Client alert: REGULATORY CHANGES TO THE CONSUMER PERSONAL INFORMATION SAFEGUARD RULES
August 15, 2024
Background of the New Rules
On May 16, 2024, the Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P under the Securities Exchange Act of 1934 (the “Amendments”) to modernize and enhance the rules that govern treatment of consumers’ nonpublic personal information by SEC-registered investment advisers (“RIAs”), broker-dealers (including funding portals), investment companies, and transfer agents (collectively, “Covered Institutions”).
First, the Amendments require a Covered Institution to develop an incident response program that detects, responds to, and recovers from unauthorized access to or use of customer information. If there has been unauthorized access to, or use of, sensitive customer information, a Covered Institution must provide a written notice to all affected individuals within 30 days of the actual or potential data breach.
Second, in addition to the existing written policies and procedures mandated by Regulation S-P, a Covered Institution must make and maintain written policies and procedures for the incident response program pursuant to the Amendments. A Covered Institution must make and maintain the following records in writing and make them available in an easily accessible place: (1) any detected unauthorized access to or use of customer information; (2) any response to and recovery from such unauthorized access to or use of customer information; (3) any investigation and determination made regarding whether notification is required, including the basis for any determination made and any written documentation from the U.S. Attorney General related to a delay in notice; and (4) a copy of any notice transmitted following such determination.
Third, the Amendments expand the scope of “customer” to include both individuals with whom a Covered Institution has a customer relationship and the customers of other financial institutions whose information has been provided to the Covered Institution.
On June 3, 2024, the Amendments were published in the Federal Register.[1] Larger entities[2] must comply with the Amendments within 18 months after the date of publication in the Federal Register. Smaller entities[3] must comply with the Amendments within 24 months after the date of publication.
This alert focuses on three key action items related to the Amendments that a Covered Institution must take from a regulatory standpoint. Further, this alert focuses on RIAs and broker-dealers. For information about other types of Covered Institutions, please contact a member of the CFDB team.
Recommendations for Covered Institutions
Action Item 1: Develop, Implement, and Maintain an Incident Response Program
To help protect the privacy of customers’ financial data, the Amendments require a Covered Institution to develop an Incident Response Program. Any instance of unauthorized access to or use of customer information will trigger the incident response plan.
The program must include policies and procedures to:
- Assess the nature and scope of any incident involving unauthorized access to or use of customer information, and identify the customer information systems and types of customer information subject to the incident
- Take appropriate steps to contain and control such incidents to prevent further unauthorized access to or use of customer information
- Notify each affected individual whose sensitive customer information* was, or is reasonably likely to have been, accessed or used without authorization, within 30 days of the actual or potential data breach. The notification must include (1) details of the incident, including the actual or estimated date(s) of the incident, (2) the type of data breached, (3) the Covered Institution’s contact information so that affected individuals can inquire about the incident, and (4) resources that affected individuals can use to protect themselves from further injury
- Require oversight, through due diligence and monitoring of “service providers,” who must notify a Covered Institution within 72 hours of becoming aware of a breach in its security resulting in unauthorized access to a customer information system maintained by the service provider.
*Sensitive customer information means any component of customer information alone, or in conjunction with any other information, the compromise of which could create a reasonably likely risk of substantial harm or inconvenience to an individual identified with the information.
Action Item 2: Create and Retain Written Records Documenting Compliance with Regulation S-P
A Covered Institution must maintain the following records in writing and make them available in an easily accessible place:
- Any detected unauthorized access to or use of customer information;
- Any response to and recovery from such unauthorized access to or use of customer information;
- Any investigation and determination made regarding whether notification is required, including the basis for any determination made and any written documentation from the U.S. Attorney General related to a delay in notice;
- A copy of any notice transmitted following such determination; and
- All other written policies and procedures previously required under Regulation S-P.
RIAs and broker-dealers must maintain the above records pursuant to the record retention schedule below.
Covered Institution | Rule | Retention Period |
Registered Investment Advisers | 17 CFR 275.204-2(a) | All records for five years. A copy of the policies and procedures in effect must be maintained in an easily accessible place. |
Broker-Dealers | 17 CFR 240.17a-4(e) | All records for three years, maintained in an easily accessible place. |
Action Item 3: Ensure Compliance with the Broader Scope of Customer Information
The Amendments expanded the scope of “customer” to include both individuals with whom a Covered Institution has a customer relationship (defined in 17 C.F.R. § 248.3(k)(1)) and the customers of other financial institutions whose information has been provided to the Covered Institution. Thus, a Covered Institution must determine whether any indirect customer information it retains and maintains is now considered customer information under the Amendments.
Conclusion
The Amendments dramatically affect Covered Institutions that have natural persons as investors or clients. However, RIAs, for example, with exclusively institutional clients, may be only minimally affected. All investment advisers, fund sponsors, and broker-dealers should carefully consider the degree to which the specific provisions of the Amendments affect them.
Investment advisers that are not registered with the SEC, such as state-registered investment advisers and exempt reporting investment advisers, and private funds which rely on Section 3(c)(1) and 3(c)(7) of the Investment Company Act, are not subject to Regulation S-P. However, certain investment advisers not registered with the SEC may be subject to the FTC Safeguards Rule. Finally, certain states have very stringent privacy statutes and regulations which may be applicable.
Please contact a member of the CFDB team for any inquiries relating to this matter.
David Skelding
Partner
dskelding@crokefairchild.com
708.275.9339
Rachel Eun
Summer Associate
reun@crokefairchild.com
[1] https://www.federalregister.gov/documents/2024/06/03/2024-11116/regulation-s-p-privacy-of-consumer-financial-information-and-safeguarding-customer-information
[2] Designation of Larger Entities
Entity | Qualification to be Considered a Larger Entity |
Registered Investment Advisers | $1.5 billion or more in assets under management |
Broker-dealers | All broker-dealers that are not small entities under the Securities Exchange Act for purposes of the Regulatory Flexibility Act |
[3] Small Entities under the Securities Exchange Act for Purposes of the Regulatory Flexibility Act
Entity | Qualifications |
Broker or dealer | (1) Had total capital of less than $500,000 on the date in its prior fiscal year as of which its audited financial statements were prepared or, if not required to file audited financial statements, on the last business day of its prior fiscal year; and (2) Is not affiliated with any person that is not a small entity |