Content and Method of Notice

The proposed amendments included a list of information that would have had to be included in a customer notice.^[849] Many of these content requirements remain in the final amendments.^[850] While some commenters agreed generally with the proposed notice content requirements,^[851] other commenters disagreed with the proposed inclusion of some elements and stated that our analysis of these requirements in the Proposing Release was insufficient.^[852] In response to these commenters, we conducted supplemental analysis of the frequency at which different items are required in existing State laws, and are including a supplemental analysis of the costs and benefits of each of the required elements vis-à-vis this baseline.^[853]

The main benefit of requiring specific content to be included in the notice is to help ensure that customers residing in different States receive similar information when their information is compromised in the same breach. Because State law requirements differ in terms of required content, covered institutions may send different notices to different individuals.^[854] The final amendments will help ensure that all customers receive a minimum of information regarding a given breach affecting their information and are therefore equally able to take appropriate mitigating actions.

The final amendments provide that the notice must include a description of the incident, including the information that was breached and the approximate date at which it occurred, as well as contact information where customers can inquire about the incident. In addition, the notice must include information on recommended actions affected customers can take. We expect that these required items will help customers take appropriate mitigating action to protect themselves from further effect of the breach. Including these elements might require some covered institutions to modify their existing processes for notification, which will incur some costs.^[855] We expect that these costs will be passed on to customers.

The first required item is a general description of the incident and the type of sensitive customer information that was or is reasonably believed to have been accessed or used without authorization.^[856] We received no comment on this specific requirement. Obtaining this information is crucial for customers as it will allow them to assess the level of risk and to take appropriate mitigating actions. This will also allow them to avoid spending time and resources on mitigating actions related to information that was not affected by the breach. We expect that most covered institutions who already have notification processes already include this information, since 22 States require that the notice describe the type of information affected by the breach and 13 States require a description of the incident to be included.^[857] As a result, we expect that the benefits will be the greatest for customers of institutions who do not operate nationally and operate only in States without such requirements. We estimate that there are approximately 51 million potential customers residing in the 38 States that do not require a description of the incident, and 35 million potential customers residing in the 29 States that do not require the type of customer information compromised to be included in the notice.^[858] We expect the costs to be the highest for the covered institutions operating only in those States.

The second item required by the final amendments is the date of the incident, the estimated date of the incident, or the date range within which the incident occurred, if the information is reasonably possible to determine at the time the notice is provided.^[859] One commenter disagreed with this proposed requirement, stating that it would imply that covered institutions subject to both Regulation S-P and the Banking Agencies' Incident Response Guidance would have to revise their long-standing breach notices to add the information.^[860] This commenter also stated that the Proposing Release did not detail a basis for this inclusion. Including the date of the breach, even if it is the approximate date, will provide useful information to the affected customers and help them make better decisions about the mitigating actions to take. In particular, customers could review their account statements back to the date where the breach happened.^[861] An additional benefit of this inclusion will be to provide information to customers about how effectively a Start Printed Page 47762 covered institution was able to detect and assess a breach. This will help reduce the information asymmetry about a covered institution's customer information safeguards and help customers be better informed when deciding which covered institutions to retain for their financial services needs.

There are 13 States requiring the notice to include an approximate date (or date range) for the breach, and 38 States without such a requirement.^[862] These 38 States account for 70 percent of the U.S. population and 49 million estimated potential customers.^[863] For these customers, the final amendments might result in their receiving information they would not have otherwise received. Because 13 States already require that the notice include an approximate date, we expect that the costs will be minimal for the covered institutions that operate nationally. For the covered institutions that do not operate nationally, the final amendments might require them to adapt their procedures to include additional information in the notices to customers.

The third item required by the final amendments is “contact information sufficient to permit an affected individual to contact the covered institution to inquire about the incident, including the following: a telephone number (which should be a toll-free number if available), an email address or equivalent method or means, a postal address, and the name of a specific office to contact for further information and assistance.” ^[864] One commenter disagreed with this proposed requirement, stating that it was unclear what purpose or benefit this requirement would have for the affected individuals and adding that it would place significant burdens on the internal operations of the covered institution.^[865] Another commenter also disagreed with this proposed requirement, stating that covered institutions should have flexibility in determining the contact information to provide, based on how they normally interact with their customers, and suggesting that the final amendments only require one of the listed contact methods.^[866] The requirement to include multiple contact methods provides valuable options for affected customers, who may have differing preferences and aptitudes in their use of contact methods.^[867] We do not expect that this requirement will overly burden covered institutions, even for those institutions that will need to adapt their processes to the new requirements.^[868] In addition, nothing in this requirement prevents a covered institution from providing additional contact methods.

The final amendments also require the notice to include a recommendation that the customer review account statements and immediately report suspicious activity to the covered institution (if the individual has an account with the covered institution); an explanation of what a fraud alert is and how an individual may place one; a recommendation that the individual periodically obtain credit reports; an explanation of how the individual may obtain a credit report free of charge; and information about the availability of online guidance from the FTC and usa.gov regarding steps an individual can take to protect against identity theft, a statement encouraging the individual to report any incidents of identity theft to the FTC, and the FTC's website address.^[869] One commenter supported these proposed requirements, stating that the proposed notice requirements avoided common problems with the content of many data breach notifications, such as confusing language, a lack of details, and insufficient attention to the practical steps customers should take in response.^[870] We expect that these additional elements will provide useful information to affected customers regarding potential mitigating actions to take and help ensure that these customers are able to react appropriately to the notice. We expect that while these requirements will impose costs on covered institutions whose notification process does not already include these elements,^[871] these costs will be limited and passed on to the customers.^[872] We received no comments opposing these requirements.

The proposed amendments included a provision that would have required the notice to include a description of what has been done by the covered institution to protect the sensitive customer information from further unauthorized access or use. One commenter disagreed with this proposed requirement, stating that it “would be extremely useful to threat actors and not particularly useful to clients.” ^[873] After considering this comment, we have decided to exclude this provision from the final amendments.^[874] In addition to reducing the perceived risk of providing a roadmap for threat actors, we expect that this change will accelerate the process of preparing the notice, thereby reducing the associated costs.

The final amendments require that notice must be transmitted by a means designed to ensure that each affected individual can reasonably be expected to receive actual notice in writing.^[875] Some commenters discussed the alignment between the requirements of the final amendments and those of existing regulation affecting covered institutions. In particular, one commenter stated that a Federal notification requirement would complicate compliance efforts for covered institutions already complying with similar State laws.^[876] On the other hand, another commenter stated that the proposed amendments' alignment with existing requirements would allow covered institutions to leverage existing programs.^[877] We analyze here the expected benefits and costs of this provision of the final amendments vis-à-vis the baseline.^[878]

We expect that the main benefit of this provision will be to help ensure that customers whose sensitive personal information has been breached receive the required information. We expect that the costs of this provision will be limited for most covered institutions since most States require similar methods of notification.^[879] Hence, we expect that most covered institutions will not have to significantly modify their procedures and processes for notice issuance in order to satisfy this provision of the final amendments.

However, we do expect some benefits in some instances. First, 26 States allow Start Printed Page 47763 a notice to be made over the telephone.^[880] While 7 of these States require direct contact with the affected individuals when the notice is given using this method, 19 do not have such requirements.^[881] We expect that for the 21 million potential customers residing in the 19 States allowing for telephonic notices but without such requirements,^[882] receiving a written notice may result in clearer information and in a higher likelihood of taking appropriate mitigating actions.

Second, many States allow for electronic notifications. While most of these States require that this be done only under certain conditions that are similar to the final amendments' conditions, some States have conditions that are significantly looser. The final amendments provide that the notice can be provided through electronic means to customers who have agreed to receive information electronically.^[883] In contrast, five States allow electronic notification without restriction, and two States require only that the institution has an email address for the affected individuals.^[884] We expect that for the 11 million potential customers residing in these seven States ^[885] —that allow electronic notification even to customers who have not explicitly agreed to receiving electronic notification—the final amendments will help ensure that they receive a notice in a format that they are expecting.^[886]

Third, all States allow for a substitute notice under certain conditions.^[887] Substitute notification requirements vary across States but must generally include an email notification to affected individuals, a notice on the entity's website, and notification to major statewide media.^[888] The final amendments do not provide for such substitute notice and instead have the same notice requirements in all cases. We expect that the final amendments will strengthen the benefits of notification by helping ensure that affected individuals are made aware of the relevant information regarding a breach of their sensitive information. Examples of customers who would benefit include customers who: interact infrequently with the covered institution, thereby not visiting the institution's website regularly; who do not consume local or State news sources; or who may be wary or skeptical of receiving such information by email if they have not given their prior informed consent (for example, customers who are used to receiving communications from the covered institution by mail only or who interact with the covered institution very rarely). In other States, the requirements for substitute notice include fewer elements.^[889] We expect that for the customers residing in these States, the final amendments will help ensure that they are made aware of the breach and provided an appropriate notice.

The final amendments require written notification, which may be provided electronically if certain conditions are met, such as if the customer has agreed to receive information electronically.^[890] Not all State notification provisions include similar consent conditions for electronic communication.^[891] Therefore, the final amendments may result in additional compliance costs in the instances where, prior to the final amendments, the covered institutions would have sent email notices or used substitute notification, but will instead have to obtain customer consent for electronic notification or else send individual notices by mail because their methods of electronic delivery are not consistent with existing Commission guidance on electronic delivery, for example if they have not obtained customer consent to receive electronic communications.^[892] However, given the variety of State law conditions and requirements, we expect that most notices being sent already satisfy many of these provisions and we therefore expect that these provisions will result in limited additional costs.^[893]

c. Service Provider Provisions

The final amendments require that a covered institution's incident response program include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers. Specifically, these written policies and procedures must be reasonably designed to ensure the service providers take appropriate measures to protect against unauthorized access to or use of customer information and provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system. Upon receipt of such notification, a covered institution must initiate its incident response program.^[894] In the final amendments, “service provider” is defined as “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” ^[895] Thus, the requirements might affect arrangements with a broad range of entities, including potentially email providers, customer relationship management systems, cloud applications, and other technology vendors.

As modern business processes increasingly rely on service providers,^[896] ensuring consistency in regulatory requirements increasingly requires consideration of the functions performed by service providers and how these functions interact with the regulatory regime.^[897] Ignoring such aspects could incentivize covered institutions to attempt to outsource functions to service providers to avoid the requirements that would apply if the Start Printed Page 47764 functions were performed in-house. Thus, the service provider requirements will strengthen the benefits of the final amendments by helping ensure that they have similar effects regardless of how a covered institution chooses to implement its business processes ( i.e., whether those processes are implemented in-house or outsourced).

Commenters supported the proposal's objective to safeguard customer information in the case where this information rests with service providers.^[898] One commenter stated that third-party service providers were specifically a favored attack vector, adding that the Commission's attention to this risk was well-directed.^[899] Another commenter stated that it did not disagree that service providers should protect sensitive customer information and be required to provide timely notification of a breach to the covered institution.^[900] Another commenter stated that service providers that have access to customer information should be contractually required to take appropriate risk-based measures and diligence designed to protect against unauthorized access to or use of customer information, including notification of a covered institution in the event of certain types of breaches in security.^[901] Another commenter recognized and supported the importance of covered institutions having appropriate policies and procedures to manage the cybersecurity and privacy risks posed by service providers that process their customer information.^[902]

Some commenters criticized the analysis of the proposed service provider provisions.^[903] One commenter stated, referring to the proposed service provider written agreement obligation, that the Commission had failed to address the costs in any meaningful way and was thus dismissive of them.^[904] Another commenter stated that the Proposing Release included no discussion or estimate of the costs that renegotiating contracts with service providers or hiring new service providers would impose on brokers.^[905] In addition, some commenters disagreed with our analysis of specific parts of the requirements, stating that the analysis in the Proposing Release did not identify why a 48-hour reporting period was optimal,^[906] or stating that the breadth of the definition of service providers was disproportionate to the benefits and risks presented.^[907] In response to these commenters, we have modified this aspect of the amendments, as discussed in greater detail above.^[908] These modifications mitigate, but may not eliminate entirely, commenters' concerns regarding the costs associated with the service provider provisions of the proposed amendments. We also have supplemented the economic analysis of the service provider provisions in response to comments as follows. First, we have supplemented the analysis of the potential costs to covered institutions. This includes an analysis of the indirect effects of the final amendments on covered institutions' service providers, and how these effects may affect covered institutions and their customers,^[909] for example where costs to service providers are passed on to covered institutions, and ultimately to covered institutions' customers,^[910] or have negative competitive effects that impact covered institutions.^[911] Second, we are providing supplemental analysis specifically on the timeline requirement and the definition of service providers.^[912]

The costs to covered institutions of implementing the final amendments will be influenced by the potential burdens on service providers that may result from the amendments. If implementing procedures that satisfy covered institutions' requirements were costless for them, service providers would be likely to agree to implement the requirements without much negotiation and the costs to covered institutions would be minimal. If, instead, such procedures were costly to implement for service providers, more negotiation would be required, which would be costlier for all parties involved. In addition, in this case, the service providers might increase the price of their services, further increasing the costs for covered institutions.^[913] We discuss further below the expected indirect effects of the final amendments on service providers and how these effects may affect covered institutions.^[914]

However, even if, as in the scenario described above, the cost per service provider turns out to be minimal for covered institutions, the total cost might still become significant for covered institutions that have a large number of service providers. Even in this case, covered institutions will need to devote time and resources to verify that they satisfy the final requirements with respect to each of their service providers. In addition, covered institutions will need to devote time and resources to oversee their service providers throughout their relationship with these service providers.^[915] We are unable to quantify these costs, as the range would be too wide to be informative and commenters did not provide any data that would yield an estimation of such a range. The range of costs for covered institutions is likely to be wide given the varied nature of the uses of service providers by financial institutions. For instance, the cost for covered institutions that do not rely on service providers is likely to be minimal. However, for those covered institutions that have more complex arrangements with service providers, the cost would be significantly higher. The cost depends on a large number of factors that vary across covered institutions.^[916] For example, the cost Start Printed Page 47765 would depend on the number of service providers used, the extent to which service providers are used for multiple functions, each service provider's access to relevant customer information, as well as the staffing needs of the covered institutions.

The definition of service provider in the final amendments will affect the costs to covered institutions by determining the number of service providers for which covered institutions will have to perform these tasks. The final amendments adopt a definition of service provider to mean “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” ^[917] Many commenters opposed the proposed definition of service provider.^[918] These commenters suggested narrower definitions which would exclude a covered institution's affiliates.^[919] In addition, one commenter stated that the proposed definition was unrealistically and unnecessarily broad, reaching service providers where there would be few or no marginal benefits to their inclusion and the costs (time, money, personnel, etc.) to covered institutions would be substantial.^[920] This commenter suggested that the definition of service provider be limited to persons or entities with permitted access to sensitive customer information only.^[921]

We acknowledge that fulfilling the requirements for each of their service providers will impose costs on the covered institutions. However, the potential benefits are also large given the increasing reliance of covered institutions on service providers.^[922] Individual customers have no control over a covered institution's decisions to perform activities in-house or to outsource them. As such, these customers have little control over who has access to their information. A broad definition of service providers will contribute to safeguard customers' information and will help ensure that customers are notified in the event their sensitive information is compromised, no matter where this information resides. Furthermore, the modifications in the final amendments to require covered institutions to establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers, instead of requiring written contracts as was proposed,^[923] will alleviate the commenters' concerns over the potential inclusion of affiliates. Since affiliates are likely to have policies and procedures similar to those of covered institutions,^[924] we expect that both the benefits and the costs of implementing this provision of the requirements will be minimal.

The indirect effects of the final amendments on service providers might also affect the costs borne by covered institutions and, ultimately, their customers. In particular, these indirect effects may generate costs to service providers, which may be passed on (at least partly) to covered institutions and ultimately to covered institutions' customers,^[925] or may result in negative competitive effects on service provider industries that then impact the services offered to covered institutions and their customers.^[926] The potential indirect effects on service providers that will result from the final amendments can be divided into three parts.^[927] First, entities that meet the definition of service providers will likely take appropriate measures to protect against unauthorized access to or use of customer information to facilitate covered institutions' compliance with the final amendments. We expect that many service providers already take such measures.^[928] Hence, we expect that the number of service providers who will modify their business processes for this specific requirement is limited. Such modifications will benefit not only the customers whose information is being better protected and the covered institutions relying on the service providers, but also the service providers themselves, to the extent that the modifications decrease the likelihood of unauthorized access to their customer information systems which could affect their operations or reputation.

Second, covered institutions' policies and procedures will need to be reasonably designed to ensure that service providers take appropriate measures to provide notification of unauthorized access to a customer information system to the covered institutions as soon as possible, but no later than 72 hours after becoming aware that the breach has occurred. This provision might also result in a number of service providers adapting their businesses processes. However, considering that 24 States require entities that maintain but do not own or license customer information data to notify the entity that owns or licenses such data “immediately” in case of a breach of security, we expect that many service providers already have processes in place to ensure that such notification is made.^[929] For the service providers who do not already have such processes in place, this approach will create benefits for the customers who will be informed in a timely manner in the event their sensitive information is compromised.

Third, because the final amendments require covered institutions to establish, maintain, and enforce written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers who have access to their customers' information, these service providers will face requests for information from covered institutions or otherwise participate in the covered institutions' oversight activities. This will impose costs on service providers, but it will also strengthen the benefits of the amendments by helping ensure that customer information is appropriately protected even when it is residing in service providers' systems.

For service providers that provide specialized services aimed at covered institutions, the final amendments may create market pressure to enhance service offerings that facilitate covered institutions' compliance with the requirements.^[930] Such enhancement will entail costs for specialized service providers, including the actual cost of adapting business processes, as discussed above, to accommodate the requirements.^[931] That said, we do not expect that these costs will represent an undue burden as both the specialized service providers and the covered institutions are operating in a highly regulated industry and might be accustomed to adapting their business processes to meet regulatory requirements. Moreover, more specialized service providers may be likely to have particularly sensitive or valuable information about the customers of covered institutions, and therefore the investor protection benefits in those cases may be substantial. With respect to service providers providing services aimed at a broad range of institutions, such as those providing email or customer-relationship management services, covered institutions are likely to represent a small fraction of their customer base. These service providers may be unwilling to adapt their business processes to the regulatory requirements of a small subset of their customers if they do not already have such processes in place.

For the service providers that already have in place processes satisfying the covered institutions' requirements, we expect that the costs to both the service providers and the covered institutions will be minimal and will mostly result from covered institutions' oversight duties. If service providers modify their business processes to facilitate covered institutions' compliance with the final amendments' requirements, we anticipate they likely will pass costs on to covered institutions, and ultimately covered institutions may pass these costs on to customers.^[932] We also expect that there might be a fraction of service providers who will be unwilling to take the steps necessary to facilitate covered institutions' compliance with the final amendments. In such cases, the covered institutions will need to either switch service providers and bear the associated switching costs or perform the functions in-house and establish the appropriate processes as a result.^[933] We expect that these costs will be particularly acute for smaller covered institutions which lack bargaining power with large service providers, and that these costs might be passed on to customers.^[934] However, the amendments will create benefits arising from enhanced efficacy of the regulation.^[935]

The proposal included a requirement that a covered institution's response program must include written policies and procedures requiring the institution, pursuant to a written contract between the covered institution and its service providers, to require that service providers take appropriate measures that are designed to protect against unauthorized access to or use of customer information.^[936] While one commenter supported this proposed requirement,^[937] other commenters suggested that the final amendments not require written contracts with service providers,^[938] stating that doing so would impose significant costs on covered institutions.^[939] After considering these comments, we are requiring that covered institutions establish, maintain, and enforce written policies and procedures to require oversight of service providers instead of requiring written contracts.^[940] This change, while enhancing the policies and procedures obligations, will provide covered institutions with greater flexibility in achieving compliance with the requirements, which could reduce compliance costs without significantly reducing the benefits of the final Start Printed Page 47767 amendments.^[941] Providing this flexibility will also help address commenters' concerns that requiring a written contractual agreement could harm covered institutions, particularly those that are relatively small and may not have sufficient negotiating power or leverage to demand specific contractual provisions from a larger third-party service provider.^[942] However, in a scenario where a covered institution has an existing contract with a service provider that is renegotiated as a result of the final amendments, the covered institution may incur additional costs.^[943] In addition, in a scenario where a service provider would have agreed to a written contract under the proposed amendments but will not under the final amendments, a covered institution may have to exert greater efforts to oversee this service provider than would have been necessary had it signed a written contract with this service provider.^[944]

We also proposed that the measures taken by service providers include notification to the covered institution as soon as possible, but no later than 48 hours after becoming aware of a breach in security resulting in unauthorized access to a customer information system maintained by the service provider.^[945] While one commenter supported this proposed requirement,^[946] other commenters stated that a longer deadline would be preferable.^[947] One commenter also suggested a change from “becoming aware” to “determining” that a breach has occurred in order to minimize pressure to report on service providers while an investigation is being conducted.^[948]

After considering these comments, we have changed this provision. The final amendments require covered institutions to ensure that their service providers notify them of a breach as soon as possible, but no later than 72 hours after becoming aware that an applicable breach has occurred.^[949] We expect that the change to 72 hours will reduce the cost to service providers not only because it will give them more time to assess an incident before notifying the covered institution, but also because it aligns with existing regulation.^[950] Hence, we expect that this change will decrease compliance costs for covered institutions by making service providers more likely to agree to the requirements, which will decrease negotiation and switching costs for covered institutions.^[951] We also expect that this will alleviate some of the commenters' concerns about having insufficient negotiating power to negotiate specific with service providers.^[952] While this change may result in a longer period of time before customers receive notification of a breach, thereby decreasing the benefits of such notification,^[953] it might also reduce the number of unnecessary notifications to covered institutions and, in turn, to customers.^[954]

The final amendments provide, as proposed, that a covered institution may enter into a written agreement with a service provider to notify individuals affected by a breach on the covered institution's behalf.^[955] Some commenters supported this proposed requirement.^[956] We expect that this provision could reduce the compliance costs of the amendments, especially in the case where the breach happens at the service provider. In this case, the service provider may be in a better position to collect the relevant information and provide the required notice to customers.^[957]

It is possible that a breach that will trigger a notification obligation might occur at a covered institution that will also be a service provider to another covered institution.^[958] The final amendments provide that the obligation to ensure that affected individuals are notified rests with the covered institution where the breach occurred.^[959] If this covered institution is also a service provider to another covered institution, it retains the obligation, as a service provider, to notify this other covered institution of the breach.^[960] This will allow the other covered institution to initiate its own incident response program and to perform its oversight duties on its service providers, and contribute to enhance the protection of customer information. We modified the final amendments such that only one covered institution needs to notify the affected customers.^[961] By requiring only one Start Printed Page 47768 notice to be sent for a given incident, this modification will reduce compliance costs—since only one covered institution will have to devote resources to preparing and sending the notice—and reduce potential confusion for the affected customers.^[962] We do not expect this modification to reduce the benefit for such customers, who will still receive a timely notice.

2. Extending the Scope of the Safeguards Rule and the Disposal Rule

a. Definition of Customer Information

The final amendments more closely align the scope of the safeguards rule with the scope of the disposal rule. They also broaden the scope of information covered by the rules to all customer information, regardless of whether the customers are a covered institution's own, or those of another financial institution whose customer information has been provided to the covered institution.^[963] The final amendments define customer information, for any covered institution other than a transfer agent, as “any record containing nonpublic personal information” about a customer of a financial institution, whether in paper, electronic or other form, that is in the possession of a covered institution or that is handled or maintained by the covered institution or on its behalf. Such information is customer information regardless of whether it pertains to (a) individuals with whom the covered institution has a customer relationship or (b) the customers of other financial institutions where such information has been provided to the covered institution.^[964] For transfer agents, customer information is defined as any record containing nonpublic personal information “identified with any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is handled or maintained by the transfer agent or on its behalf.” ^[965]

While some commenters supported the proposed scope of the rules regarding the definition of customer information,^[966] one commenter stated that the rule should focus on sensitive customer information, and that the breadth of the proposed amendments was disproportionate to the risks of disclosure.^[967] This commenter also stated that applying the service provider requirements to all service providers that have access to any customer information would be disproportionate to the benefits and risk presented and suggested that it apply only to service providers with access to sensitive customer information.^[968]

We acknowledge that applying the policies and procedures requirements to all customer information will impose costs that would not be incurred if the amendments covered only sensitive customer information. However, this approach creates important benefits. For example, the disclosure of customer information could be used for phishing attacks or similar efforts to access sensitive customer information. Moreover, with respect to policies and procedures specifically, the costs of creating policies and procedures for all information should not be much larger than the cost of creating them for only sensitive customer information, because the cost is in the creation of the policies and procedures rather than in their application. We acknowledge, however, that in some organizations the sensitive customer information could be located in different systems or accessible to different employees, such that policies and procedures for non-sensitive information would be different. In addition, covered institutions' existing policies and procedures may be less likely to meet the new requirements as a result of the breadth of the definition and would thus require modifications.

Because the final amendments extend the scope of customer information subject to protection to information possessed by a covered institution regardless of whether the customers are a covered institution's own, or those of another financial institution whose customer information has been provided to the covered institution, the benefits of the final amendments will extend to a wide range of individuals such as prospective customers, account beneficiaries, recipients of wire transfers, or any other individual whose customer information a covered institution comes to possess, so long as the individuals are customers of a financial institution.^[969] We anticipate that, in many instances, the preventative measures taken by covered institutions to safeguard customer information in response to the final amendments will generally also protect these additional individuals.^[970] Hence, while we expect that these measures could have potential significant benefits for these additional individuals, we do not expect them to result in significant additional costs for the covered institutions. However, we acknowledge that, in certain instances, this may not be the case. For example, information about prospective customers used for sales or marketing purposes may be housed in separate systems from the covered institution's “core” customer account management systems and require additional efforts to secure. Regarding the measures taken by covered institutions to comply with the final amendments' incident response program requirements, following a data breach, we do not anticipate that extending the scope of information covered by the final amendments to include these additional individuals will have a significant effect. These costs will include additional reputational harm and litigation as well as increased notice delivery costs. However, given that the distinction between customers and other individuals is generally not relevant under existing State notification laws—which apply to information pertaining to residents of a given State—we expect that most covered institutions will have already undertaken to protect and provide notification of data breaches to these additional individuals.

Some commenters agreed that covered institutions should safeguard the customer information they receive from other financial institutions.^[971] Other commenters disagreed with the proposed requirement that a covered institution would have to notify individuals whose sensitive customer information was compromised even when these individuals were not the covered institution's customers.^[972] Some commenters stated that it would be impractical for covered institutions to identify and contact such individuals, or that it could confuse these Start Printed Page 47769 individuals.^[973] However, such individuals will benefit from their information being included in the scope of the amendments' requirements. Another commenter stated that this provision of the requirement could lead to duplicative notification obligations if the two financial institutions involved—that is, the institution that received the information and the institution that provided the information—were both covered institutions.^[974] After considering comments, we have modified the amendments to avoid requiring that multiple covered institutions notify the same affected individuals for a given incident.^[975] The final amendments require that when an incident occurs at a covered institution or at one of its service providers that is not itself a covered institution, the covered institution has the obligation to ensure that a notice is provided to affected individuals, regardless of whether this covered institution has a customer relationship with the individuals. If this covered institution received the customer information from another covered institution, the two covered institutions can coordinate with each other to decide who will send the notice. As discussed above,^[976] we expect that this modification will reduce compliance costs without reducing the benefits of the final amendments.

b. Extension To Cover All Transfer Agents

The final amendments extend both the safeguards rule and the disposal rule to apply to any transfer agent registered with the Commission or another appropriate regulatory agency. Before this adoption, the safeguards rule did not apply to any transfer agents, and the disposal rule only applied to transfer agents registered with the Commission.^[977] In addition to requiring transfer agents to design an incident response program, the benefits and costs of which are discussed separately above,^[978] the amendments create an additional obligation on transfer agents to develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information.^[979] Moreover, the final amendments create an obligation on transfer agents registered with a regulatory agency other than the Commission to develop, implement, and maintain written policies and procedures that address the proper disposal of customer information.^[980]

As discussed in sections II.B.2 and IV.C.3.e, in the U.S., transfer agents provide the infrastructure for tracking ownership of securities. Maintaining such ownership records necessarily entails holding or accessing non-public information about a large swath of the U.S. investing public.^[981] Given the highly concentrated nature of the transfer agent market,^[982] a general failure of customer information safeguards at a transfer agent could negatively impact large numbers of customers.^[983]

One commenter stated that because transfer agents' customers are not the individuals whose information they hold but the issuers of securities, the proposed amendments were ill-fitting, which decreased their efficacy and increased their complications.^[984] This commenter also stated that the proposed amendments were not well-suited for transfer agents, and that this highlighted the need for a more in-depth analysis of how the final amendments may impact transfer agents, their customers (the issuers of securities), and securityholders.^[985] In response to this commenter, we have supplemented below the analysis of the benefits and costs of extending the scope of Regulation S-P to transfer agents.^[986]

The final amendments extend the scope of the safeguards rule to cover any transfer agent registered with the Commission or another appropriate regulatory agency. As discussed above,^[987] the safeguards rule requires covered institutions to develop written policies and procedures, including a response program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. The benefits and costs of the response program, as detailed above,^[988] will also apply to transfer agents. Additionally, because transfer agents may be considered service providers under State law, or may maintain but not own or license customer information data, they are likely to be required by State law to notify the entity that owns or licenses the data (the issuer of the securities), which in turn could be required to notify the affected individuals (the holders of the securities).^[989] Hence, it is possible that the final amendments will result in two notices being sent for the same incident—one by the issuer of the securities, as required by State law, and one by the issuer's transfer agent, as required by the final amendments.

Some commenters stated that a second notification would have negative consequences for customers without providing any benefits.^[990] One commenter stated that the proposed requirements would not provide shareholders with helpful, new information but rather that two different notices, from two different entities, concerning the same breach would likely result in shareholder confusion.^[991] Another commenter added that this second notice could potentially result in confusion, questions, and unnecessary costs to the transfer agent and the issuer.^[992]

We disagree that no helpful, new information will be provided to the affected customers. In the situation where State law requires a notification from the issuer and the final amendments require a notification from the transfer agent as a covered institution, the final amendments will help ensure that the individuals whose information has been breached receive an informative and timely notice, with the benefits over the baseline described above.^[993] Securityholders will benefit by potentially receiving additional and more timely information on a given breach.^[994] In addition, in response to Start Printed Page 47770 commenters' concerns, we have modified the final amendments such that, for the cases where multiple notifying entities are covered institutions, only one notice needs to be sent to satisfy the amendments' requirements.^[995] Furthermore, some States allow for the entity that is the victim of a breach, but does not own or license the data, to notify individuals directly.^[996] Hence, we expect that in some instances, the notice required by the final amendments will satisfy the State law requirements and only one notice will be sent. In these instances, additional costs related to the second notice will be avoided. For the instances where two notices will nevertheless be sent, we acknowledge that a second notification will impose costs on the transfer agent or its customer the issuer. As discussed below, we estimate that certain costs associated with the preparation and distribution of notices will be, on average, $5,178 per year per covered institution.^[997] We understand it is possible that, in some cases, customers may be confused when receiving a notice from an entity they do not recognize and may read the notification as a phishing attempt or another nefarious scheme. However, we do not expect that a second notice will impose significant costs on the affected customers, and we expect that this confusion will be mitigated by the content of the notice. As discussed in section IV.D.1.b(5), the notice is required to include a description of the incident in general terms. We expect that this description will help explain the situation in the case where customers do not have a direct relationship with the transfer agent sending the notice and, therefore, that it will reduce potential customer confusion from duplicative notification, as discussed above.^[998]

Before this adoption, transfer agents that are registered with the Commission were not required to notify customers directly in case of a breach under Federal law.^[999] As discussed above, we also expect that, under State law, transfer agents are likely to be considered service providers (or entities that use or maintain but do not own or license data) and as such are typically only required to notify the issuer of securities in case of breach.^[1000] Hence, we expect that to satisfy the amendments' requirements, these transfer agents might need to design and implement a response program and notification procedures, which will require some resources.^[1001] As discussed below, we estimate that certain costs associated with developing and implementing policies and procedures, which include the response program and notification procedures, to comply with the final amendments will be, on average, $17,950 per year per transfer agent.^[1002] In addition, as for other types of covered institutions, if transfer agents respond to this requirement by improving their customer information safeguards beyond what is required by the final amendments, they will incur additional costs.^[1003] We expect that the different costs resulting from the written policies and procedures requirement will be passed on to the transfer agents' customers (the issuers of securities) and ultimately to the holders of these securities.

Transfer agents that are registered with an appropriate regulatory agency other than the Commission may already be required to notify affected individuals in case of a breach under the Banking Agencies' Incident Response Guidance.^[1004] As discussed above, although the notification requirement under the final amendments is largely aligned with the Banking Agencies' Incident Response Guidance, there are some differences.^[1005] Hence, for these institutions, we expect that the costs of the requirements will primarily be to review and, if needed, update their notification procedures to ensure consistency with the amendments, though there may be some costs associated with updating procedures to achieve consistency with the final amendments.^[1006] As discussed below, we estimate that certain costs associated with developing and implementing policies and procedures to comply with the final amendments will be, on average, $17,950 per year per transfer agent.^[1007]

One commenter supported the proposed inclusion of transfer agents in the safeguards rule, stating that it would eliminate the asymmetry between the transfer agents registered with the Commission and those registered with another regulatory agency and that it would promote investor protection, regulatory parity, and fair competition among firms.^[1008] We agree with this commenter. Another commenter stated that expanding the regulation's scope to include transfer agents was long overdue.^[1009]

Other commenters opposed the proposed inclusion.^[1010] One commenter Start Printed Page 47771 stated that requiring transfer agents to notify customers directly would create undue costs for transfer agents, that the proposed amendments included a potential for conflicting regulations where there are overlapping State and Federal regulations, and that this would lead to unnecessary expenses as transfer agents attempt to develop policies and procedures capable of addressing these potentially conflicting regulations.^[1011] This commenter suggested that the Commission either preempt State law or prepare and produce a cost-benefit analysis identifying the specific ways in which the amendments would be an improvement over existing regulations.^[1012] Another commenter—a transfer agent—stated that it already had policies and procedures to notify issuers of securities in accordance with State law and that notifying the securityholders directly could violate some of its existing contracts with issuers.^[1013]

In response to commenters and as discussed above,^[1014] we have modified the final amendments to minimize the likelihood of multiple notices being sent for the same incident, which will decrease compliance costs.^[1015] The final amendments do not necessarily require covered institutions to notify affected customers directly in case of breach, but instead provide that a covered institution must ensure that the required notice is sent.^[1016] Hence, if a transfer agent has a contract with an issuer that prevents it from notifying securityholders directly, the transfer agent will be able to, under the final amendments, enter into an agreement with the issuer so that the issuer sends the notice on its behalf.^[1017] In consideration of the commenter's request for an analysis that considers the incremental effects of the rule over existing regulations, we have (i) conducted supplemental analyses of the baseline regarding State law requirements,^[1018] and (ii) supplemented the analysis of the benefits and costs of the final amendments over this baseline, highlighting the different areas where the final amendments will improve over existing regulations.^[1019]

The final amendments to the safeguards rule also require transfer agents to develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information.^[1020] In general, transfer agents with written policies and procedures to safeguard customer information would be at reduced risk of experiencing such safeguard failures.^[1021] Because some State laws require written policies and procedures to protect customer information,^[1022] and because transfer agents, by the nature of their business models, are likely to hold information about individuals residing in a large number of States, we expect that most transfer agents already have policies and procedures in place.^[1023] In addition, transfer agents registered with a regulatory agency other than the Commission may also be subject to the Banking Agencies' Safeguards Guidance or other Federal regulation.^[1024] Hence, we expect the costs of this requirement to be limited and to consist mostly of reviewing and updating existing policies and procedures to ensure consistency with the safeguards rule.^[1025] As discussed below, we estimate that certain costs associated with developing and implementing policies and procedures to comply with the final amendments will be, on average, $17,950 per year per transfer agent.^[1026]

The final amendments extend the disposal rule to transfer agents registered with a regulatory agency other than the Commission.^[1027] The amendments require these transfer agents to properly dispose of customer information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.^[1028] Because these transfer agents are subject to regulatory requirements and to State laws which require proper disposal of customer information,^[1029] we expect that they are likely to already have procedures in place for the disposal of customer information. Therefore, to the extent that transfer agents already have in place procedures that are consistent with these provisions of the final amendments, the benefits and costs relating to this requirement will be reduced for these institutions and for the customers whose information is covered by this requirement. Hence, we expect the costs of this requirement to be limited and to consist mostly of reviewing and updating existing policies and procedures to ensure consistency with the safeguards rule.^[1030] As discussed below, we estimate that certain costs associated with developing and implementing policies and procedures to comply with the final amendments will be, on average, $17,950 per year per transfer agent.^[1031]

3. Recordkeeping

The recordkeeping provisions of the final amendments require covered institutions (other than funding portals) to make and maintain written records documenting compliance with the requirements of the safeguards rule and of the disposal rule.^[1032] Each covered institution (other than funding portals) is required to make and maintain written records documenting its compliance with, among other things: its written policies and procedures required under the final amendments, including those relating to its service providers and its consumer information and customer information disposal practices; its assessments of the nature and scope of any incidents involving unauthorized access to or use of customer information; any notifications of such incidents received from service providers; steps taken to contain and control such incidents; and, where applicable, any investigations into the facts and circumstances of an incident involving sensitive customer information, and the basis for determining that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.^[1033]

These recordkeeping requirements will help facilitate the Commission's inspection and enforcement capabilities. Covered institutions may react to this enhanced ability of the Commission staff to detect deficiencies and impose sanctions against non-compliance due to the recordkeeping requirements by taking more care to comply with the substance of the amendments, which may result in material improvement in the response capabilities of covered institutions and mitigate potential harm resulting from the lack of an adequate response program. As such, the amendments' recordkeeping requirements might benefit customers through channels described in section IV.D.1.

One commenter supported the proposed recordkeeping requirements.^[1034] Another commenter requested a clarification of the proposed requirements, suggesting that the text in the final amendments include more detail.^[1035] In response to this commenter, we have provided a more detailed description of the requirements in the rule text of the final amendments.^[1036] We expect that this change will mitigate compliance costs for covered institutions.

We do not expect the final recordkeeping requirements to impose substantial compliance costs. As covered institutions are currently subject to similar recordkeeping requirements applicable to other required policies and procedures, we do not anticipate that covered institutions will need to invest in new recordkeeping staff, systems, or procedures to satisfy the new recordkeeping requirements.^[1037] The incremental administrative costs arising from maintaining additional records related to these provisions using existing systems are covered in the Paperwork Reduction Act analysis in section V and are estimated to be $420 per year per covered institution other than funding portals, and $630 per year per funding portal.^[1038]

4. Exception From Annual Notice Delivery Requirement

The final amendments incorporate into the regulation an existing statutory exception to the requirement that a broker-dealer, investment company, or registered investment adviser deliver an annual privacy notice to its customers.^[1039] An institution may rely on the exception to forgo notice if it has not changed its policies and practices with regard to disclosing nonpublic personal information from those it most recently provided to the customer via privacy notice.^[1040] The effect of the exception is to eliminate the requirement to send the same privacy policy notice to customers on multiple occasions. As such notices would provide no new information, receiving multiple copies of such notices is unlikely to provide any significant benefit to customers. Moreover, we expect that widespread reliance on the proposed exception is more likely to benefit customers, by providing clearer signals of when privacy policies have changed.^[1041] At the same time, reliance on the exception will reduce costs for covered institutions. However, we expect these cost savings to be limited to the administrative burdens discussed in section V.^[1042] We received one comment supporting the proposed exception.^[1043] We did not receive any comments suggesting alternatives to the proposed exception or suggesting that we not proceed with it.

Because the exception became effective when the statute was enacted, the aforementioned benefits are likely to have already been realized. Consequently, we do not expect that its inclusion will have any economic effects relative to the current status quo.

E. Effects on Efficiency, Competition, and Capital Formation

As discussed above, market imperfections might lead to underinvestment in customer information safeguards, and to information asymmetry about incidents resulting in unauthorized access to or use of customer information.^[1044] This information asymmetry might prevent customers whose sensitive information was compromised from taking timely mitigating actions. The final amendments aim to mitigate the inefficiency resulting from these imperfections by imposing mandates for policies and procedures. Specifically, the amendments require covered institutions to include a response program for incidents involving unauthorized access to or use of customer information. This response program must address assessment and containment of such incidents, and might thereby reduce potential underinvestment in these areas, improving customer information safeguards as a result.^[1045] In addition, by requiring notification to customers about certain safeguard failures, the amendments could reduce the aforementioned information asymmetry and help customers choose a covered Start Printed Page 47773 institution that meets their needs or preferences. The notification requirement, by imposing reputational costs on institutions whose safeguards of customer information fail, might also provide covered institutions with greater incentives to improve their safeguards, contributing to lowering the probability of a breach even further.

While the amendments have the potential to mitigate these inefficiencies, the scale of the overall effect is difficult to estimate. Due to the presence of existing regulations, including State notification laws, and existing security practices,^[1046] these inefficiencies are likely to be of limited magnitude. However, to the extent that they remain, the amendments might contribute to reduce them.^[1047] Insofar as the proposed amendments alter covered institutions' practices, the improvement—in terms of the effectiveness of covered institutions' response to incidents, customers' ability to respond to breaches of their sensitive customer information, and in reduced information asymmetry about covered institutions' efforts to safeguard this information—is impracticable to quantify due to data limitations discussed previously.^[1048]

The final provisions will not have first order effects on channels typically associated with capital formation ( e.g., taxation policy, financial innovation, capital controls, investor disclosure, market integrity, intellectual property, rule-of-law, and diversification). Thus, the final amendments are unlikely to lead to significant effects on capital formation.^[1049]

Because the amendments are likely to impose proportionately larger direct and indirect costs on smaller and more geographically limited covered institutions, these institutions' competitiveness vis-à-vis their larger peers might be affected. Such covered institutions—which may be less likely to have written policies and procedures for incident response programs already in place—will face disproportionately higher costs resulting from the proposed amendments.^[1050] Thus, the amendments might have negative effects on competition, to the extent these higher costs represent a barrier to entry or limit smaller institutions' viability as a competitive alternative to larger institutions. However, given the considerable competitive challenges arising from economies of scale and scope already faced by smaller firms, we do not anticipate that the costs associated with this adoption will significantly alter these challenges and therefore expect the incremental effects of these amendments on competition to be limited.

On the other hand, the amendments may have positive competitive effects also. Because safeguarding customer information, including through cybersecurity, is disproportionately more expensive for smaller institutions,^[1051] customers today may already suspect that smaller institutions have more severe under-investments in cybersecurity than larger institutions and may therefore avoid smaller institutions. If disproportionately large costs faced by smaller institutions cause existing and potential customers to suspect that these institutions are more likely to avoid such costs, the existing information asymmetry may be greater for these institutions. Smaller institutions may be unable to overcome these suspicions on their own absent regulatory policy, and so asymmetries of information may represent a barrier to entry for smaller institutions. In this case, if the amendments result in customers having better information on the covered institutions' efforts towards protecting customer information, there will be a positive effect on competition. Hence, the overall effect on smaller and more geographically limited covered institutions' competitiveness remains difficult to predict.

With respect to funding portals, the situation could be different. As discussed above, the final amendments are likely to impose proportionately larger costs on smaller covered institutions,^[1052] including smaller funding portals. At the margin, it is possible that the final amendments will result in a smaller number of funding portals, which could result in a smaller number of crowdfunding intermediaries available to potential issuers. Crowdfunding intermediaries facilitate capital raising by smaller issuers relying upon Regulation Crowdfunding to offer or sell securities. To the extent that the final amendments result in a decrease in the availability of funding portals or in an increase in the costs of utilizing crowdfunding intermediaries for issuers or investors, they may have incremental negative effects on capital formation associated with issuers relying on such intermediaries. However, we expect the incremental negative effect on competition that could result from this to be mitigated by the already significant degree of concentration among crowdfunding intermediaries observed today.^[1053] We further expect these effects to be mitigated to the extent that issuers may be able to switch to using other intermediaries for their Regulation Crowdfunding offerings, such as larger funding portals. Lastly, the amendments may have a positive effect on capital formation in offerings under Regulation Crowdfunding to the extent that the additional procedural requirements in the final amendments increase protection of customer information and thereby attract additional potential investors. Hence, the overall effect remains difficult to predict.

Two commenters raised concerns about barriers to entry disproportionately affecting smaller covered institutions. One commenter stated that smaller advisers had been significantly affected by “one-size-fits-all” regulations that effectively require substantial fixed investments in infrastructure, personnel, technology, and operations, adding that they were concerned that these stressors and barriers would negatively affect smaller advisers' ability to continue to serve their clients.^[1054] Another commenter stated that we had done “little analysis” about the impact of recent proposals on small broker-dealers, competition within the brokerage industry, and whether the proposals could contribute to barriers for new entrants into the markets.^[1055] We acknowledge these Start Printed Page 47774 commenters' concerns about smaller covered institutions and, as discussed above, understand that smaller covered institutions might be disproportionately affected by the final amendments.^[1056] In response to these concerns, we have changed the final amendments from the proposal. We expect that some of these changes may mitigate costs and may reduce, but not eliminate, the degree to which the final amendments act as a barrier to entry.^[1057] We have also responded to commenters' concerns by adopting longer compliance periods for all covered institutions relative to the proposal and an even longer compliance period for smaller covered institutions.^[1058] The final amendments provide 24 months for smaller covered institutions to comply with the final amendments after the date of publication in the Federal Register , compared to 18 months for larger covered institutions.^[1059] Since smaller covered institutions are those most likely to exit the market in response to high compliance costs, this longer compliance period will mitigate the negative effect of the final amendments on competition, for example by giving smaller covered institutions opportunities to learn about compliance with the final requirements from larger covered institutions' earlier compliance.^[1060]

With respect to competition among transfer agents, the situation could be different. Because transfer agents registered with a regulatory agency other than the Commission may already have been required to notify customers in case of breach,^[1061] whereas the transfer agents registered with the Commission may, before this adoption, have only been required, by State law, to notify the security issuer, the latter group may face disproportionately high compliance costs compared to the former group since they might have to design and implement new policies and procedures, including the required incident response program and notification procedures.^[1062] This might affect their competitiveness vis-à-vis the transfer agents registered with a regulatory agency other than the Commission.^[1063] Because transfer agents registered with the Commission may already have procedures in place to notify individuals affected by a data breach,^[1064] the magnitude of this effect is difficult to estimate.

One commenter supported the proposed extension of the scope of the safeguard and disposal rules to all transfer agents and stated that it would promote fair competition among these firms by reducing asymmetry in the requirements with which different types of transfer agents must comply.^[1065] We agree with this commenter that including all transfer agents in the scope of both the safeguards rule and the disposal rule will contribute to enhanced competition in the market for transfer agents.^[1066]

With respect to efficiency and competition among covered institutions' service providers, the overall effects of the final amendments are difficult to predict. The final amendments require covered institutions to ensure that their service providers protect against unauthorized access to or use of customer information and notify the covered institution in case of a breach. The final amendments also require covered institutions to oversee their service providers to ensure that these measures are enforced.^[1067] As discussed above,^[1068] we expect that most service providers will continue their relationships with covered institutions, but some service providers might not. We expect that four possible scenarios may happen:

Scenario 1: The service provider already has the processes and procedures in place to satisfy the covered institution's obligations under the final amendments and is willing to cooperate with the oversight activities of the covered institution.
Scenario 2: The service provider does not have the necessary processes and procedures in place but is willing to adapt them to satisfy the covered institution's obligations under the final amendments and to cooperate with the oversight activities of the covered institution.
Scenario 3: The service provider does not have the necessary processes and procedures in place and is not willing to adapt to satisfy the covered institution's obligation under the final amendments.^[1069]

Scenario 4: The service provider already has the processes and procedures in place to satisfy the covered institution's obligations under the final amendments but is not willing to cooperate with the oversight activities of the covered institution.

Under scenarios 1 and 2, the relationship between the covered institution and its service provider is maintained. Hence, we do not expect significant effects on efficiency and competition in these cases.^[1070] On the other hand, scenarios 3 and 4 imply that the covered institution will have to either switch to a new service provider or perform the former service provider's functions in-house. If the covered institution is unable to find a new service provider that is equivalent in its ability to provide the services, this is likely to result in a second-best outcome for the covered institution and therefore to result in a loss of efficiency.^[1071] Start Printed Page 47775 Scenario 4 could also lead to covered institutions being forced to switch away from large, established service providers and instead to rely on smaller, less established providers that may be less capable of addressing the vulnerabilities within its control. This situation could result in a reduced ability to protect customer information.

Commenters identified service providers exiting the market as a significant potential cost of the proposed requirements.^[1072] We expect that the changes that we have made to the final amendments, including the change from a written contract requirement to a requirement to oversee service providers and the change to an extended notification deadline of 72 hours, will reduce the likelihood of scenario 4 by giving covered institutions more flexibility in how they choose to satisfy the service provider requirements of the final amendments.^[1073] This will reduce the likelihood of this potential negative outcome. However, such an outcome is still possible and to the extent that it occurs, it will represent a cost of the final amendments.

Because scenarios 3 and 4 result in service providers exiting the market, they also have effects on competition. While scenario 3 would result in an overall decrease in the number of service providers available to covered institutions, it would not necessarily reduce competition among service providers who are able and willing to satisfy covered institutions' requirements. In fact, the final amendments will prevent service providers that are not willing to satisfy the minimum requirements from operating in that market and from potentially undercutting service providers who do satisfy the requirements. This will improve the competitiveness of the service providers who are able and willing to satisfy the requirements. The situation is different for scenario 4, which would result in a decrease in the number of service providers with adequate customer information safeguards and notification procedures. This would result in a decrease in competition, and this is a potential cost of the regulation.

One commenter stated that the proposed amendments could lead to service providers not agreeing with the new requirements, adding that it could result in covered institutions relying on a small group of service providers in the industry.^[1074] This commenter also stated that some service providers may choose not to enter into agreements with covered institutions as a result of the proposed amendments.^[1075] We acknowledge that this is a risk of the final amendments. However, we expect that the modifications that we have made to the service provider provisions of the final amendments will reduce the costs to service providers of satisfying covered institutions' requirements,^[1076] and might therefore reduce the likelihood of this potential negative outcome.

Because of the reasons described above,^[1077] we are unable to estimate the likelihood of the different scenarios and, therefore, we are unable to quantify the efficiency and competition effects of the service provider provisions of the final amendments.

Some commenters requested that the Commission consider interactions between the effects of the proposed rule and other recent Commission rules, as well as practical realities such as implementation timelines.^[1078] As discussed above, the Commission acknowledges that overlapping compliance periods may in some cases increase costs, particularly for smaller entities with more limited compliance resources.^[1079] This effect can negatively impact competition because these entities may be less able to absorb or pass on these additional costs, making it difficult for them to remain in business or compete. We acknowledge that to the extent overlap occurs, there could be costs that could affect competition. However, we do not expect these costs to be significant, for two reasons. First, the final amendments mitigate overall costs relative to the proposal,^[1080] including by adopting longer compliance periods for all covered institutions, and an even longer compliance period for smaller covered institutions because they may have more limited compliance resources. The final amendments also reduce costs for both larger and smaller entities, relative to the proposal, notably by removing the proposed requirement to have a written contract with service providers. Thus, any higher costs or potential negative effects on competition due to overlapping compliance periods raised in the context of the proposal may be mitigated under the final amendments. Second, as explained in section IV.D, many of the rules commenters named affect limited sets of covered institutions, and the compliance dates are generally spread out over a more than three-year period, including several that precede the compliance dates of the final amendments. These factors will limit the incidence of covered institutions affected by overlapping compliance dates.

Additionally, we anticipate that neither the recordkeeping provisions nor the exception from annual privacy notice delivery requirements will have a notable impact on efficiency, competition, or capital formation due to their limited economic effects.^[1081] As discussed elsewhere, we do not expect the recordkeeping requirements to impose material compliance costs, and we therefore expect the economic effects of the exception to be limited. And, as the economic effects of the recordkeeping provisions are limited, any overlapping compliance dates involving recordkeeping will likewise have limited effect on competition.

F. Reasonable Alternatives Considered

In formulating the final amendments, we have considered various reasonable alternatives. These alternatives are discussed below.

1. Reasonable Assurances From Service Providers

Rather than requiring the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to Start Printed Page 47776 require oversight, including through due diligence and monitoring, of service providers to ensure service providers take appropriate measures to protect against unauthorized access to or use of customer information and provide notification to the covered institution if a breach of security occurs,^[1082] the Commission considered requiring covered institutions to obtain “reasonable assurances” from service providers instead. One commenter supported this alternative for some service providers.^[1083] This alternative requirement would be a lower threshold than the final provisions requiring the establishment, maintenance, and enforcement of written policies and procedures designed to require oversight, and as such would be less costly to reach but also less protective for customers.

Under this alternative we would have used the final amendments' definition of “service provider,” which is “any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.” ^[1084] Thus, similar to the final amendments, this alternative could affect a broad range of service providers including, potentially: email providers, customer relationship management systems, cloud applications, and other technology vendors. Depending on the States where they operate, these service providers may already be subject to State laws applicable to businesses that “maintain” computerized data containing private information.^[1085] Additionally, it is likely that any service provider that offers a service involving the maintenance of customer information to U.S. financial firms generally, or to any specific financial firm with a national presence, has processes in place to ensure compliance with these State laws.

For those service providers that provide specialized services aimed at covered institutions, this alternative would, like the final amendments, create market pressure to enhance service offerings so as to provide the requisite assurances and facilitate covered institutions' compliance with the requirements.^[1086] These service providers might have little choice other than to adapt their services to provide the required assurances, which would result in additional costs for the service providers related to adapting business processes to accommodate the requirements. In general, we expect these costs would be limited in scale in the same ways the costs of the final amendments are limited in scale: specialized service providers are adapted to operating in a highly regulated industry and are likely to have policies and procedures in place to facilitate compliance with State data breach laws. And, as with the final amendments, we generally anticipate that such costs would largely be passed on to covered institutions and ultimately their customers. As compared to the final amendments' requirements, we expect that “reasonable assurances” would in many cases require fewer changes to business processes and, accordingly, lower costs.^[1087] However, this alternative—without more—could also be less protective than the final amendments.

With respect to service providers providing services aimed at a broad range of institutions ( e.g., email, or customer-relationship management), the situation could be different. For these providers, covered institutions are likely to represent a small fraction of their customer base. As under the final service provider provisions, these service providers may again be unwilling to adapt their business processes to the regulatory requirements of a small subset of their customers under this alternative.^[1088] Some may be unwilling to make the assurances needed, although we anticipate that they would be generally more willing to make assurances than to participate in the covered institutions' oversight activities.^[1089] If the covered institution could not obtain the reasonable assurances required under this alternative, the covered institution would need to switch service providers and bear the associated switching costs, while the service providers would suffer loss of customers. Although the costs of obtaining reasonable assurances would likely be lower than under the final service provider provisions, and the need to switch providers less frequent, these costs could nonetheless be particularly acute for smaller covered institutions who lack bargaining power with some service providers. And, as outlined above, this alternative would be less protective than the final amendments' requirements.

2. Lower Threshold for Customer Notice

The Commission considered lowering the threshold for customer notice, such as one based on the “possible misuse” of sensitive customer information (rather than the adopted threshold requiring notice when sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization), or even requiring notification of any breach without exception. One commenter suggested that the final amendments require notification when the unauthorized access to or use of sensitive customer information was “reasonably possible” instead of “reasonably likely.” ^[1090] A lower threshold would increase the number of notices customers receive. Although more frequent notices could potentially reveal incidents that warrant customers' attention and thereby potentially increase the benefits accruing to customers from the notice requirement discussed in section IV.D.1.b, they would also increase the number of false alarms. Such false alarms could be problematic if they reduce customers' ability to discern which notices require action.

Although a lower threshold could impose some additional compliance costs on covered institutions (due to additional notices being sent), we would not anticipate the additional direct compliance costs to be significant.^[1091] Of more economic significance to covered institutions would be the resulting reputational effects.^[1092] However, the direction of these effects is difficult to predict. On the one hand, increased notices resulting from a lower threshold can be expected to lead to additional reputational costs for firms Start Printed Page 47777 required to issue more of such notices. On the other hand, lower thresholds could result in customers receiving a large number of notices. In this case, notices could become no longer notable, likely leading to the negative reputation effects associated with such notices being reduced.

3. Encryption Safe Harbor

The Commission considered including a safe harbor to the notification requirement for breaches in which only encrypted information was compromised. Several commenters supported an encryption safe harbor.^[1093] An encryption safe harbor would also align with many existing State laws.^[1094] Assuming that such an alternative safe harbor would be sufficiently circumscribed to prevent its application to insecure encryption algorithms, or to secure algorithms used in a manner as to render them insecure, the economic effects of its inclusion would be largely indistinguishable from the final amendments. This is because under the final amendments, notification is triggered by the “reasonable likelihood” that sensitive customer information was accessed or used without authorization.^[1095] Given the computational complexity involved in deciphering information encrypted using modern encryption algorithms and secure procedures,^[1096] the compromise of such encrypted information would generally not give rise to “a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” ^[1097] It would thus not constitute “sensitive customer information,” meaning that the threshold for providing notice would not be met. In addition, when determining that the compromised sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience, a covered institution may consider encryption as a factor.^[1098] Hence, in some cases, an explicit encryption safe harbor would be superfluous. In certain other cases, however, an explicit encryption safe harbor may not be as protective as the final amendments' Federal minimum standard for determining whether the compromise of customer information could create “a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.” ^[1099] It may also become outdated as technologies and security practices evolve. Thus, while an explicit (and appropriately circumscribed) safe harbor could provide some procedural efficiencies from streamlined application, it could also be misapplied.

4. Longer Customer Notification Deadlines

The Commission considered incorporating longer customer notification deadlines, such as 60 or 90 days instead of the adopted 30 days, as well as providing no fixed customer notification deadline. Several commenters suggested longer customer notification deadlines.^[1100] Although longer notification deadlines would provide more time for covered institutions to rebut the presumption of notification discussed in section II.A.3.a, we expect that longer investigations would, in general, correlate with more serious or complicated incidents and would therefore be unlikely to end in a determination that sensitive customer information has not been and is not reasonably likely to be used in a manner that would result in substantial harm or inconvenience. We therefore do not expect that longer notification deadlines would ultimately lead to significantly fewer required notifications. Compliance costs conditional on notices being required ( i.e., the actual furnishing of notices to customers) would be largely unchanged under alternative notice deadlines. That said, costs related to incident assessment would likely be somewhat lower due to the reduced urgency of determining the scope of an incident and a reduced likelihood that notifications would need to be made before an incident has been contained.^[1101] Arguably, longer notification deadlines may increase reputational costs borne by covered institutions that choose to take advantage of the longer deadlines. Overall, however, we do not expect that longer notification deadlines would lead to costs for covered institutions that differ significantly from the costs of the adopted 30-day outside timeframe.

Providing for longer notifications deadlines would likely reduce the promptness with which some covered institutions issue notifications to customers, potentially reducing their customers' ability to take effective mitigating actions. In particular, as discussed in section IV.D.1.b(2), some breaches are discovered very quickly. For customers whose sensitive customer information is compromised in such breaches, a longer notification deadline could significantly reduce the timeliness—and value—of the notice.^[1102] On the other hand, where a public announcement could hinder containment efforts, a longer notification timeframe could yield benefits to the broader public (and/or to the affected investors).^[1103]

5. Broader National Security and Public Safety Delay in Customer Notification

The Commission considered providing for a broader delay to the 30-day notification outside timeframe by extending its applicability to cases where any appropriate law enforcement agency requests the delay.^[1104] This alternative delay would more closely align with the delays adopted by other regulators, such as the Banking Start Printed Page 47778 Agencies,^[1105] and by many States.^[1106] Several commenters suggested broader delays.^[1107] On the other hand, another commenter stated that the Commission should not allow for any law enforcement delay.^[1108]

The principal function of a law enforcement delay is to allow a law enforcement or national security agency to prevent cybercriminals from becoming aware of their detection. Observing a cyberattack that is in progress can allow investigators to take actions that can assist in revealing the attacker's location, identity, or methods.^[1109] Notifying affected customers has the potential to alert attackers that their intrusion has been detected, hindering these efforts.^[1110] Thus, a broader delay could generally be expected to enhance law enforcement's efficacy in cybercrime investigations, which would potentially benefit affected customers through damage mitigation and benefit the general public through improved deterrence and increased recoveries, and by enhancing law enforcement's knowledge of attackers' methods. It would also potentially reduce compliance costs for covered institutions by aligning more closely with the existing regulations discussed above.^[1111]

That said, use of the delay provisions would necessarily result in customers affected by a cyberattack being notified later, reducing the value to customers of such notices.^[1112] Incidents where law enforcement would like to delay customer notifications are likely to involve numerous customers, who—without timely notice—may be unable to take timely mitigating actions that could prevent additional harm.^[1113] Law enforcement investigations can also take time to resolve and, even when successful, their benefits to affected customers ( e.g., recovery of criminals' ill-gotten gains) may be limited.

Information about cybercrime investigations is often confidential. The Commission does not have data on the prevalence of covert cybercrime investigations, their success or lack of success, their deterrent effect if any, or the impact of customer notification on investigations.^[1114] No commenter suggested such data. Thus, we are unable to quantify the costs and benefits of this alternative.^[1115]

V. Paperwork Reduction Act

A. Introduction

Certain provisions of the final amendments contain “collection of information” requirements within the meaning of the Paperwork Reduction Act of 1995 (“PRA”).^[1116] We are submitting the final collection of information to the Office of Management and Budget (“OMB”) for review in accordance with the PRA.^[1117] The safeguards rule and the disposal rule we are amending will have an effect on the currently approved existing collection of information under OMB Control No. 3235-0610, the title of which is, “Rule 248.30, Procedures to safeguard customer records and information; disposal of consumer report information.” ^[1118] An agency may not conduct or sponsor, and a person is not required to respond to, a collection of information unless it displays a currently valid OMB control number. The amended requirement to adopt policies and procedures constitutes a collection of information requirement under the PRA. The collection of information associated with the final amendments will be mandatory, and responses provided to the Commission in the context of its examination and oversight program concerning the final amendments will be kept confidential subject to the provisions of applicable law. A description of the final amendments, including the need for the information and its use, as well as a description of the types of respondents, can be found in section II above, and a discussion of the expected economic effects of the final amendments can be found in section III above. The Commission published notice soliciting comments on the collection of information requirements in the Proposing Release and submitted the proposed collections of information to OMB for review in accordance with 44 U.S.C. 3507(d) and 5 CFR 1320.11.

The Commission did not receive any comments that specifically addressed the estimated PRA analysis in the Proposing Release but did receive comments regarding the costs and burdens of the proposed rules generally. Those comments are discussed in more detail in section IV above. In particular, several commentators raised concerns regarding the costs associated with negotiating and renegotiating written contracts with service providers.^[1119] One commenter did support the proposed written contract provision due to its very narrow scope.^[1120] In response to commenters' concerns about the costs of negotiating contracts, we have replaced the proposed requirement for a covered institution to have a written contract with a service provider with a requirement to implement written policies and procedures to oversee, monitor, and conduct due diligence on the service provider. In a modification from the proposal, rather than requiring written policies and procedures requiring the covered institution to Start Printed Page 47779 enter into a written contract with its service providers to take certain appropriate measures, the policies and procedures required by the final amendments must be reasonably designed to ensure service providers take appropriate measures to: (A) protect against unauthorized access to or use of customer information; and (B) provide notification to the covered institution regarding an incident affecting customer information in the timeframes and circumstances discussed above. The modifications to the proposal are designed to address many of commenters' concerns regarding the costs associated with the service provider provisions of the proposed amendments. We have not reduced the Proposing Release's PRA estimates, however, because the final amendments still require policies and procedures regarding service providers that we estimate will involve PRA burdens consistent with those we estimated for the proposed requirement. As discussed above, some commenters urged for more time to investigate incidents, suggesting that failing to do so would result in an increase in the amount of notices being provided.^[1121] We are increasing the estimates associated with the final rule with regards to the preparation and distribution of notices because these comments seem to suggest a view that the proposed estimates related to these burdens were too low. We have also adjusted the proposal's estimated annual burden hours and total time costs to reflect updated wage rates.

B. Amendments to the Safeguards Rule and Disposal Rule

As discussed above, the final amendments to the safeguards rule will require covered institutions to develop, implement, and maintain written policies and procedures that include incident response programs reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. The response program must include procedures to assess the nature and scope of any incident involving unauthorized access to or use of customer information; take appropriate steps to contain and control the incident; and provide notice to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization (unless the covered institution makes certain determinations as specified in the final amendments).

The final amendments to the disposal rule will require covered institutions that maintain or otherwise possess customer information, or consumer information to adopt and implement written policies and procedures that address proper disposal of such information, which will include taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

Finally, the final amendments will require covered institutions other than funding portals to make and maintain written records documenting compliance with the requirements of the safeguards rule and the disposal rule. Under the final amendments, the time periods for preserving records will vary by covered institution to be consistent with existing recordkeeping rules.^[1122]

Based on FOCUS Filing, Form BD Filing, and Form BD-N data, as of the third quarter of 2023, there were 3,476 brokers or dealers, other than notice-registered brokers or dealers or funding portals. Based on Investment Adviser Registration Depository data, as of Oct. 5, 2023, there were 15,565 investment advisers registered with the Commission. As of Sept. 30, 2023, there were 13,766 investment companies.^[1123] Based on Form TA-1, as of Sept. 30, 2023, there were 251 transfer agents registered with the Commission and 64 transfer agents registered with the Banking Agencies. Based on staff analysis and publicly available filings, as of Dec. 31, 2023, there were 92 funding portals.

Table 5 below summarizes our PRA initial and ongoing annual burden estimates associated with the final amendments to the safeguards rule and the disposal rule.

Table 5—Amendments to Safeguards Rule and Disposal Rule—PRA
	Internal initial burden hours	Internal annual burden hours ¹	Wage rate ²	Internal time cost	Annual external cost burden
PROPOSED ESTIMATES
Adopting and implementing policies and procedures	60 hours	25 hours ³	$455 (blended rate for compliance attorney and assistant general counsel)	$11,375 (equal to the internal annual burden × the wage rate)	$2,655.⁴
Preparation and distribution of notices	9 hours	8 hours ⁵	$300 (blended rate for senior compliance examiner and compliance manager)	$2,400 (equal to the internal annual burden × the wage rate)	$2,018.⁶
Recordkeeping	1 hour	1 hour	$381 (blended rate for compliance attorney and senior programmer)	$381	$0.
Total new annual burden per covered institution		34 hours (equal to the sum of the above three boxes)		$14,156 (equal to the sum of the above three boxes)	$4,673 (equal to the sum of the above two boxes).
Number of covered institutions		× 32,897 covered institutions ⁷		× 32,897 covered institutions	16,449.⁸
Total new annual aggregate burden		1,118,498 hours		$465,689,932	$76,866,177.
Start Printed Page 47780
FINAL ESTIMATES
Broker-dealers other than notice registered broker-dealers, investment advisers registered with the Commission and investment companies
Adopting and implementing policies and procedures	60 hours	25 hours ³	$501 (blended rate for compliance attorney and assistant general counsel)	$12,525 (equal to the internal annual burden × the wage rate)	$2,920.⁹
Preparation and distribution of notices	12 hours	9 hours ⁵	$329 (blended rate for senior compliance examiner and compliance manager)	$2,961 (equal to the internal annual burden × the wage rate)	$2,217.¹⁰
Recordkeeping	1 hour	1 hour	$420 (blended rate for compliance attorney and senior programmer)	$420	$0.
Total new annual burden per applicable covered institution		35 hours (equal to the sum of the above three boxes)		$15,906 (equal to the sum of the above three boxes)	$5,137 (equal to the sum of the above two boxes).
Number of applicable covered institutions		× 32,807 covered institutions ¹¹		× 32,807 covered institutions	16,404.⁸
New annual applicable covered institutions aggregate burden		1,148,245 hours		$521,828,142	$84,267,348.
Transfer Agents
Adopting and implementing policies and procedures	75 hours	30 hours ¹²	$501 (blended rate for compliance attorney and assistant general counsel)	$15,030 (equal to the internal annual burden × the wage rate)	$2,920.⁹
Preparation and distribution of notices	12 hours	9 hours ⁵	$329 (blended rate for senior compliance examiner and compliance manager)	$2,961 (equal to the internal annual burden × the wage rate)	$2,217.¹⁰
Recordkeeping	1 hour	1 hour	$420 (blended rate for compliance attorney and senior programmer)	$420	$0.
Total new annual burden per transfer agent		40 hours (equal to the sum of the above three boxes)		$18,411 (equal to the sum of the above three boxes)	$5,137 (equal to the sum of the above two boxes).
Number of transfer agents		× 315 ¹³		× 315	158.⁸
New annual transfer agent aggregate burden		12,600		$5,799,465	$811,646.
Funding Portals
Adopting and implementing policies and procedures	60 hours	25 hours ³	$501 (blended rate for compliance attorney and assistant general counsel)	$12,525 (equal to the internal annual burden × the wage rate)	$2,920.⁹
Preparation and distribution of notices	12 hours	9 hours ⁵	$329 (blended rate for senior compliance examiner and compliance manager)	$2,961 (equal to the internal annual burden × the wage rate)	$2,217.¹⁰
Recordkeeping	1.5 hours ¹⁴	1.5 hours	$420 (blended rate for compliance attorney and senior programmer)	$630	$0.
Total new annual burden per funding portal		35.5 hours (equal to the sum of the above three boxes)		$16,116 (equal to the sum of the above three boxes)	$5,137 (equal to the sum of the above two boxes).
Number of funding portals		× 92		× 92	46.⁸
New annual funding portal aggregate burden		3,266		$1,482,672	$236,302.
Total Estimated Burdens of the Final Amendments
Total new annual aggregate burden		1,164,111 hours		$529,110,279	$85,315,296.
TOTAL ESTIMATED BURDENS INCLUDING AMENDMENTS
Current aggregate annual burden estimates		+65,760 hours			+$0.
Revised aggregate annual burden estimates		1,229,871 hours		$529,110,279	$85,315,296.
Notes:
¹ Includes initial burden estimates annualized over a 3-year period.
² The Commission's estimates of the relevant wage rates are based on the SIFMA Wage Report. The estimated figures are modified by firm size, employee benefits, overhead, and adjusted to account for the effects of inflation.
³ Includes initial burden estimates annualized over a three-year period, plus 5 hours of ongoing annual burden hours. The estimate of 25 hours is based on the following calculation: ((60 initial hours/3) + 5 hours of additional ongoing burden hours) = 25 hours. Start Printed Page 47781
⁴ This estimated burden is based on the estimated wage rate of $531/hour, for 5 hours, for outside legal services. The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, takes into account staff experience, a variety of sources including general information websites, and adjustments for inflation.
⁵ Includes initial burden estimate annualized over a three-year period, plus 5 hours of ongoing annual burden hours. The estimate of 9 hours is based on the following calculation: ((12 initial hours/3 years) + 5 hours of additional ongoing burden hours) = 9 hours.
⁶ This estimated burden is based on the estimated wage rate of $531/hour, for 3 hours, for outside legal services and $85/hour, for 5 hours, for a senior general clerk.
⁷ Total number of covered institutions is calculated as follows: 3,401 broker-dealers other than notice registered broker-dealers + 15,129 investment advisers registered with the Commission + 13,965 investment companies + 335 transfer agents registered with the Commission + 67 transfer agents registered with the Banking Agencies = 32,897 covered institutions.
⁸ We estimate that 50% of covered institutions will use outside legal services for these collections of information. This estimate takes into account that covered institutions may elect to use outside legal services (along with in-house counsel), based on factors such as budget and the covered institution's standard practices for using outside legal services, as well as personnel availability and expertise.
⁹ This estimated burden is based on the estimated wage rate of $584/hour, for 5 hours, for outside legal services. The Commission's estimates of the relevant wage rates for external time costs, such as outside legal services, takes into account staff experience, a variety of sources including general information websites, and adjustments for inflation.
¹⁰ This estimated burden is based on the estimated wage rate of $584/hour, for 3 hours, for outside legal services and $93/hour, for 5 hours, for a senior general clerk.
¹¹ Total number of applicable covered institutions is calculated as follows: 3,476 broker-dealers other than notice-registered broker-dealers or funding portals + 15,565 investment advisers registered with the Commission + 13,766 investment companies = 32,807 covered institutions. The burdens for funding portals and transfer agents are calculated separately.
¹² Includes initial burden estimates annualized over a three-year period, plus 5 hours of ongoing annual burden hours. The estimate of 30 hours is based on the following calculation: ((75 initial hours/3) + 5 hours of additional ongoing burden hours) = 30 hours.
¹³ The number of transfer agents includes 251 transfer agents registered with the Commission + 64 transfer agents registered with the Banking Agencies = 315 transfer agents.
¹⁴ Funding portals are not subject to the recordkeeping obligations for brokers found under Rule 17a-4. Instead, they are obligated, pursuant to Rule 404 of Regulation Crowdfunding, to make and preserve all records required to demonstrate their compliance with, among other things, Regulation S-P. While the final amendments do not modify funding portals' recordkeeping requirements to include the same enumerated list of obligations as those applied to brokers under the amendments to Rule 17a-4, funding portals generally should look to make and preserve the same scope of records in connection with demonstrating their compliance with this portion of Regulation S-P. Further, Rule 404 requires funding portals to preserve these records for a longer period of time than brokers are required to preserve records under Rule 17a-4. Due to this longer required period for records preservation, the estimated burden for funding portals is higher than for brokers.

VI. Final Regulatory Flexibility Act Analysis

The Regulatory Flexibility Act (“RFA”) requires the Commission, in promulgating rules under Section 553 of the Administrative Procedure Act,^[1124] to consider the impact of those rules on small entities. We have prepared this Final Regulatory Flexibility Analysis (“FRFA”) in accordance with Section 604 of the RFA.^[1125] An Initial Regulatory Flexibility Analysis (“IRFA”) was prepared in accordance with the RFA and was included in the Proposing Release.^[1126]

A. Need for, and Objectives of, the Final Amendments

The purpose of the final amendments is to limit potential harmful impacts to customers by enhancing and modernizing the protection of customer information. Among other things, the amendments update the rule's requirements to address the expanded use of technology and corresponding risks.

The need for, and objectives of, the final amendments are described in Sections I and II above. We discuss the economic impact and potential alternatives to the amendments in Section IV, and the estimated compliance costs and burdens of the amendments under the PRA in Section V.

B. Significant Issues Raised by Public Comments

In the Proposing Release, the Commission requested comment on any aspect of the IRFA, and particularly on the number of small entities that would be affected by the proposed amendments, the existence or nature of the potential impact of the proposed amendments on small entities discussed in the analysis, how the proposed amendments could further lower the burden on small entities, and how to quantify the impact of the proposed amendments.

One commenter urged the Commission to conduct a more holistic cost-benefit analysis, and in particular consider the disproportionate costs on smaller advisers.^[1127] The commenter noted that smaller advisers have been significantly burdened by one-size-fits-all regulations—both in isolation and cumulatively—that effectively require substantial fixed investments in infrastructure, personnel, technology, and operations.^[1128] Another commenter stated that the Commission did little analysis about the impact of these proposals on small broker-dealers, competition within the brokerage industry, and whether they could contribute to barriers for new entrants into the markets.^[1129] We discuss the cost-benefit analysis and challenges small entities may face above.^[1130]

Additionally, multiple commenters discussed the burden small entities would face. For instance, several commenters stated that an increased compliance cost for implementing new systems, training employees, and conducting audits, may disproportionately affect smaller firms, inhibiting their ability to compete and grow.^[1131] Multiple commenters asserted small covered institutions, who may not have the negotiating power or leverage to demand specific contract provisions from large third-party service providers, would potentially be harmed by the written contract requirement for service providers.^[1132] Another commenter noted the outsized impact small broker-dealers face.^[1133] However, another commenter noted while small firms may be impacted by increased costs, this should not come at the expense of customer protection, and stated that driving competition towards better protections will ultimately benefit customers and promote a healthier market.^[1134]

Commenters proposed multiple alternatives to lower the burden on small entities. One commenter urged the Commission to provide a longer time to transition for smaller advisers.^[1135] Additionally, the commenter stated that it has frequently called on the Commission to take steps to tailor its rules to minimize impacts the proposed amendments would have on smaller advisers, for example through preserving a flexible, risk- and principles-based approach, excluding or exempting smaller advisers from specific requirements where the burdens on those advisers outweigh the benefits, and tiering and staggering Start Printed Page 47782 compliance timetables.^[1136] Likewise, another commenter proposed a longer implementation period for smaller broker-dealers and investments advisers to allow these firms to benefit from implementation for larger industry participants.^[1137]

We expect the benefits and the costs of the final amendments to vary across covered institutions.^[1138] For example, because smaller covered institutions are less likely to have an existing incident response program than larger covered institutions, some small entities may be more likely to face greater costs but also expect greater benefits complying with the final amendments, because they must adopt and implement new procedures. Creating new programs will likely cost more, but the new programs would result in improved efficacy in notifying customers and improve the manner incidents are handled. Smaller entities may have less negotiating power than larger entities, so requiring contracts with service providers could potentially be more detrimental to them than other entities. Additionally, smaller covered institutions are less likely to have a national presence, so small entities whose customers are concentrated in States with less informative customer notification laws are likely to face higher costs to comply with the final amendments. These costs and benefits may have an effect on competition for smaller entities.^[1139]

We have revised the final amendments in several ways to mitigate potential compliance costs that small entities may face, as raised by commenters. As previously discussed, the changes made to the service provider provisions of the amendments requiring that the covered institution's policies and procedures are reasonably designed to oversee, monitor, and conduct due diligence on service providers instead of requiring written contracts between covered institutions and their service providers, and requiring that the covered institution's policies and procedures be reasonably designed to ensure service providers take appropriate measures to notify covered institutions of an applicable breach in security within 72 hours instead of 48 hours) may reduce some costs relative to the proposal and facilitate their implementation, especially for smaller covered institutions.^[1140] For example, it could potentially reduce compliance costs by reducing the number of notices being sent ( e.g., if the covered institution is able to determine that a notice is not needed or if it is able to determine with more precision which individuals must be notified).^[1141] Additionally, we are now adopting a longer compliance period of 24 months for smaller covered institutions, who are less likely to already have policies and procedures broadly consistent with the final amendments.

Moreover, the final amendments still maintain that the incident response program must include policies and procedures containing certain general elements but will not prescribe specific steps a covered institution must undertake when carrying out incident response activities, thereby enabling covered institutions to create policies and procedures best suited to their particular circumstances, including size. This design balances the necessity of maintaining general elements to achieve the investor protection objectives the amendments are designed to achieve, while still providing covered institutions the ability to tailor policies to their individual needs. We will not exempt small entities from any specific requirements, because entities of all sizes are vulnerable to the types of data security breach incidents we are trying to address, and therefore, no entity should be exempted from requirements, regardless of size.^[1142]

Additionally, one commenter argued that the Commission does not accurately analyze the impact of its regulations on small advisers as required under the RFA because according to the commenter, virtually no SEC-registered advisers fall under the “asset-based” definition of small adviser adopted by the Commission.^[1143] However, the commenter believes that the vast majority of advisers are small businesses.^[1144] The commenter stated that the Commission adopted Rule 0-7 under the Advisers Act defining “small business” or “small organization” for purposes of treatment as a “small entity” under the RFA as including an investment adviser that has less than $25 million in assets under management, but with few exceptions, advisers are not permitted to register with the Commission unless they have at least $100 million in assets under management.^[1145] The commenter argued that this makes any analysis the Commission does regarding the impact on smaller advisers virtually meaningless.^[1146] As discussed below, we estimate that approximately 872 broker-dealers,^[1147] 132 transfer agents, 81 investment companies, and 579 registered investment advisers may be considered small entities under the Regulatory Flexibility Act.^[1148] The Commission takes seriously the potential impact of any new rule on these advisers who meet this definition and on other smaller advisers that do not meet the definition of small entity under the Regulatory Flexibility Act, as considered and discussed throughout this release.

C. Small Entities Subject to Final Amendments

The final amendments to Regulation S-P will affect brokers, dealers, registered investment advisers, investment companies, and transfer agents, including entities that are considered to be a small business or small organization (collectively, “small entity”) for purposes of the RFA. For purposes of the RFA, under the Exchange Act a broker or dealer is a small entity if it: (i) had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year; and (ii) is not affiliated with any person that is not a small entity.^[1149] A transfer agent is a small entity if it: (i) received less than 500 items for transfer and less than 500 items for processing during the preceding six months; (ii) transferred items only of issuers that are small entities; (iii) maintained master shareholder files that in the aggregate contained less than 1,000 shareholder accounts or was the named transfer agent for less than 1,000 shareholder accounts at all times during the preceding fiscal year; and (iv) is not affiliated with any person that is not a small entity.^[1150] Under the Investment Company Act, investment companies are considered small entities if they, together with other funds in the same Start Printed Page 47783 group of related funds, have net assets of $50 million or less as of the end of its most recent fiscal year.^[1151] Under the Investment Advisers Act, a small entity is an investment adviser that: (i) manages less than $25 million in assets; (ii) has total assets of less than $5 million on the last day of its most recent fiscal year; and (iii) does not control, is not controlled by, and is not under common control with another investment adviser that manages $25 million or more in assets, or any person that has had total assets of $5 million or more on the last day of the most recent fiscal year.^[1152]

Based on Commission filings, we estimate that approximately 872 broker-dealers,^[1153] 132 transfer agents,^[1154] 81 investment companies,^[1155] and 579 registered investment advisers ^[1156] may be considered small entities.

D. Projected Reporting, Recordkeeping, and Other Compliance Requirements

The final amendments to Regulation S-P will require covered institutions to develop incident response programs for unauthorized access to or use of customer information, as well as imposing a customer notification obligation in instances where sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The final amendments also would include new mandatory recordkeeping requirements and language conforming Regulation S-P's annual privacy notice delivery provisions to the terms of a statutory exception.

Under the final amendments, covered institutions would have to develop, implement, and maintain, within their written policies and procedures designed to comply with Regulation S-P, a program that is reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. Such policies and procedures will also need to require that covered institutions oversee, monitor, and conduct due diligence on service providers and ensure that service providers take appropriate measures to notify covered institutions of an applicable breach in security within 72 hours. Upon receipt of such notification, the covered institution must initiate its incident response program. As part of its incident response program, a covered institution may also enter into a written agreement with its service provider to have the service provider notify affected individuals on its behalf. However, the covered institution's obligation to ensure that affected individuals are notified in accordance with paragraph (a)(4) of the final amendments rests with the covered institution.

In addition, covered institutions will be required to make and maintain specified written records designed to evidence compliance with these requirements.^[1157] Such records will be required to be maintained starting from when the record was made, or from when the covered institution terminated the use of the written policy or procedure, for the time periods stated in the amended recordkeeping regulations for each type of covered institution.

Some covered institutions, including covered institutions that are small entities, will incur increased costs involved in reviewing and revising their current safeguarding policies and procedures to comply with these obligations, including their cybersecurity policies and procedures. Initially, this will require covered institutions to develop as part of their written policies and procedures under the safeguards rule, a program reasonably designed to detect, respond to, and recover from any unauthorized access to or use of customer information, including customer notification procedures, in a manner that provides clarity for firm personnel. Further, in developing these policies and procedures, covered institutions will need to include policies and procedures requiring the covered institution to ensure its service providers take appropriate measures to protect against unauthorized access to or use of customer information, and notify the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider, and upon receipt of such notification, the covered institution must initiate its response program. However, as the Commission recognizes the number and varying characteristics ( e.g., size, business, and sophistication) of covered institutions, these final amendments would help covered institutions to tailor these policies and procedures and related incident response program based on the individual facts and circumstances of the firm, and provide flexibility in addressing the general elements of the response program requirements based on the size and complexity of the covered institution and the nature and scope of its activities.

In addition, the Commission acknowledges that the final amendments will impose greater costs on those transfer agents that are registered with another appropriate regulatory agency, if they are not currently subject to Regulation S-P, as well as those transfer agents registered with the Commission who are not currently subject to the safeguards rule. Such costs will include the development and implementation of necessary policies and procedures, the ongoing costs of required recordkeeping and maintenance requirements, and, where necessary, the costs to comply with the customer notification requirements of the final amendments. Such costs will also include the same minimal costs for employee training or establishing clear procedures for consumer report information disposal that are imposed on all covered institutions. To the extent that such costs are being applied to a transfer agent for the first time as a result of new obligations being imposed, the final amendments would incur higher present costs on those transfer agents than those covered institutions that are already subject to the safeguards rule and the disposal rule.

To comply with these amendments on an ongoing basis, covered institutions will need to respond appropriately to incidents that entail the unauthorized access to or use of customer information. This will entail carrying out the established response program procedures to (i) assess the nature and scope of any incident involving unauthorized access to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization; (ii) take appropriate steps to contain and control the incident to prevent further unauthorized access to Start Printed Page 47784 or use of customer information; and (iii) notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization, unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

Where the covered institution determines notice is required, the covered institution will need to provide a clear and conspicuous notice, or ensure that such notice is provided, to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. This notice must be provided as soon as reasonably practicable, but not later than 30 days, after the covered institution becomes aware that unauthorized access to or use of sensitive customer information has, or is reasonably likely to have, occurred, absent an applicable request from the Attorney General. This notice will need to be transmitted by a means designed to ensure that each affected individual can reasonably be expected to receive actual notice in writing. Further, the covered institution will need to satisfy the specified content requirements of that notice,^[1158] the preparation of which will incur some incremental additional costs on covered institutions.

Finally, covered institutions will also face costs in complying with the new recordkeeping requirements imposed by these amendments that are incrementally more than those costs covered institutions already incur from their existing regulatory recordkeeping obligations, in light of their already existing record retention systems. However, the record maintenance provisions align with those most frequently employed as to each covered institution subject to this rulemaking, partially in an effort to minimize these costs to firms.

Overall, incremental costs will be associated with the final amendments to Regulation S-P.^[1159] Some proportion of large or small institutions would be likely to experience some increase in costs to comply with the amendments.

More specifically, we estimate that many covered institutions will incur one-time costs related to reviewing and revising their current safeguarding policies and procedures to comply with these obligations, including their cybersecurity policies and procedures. Additionally, some covered institutions, including transfer agents, may incur costs associated with establishing such policies and procedures as these amendments require if those covered institutions do not already have such policies and procedures. We also estimate that the ongoing, long-term costs associated with the final amendments could include costs of responding appropriately to incidents that entail the unauthorized access to or use of customer information.

E. Agency Action To Minimize Effect on Small Entities

The RFA directs us to consider alternatives that would accomplish our stated objectives, while minimizing any significant adverse impact on small entities. Accordingly, we considered the following alternatives:

1. Establishing different compliance or reporting standards that take into account the resources available to small entities;

2. The clarification, consolidation, or simplification of the reporting and compliance requirements under the rule for small entities;

3. Use of performance rather than design standards; and

4. Exempting small entities from coverage of the rule, or any part of the rule.

With regard to the first alternative, the final amendments to Regulation S-P that will continue to permit institutions substantial flexibility to design safeguarding policies and procedures appropriate for their size and complexity, the nature and scope of their activities, and the sensitivity of the personal information at issue. However, it is necessary to require that covered institutions, regardless of their size, adopt a response program for incidents of unauthorized access to or use of customer information, which will include customer notification procedures.^[1160] The amendments to Regulation S-P arise from our concern with the increasing number of information security breaches that have come to light in recent years, particularly those involving institutions regulated by the Commission. Establishing different compliance or reporting requirements for small entities could lead to less favorable protections for these entities' customers and compromise the effectiveness of the amendments. However, we are providing smaller covered institutions a longer compliance period to establish and implement processes to comply with the final amendments.

With regard to the second alternative, the final amendments will, by their operation, simplify reporting and compliance requirements for small entities. Small covered institutions are likely to maintain personal information on fewer individuals than large covered institutions, and they are likely to have relatively simple personal information systems. The amendments will not prescribe specific steps a covered institution must take in response to a data breach, but instead would give the institution flexibility to tailor its policies and procedures to its individual facts and circumstances. The amendments therefore are intended to give covered institutions the flexibility to address the general elements in the response program based on the size and complexity of the institution and the nature and scope of its activities. Accordingly, the requirements of the amendments already will be simplified for small entities. In addition, the requirements of the amendments could Start Printed Page 47785 not be further simplified, or clarified or consolidated, without compromising the investor protection objectives the amendments are designed to achieve.

With regard to the third alternative, the final amendments are design based. Rather than specifying the types of policies and procedures that an institution would be required to include in its response program, the amendments will require a response program that is reasonably designed to detect, respond to, and recover from both unauthorized access to and unauthorized use of customer information. With respect to the specific requirements regarding notifications in the event of a data breach, institutions provide only the information that seems most relevant for an affected customer to know in order to assess adequately the potential damage that could result from the breach and to develop an appropriate response.

Finally, with regard to alternative four, an exemption for small entities would not be appropriate. Small entities are as vulnerable as large ones to the types of data security breach incidents we are trying to address. In this regard, the specific elements the final amendments must be considered and incorporated into the policies and procedures of all covered institutions, regardless of their size, to mitigate the potential for fraud or other substantial harm or inconvenience to investors. Exempting small entities from coverage of the amendments or any part of the amendments could compromise the effectiveness of the amendments and harm investors by lowering standards for safeguarding investor information maintained by small covered institutions. Excluding small entities from requirements that would be applicable to larger covered institutions also could create competitive disparities between large and small entities, for example by undermining investor confidence in the security of information maintained by small covered institutions.

Statutory Authority

The Commission is amending Regulation S-P pursuant to authority set forth in sections 17, 17A, 23, and 36 of the Exchange Act [15 U.S.C. 78q, 78q-1, 78w, and 78mm], sections 31 and 38 of the Investment Company Act [15 U.S.C. 80a-30 and 80a-37], sections 204, 204A, and 211 of the Investment Advisers Act [15 U.S.C. 80b-4, 80b-4a, and 80b-11], section 628(a) of the FCRA [15 U.S.C. 1681w(a)], and sections 501, 504, 505, and 525 of the GLBA [15 U.S.C. 6801, 6804, 6805, and 6825].

List of Subjects

17 CFR Part 240

Reporting and recordkeeping requirements; Securities

17 CFR Part 248

Brokers
Consumer protection
Dealers
Investment advisers
Investment companies
Privacy
Reporting and recordkeeping requirements
Securities
Transfer agents

17 CFR Parts 270 and 275

Reporting and recordkeeping requirements; Securities

Text of Rule Amendments

For the reasons set out in the preamble, title 17, chapter II of the Code of Federal Regulations is amended as follows:

PART 240—GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 1934

1. The authority citation for part 240 and the sectional authorities for §§ 240.17a-14 and 240.17Ad-7 are revised to read, as follows:

Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c-3, 78c-5, 78d, 78e, 78f, 78g, 78i, 78j, 78j-1, 78j-4, 78k, 78k-1, 78 l, 78m, 78n, 78n-1, 78 o, 78 o -4, 78 o -10, 78p, 78q, 78q-1, 78s, 78u-5, 78w, 78x, 78dd, 78 ll, 78mm, 80a-20, 80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, 1681w(a)(1), 6801-6809, 6825, 7201 et seq., and 8302; 7 U.S.C. 2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350; Pub. L. 111-203, 939A, 124 Stat. 1376 (2010); and Pub. L. 112-106, sec. 503 and 602, 126 Stat. 326 (2012), unless otherwise noted.

Section 240.17a-14 is also issued under Public Law 111-203, sec. 913, 124 Stat. 1376 (2010).

Section 240.17ad-7 is also issued under 15 U.S.C. 78b, 78q, and 78q-1.

2. Amend § 240.17a-4 by adding a reserved paragraph (e)(13) and adding paragraph (e)(14) to read as follows:

§ 240.17a-4

Records to be preserved by certain exchange members, brokers and dealers.

(e) * * *

(13) [Reserved]

(14)(i) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(a)(1) of this chapter until three years after the termination of the use of the policies and procedures;

(ii) The written documentation of any detected unauthorized access to or use of customer information, as well as any response to, and recovery from such unauthorized access to or use of customer information required by § 248.30(a)(3) of this chapter for three years from the date when the records were made;

(iii) The written documentation of any investigation and determination made regarding whether notification is required pursuant to § 248.30(a)(4) of this chapter, including the basis for any determination made, any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination, for three years from the date when the records were made;

(iv) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(a)(5)(i) of this chapter until three years after the termination of the use of the policies and procedures;

(v) The written documentation of any contract or agreement entered into pursuant to § 248.30(a)(5) of this chapter until three years after the termination of such contract or agreement; and

(vi) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(b)(2) of this chapter until three years after the termination of the use of the policies and procedures;

§ 240.17Ad-7

[Redesignated as § 240.17ad-7].

3. Redesignate § 240.17Ad-7 as § 240.17ad-7.

4. Amend newly redesignated § 240.17ad-7 by:

a. Revising the section heading;

b. Adding a reserved paragraph (j); and

c. Adding paragraph (k).

The revision and additions read as follows:

§ 240.17ad-7

(Rule 17Ad-7) Record retention.

(j) [Reserved]

(k) Every registered transfer agent shall maintain in an easily accessible place:

(1) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(a)(1) of this chapter for no less than three years after the termination of the use of the policies and procedures;

(2) The written documentation of any detected unauthorized access to or use of customer information, as well as any Start Printed Page 47786 response to, and recovery from such unauthorized access to or use of customer information required by § 248.30(a)(3) of this chapter for no less than three years from the date when the records were made;

(3) The written documentation of any investigation and determination made regarding whether notification is required pursuant to § 248.30(a)(4) of this chapter, including the basis for any determination made, any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination, for no less than three years from the date when the records were made;

(4) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(a)(5)(i) of this chapter until three years after the termination of the use of the policies and procedures;

(5) The written documentation of any contract or agreement entered into pursuant to § 248.30(a)(5) of this chapter until three years after the termination of such contract or agreement; and

(6) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(b)(2) of this chapter for no less than three years after the termination of the use of the policies and procedures.

PART 248—REGULATIONS S-P, S-AM, and S-ID

5. The authority citation for part 248 continues to read as follows:

Authority: 15 U.S.C. 78q, 78q-1, 78 o -4, 78 o -5, 78w, 78mm, 80a-30, 80a-37, 80b-4, 80b-11, 1681m(e), 1681s(b), 1681s-3 and note, 1681w(a)(1), 6801-6809, and 6825; Pub. L. 111-203, secs. 1088(a)(8), (a)(10), and sec. 1088(b), 124 Stat. 1376 (2010).

6. Amend § 248.5 by revising paragraph (a)(1) and adding paragraph (e) to read as follows:

§ 248.5

Annual privacy notice to customers required.

(a)(1) General rule. Except as provided by paragraph (e) of this section, you must provide a clear and conspicuous notice to customers that accurately reflects your privacy policies and practices not less than annually during the continuation of the customer relationship. Annually means at least once in any period of 12 consecutive months during which that relationship exists. You may define the 12-consecutive-month period, but you must apply it to the customer on a consistent basis.

(e) Exception to annual privacy notice requirement —(1) When exception available. You are not required to deliver an annual privacy notice if you:

(i) Provide nonpublic personal information to nonaffiliated third parties only in accordance with § 248.13, § 248.14, or § 248.15; and

(ii) Have not changed your policies and practices with regard to disclosing nonpublic personal information from the policies and practices that were disclosed to the customer under § 248.6(a)(2) through (5) and (9) in the most recent privacy notice provided pursuant to this part.

(2) Delivery of annual privacy notice after financial institution no longer meets the requirements for exception. If you have been excepted from delivering an annual privacy notice pursuant to paragraph (e)(1) of this section and change your policies or practices in such a way that you no longer meet the requirements for that exception, you must comply with paragraph (e)(2)(i) or (ii) of this section, as applicable.

(i) Changes preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 248.8 requires you to provide a revised privacy notice, you must provide an annual privacy notice in accordance with the timing requirement in paragraph (a) of this section, treating the revised privacy notice as an initial privacy notice.

(ii) Changes not preceded by a revised privacy notice. If you no longer meet the requirements of paragraph (e)(1) of this section because you change your policies or practices in such a way that § 248.8 does not require you to provide a revised privacy notice, you must provide an annual privacy notice within 100 days of the change in your policies or practices that causes you to no longer meet the requirement of paragraph (e)(1) of this section.

(iii) Examples. (A) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section effective April 1 of year 1. Assuming you define the 12-consecutive-month period pursuant to paragraph (a) of this section as a calendar year, if you were required to provide a revised privacy notice under § 248.8 and you provided that notice on March 1 of year 1, you must provide an annual privacy notice by December 31 of year 2. If you were not required to provide a revised privacy notice under § 248.8, you must provide an annual privacy notice by July 9 of year 1.

(B) You change your policies and practices in such a way that you no longer meet the requirements of paragraph (e)(1) of this section, and so provide an annual notice to your customers. After providing the annual notice to your customers, you once again meet the requirements of paragraph (e)(1) of this section for an exception to the annual notice requirement. You do not need to provide additional annual notice to your customers until such time as you no longer meet the requirements of paragraph (e)(1) of this section.

§ 248.17

[Amended]

7. Amend § 248.17 in paragraph (b) by removing the words “Federal Trade Commission” and adding in their place “Consumer Financial Protection Bureau” and removing the words “Federal Trade Commission's” and adding in their place “Consumer Financial Protection Bureau's”.

8. Revise § 248.30 to read as follows:

§ 248.30

Procedures to safeguard customer information, including response programs for unauthorized access to customer information and customer notice; disposal of customer information and consumer information.

(a) Policies and procedures to safeguard customer information —(1) General requirements. Every covered institution must develop, implement, and maintain written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer information.

(2) Objectives. These written policies and procedures must be reasonably designed to:

(i) Ensure the security and confidentiality of customer information;

(ii) Protect against any anticipated threats or hazards to the security or integrity of customer information; and

(iii) Protect against unauthorized access to or use of customer information that could result in substantial harm or inconvenience to any customer.

(3) Response programs for unauthorized access to or use of customer information. Written policies and procedures in paragraph (a)(1) of this section must include a program reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information, including customer notification procedures. This response program must include procedures for the covered institution to:

(i) Assess the nature and scope of any incident involving unauthorized access Start Printed Page 47787 to or use of customer information and identify the customer information systems and types of customer information that may have been accessed or used without authorization;

(ii) Take appropriate steps to contain and control the incident to prevent further unauthorized access to or use of customer information; and

(iii) Notify each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization in accordance with paragraph (a)(4) of this section unless the covered institution determines, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information, that the sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience.

(4) Notifying affected individuals of unauthorized access or use —(i) Notification obligation. Unless a covered institution has determined, after a reasonable investigation of the facts and circumstances of the incident of unauthorized access to or use of sensitive customer information that occurred at the covered institution or one of its service providers that is not itself a covered institution, that sensitive customer information has not been, and is not reasonably likely to be, used in a manner that would result in substantial harm or inconvenience, the covered institution must provide a clear and conspicuous notice, or ensure that such notice is provided, to each affected individual whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The notice must be transmitted by a means designed to ensure that each affected individual can reasonably be expected to receive actual notice in writing.

(ii) Affected individuals. If an incident of unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred, but the covered institution is unable to identify which specific individuals' sensitive customer information has been accessed or used without authorization, the covered institution must provide notice to all individuals whose sensitive customer information resides in the customer information system that was, or was reasonably likely to have been, accessed or used without authorization. Notwithstanding the foregoing, if the covered institution reasonably determines that a specific individual's sensitive customer information that resides in the customer information system was not accessed or used without authorization, the covered institution is not required to provide notice to that individual under this paragraph.

(iii) Timing. A covered institution must provide the notice as soon as practicable, but not later than 30 days, after becoming aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred unless the United States Attorney General determines that the notice required under this rule poses a substantial risk to national security or public safety, and notifies the Commission of such determination in writing, in which case the covered institution may delay providing such notice for a time period specified by the Attorney General, up to 30 days following the date when such notice was otherwise required to be provided. The notice may be delayed for an additional period of up to 30 days if the Attorney General determines that the notice continues to pose a substantial risk to national security or public safety and notifies the Commission of such determination in writing. In extraordinary circumstances, notice required under this section may be delayed for a final additional period of up to 60 days if the Attorney General determines that such notice continues to pose a substantial risk to national security and notifies the Commission of such determination in writing. Beyond the final 60-day delay under this paragraph (a)(4)(iii), if the Attorney General indicates that further delay is necessary, the Commission will consider additional requests for delay and may grant such delay through Commission exemptive order or other action.

(iv) Notice contents. The notice must:

(A) Describe in general terms the incident and the type of sensitive customer information that was or is reasonably believed to have been accessed or used without authorization;

(B) Include, if the information is reasonably possible to determine at the time the notice is provided, any of the following: the date of the incident, the estimated date of the incident, or the date range within which the incident occurred;

(C) Include contact information sufficient to permit an affected individual to contact the covered institution to inquire about the incident, including the following: a telephone number (which should be a toll-free number if available), an email address or equivalent method or means, a postal address, and the name of a specific office to contact for further information and assistance;

(D) If the individual has an account with the covered institution, recommend that the customer review account statements and immediately report any suspicious activity to the covered institution;

(E) Explain what a fraud alert is and how an individual may place a fraud alert in the individual's credit reports to put the individual's creditors on notice that the individual may be a victim of fraud, including identity theft;

(F) Recommend that the individual periodically obtain credit reports from each nationwide credit reporting company and that the individual have information relating to fraudulent transactions deleted;

(G) Explain how the individual may obtain a credit report free of charge; and

(H) Include information about the availability of online guidance from the Federal Trade Commission and usa.gov regarding steps an individual can take to protect against identity theft, a statement encouraging the individual to report any incidents of identity theft to the Federal Trade Commission, and include the Federal Trade Commission's website address where individuals may obtain government information about identity theft and report suspected incidents of identity theft.

(5) Service providers. (i) A covered institution's response program prepared in accordance with paragraph (a)(3) of this section must include the establishment, maintenance, and enforcement of written policies and procedures reasonably designed to require oversight, including through due diligence and monitoring, of service providers, including to ensure that the covered institution notifies affected individuals as set forth in paragraph (a)(4) of this section. The policies and procedures must be reasonably designed to ensure service providers take appropriate measures to:

(A) Protect against unauthorized access to or use of customer information; and

(B) Provide notification to the covered institution as soon as possible, but no later than 72 hours after becoming aware that a breach in security has occurred resulting in unauthorized access to a customer information system maintained by the service provider. Upon receipt of such notification, the covered institution must initiate its incident response program adopted pursuant to paragraph (a)(3) of this section.

(ii) As part of its incident response program, a covered institution may enter into a written agreement with its Start Printed Page 47788 service provider to notify affected individuals on the covered institution's behalf in accordance with paragraph (a)(4) of this section.

(iii) Notwithstanding a covered institution's use of a service provider in accordance with paragraphs (a)(5)(i) and (ii) of this section, the obligation to ensure that affected individuals are notified in accordance with paragraph (a)(4) of this section rests with the covered institution.

(b) Disposal of consumer information and customer information —(1) Standard. Every covered institution, other than notice-registered broker-dealers, must properly dispose of consumer information and customer information by taking reasonable measures to protect against unauthorized access to or use of the information in connection with its disposal.

(2) Written policies, procedures, and records. Every covered institution, other than notice-registered broker-dealers, must adopt and implement written policies and procedures that address the proper disposal of consumer information and customer information according to the standard identified in paragraph (b)(1) of this section.

(3) Relation to other laws. Nothing in this paragraph (b) shall be construed:

(i) To require any covered institution to maintain or destroy any record pertaining to an individual that is not imposed under other law; or

(ii) To alter or affect any requirement imposed under any other provision of law to maintain or destroy records.

(c) Recordkeeping. (1) Every covered institution that is an investment company under the Investment Company Act of 1940 (15 U.S.C. 80a), but is not registered under section 8 thereof (15 U.S.C. 80a-8), must make and maintain:

(i) The written policies and procedures required to be adopted and implemented pursuant to paragraph (a)(1) of this section;

(iii) The written documentation of any investigation and determination made regarding whether notification is required pursuant to paragraph (a)(4) of this section, including the basis for any determination made, any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination;

(iv) The written policies and procedures required to be adopted and implemented pursuant to paragraph (a)(5)(i) of this section;

(v) The written documentation of any contract or agreement entered into pursuant to paragraph (a)(5) of this section; and

(vi) The written policies and procedures required to be adopted and implemented pursuant to paragraph (b)(2) of this section.

(2) In the case of covered institutions described in paragraph (c)(1) of this section, such records, apart from any policies and procedures, must be preserved for a time period not less than six years, the first two years in an easily accessible place. In the case of policies and procedures required under paragraphs (a) and (b)(2) of this section, covered institutions described in paragraph (c)(1) of this section must maintain a copy of such policies and procedures in effect, or that at any time within the past six years were in effect, in an easily accessible place.

(d) Definitions. As used in this section, unless the context otherwise requires:

(1) Consumer information means:

(i) Any record about an individual, whether in paper, electronic or other form, that is a consumer report or is derived from a consumer report, or a compilation of such records, that a covered institution maintains or otherwise possesses for a business purpose regardless of whether such information pertains to:

(A) Individuals with whom the covered institution has a customer relationship; or

(B) To the customers of other financial institutions where such information has been provided to the covered institution.

(ii) Consumer information does not include information that does not identify individuals, such as aggregate information or blind data.

(2) Consumer report has the same meaning as in section 603(d) of the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).

(3) Covered institution means any broker or dealer, any investment company, and any investment adviser or transfer agent registered with the Commission or another appropriate regulatory agency (“ARA”) as defined in section 3(a)(34)(B) of the Securities Exchange Act of 1934.

(4) Customer. (i) Customer has the same meaning as in § 248.3(j) unless the covered institution is a transfer agent registered with the Commission or another ARA.

(ii) With respect to a transfer agent registered with the Commission or another ARA, for purposes of this section, customer means any natural person who is a securityholder of an issuer for which the transfer agent acts or has acted as a transfer agent.

(5) Customer information. (i) Customer information for any covered institution other than a transfer agent registered with the Commission or another ARA means any record containing nonpublic personal information as defined in § 248.3(t) about a customer of a financial institution, whether in paper, electronic or other form, that is in the possession of a covered institution or that is handled or maintained by the covered institution or on its behalf regardless of whether such information pertains to:

(A) Individuals with whom the covered institution has a customer relationship; or

(B) To the customers of other financial institutions where such information has been provided to the covered institution.

(ii) With respect to a transfer agent registered with the Commission or another ARA, customer information means any record containing nonpublic personal information as defined in § 248.3(t) identified with any natural person, who is a securityholder of an issuer for which the transfer agent acts or has acted as transfer agent, that is in the possession of a transfer agent or that is handled or maintained by the transfer agent or on its behalf, regardless of whether such information pertains to individuals with whom the transfer agent has a customer relationship, or pertains to the customers of other financial institutions and has been provided to the transfer agent.

(6) Customer information systems means the information resources owned or used by a covered institution, including physical or virtual infrastructure controlled by such information resources, or components thereof, organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of customer information to maintain or support the covered institution's operations.

(7) Disposal means:

(i) The discarding or abandonment of consumer information or customer information; or

(ii) The sale, donation, or transfer of any medium, including computer equipment, on which consumer information or customer information is stored. Start Printed Page 47789

(8) Notice-registered broker-dealer means a broker or dealer registered by notice with the Commission under section 15(b)(11) of the Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)).

(9) Sensitive customer information. (i) Sensitive customer information means any component of customer information alone or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.

(ii) Examples of sensitive customer information include:

(A) Customer information uniquely identified with an individual that has a reasonably likely use as a means of authenticating the individual's identity, including

( 1) A Social Security number, official State- or government-issued driver's license or identification number, alien registration number, government passport number, employer or taxpayer identification number;

( 2) A biometric record;

( 3) A unique electronic identification number, address, or routing code;

( 4) Telecommunication identifying information or access device (as defined in 18 U.S.C. 1029(e)); or

(B) Customer information identifying an individual or the individual's account, including the individual's account number, name or online user name, in combination with authenticating information such as information described in paragraph (d)(9)(ii)(A) of this section, or in combination with similar information that could be used to gain access to the customer's account such as an access code, a credit card expiration date, a partial Social Security number, a security code, a security question and answer identified with the individual or the individual's account, or the individual's date of birth, place of birth, or mother's maiden name.

(10) Service provider means any person or entity that receives, maintains, processes, or otherwise is permitted access to customer information through its provision of services directly to a covered institution.

(11) Transfer agent has the same meaning as in section 3(a)(25) of the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(25)).

PART 270—RULES AND REGULATIONS, INVESTMENT COMPANY ACT OF 1940

9. The authority citation for part 270 is revised to read as follows:

Authority: 15 U.S.C. 80a-1 et seq., 80a-34(d), 80a-37, 80a-39, 1681w(a)(1), 6801-6809, 6825, and Pub. L. 111-203, sec. 939A, 124 Stat. 1376 (2010), unless otherwise noted.

Section 270.31a-2 is also issued under 15 U.S.C. 80a-30.

10. Amend § 270.31a-1 by adding paragraph (b)(13) to read as follows:

§ 270.31a-1

Records to be maintained by registered investment companies, certain majority-owned subsidiaries thereof, and other persons having transactions with registered investment companies.

(b) * * *

(13)(i) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(a)(1);

(iii) The written documentation of any investigation and determination made regarding whether notification is required pursuant to § 248.30(a)(4), including the basis for any determination made, any written documentation from the United States Attorney General related to a delay in notice, as well as a copy of any notice transmitted following such determination;

(iv) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(a)(5)(i);

(v) The written documentation of any contract or agreement entered into pursuant to § 248.30(a)(5); and

(vi) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(b)(2).

11. Amend § 270.31a-2 by:

a. In paragraph (a)(7), removing the period at the end of the paragraph and adding “; and” in its place; and

b. Adding paragraph (a)(8).

The addition reads as follows:

§ 270.31a-2

Records to be preserved by registered investment companies, certain majority-owned subsidiaries thereof, and other persons having transactions with registered investment companies.

(a) * * *

(8) Preserve for a period not less than six years, the first two years in an easily accessible place, the records required by § 270.31a-1(b)(13) apart from any policies and procedures thereunder and, in the case of policies and procedures required under § 270.31a-1(b)(13), preserve a copy of such policies and procedures in effect, or that at any time within the past six years were in effect, in an easily accessible place.

PART 275—RULES AND REGULATIONS, INVESTMENT ADVISERS ACT OF 1940

12. The authority citation for part 275 is revised to read as follows:

Authority: 15 U.S.C. 80b-2(a)(11)(G), 80b-2(a)(11)(H), 80b-2(a)(17), 80b-3, 80b-4, 80b-4a, 80b-6(4), 80b-6a, 80b-11, 1681w(a)(1), 6801-6809, and 6825, unless otherwise noted.

Section 275.204-2 is also issued under 15 U.S.C. 80b-6.

13. Amend § 275.204-2 by adding paragraph (a)(25) to read as follows:

§ 275.204-2

Books and records to be maintained by investment advisers.

(a) * * *

(25)(i) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(a)(1);

(iv) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(a)(5)(i) of this chapter;

(v) The written documentation of any contract or agreement entered into pursuant to § 248.30(a)(5) of this chapter; and

(vi) The written policies and procedures required to be adopted and implemented pursuant to § 248.30(b)(2) of this chapter.

By the Commission.

Dated: May 16, 2024.

Vanessa A. Countryman,

Secretary.

2024-11116. Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Customer Information

AGENCY:

ACTION:

SUMMARY:

DATES:

FOR FURTHER INFORMATION CONTACT:

SUPPLEMENTARY INFORMATION:

Table of Contents

I. Introduction and Background

II. Discussion

A. Incident Response Program Including Customer Notification

1. Assessment

2. Containment and Control

3. Notice to Affected Individuals

a. Standard for Providing Notice and Identification of Affected Individuals

b. Definition of “Sensitive Customer Information”

c. Substantial Harm or Inconvenience

d. Timing Requirements

(1) General Timing Requirements

(2) National Security and Public Safety Delay

e. Notice Contents and Format

4. Service Providers

a. Covered Institutions' Incident Response Program Obligations Regarding Service Providers

b. Deadline for Service Provider Notice to Covered Institutions and Notice Trigger

c. Delegation of Notice and Covered Institutions' Customer Notification Obligations

d. Service Provider Definition

B. Scope of Safeguards Rule and Disposal Rule

1. Scope of Information Protected

Definition of Customer Information

Safeguards Rule and Disposal Rule Coverage of Customer Information

2. Extending the Scope of the Safeguards Rule and the Disposal Rule To Cover All Transfer Agents

Extending to All Transfer Agents, Including Transfer Agents Subject to Existing Federal and State Requirements, and Scope of the Commission's Authority

Definition of a Transfer Agent's Customer

Application of Laws, Requirements, and Contractual Provisions

Impact of Notices From Transfer Agents

3. Maintaining the Current Regulatory Framework for Notice-Registered Broker-Dealers

C. Recordkeeping

D. Exception From Requirement To Deliver Annual Privacy Notice

E. Existing Staff No-Action Letters and Other Staff Statements

F. Compliance Period

III. Other Matters

IV. Economic Analysis

A. Introduction

B. Broad Economic Considerations

C. Baseline

1. Safeguarding Customer Information: Risks and Practices

2. Regulations and Guidelines

a. State Law Customer Notification Requirements

(1) Scope of Requirements

(2) Timing, Content, and Method of Notification

(3) Notification by Service Providers

b. Customer Information Safeguards

c. Annual Notice Delivery Requirement

3. Market Structure

a. Broker-Dealers

b. Funding Portals

c. Investment Advisers

d. Investment Companies

e. Transfer Agents

f. Service Providers

D. Benefits and Costs of the Final Rule Amendments

1. Written Policies and Procedures

a. Response Program

b. Notification Requirements

(1) GLBA Safe Harbors

(2) Accelerated Timing of Customer Notification

(3) Broader Scope of Information Triggering Notification

(4) Notification Trigger

(5) Content and Method of Notice

c. Service Provider Provisions

2. Extending the Scope of the Safeguards Rule and the Disposal Rule

a. Definition of Customer Information

b. Extension To Cover All Transfer Agents

3. Recordkeeping

4. Exception From Annual Notice Delivery Requirement

E. Effects on Efficiency, Competition, and Capital Formation

F. Reasonable Alternatives Considered

1. Reasonable Assurances From Service Providers

2. Lower Threshold for Customer Notice

3. Encryption Safe Harbor