CHALLENGE: Notifying customers about information breaches
New privacy rules require RIAs, BDs, and registered funds to notify affected customers of data breaches.
The SEC has finally adopted enhancements to the rules governing how investment advisers, broker-dealers, and investment companies (and, though this column does not focus on them, transfer agents) must protect customer financial information. Regulation S-P has been in place for over 20 years, but the rule had holes, and the regulator has been warning the industry for years that changes were a-coming. The shoe has dropped, but it may not make that much of a thud.
The headline news is that RIAs, BDs, and mutual funds must notify affected customers of a breach as soon as practicable, and in any event within 30 days of becoming aware that sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization. The only out is a determination, after a reasonable investigation, that the information has not been and is not reasonably likely to be used in a way that causes substantial harm or inconvenience; note that the 30-day clock starts when the firm becomes aware of the incident, not when it finishes investigating. Notice must be delivered by a means reasonably expected to give each affected individual actual written notice (email or paper mail, as appropriate). The Rule spells out the required content, including a description of the incident, the type of information involved and when it was compromised, who at the firm to contact, and what the customer should do to protect against identity theft. This new federal notification requirement supplements, rather than replaces, the already-existing state-by-state notification requirements.
New Regulation S-P also requires covered firms to strengthen oversight of third-party service providers. Written procedures must include due diligence and monitoring reasonably designed to ensure that providers protect customer information and report any breach back to the firm promptly (the Rule sets an outer limit of 72 hours after the provider becomes aware of it). A firm may have a provider deliver the customer notices on its behalf, but the registrant itself owns the notice requirement, and the 30-day deadline, even when it relies on third parties.
Amended Regulation S-P also requires RIAs, BDs, and mutual funds to adopt and implement an incident response program “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.” The program must include procedures to assess the nature and scope of an incident and to take “appropriate steps” to “control the incident to prevent further unauthorized access or use.” The incident response program is new as an explicit element of the Rule (the prior safeguards rule required only policies reasonably designed to protect customer records), but most covered firms have already adopted such a plan to satisfy state law and examiner expectations, so the practical change is modest.
The SEC also upped the recordkeeping requirements, so that firms must document their incident response program and how they handled each incident, presumably so the staff can reconstruct the response after the fact or review it during an exam.
Firms have 18 or 24 months from publication of the amendments in the Federal Register to comply, depending on size, with larger entities on the shorter timeline.
MY TAKE: The federal notification requirement sounds good, but what does it really accomplish? RIAs, BDs, and funds have been sending breach notices to customers for years, as required by many state laws, but it is unclear that they have any impact on customers or firms.
I would argue that most consumers already have alert fatigue. They have received so many customer information notices that they have stopped paying attention, assuming that compromised data is part of the modern world that they are powerless to change. Maybe they’ll check their credit card or bank statements to ensure there is no weird activity.
It is also unclear how the federal notification requirement will change firm behavior. Is the SEC hoping to embarrass firms into enhancing their privacy procedures? Most firms already want to avoid data breaches for many reasons including asset protection, data integrity, and reputation. Will this new notice requirement wake up some subset of firms who have weak data protection and will now be scared into better behavior because of a federal notification requirement?
I totally understand the SEC’s desire to reconcile all the various notice requirements imposed by the states, but they didn’t do that. The new Rule just adds a new federal requirement. It doesn’t legally replace the state rules, thereby requiring firms to comply with yet more requirements. Shouldn’t the states take the lead to protect consumers within their borders?
I don’t think this revised Regulation S-P will fundamentally change how diligently firms will act to protect personal financial information. I don’t think it will change the behavior of customers receiving the notices. However, it does add work for the compliance officers charged with implementing the new rule. It also gives the SEC another rule to use during exams and enforcement cases.
This column reflects my personal opinions on business strategy and tactics. Nothing herein should be construed as legal advice.