USA: SEC adopts new rule amendments to protect customer information

On May 16, 2024, the Securities and Exchange Commission (SEC) announced the adoption of new rule amendments on the protection of customer information by financial institutions. Specifically, the amendments require covered institutions to adopt comprehensive written policies and procedures for incident response programs to detect, respond to, and recover from unauthorized access to or use of customer information.

Notification requirements

The amendments require covered institutions to notify individuals affected by security incidents involving sensitive customer information. Notification must be provided as soon as practicable, but no later than 30 days after the institution becomes aware of the unauthorized access or use. According to the amendments, notifications must detail the incident, the nature of the breached data, and guidance on how affected individuals can protect themselves. However, the amendments clarify that if it is determined that the compromised information is unlikely to be used in a way that causes substantial harm or inconvenience, the institution may forgo notification.

Expanded safeguards and disposal rules

The amendments also extend the application of existing safeguards and disposal rules to cover both nonpublic personal information collected by the institution and information received from other financial institutions. Covered institutions, with the exception of funding portals, must also document their compliance with these rules.

The amendments will take effect on August 2, 2024. However, larger entities will have 18 months from the date of publication in the Federal Register to comply with the amendments, while smaller entities will have 24 months from the date of publication to comply.

You can read the press release here and the amendments here.