[Federal Register Volume 89, Number 107 (Monday, June 3, 2024)]
[Rules and Regulations]
[Pages 47688-47789]
From the Federal Register Online via the Government Publishing Office [www.gpo.gov]
[FR Doc No: 2024-11116]



[[Page 47687]]

Vol. 89

Monday,

No. 107

June 3, 2024

Part II





Securities and Exchange Commission





-----------------------------------------------------------------------





17 CFR Parts 240, 248, 270, et al.





 Regulation S-P: Privacy of Consumer Financial Information and 
Safeguarding Customer Information; Final Rule

  Federal Register / Vol. 89, No. 107 / Monday, June 3, 2024 / Rules 
and Regulations  

[[Page 47688]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Parts 240, 248, 270, and 275

[Release Nos. 34-100155; IA-6604; IC-35193; File No. S7-05-23]
RIN 3235-AN26


Regulation S-P: Privacy of Consumer Financial Information and 
Safeguarding Customer Information

AGENCY: Securities and Exchange Commission.

ACTION: Final rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'' or 
``SEC'') is adopting rule amendments that will require brokers and 
dealers (or ``broker-dealers''), investment companies, investment 
advisers registered with the Commission (``registered investment 
advisers''), funding portals, and transfer agents registered with the 
Commission or another appropriate regulatory agency (``ARA'') as 
defined in the Securities Exchange Act of 1934 (``transfer agents'') to 
adopt written policies and procedures for incident response programs to 
address unauthorized access to or use of customer information, 
including procedures for providing timely notification to individuals 
affected by an incident involving sensitive customer information with 
details about the incident and information designed to help affected 
individuals respond appropriately. In addition, the amendments extend 
the application of requirements to safeguard customer records and 
information to transfer agents; broaden the scope of information 
covered by the requirements for safeguarding customer records and 
information and for properly disposing of consumer report information; 
impose requirements to maintain written records documenting compliance 
with the amended rules; and conform annual privacy notice delivery 
provisions to the terms of an exception provided by a statutory 
amendment to the Gramm-Leach-Bliley Act (``GLBA'').

DATES: 
    Effective date: This rule is effective August 2, 2024.
    Compliance date: The applicable compliance dates are discussed in 
section II.F of this rule.

FOR FURTHER INFORMATION CONTACT: Emily Hellman, James Wintering, 
Special Counsels; Edward Schellhorn, Branch Chief; Devin Ryan, 
Assistant Director; John Fahey, Deputy Chief Counsel; Emily Westerberg 
Russell, Chief Counsel; Office of Chief Counsel, Division of Trading 
and Markets, (202) 551-5550; Kevin Schopp, Senior Special Counsel; 
Moshe Rothman, Assistant Director; Office of Clearance and Settlement, 
Division of Trading and Markets, (202) 551-5550, Susan Ali and Andrew 
Deglin, Counsels; Michael Khalil and Y. Rachel Kuo, Senior Counsels; 
Blair Burnett and Bradley Gude, Branch Chiefs; or Brian McLaughlin 
Johnson, Assistant Director, Investment Company Regulation Office, 
Division of Investment Management, (202) 551-6792, Securities and 
Exchange Commission, 100 F Street NE, Washington, DC 20549.

SUPPLEMENTARY INFORMATION: The Commission is adopting amendments to 17 
CFR 248.1 through 248.100 (``Regulation S-P'') under Title V of the 
GLBA [15 U.S.C. 6801 through 6827], the Fair Credit Reporting Act 
(``FCRA'') [15 U.S.C. 1681 through 1681x], the Securities Exchange Act 
of 1934 (``Exchange Act'') [15 U.S.C. 78a et seq.], the Investment 
Company Act of 1940 (``Investment Company Act'') [15 U.S.C. 80a-1 et 
seq.], and the Investment Advisers Act of 1940 (``Investment Advisers 
Act'') [15 U.S.C. 80b-1 et seq.].

Table of Contents

I. Introduction and Background
II. Discussion
    A. Incident Response Program Including Customer Notification
    1. Assessment
    2. Containment and Control
    3. Notice to Affected Individuals
    4. Service Providers
    B. Scope of Safeguards Rule and Disposal Rule
    1. Scope of Information Protected
    2. Extending the Scope of the Safeguards Rule and the Disposal 
Rule To Cover All Transfer Agents
    3. Maintaining the Current Regulatory Framework for Notice-
Registered Broker-Dealers
    C. Recordkeeping
    D. Exception From Requirement To Deliver Annual Privacy Notice
    E. Existing Staff No-Action Letters and Other Staff Statements
    F. Compliance Period
III. Other Matters
IV. Economic Analysis
    A. Introduction
    B. Broad Economic Considerations
    C. Baseline
    1. Safeguarding Customer Information: Risks and Practices
    2. Regulations and Guidelines
    3. Market Structure
    D. Benefits and Costs of the Final Rule Amendments
    1. Written Policies and Procedures
    2. Extending the Scope of the Safeguards Rule and the Disposal 
Rule
    3. Recordkeeping
    4. Exception From Annual Notice Delivery Requirement
    E. Effects on Efficiency, Competition, and Capital Formation
    F. Reasonable Alternatives Considered
    1. Reasonable Assurances From Service Providers
    2. Lower Threshold for Customer Notice
    3. Encryption Safe Harbor
    4. Longer Customer Notification Deadlines
    5. Broader National Security and Public Safety Delay in Customer 
Notification
V. Paperwork Reduction Act
    A. Introduction
    B. Amendments to the Safeguards Rule and Disposal Rule
VI. Final Regulatory Flexibility Act Analysis
    A. Need for, and Objectives of, the Final Amendments
    B. Significant Issues Raised by Public Comments
    C. Small Entities Subject to Final Amendments
    D. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements
    E. Agency Action To Minimize Effect on Small Entities
Statutory Authority

I. Introduction and Background

    Regulation S-P is a set of privacy rules adopted pursuant to the 
GLBA and the Fair and Accurate Credit Transactions Act of 2003 (``FACT 
Act'') that govern the treatment of nonpublic personal information 
about consumers by certain financial institutions.\1\ The Commission is 
adopting rule amendments that are designed to modernize and enhance the 
protections that Regulation S-P provides by addressing the expanded use 
of technology and corresponding risks that have emerged since the 
Commission originally adopted Regulation S-P in 2000. The amendments in 
particular update the requirements of the ``safeguards'' and 
``disposal'' rules. The safeguards rule requires brokers, dealers, 
investment companies,\2\ and registered investment advisers to adopt 
written policies and procedures that address administrative, technical, 
and physical safeguards to protect customer records and information.\3\ 
The disposal rule, which applies to transfer agents

[[Page 47689]]

registered with the Commission in addition to the institutions covered 
by the safeguards rule, requires proper disposal of consumer report 
information.\4\ In addition, under Regulation Crowdfunding, funding 
portals must comply with the requirements of Regulation S-P as they 
apply to brokers.\5\ Thus, funding portals will also be required to 
comply with the applicable amendments to Regulation S-P adopted in this 
release.
---------------------------------------------------------------------------

    \1\ See 17 CFR 248.1.
    \2\ Regulation S-P applies to investment companies as the term 
is defined in section 3 of the Investment Company Act (15 U.S.C. 
80a-3), whether or not the investment company is registered with the 
Commission. See 17 CFR 248.3(r). Thus, a business development 
company, which is an investment company but is not required to 
register as such with the Commission, is subject to Regulation S-P. 
Similarly, employees' securities companies--including those that are 
not required to register under the Investment Company Act--are 
investment companies and are, therefore, subject to Regulation S-P. 
By contrast, issuers that are excluded from the definition of 
investment company--such as private funds that are able to rely on 
section 3(c)(1) or 3(c)(7) of the Investment Company Act--are not 
subject to Regulation S-P.
    \3\ 17 CFR 248.30(a). References in this release to ``rule 
248.30'' are to 17 CFR 248.30.
    \4\ Rule 248.30(b).
    \5\ See 17 CFR 227.403(b). Accordingly, unless otherwise stated 
(for example, see infra sections IV and V), references in this 
release to ``brokers'' or ``broker-dealers'' include funding 
portals.
---------------------------------------------------------------------------

    The final Regulation S-P amendments are needed to provide enhanced 
protection of customer or consumer information and help ensure that 
customers of covered institutions receive timely and consistent 
notifications in the event of unauthorized access to or use of their 
information.\6\ In evaluating amendments to Regulation S-P, we have 
considered developments in how firms obtain, share, and maintain 
individuals' personal information since the Commission originally 
adopted Regulation S-P, which correspond with an increasing risk of 
harm to individuals.\7\ This environment of expanded risks and the 
importance of reducing or mitigating the potential for harm also 
supports our amendments to Regulation S-P.
---------------------------------------------------------------------------

    \6\ See Proposing Release at section II.A.4.
    \7\ See, e.g., Federal Bureau of Investigation, 2022 internet 
Crime Report (Mar. 27, 2023), at 7-8, available at: https://www.ic3.gov/Media/PDF/AnnualReport/2022_IC3Report.pdf (stating that 
the FBI's internet Crime Complaint Center received 800,944 
complaints in 2022 (an increase from 351,937 complaints in 2018). 
The complaints included 58,859 related to personal data breaches (an 
increase from 50,642 breaches in 2018)); the Financial Industry 
Regulatory Authority (``FINRA''), 2022 Report on FINRA's Examination 
and Risk Monitoring Program: Cybersecurity and Technology Governance 
(Feb. 2022), available at: https://www.finra.org/rules-guidance/guidance/reports/2022-finras-examination-and-risk-monitoring-program 
(noting increased number and sophistication of cybersecurity attacks 
and reminding firms of their obligations to oversee, monitor, and 
supervise cybersecurity programs and controls of third-party 
vendors); Office of Compliance Inspections and Examinations (now the 
Division of Examinations) (``EXAMS''), Risk Alert, Cybersecurity: 
Safeguarding Client Accounts against Credential Compromise (Sept. 
15, 2020), available at https://www.sec.gov/files/Risk%20Alert%20-%20Credential%20Compromise.pdf (describing increasingly 
sophisticated methods used by attackers to gain access to customer 
accounts and firm systems). This Risk Alert, and any other 
Commission staff statements represent the views of the staff. They 
are not a rule, regulation, or statement of the Commission. 
Furthermore, the Commission has neither approved nor disapproved 
their content. These staff statements, like all staff statements, 
have no legal force or effect. They do not alter or amend applicable 
law; and they create no new or additional obligations for any 
person.
---------------------------------------------------------------------------

    In March 2023, the Commission proposed amendments to Regulation S-
P.\8\ In particular, the proposed amendments would amend the safeguards 
rule to require any broker or dealer, investment company, registered 
investment adviser, or transfer agent (collectively, ``covered 
institutions'') to develop, implement, and maintain written policies 
and procedures for an incident response program reasonably designed to 
detect, respond to, and recover from unauthorized access to or use of 
customer information. The proposal included a further requirement that, 
as part of this incident response program, covered institutions would 
provide notices to individuals whose sensitive customer information 
was, or is reasonably likely to have been, accessed or used without 
authorization as soon as practicable, but not later than 30 days, after 
becoming aware that the incident occurred or is reasonably likely to 
have occurred. The proposed notice requirement included provisions that 
addressed the use of service providers by covered institutions and 
included a provision that would permit covered institutions to delay 
providing notice after receiving a written request from the United 
States Attorney General (``Attorney General'') that this notice poses a 
substantial risk to national security.
---------------------------------------------------------------------------

    \8\ See Regulation S-P: Privacy of Consumer Financial 
Information and Safeguarding Customer Information, Securities 
Exchange Act Release No. 97141 (Mar. 15, 2023) [88 FR 20616 (Apr. 6, 
2023)] (``Proposing Release'' or ``proposal''). The Commission voted 
to issue the Proposing Release on Mar. 15, 2023. The release was 
posted on the Commission website that day, and comment letters were 
received beginning the same day. The comment period closed on June 
5, 2023. We have considered all comments received since Mar. 15, 
2023.
---------------------------------------------------------------------------

    The Commission also proposed other amendments to Regulation S-P to 
enhance the protection of customers' nonpublic personal information. 
The proposed amendments included provisions to expand the scope of the 
protections of the safeguards and disposal rules, including extending 
the safeguards rule to transfer agents. The proposed amendments also 
included requirements for covered institutions to maintain written 
records documenting compliance with the proposed amended rules. 
Finally, the Commission proposed amendments to conform annual privacy 
notice delivery provisions to the terms of an exception provided by a 
statutory amendment to the GLBA.
    The Commission received comment letters on the proposal from a 
variety of commenters, including financial services firms and their 
service providers, law firms, investor advocacy groups, professional 
and trade associations, public policy research institutes, academics, 
and interested individuals.\9\ Most individual and public interest 
group commenters and some industry groups generally supported the 
proposed amendments.\10\ A few commenters urged the Commission to 
consider taking additional steps to strengthen the proposed 
requirements, for example, by shortening the period for customer 
notification.\11\ Many industry commenters expressed concern with 
specific elements of the proposed amendments, however, suggesting that 
these amendments would pose operational difficulties.\12\
---------------------------------------------------------------------------

    \9\ The comment letters on the proposal are available at https://www.sec.gov/comments/s7-05-23/s70523.htm.
    \10\ See, e.g., Comment Letter of the Investment Adviser 
Association (June 5, 2023) (``IAA Comment Letter 1''); Comment 
Letter of the Investment Company Institute (May 23, 2023) (``ICI 
Comment Letter 1''); Comment Letter of Better Markets (June 5, 2023) 
(``Better Markets Comment Letter''); Comment Letter of North 
American Securities Administrators Association (May 22, 2023) 
(``NASAA Comment Letter''). Some commenters suggested more tailored 
requirements for smaller covered institutions. See, e.g., IAA 
Comment Letter 1; Comment Letter of the Securities Transfer 
Association (June 2, 2023) (``STA Comment Letter 2''); Comment 
Letter of the Committee of Annuity Insurers (June 5, 2023) (``CAI 
Comment Letter''). As discussed in more detail below, the final 
amendments apply to all covered institutions because entities of all 
sizes are vulnerable to the types of data security breach incidents 
we are trying to address. See infra section VI.
    \11\ See, e.g., Better Markets Comment Letter.
    \12\ See, e.g., Comment Letter of the Securities Industry and 
Financial Markets Association, et al. (June 5, 2023) (``SIFMA 
Comment Letter 2''); Comment Letter of the Financial Services 
Institute (May 22, 2023) (``FSI Comment Letter''); Comment Letter of 
Federated Hermes, Inc. (June 6, 2023) (``Federated Comment 
Letter'').
---------------------------------------------------------------------------

    Comments on specific aspects of the proposed amendments focused on 
a few key themes. First, commenters urged the Commission to take a more 
holistic regulatory approach to harmonize the proposed amendments with 
other Commission rules and proposals to avoid creating redundant, 
overlapping, or conflicting obligations for covered institutions.\13\ 
We have modified the

[[Page 47690]]

rule from the proposal to address comments.\14\
---------------------------------------------------------------------------

    \13\ See, e.g., IAA Comment Letter 1; ICI Comment Letter 1; 
Comment Letter of Nasdaq Stock Market LLC (June 2, 2023) (``Nasdaq 
Comment Letter''). Commenters also raised these concerns about other 
proposed rulemakings that the Commission has not adopted. See, e.g., 
Comment Letter of the Investment Adviser Association (June 17, 2023) 
(``IAA Comment Letter 2''); ICI Comment Letter 1. Other commenters 
requested more specific guidance regarding how the various policies 
and procedure requirements in other Commission proposals would 
interact with each other. See, e.g., CAI Comment Letter; SIFMA 
Comment Letter 2; IAA Comment Letter 2. To the extent that those 
proposals are adopted, the baseline in those subsequent rulemakings 
will reflect the existing regulatory requirements at that time.
    \14\ Since the publication of the proposing release, the 
Commission adopted new rules to enhance and standardize disclosures 
regarding cybersecurity risk management, strategy, governance, and 
incidents by public companies that are subject to the reporting 
requirements of the Securities Exchange Act of 1934 (``Public 
Company Cybersecurity Rules''). See Cybersecurity Risk Management, 
Strategy, Governance, and Incident Disclosure, Securities Act 
Release No. 11216 (July 26, 2023) [88 FR 51896 (Aug. 4, 2023)].
---------------------------------------------------------------------------

    For example, covered institutions may be required to adopt written 
policies and procedures on similar issues under other provisions of the 
Federal securities laws.\15\ A covered institution can, however, adopt 
a single set of policies and procedures covering Regulation S-P and 
other rules, provided that the policies and procedures meet the 
requirements of each rule.\16\ Additionally, we have changed the 
proposed requirement to delay providing customer notices when that 
notice poses a substantial risk to national security or public safety 
in order to align with a similar provision contained in the Public 
Company Cybersecurity Rules.\17\
---------------------------------------------------------------------------

    \15\ See, e.g., 15 U.S.C. 80b-4a (requiring each adviser 
registered with the Commission to have written policies and 
procedures reasonably designed to prevent misuse of material non-
public information by the adviser or persons associated with the 
adviser); 17 CFR 270.38a-1(a)(1) (requiring investment companies to 
adopt compliance policies and procedures); 275.206(4)-7(a) 
(requiring investment advisers to adopt compliance policies and 
procedures); and Regulation S-ID, 17 CFR part 248, subpart C 
(requiring financial institutions subject to the Commission's 
jurisdiction with covered accounts to develop and implement a 
written identity theft prevention program that is designed to 
detect, prevent, and mitigate identity theft in connection with 
covered accounts, which must include, among other things, policies 
and procedures to respond appropriately to any red flags that are 
detected pursuant to the program).
    \16\ Two commenters addressed the proposal's application to 
dually-registered investment advisers and broker-dealers or firms 
operating both business models (collectively, ``dual registrants''). 
One of these commenters stated that the proposed amendments to 
Regulation S-P allow for streamlining of process because they would 
apply uniformly to broker-dealers and investment advisers. FSI 
Comment Letter. The other commenter addressed collectively other 
Commission cyber proposals and the proposed amendments to Regulation 
S-P. The commenter stated that these proposals collectively would 
involve significant burden for a dual registrant to bring both 
broker-dealer and investment adviser entities into compliance, 
urging the Commission to provide an extended compliance period for 
all of the proposed rules to provide time for dual registrants to 
come into compliance and ``identify some synergies that might make 
compliance more effective and economical.'' Cambridge Comment 
Letter. As one of these commenters stated, Regulation S-P's 
requirements apply uniformly to broker-dealers and advisers, 
although each covered institution--including a dual registrant--will 
have to tailor its policies and procedures to its business.
    \17\ See infra section II.A.3.d(2).
---------------------------------------------------------------------------

    Commenters also questioned the need for the proposed amendments in 
light of existing State laws that also address data breaches and raised 
concerns about differences between the proposed amendments and State 
regulatory requirements. One commenter stated that the proposed 
amendments were not needed because existing State laws already require 
firms to provide notice to individuals in the event of a data 
breach.\18\ Some commenters stated that parts of the proposed 
amendments would conflict with certain provisions of State laws,\19\ 
while other commenters stated that parts of the proposed amendments 
would duplicate existing State laws.\20\
---------------------------------------------------------------------------

    \18\ See CAI Comment Letter.
    \19\ See, e.g., IAA Comment Letter 1; Letter from Computershare 
(June 5, 2023) (``Computershare Comment Letter''); SIFMA Comment 
Letter 2.
    \20\ See, e.g., CAI Comment Letter.
---------------------------------------------------------------------------

    As discussed more fully later in this section, while we recognize 
that existing State laws require covered institutions to notify State 
residents of data breaches in some cases, State laws are not consistent 
on this point and exclude some entities from certain requirements.\21\ 
The final amendments will require notification to all customers of a 
covered institution affected by a data breach (regardless of State 
residency), in order to provide timely and consistent disclosure of 
important information to help affected customers respond to a data 
breach.\22\ To that end, the final amendments will enhance investor 
protection in a number of ways, including by covering a broader scope 
of customer information than many States; \23\ providing for a 30-day 
notification deadline that is shorter than the timing currently 
mandated by many States (including States that have no deadline or 
those allowing for various notification delays); \24\ and providing for 
a more robust notification trigger than in many States.\25\
---------------------------------------------------------------------------

    \21\ See infra section IV.C.2.
    \22\ With respect to the interaction of the final rule with 
State law, Section 15(i)(1) of the Exchange Act (15 U.S.C. 
78o(i)(1)) provides that no law, rule, regulation, or order, or 
other administrative action of any State or political subdivision 
thereof shall establish capital, custody, margin, financial 
responsibility, making and keeping records, bonding, or financial or 
operational reporting requirements for brokers, dealers, municipal 
securities dealers, government securities brokers, or government 
securities dealers that differ from, or are in addition to, the 
requirements in those areas established under the Exchange Act.
    \23\ See infra section IV.D.1.b(3).
    \24\ See infra section IV.D.1.b(2).
    \25\ See infra section IV.D.1.b(4).
---------------------------------------------------------------------------

    Commenters also raised concerns with differences between the 
proposed amendments and other Federal regulators' safeguarding 
standards that also include a requirement for a data breach response 
plan or program.\26\ The GLBA and FACT Act oblige us to adopt 
regulations, to the extent possible, that are consistent and comparable 
with those adopted by the Banking Agencies, the Consumer Financial 
Protection Bureau (``CFPB''), and the FTC.\27\ Accordingly, the 
Commission has also been mindful of the need to set standards for 
safeguarding customer records and information that are consistent and 
comparable with the corresponding standards set by these agencies in 
developing the amendments.\28\ To this end, we have modified the final 
amendments from the proposal to promote greater consistency with other 
applicable Federal safeguard standards to the extent they do not affect 
the investor protection purposes of this rulemaking, as discussed in 
more detail below. For example, the final amendments require covered 
institutions to ensure that their service providers provide 
notification as soon

[[Page 47691]]

as possible, but no later than 72 hours after becoming aware that an 
applicable breach has occurred, which is informed by the 72-hour 
deadline that is required under the Cyber Incident Reporting for 
Critical Infrastructure Act of 2022 (``CIRCIA'').\29\
---------------------------------------------------------------------------

    \26\ The Federal Trade Commission (``FTC'') in 2021 amended its 
Safeguards Rule (16 CFR part 314 (``FTC Safeguards Rule'')) by, 
among other things, adding a requirement for financial institutions 
under the FTC's GLBA jurisdiction to establish a written incident 
response plan designed to respond to information security events. 
See FTC, Standards for Safeguarding Customer Information, 86 FR 
70272 (Dec. 9, 2021). As amended, the FTC's rule requires that a 
response plan address security events materially affecting the 
confidentiality, integrity, or availability of customer information 
in the financial institution's control, and that the plan include 
specified elements that would include procedures for satisfying an 
institution's independent obligation to perform notification as 
required by State law. See id. at n.295. The ``Banking Agencies'' 
include the Office of the Comptroller of the Currency (``OCC''), the 
Board of Governors of the Federal Reserve System (``FRB''), the 
Federal Deposit Insurance Corporation (``FDIC''), and the former 
Office of Thrift Supervision. In 2005, the Banking Agencies and the 
National Credit Union Administration (``NCUA'') jointly issued 
guidance on responding to incidents of unauthorized access to or use 
of customer information. See Interagency Guidance on Response 
Programs for Unauthorized Access to Customer Information and 
Customer Notice, 70 FR 15736 (Mar. 29, 2005) (``Banking Agencies' 
Incident Response Guidance''). The Banking Agencies' Incident 
Response Guidance provides, among other things, that when an 
institution becomes aware of an incident of unauthorized access to 
sensitive customer information, the institution should conduct a 
reasonable investigation to determine promptly the likelihood that 
the information has been or will be misused. If the institution 
determines that misuse of the information has occurred or is 
reasonably possible, it should notify affected customers as soon as 
possible.
    \27\ See generally 15 U.S.C. 6804(a) (directing the agencies 
authorized to prescribe regulations under title V of the GLBA to 
assure to the extent possible that their regulations are consistent 
and comparable); 15 U.S.C. 1681w(a)(2)(A) (directing the agencies 
with enforcement authority set forth in 15 U.S.C. 1681s to consult 
and coordinate so that, to the extent possible, their regulations 
are consistent and comparable).
    \28\ See Proposing Release at the text following n.37.
    \29\ See final rule 248.30(a)(5)(i); see also infra footnote 245 
and accompanying text (discussing how a 72-hour reporting deadline 
would align with other regulatory standards). Under CIRCIA, the 72-
hour reporting deadline is for entities to report cyber incidents to 
the Cybersecurity and Infrastructure Security Agency (``CISA'').
---------------------------------------------------------------------------

    We recognize, however, that there are some areas of divergence 
between the final amendments and other Federal regulators' GLBA 
safeguarding standards, and we discuss the basis for each provision of 
the final rules below, including cases where the amendments differ from 
analogous requirements under State law or other Federal 
regulations.\30\
---------------------------------------------------------------------------

    \30\ Among the changes being adopted, we are revising as 
proposed the requirements of 17 CFR 248.17 (``rule 248.17'') to 
refer to determinations made by the CFPB rather than the FTC, 
consistent with changes made to section 507 of the GLBA by the Dodd-
Frank Wall Street Reform and Consumer Protection Act. See Public Law 
111-203, sec. 1041, 124 Stat. 1376 (2010). Upon its adoption, rule 
248.17 essentially restated the then-current text of section 507 of 
the GLBA, and as such, referenced determinations made by the FTC. 
See Privacy of Consumer Financial Information (Regulation S-P), 
Exchange Act Release No. 42974 (June 22, 2000) [65 FR 40334 (June 
29, 2000)].
---------------------------------------------------------------------------

    Many commenters also urged the Commission to coordinate with other 
Federal agencies, particularly on reporting deadlines.\31\ For example, 
a number of commenters suggested that the Commission coordinate with 
CISA as it develops regulations pursuant to CIRCIA.\32\ We have 
consulted and coordinated with CISA and, consistent with the 
requirements of the GLBA and other statutory requirements,\33\ other 
relevant agencies and their representatives for the purpose of 
ensuring, to the extent possible, that the amendments are consistent 
and comparable with the regulations prescribed by other relevant 
agencies.\34\
---------------------------------------------------------------------------

    \31\ See, e.g., Comment Letter of Amazon Web Services (June 5, 
2023) (``AWS Comment Letter''); Comment Letter of Google Cloud (June 
5, 2023) (``Google Comment Letter''); and Nasdaq Comment Letter.
    \32\ See, e.g., SIFMA Comment Letter 2; Cambridge Comment 
Letter; Google Comment Letter. CISA has provided a notice of 
proposed rulemaking that would implement the CIRCIA requirements but 
they have not yet been adopted. See also Cyber Incident Reporting 
for Critical Infrastructure Act (CIRCIA) Reporting Requirements, 89 
FR 23644 (Apr. 4, 2024).
    \33\ See Exchange Act Section 17A(d)(3)(A), 15 U.S.C. 78q-
1(d)(3)(A) (providing that ``[w]ith respect to any clearing agency 
or transfer agent for which the Commission is not the appropriate 
regulatory agency, the Commission and the appropriate regulatory 
agency for such clearing agency or transfer agent shall consult and 
cooperate with each other . . .'').
    \34\ See 15 U.S.C. 6804(a)(2). The relevant agencies include the 
OCC, FRB, FDIC, CFPB, FTC, CISA, Commodity Futures Trading 
Commission (``CFTC''), Department of Justice (``DOJ''), and the 
National Association of Insurance Commissioners.
---------------------------------------------------------------------------

    We are adopting amendments to Regulation S-P substantially as 
proposed, with some changes in response to comments. The principal 
elements of the final amendments, as discussed in more detail below, 
are as follows:
     Incident Response Program. The final safeguards rule 
requires covered institutions to develop, implement, and maintain 
written policies and procedures for an incident response program that 
is reasonably designed to detect, respond to, and recover from 
unauthorized access to or use of customer information. The final 
amendments will require that a response program include procedures to 
assess the nature and scope of any incident and to take appropriate 
steps to contain and control the incident to prevent further 
unauthorized access or use.
     Notification Requirement. The response program procedures 
in the final amendments also includes a requirement that covered 
institutions provide a notification to individuals whose sensitive 
customer information was, or is reasonably likely to have been, 
accessed or used without authorization. Notice will not be required if 
a covered institution determines, after a reasonable investigation of 
the facts and circumstances of the incident of unauthorized access to 
or use of sensitive customer information, that the sensitive customer 
information has not been, and is not reasonably likely to be, used in a 
manner that would result in substantial harm or inconvenience. Under 
the final amendments, a customer notice must be clear and conspicuous 
and provided by a means designed to ensure that each affected 
individual can reasonably be expected to receive it. This notice must 
be provided as soon as reasonably practicable, but not later than 30 
days, after the covered institution becomes aware that unauthorized 
access to or use of customer information has, or is reasonably likely 
to have, occurred. As discussed in more detail below, the final 
amendments will permit covered institutions to delay providing notice 
after the Commission receives a written request from the Attorney 
General that this notice poses a substantial risk to national security 
or public safety.\35\
---------------------------------------------------------------------------

    \35\ See infra section II.A.3.d(2).
---------------------------------------------------------------------------

     Service Providers. The final amendments to the safeguards 
rule include new provisions that address the use of service providers 
by covered institutions. Under these provisions, covered institutions 
will be required to establish, maintain, and enforce written policies 
and procedures reasonably designed to require oversight, including 
through due diligence and monitoring of service providers, including to 
ensure that affected individuals receive any required notices. The 
final amendments make clear that while covered institutions may use 
service providers to provide any required notice, covered institutions 
will retain the obligation to ensure that affected individuals are 
notified in accordance with the notice requirements.
     Scope. The final amendments will more closely align the 
information protected under the safeguards rule and the disposal rule 
by applying the protections of both rules to ``customer information,'' 
a newly defined term. The final amendments will also broaden the group 
of customers whose information is protected under both rules. Also, 
transfer agents will be required to comply with the safeguards rule.
     Recordkeeping and Annual Notice Amendments. The final 
amendments will add requirements for covered institutions, other than 
funding portals,\36\ to make and maintain written records documenting 
compliance with the requirements of the safeguards rule and the 
disposal rule. Further, the final amendments amend the existing 
requirement to provide annual privacy notices to codify a statutory 
exception.
---------------------------------------------------------------------------

    \36\ As discussed below, funding portals are already subject to 
recordkeeping requirements with regard to documenting their 
compliance with Regulation S-P, which are not being amended by these 
final amendments. See infra footnote 385 and accompanying 
discussion.
---------------------------------------------------------------------------

II. Discussion

    Since Regulation S-P was first adopted in 2000, evolving digital 
communications and information storage tools and other technologies 
have made it easier for firms to obtain, share, and maintain 
individuals' personal information. This increases the risk of 
customers' information being accessed or used without authorization, 
for example in a cyberattack or if customer information is improperly 
disposed of or stolen. In particular, as a frequently-targeted 
industry, the financial sector has observed increased exposure to 
cyberattacks that threaten not only the financial firms themselves, but 
also their customers, especially considering that customer records and 
other information that covered

[[Page 47692]]

institutions possess can be particularly sensitive.\37\ The final 
amendments will modernize and enhance the protections that Regulation 
S-P already provides to address this changed landscape.
---------------------------------------------------------------------------

    \37\ See infra section IV.C.1.
---------------------------------------------------------------------------

A. Incident Response Program Including Customer Notification

    As set forth in the proposal, security incidents may result in, 
among other things, misuse, exposure or theft of a customer's nonpublic 
personal information, and potentially leave affected individuals 
vulnerable to having their information further compromised. Threat 
actors can use customer information to cause harm in a number of ways, 
such as by stealing customer identities to sell to other threat actors 
on the dark web, publishing customer information on the dark web, using 
customer identities to carry out fraud themselves, or taking over a 
customer's account for malevolent purposes.
    To help protect against harms that may result from a security 
incident involving customer information, the Commission proposed and is 
adopting amendments to the safeguards rule largely as proposed, with 
certain modifications to the notification requirement as discussed 
further below.\38\ The amendments will require that covered 
institutions' safeguards policies and procedures include an incident 
response program for unauthorized access to or use of customer 
information, including customer notification procedures.\39\ The 
amendments will require the incident response program to be reasonably 
designed to detect, respond to, and recover from both unauthorized 
access to and unauthorized use of customer information (for the 
purposes of this release, an ``incident'').\40\ Any instance of 
unauthorized access to or use of customer information will trigger a 
covered institution's incident response program. The amendments will 
also require that the response program include procedures for notifying 
affected individuals whose sensitive customer information was, or is 
reasonably likely to have been, accessed or used without 
authorization.\41\
---------------------------------------------------------------------------

    \38\ See infra section II.A.3.
    \39\ See final rule 248.30(a)(3). For clarity, when the 
amendments to the safeguards rule refer to ``unauthorized access to 
or use'', the word ``unauthorized'' modifies both ``access'' and 
``use.''
    \40\ See final rule 248.30(a)(3). See also infra section II.B.1 
for a discussion of ``customer information.''
    \41\ See final rule 248.30(d)(9) for the definition of 
``sensitive customer information.'' See also infra section II.A.3.b, 
which includes a discussion of ``sensitive customer information.'' 
Notice must be provided unless a covered institution determines, 
after a reasonable investigation of the facts and circumstances of 
the incident of unauthorized access to or use of sensitive customer 
information that occurred at the covered institution or one of its 
service providers that is not itself a covered institution, that 
sensitive customer information has not been, and is not reasonably 
likely to be, used in a manner that would result in substantial harm 
or inconvenience.
---------------------------------------------------------------------------

    In this regard, requiring covered institutions to have incident 
response programs will help mitigate the risk of harm to affected 
individuals stemming from incidents where a customer's information has 
been accessed or used without authorization. For example, incident 
response programs will help covered institutions to be better prepared 
to respond to such incidents, and providing notice to affected 
individuals will aid those individuals in taking protective measures 
that could mitigate harm that might otherwise result from unauthorized 
access to or use of their information. Further, a reasonably designed 
incident response program will help facilitate more consistent and 
systematic responses to customer information security incidents and 
help avoid inadequate responses based on a covered institution's 
initial impressions of the scope of the information involved in the 
compromise. Requiring the incident response program to address any 
incident involving customer information can help a covered institution 
better contain and control these incidents and facilitate a prompt 
recovery.
    As proposed, the amendments will require that a covered 
institution's incident response program include policies and procedures 
containing certain general elements but will not prescribe specific 
steps a covered institution must undertake when carrying out incident 
response activities, thereby enabling covered institutions to create 
policies and procedures best suited to their particular circumstances. 
Specifically, a covered institution's incident response program will be 
required to have written policies and procedures to:
    (i) Assess the nature and scope of any incident involving 
unauthorized access to or use of customer information and identify the 
customer information systems and types of customer information that may 
have been accessed or used without authorization; \42\
---------------------------------------------------------------------------

    \42\ See final rule 248.30(a)(3)(i). The term ``customer 
information systems'' would mean the information resources owned or 
used by a covered institution, including physical or virtual 
infrastructure controlled by such information resources, or 
components thereof, organized for the collection, processing, 
maintenance, use, sharing, dissemination, or disposition of customer 
information to maintain or support the covered institution's 
operations. See final rule 248.30(d)(6).
---------------------------------------------------------------------------

    (ii) Take appropriate steps to contain and control the incident to 
prevent further unauthorized access to or use of customer information; 
\43\ and
---------------------------------------------------------------------------

    \43\ See final rule 248.30(a)(3)(ii).
---------------------------------------------------------------------------

    (iii) Notify each affected individual whose sensitive customer 
information was, or is reasonably likely to have been, accessed or used 
without authorization in accordance with the notification obligations 
discussed below,\44\ unless the covered institution determines, after a 
reasonable investigation of the facts and circumstances of the incident 
of unauthorized access to or use of sensitive customer information, 
that the sensitive customer information has not been, and is not 
reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience.\45\
---------------------------------------------------------------------------

    \44\ See infra section II.A.3.
    \45\ See final rule 248.30(a)(3)(iii).
---------------------------------------------------------------------------

    The Commission received multiple comments regarding the proposed 
requirement for an incident response program generally.\46\ One 
commenter supported requiring the incident response program and 
appreciated its similarity to the Banking Agencies' Incident Response 
Guidance.\47\ Another commenter stated that there should not be a one-
size-fits-all approach to incident response programs, stating that an 
adviser should have discretion to determine how the incident response 
program should be implemented, and requested that any final rule make 
clear that specific steps for incident response are not required.\48\ 
Moreover, this commenter requested that the final rule expressly 
indicate that in developing their programs, advisers should employ a 
principles- and risk-based approach.\49\ This commenter also opposed 
the addition of any requirement in the policies and procedures for an 
adviser to designate an employee with specific qualifications and 
experience (or hire a similarly qualified third party) to coordinate 
its incident response program.\50\
---------------------------------------------------------------------------

    \46\ Comments for specific components of the incident response 
program are discussed in more depth separately. See infra sections 
II.A.1-4.
    \47\ See ICI Comment Letter 1; see also supra footnote 26 
(discussing the Banking Agencies' Incident Response Guidance).
    \48\ See IAA Comment Letter 1.
    \49\ See id.; see also CAI Comment Letter stating that policies 
and procedures should be based on the specific risks of the 
particular covered institution and commensurate with the size and 
complexity of the covered institution's activities.
    \50\ See id.
---------------------------------------------------------------------------

    Covered institutions need the flexibility to develop policies and 
procedures suited to their size and

[[Page 47693]]

complexity and the nature and scope of their activities. Therefore, we 
did not propose, and are not adopting, specific steps a covered 
institution must take when carrying out its incident response program, 
and we are not specifically designating who must undertake oversight 
responsibilities, thus providing covered institutions flexibility to 
determine whether and how to appropriately assign or divide such 
responsibilities. As proposed and adopted, the amendments will require 
that a covered institution's incident response program include policies 
and procedures containing certain general elements, so covered 
institutions may tailor their policies and procedures to their 
individual facts and circumstances. Additionally, advisers, like other 
covered institutions, can continue to use a risk-based approach to 
tailor their assessment and containment policies and procedures if they 
choose to do so, as long as the required elements of the incident 
response program are met.
    Two commenters opposed the scope of the proposed incident response 
program.\51\ Specifically, these commenters stated that, consistent 
with the notification requirements, the assessment and containment and 
control components of the incident response program should be limited 
to sensitive customer information (and not encompass all nonpublic 
customer information).\52\ According to one commenter, because 
sensitive customer information is the information likely to cause 
substantial harm or inconvenience to a customer and that requires 
notification to customers, it follows that incident response programs 
should be tailored to sensitive customer information.\53\ The other 
commenter stated that clients would view the protection of their 
sensitive customer information as a critically important aspect of 
their relationship with their adviser and that an adviser's efforts and 
resources should appropriately be focused on this information.\54\
---------------------------------------------------------------------------

    \51\ See Comment Letter of Schulte Roth & Zabel LLP (June 5, 
2023) (``Schulte Comment Letter'') and IAA Comment Letter 1.
    \52\ See Schulte Comment Letter; IAA Comment Letter 1.
    \53\ See Schulte Comment Letter.
    \54\ See IAA Comment Letter 1.
---------------------------------------------------------------------------

    We are adopting as proposed final rules which require the incident 
response program's assessment and containment and control components to 
cover a broader scope of information than the notification 
requirements. The scope of information covered by the assessment and 
containment and control requirements is designed to help ensure all 
information covered by the requirements of the GLBA \55\ are 
appropriately safeguarded and that sufficient information is assessed 
to fulfill the more narrowly tailored obligation to notify affected 
individuals. For example, assessment of any incident involving 
unauthorized access to or use of customer information will help 
facilitate the evaluation of whether sensitive customer information has 
been accessed or used without authorization, which informs whether 
notice has to be provided. Additionally, a covered institution's 
assessment may also be useful for collecting other information that is 
required to populate the notice, such as identifying the date or 
estimated date of the incident, among other details. Therefore, the 
scope of the incident response program is appropriate, and we are 
adopting as proposed.
---------------------------------------------------------------------------

    \55\ The GLBA directs the Commission to establish standards to 
insure the security and confidentiality of customer records and 
information; to protect against any anticipated threats or hazards 
to the security or integrity of such records; and to protect against 
unauthorized access to or use of records or information which could 
result in substantial harm or inconvenience to any customer. 15 
U.S.C. 6801(b).
---------------------------------------------------------------------------

1. Assessment
    The final amendments will require that the incident response 
program include procedures for: (1) assessing the nature and scope of 
any incident involving unauthorized access to or use of customer 
information, and (2) identifying the customer information systems and 
types of customer information that may have been accessed or used 
without authorization.\56\ We did not receive comments addressing the 
assessment portion of the incident response program and are adopting it 
as proposed.\57\
---------------------------------------------------------------------------

    \56\ See final rule 248.30(a)(3)(i). The proposed requirements 
related to assessing the nature and scope of a security incident are 
consistent with the components of a response program as set forth in 
the Banking Agencies' Incident Response Guidance. See Banking 
Agencies' Incident Response Guidance.
    \57\ Although no comments discussed only the assessment 
requirement, multiple comments discussed the incident response 
program generally, which includes the assessment requirement. These 
comments are discussed in section II.A.
---------------------------------------------------------------------------

    The assessment requirement is designed to require a covered 
institution to identify both the customer information systems and types 
of customer information that may have been accessed or used without 
authorization during the incident, as well as the specific customers 
affected, which would be necessary to fulfill the obligation to notify 
affected individuals.\58\ Information developed during the assessment 
process may also help covered institutions develop a contextual 
understanding of the circumstances surrounding an incident, as well as 
enhance their technical understanding of the incident, which should be 
helpful in guiding incident response activities such as containment and 
control measures. The assessment process may also be helpful for 
identifying and evaluating existing vulnerabilities that could benefit 
from remediation in order to prevent such vulnerabilities from being 
exploited in the future. Further, covered institutions generally should 
consider reviewing and updating the assessment procedures periodically 
to ensure that the procedures remain reasonably designed.\59\
---------------------------------------------------------------------------

    \58\ For example, a covered institution's assessment may include 
gathering information about the type of access, the extent to which 
systems or other assets have been affected, the level of privilege 
attained by any unauthorized persons, the operational or 
informational impact of the breach, and whether any data has been 
lost or exfiltrated.
    \59\ See also 17 CFR 270.38a-1, 275.206(4)-7.
---------------------------------------------------------------------------

2. Containment and Control
    The final amendments will require that the response program have 
procedures for taking appropriate steps to contain and control a 
security incident, in order to prevent further unauthorized access to 
or use of customer information.\60\ We did not receive comments 
discussing the containment and control portion of the incident response 
program and are adopting as proposed.\61\
---------------------------------------------------------------------------

    \60\ See final rule 248.30(a)(3)(ii). These proposed 
requirements are consistent with the components of a response 
program as set forth in the Banking Agencies' Incident Response 
Guidance. See Banking Agencies' Incident Response Guidance at 15752.
    \61\ Although no comments discussed only the containment and 
control requirements, multiple comments discussed the incident 
response program generally, which includes the containment and 
control requirement. These comments are discussed in section II.A.
---------------------------------------------------------------------------

    As set forth in the proposal, the objective of containment and 
control is to prevent additional damage from unauthorized activity and 
to reduce the immediate impact of an incident by removing the source of 
the unauthorized activity.\62\ Strategies for containing and 
controlling an incident vary depending upon the type of incident and 
may include, for example, isolating

[[Page 47694]]

compromised systems or enhancing the monitoring of intruder activities, 
searching for additional compromised systems, changing system 
administrator passwords, rotating private keys, and changing or 
disabling default user accounts and passwords, among other 
interventions. Because incident response may involve making complex 
judgment calls, such as deciding when to shut down or disconnect a 
system, developing and implementing written containment and control 
policies and procedures will provide a framework to help facilitate 
improved decision making at covered institutions during potentially 
high-pressure incident response situations. Further, covered 
institutions generally should consider reviewing and updating the 
containment and control procedures periodically to ensure that the 
procedures remain reasonably designed.\63\
---------------------------------------------------------------------------

    \62\ See Proposing Release at Section II.A.2. For a further 
discussion of the purposes and practices of such containment 
measures, see generally CISA Incident Response Playbook, at 14; see 
also Federal Financial Institutions Examination Council (``FFIEC''), 
Information Technology Examination Handbook--Information Security 
(Sept. 2016), at 52, available at https://ithandbook.ffiec.gov/media/274793/ffiec_itbooklet_informationsecurity.pdf.
    \63\ See also 17 CFR 270.38a-1, 275.206(4)-7.
---------------------------------------------------------------------------

3. Notice to Affected Individuals
    As part of their incident response programs, covered institutions 
will be required under the final amendments to provide a clear and 
conspicuous notice to affected individuals under certain 
circumstances.\64\ We are adopting this requirement substantially as 
proposed, with some changes in response to comments.
---------------------------------------------------------------------------

    \64\ See final rule 248.30(a)(4).
---------------------------------------------------------------------------

    We are adopting as proposed, a requirement for a covered 
institution to notify each affected individual whose sensitive customer 
information was, or was reasonably likely to have been, accessed or 
used without authorization, unless the covered institution has 
determined, after a reasonable investigation of the incident, that 
sensitive customer information has not been, and is not reasonably 
likely to be, used in a manner that would result in substantial harm or 
inconvenience. The covered institution will be required to provide a 
clear and conspicuous notice to each affected individual by a means 
designed to ensure that the individual can reasonably be expected to 
receive actual notice in writing. Also as proposed, the final 
amendments require the notice to be provided as soon as practicable, 
but not later than 30 days, after the covered institution becomes aware 
that unauthorized access to or use of customer information has occurred 
or is reasonably likely to have occurred. Lastly, in a modification 
from the proposal, the final amendments provide for an incrementally 
longer period of time than the proposal for a covered institution to 
delay providing notice to affected individuals in cases where the 
Attorney General has determined that providing the notice would pose a 
substantial risk to national security or public safety. These 
requirements are discussed in detail below.
a. Standard for Providing Notice and Identification of Affected 
Individuals
    We are adopting as proposed a requirement for a covered institution 
to provide notice to individuals whose sensitive customer information 
was, or is reasonably likely to have been, accessed or used without 
authorization, unless, after a reasonable investigation of the facts 
and circumstances of the incident of unauthorized access to or use of 
sensitive customer information, it determines that sensitive customer 
information has not been, and is not reasonably likely to be, used in a 
manner that would result in substantial harm or inconvenience.\65\ The 
final amendments reflect a presumption of notification: a covered 
institution must provide a notice unless it determines notification is 
not required following a reasonable investigation. Also as proposed, if 
an incident of unauthorized access to or use of customer information 
has occurred or is reasonably likely to have occurred, but a covered 
institution is unable to identify which specific individuals' sensitive 
customer information has been accessed or used without authorization, 
the final amendments require the covered institution to provide notice 
to all individuals whose sensitive customer information resides in the 
customer information system that was, or was reasonably likely to have 
been, accessed without authorization (``affected individuals'').\66\
---------------------------------------------------------------------------

    \65\ Final rule 248.30(a)(4)(i).
    \66\ Final rule 248.30(a)(4)(ii). This proposed provision was 
not intended to require notification of customers whose sensitive 
customer information resided in the affected customer information 
system if the covered institution has reasonably determined that 
such customers' sensitive customer information was not accessed or 
used without authorization. Accordingly, we have modified the final 
rule to reflect this intended result. See infra footnote 102 and 
accompanying text.
---------------------------------------------------------------------------

    While the incident response program is generally required to 
address information security incidents involving any form of customer 
information,\67\ notification is only required when there has been 
unauthorized access to or use of sensitive customer information, a 
subset of customer information, because it presents increased risks to 
affected individuals.\68\ This notice standard is designed to give 
affected individuals an opportunity to mitigate the risk of substantial 
harm or inconvenience arising from an information security incident 
that potentially implicates their sensitive customer information by 
affording them an opportunity to take timely responsive actions, such 
as monitoring credit reports for unauthorized activity, placing fraud 
alerts on relevant accounts, or changing passwords used to access 
accounts. At the same time, the final amendments provide a mechanism 
for covered institutions to avoid making unnecessary notifications in 
cases where, following a reasonable investigation, the institution 
determines that sensitive customer information has not been, and is not 
reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience to the affected individual.\69\
---------------------------------------------------------------------------

    \67\ See infra section II.B.1.
    \68\ See infra section II.A.3.b. Additionally, customer 
information that is not disposed of properly could trigger the 
requirement to notify affected individuals under final rule 
248.30(a)(4)(i). For example, a covered institution whose employee 
leaves un-shredded customer files containing sensitive customer 
information in a dumpster accessible to the public would be required 
to notify affected customers, unless the institution has determined 
that sensitive customer information has not been, and is not 
reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience.
    \69\ See infra section II.A.3.c.
---------------------------------------------------------------------------

    Whether an investigation is reasonable will depend on the 
particular facts and circumstances of the unauthorized access or use. 
For example, unauthorized access or use that is the result of 
intentional intrusion by a threat actor may warrant more extensive 
investigation than inadvertent unauthorized access or use by an 
employee. The investigation may occur in parallel with an initial 
assessment and scoping of the incident and may build upon information 
generated from those activities. The scope of the investigation 
generally should be refined by using available data and the results of 
ongoing incident response activities. Information related to the nature 
and scope of the incident may be relevant to determining the extent of 
the investigation, such as whether the incident is the result of 
internal unauthorized access or use of sensitive customer information 
or an external intrusion, the duration of the incident, what accounts 
have been compromised and at what privilege level, and whether and what 
type of customer information may have been copied, transferred, or 
retrieved without authorization.\70\
---------------------------------------------------------------------------

    \70\ For example, depending on the nature of the incident, it 
may be necessary to consider how a malicious intruder might use the 
underlying information based on current trends in identity theft.
---------------------------------------------------------------------------

    A covered institution cannot avoid its notification obligations in 
cases where

[[Page 47695]]

an investigation's results are inconclusive. Instead, the notification 
requirement is excused only where a reasonable investigation supports a 
determination that sensitive customer information has not been and is 
not reasonably likely to be used in a manner that would result in 
substantial harm or inconvenience. Thus, in a case where a threat actor 
has gained access to a customer information system that stores 
sensitive customer information, and the covered institution lacks 
information indicating that any particular individual's sensitive 
customer information stored in that customer information system was or 
was not used in a manner that would result in substantial harm or 
inconvenience, a covered institution will be required to provide notice 
to affected individuals even though it may not have a sufficient basis 
to determine whether the breach would result in substantial harm or 
inconvenience.\71\ Pursuant to the amendments, as proposed and adopted, 
for any determination that a covered institution makes that notice is 
not required, covered institutions other than funding portals will be 
required to maintain a record of the investigation and basis for its 
determination.\72\
---------------------------------------------------------------------------

    \71\ See final rule 248.30(a)(4)(ii).
    \72\ See infra section II.C; see also infra footnote 385.
---------------------------------------------------------------------------

    As further described below,\73\ a number of commenters supported 
the proposal's requirement for covered institutions to provide notices 
promptly, emphasizing the importance of ensuring that customers receive 
timely notification when their sensitive customer information is 
reasonably likely to have been subject to unauthorized access or use so 
they have an opportunity to effectively respond to the incident.\74\ 
One commenter stated that timeliness is key because any delay will 
impact consumers' ability to take steps to protect themselves from 
identify theft, account compromise, and other downstream impacts 
resulting from the initial harm of the unauthorized access or use.\75\ 
According to this commenter, a breach notification regime is 
fundamentally deficient if it does not empower consumers with the 
information and tools necessary to take action to protect themselves or 
understand what risks they may face as a result of a breach.\76\
---------------------------------------------------------------------------

    \73\ See infra section II.A.3.d.
    \74\ See, e.g., Better Markets Comment Letter; EPIC Comment 
Letter; NASAA Comment Letter; ICI Comment Letter 1; Nasdaq Comment 
Letter.
    \75\ See EPIC Comment Letter; see also Better Markets Comment 
Letter (customers whose information has been exposed need 
appropriate and timely notifications to decide for themselves 
whether and how to address the breach to avoid being ``victimized 
twice'': first when the breach occurs, and then again when ``bad 
actors use the information to steal their identity, drain their bank 
accounts, or run up their credit cards'').
    \76\ See EPIC Comment Letter.
---------------------------------------------------------------------------

    Several commenters proposed alternative notification standards, 
some expanding the circumstances requiring customer notification, and 
others suggesting a narrower notification regime.\77\ One commenter 
suggested we require notification for any incident of unauthorized 
access to or use of sensitive information, regardless of the risk of 
harm or inconvenience.\78\ According to this commenter, customers 
should always be notified when their sensitive information is accessed 
or used without authorization, which would allow customers to determine 
for themselves whether they believe there is a risk of substantial harm 
or inconvenience that should prompt action on their part. Similarly, 
another commenter suggested that the notification standard should be 
expanded from a ``reasonably likelihood'' standard to a ``reasonably 
possible'' standard with regard to whether an individual's sensitive 
customer information was accessed or used without authorization.\79\ 
This commenter stated that this change was necessary to protect against 
the possibility that a covered institution might conclude it lacked 
sufficient information to find the reasonably likely standard satisfied 
if, for example, it knows it has been hacked but is unable to determine 
the scope of the hack. According to these commenters, the seemingly 
higher threshold proposed by the Commission, coupled with their belief 
that businesses want to avoid making disclosures that could incur 
liability or lose customers, leaves open the potential that customers 
will not be notified of some information security compromises that 
could threaten their investments.\80\ One commenter suggested that, in 
addition to requiring notifications to affected individuals, the rules 
should be modified to also require that covered institutions provide 
notice to the Commission whenever they are providing notice to affected 
individuals.\81\
---------------------------------------------------------------------------

    \77\ See, e.g., Better Markets Comment Letter, NASAA Comment 
Letter (proposing more expansive standards); SIFMA Comment Letter 2, 
CAI Comment Letter, IAA Comment Letter 1 (proposing narrower 
standards).
    \78\ See Better Markets Comment Letter.
    \79\ See NASAA Comment Letter.
    \80\ See Better Markets Comment Letter; NASAA Comment Letter; 
see also EPIC Comment Letter (``EPIC agrees that businesses have a 
natural tendency to want to avoid making disclosures that could 
incur liability or lose customers'').
    \81\ See Better Markets Comment Letter.
---------------------------------------------------------------------------

    By contrast, with regard to narrowing the standard, some commenters 
suggested eliminating the presumption of notification altogether, such 
that covered institutions would have a notification obligation only 
after having affirmatively determined, following an investigation, a 
likelihood of a breach or resulting harm to customers.\82\ These 
commenters suggested that eliminating the notification presumption, and 
allowing for the completion of an investigation, would provide covered 
institutions with additional time to respond to and mitigate an 
incident as opposed to spending time deliberating over notification 
obligations, and would allow for more informed notifications. These 
commenters also suggested that this approach would be more consistent 
with certain State law regimes that only require notification where an 
investigation shows a risk of harm and the Banking Agencies' Incident 
Response Guidance.\83\ To address the concern that lengthy 
investigations might unduly delay customer notifications, one commenter 
suggested revising the rule to separately require covered institutions 
``to conduct a prompt investigation of potential incidents,'' which the 
commenter stated would better align with certain existing State law 
standards while still providing a mechanism for timely 
notifications.\84\
---------------------------------------------------------------------------

    \82\ See, e.g., SIFMA Comment Letter 2 (notification should only 
be required if the covered institution makes an affirmative finding 
of substantial harm or inconvenience); CAI Comment Letter (proposing 
revised notification trigger to no later than 30 days from a 
determination that actual or reasonably likely unauthorized access 
to sensitive customer information has occurred); ACLI Comment Letter 
(suggesting trigger should instead be only after the completion of a 
reasonable investigation and conclusion of the incident response 
process).
    \83\ The Banking Agencies' Incident Response Guidance advises 
that a covered institution should provide notice to affected 
customers if, following the conclusion of a reasonable 
investigation, it has determined that misuse of sensitive customer 
information has occurred or is reasonably possible. See Banking 
Agencies' Incident Response Guidance. See also section II.A.3.d(1) 
(responding to commenters' concerns that the proposed notification 
timing requirements provide an insufficient amount of time for 
covered institutions to conduct a reasonable investigation of a data 
breach incident and prepare and send notices to affected 
individuals).
    \84\ See CAI Comment Letter.
---------------------------------------------------------------------------

    We considered the alternative approaches suggested by commenters 
but determined that adopting the standard as proposed strikes an 
appropriate balance in accommodating the relevant competing concerns. 
The suggestions to expand the circumstances requiring notification 
(either by requiring notification regardless of the risk of harm, or by 
expanding notification to include cases where it is ``reasonably 
possible'' that an

[[Page 47696]]

individual's sensitive customer information was accessed or used 
without authorization) raise over-notification concerns, particularly 
given that the adopted standard already has a presumption towards 
notification.\85\ We also disagree that the ``reasonably likely'' 
standard would allow a covered institution that knows it suffered a 
breach to avoid providing notice simply by pointing to a lack of 
information about the scope of the breach as the commenter recommending 
this approach suggested.\86\ To the contrary, under the proposed and 
final amendments, if it is reasonably likely that a malicious actor 
gained access to a covered institution's information system containing 
sensitive customer information but the scope of the breach is unclear 
(i.e., the covered institution is unable to determine which specific 
individuals' sensitive customer information has been accessed or used 
without authorization and cannot make the determinations required under 
the rule to avoid sending notices), the covered institution would be 
required to provide notice to each individual whose sensitive customer 
information resides in the customer information system.\87\ In 
addition, providing notice of every incident, regardless of the risk of 
harm to affected individuals or the need to take protective measures, 
could diminish the impact and effectiveness of the notice in a 
situation where enhanced vigilance is necessary. Utilizing a 
``reasonably possible'' standard raises similar concerns, as it could 
require covered institutions to provide notice in situations where it 
is possible, but not reasonably likely, that sensitive customer 
information was compromised. This could result in over-notification 
where, for example, a customer's sensitive information ultimately was 
not accessed or used without authorization, but it was not possible to 
rule out that possibility at the time of the incident or in the course 
of a reasonable investigation during the 30-day period for notices.
---------------------------------------------------------------------------

    \85\ See supra footnotes 78-80 and accompanying text.
    \86\ See NASAA Comment Letter.
    \87\ See final rule 248.30(a)(4)(i) and (ii).
---------------------------------------------------------------------------

    Additionally, we are not adopting a commenter's recommendation that 
the Commission require covered institutions to provide notices to the 
Commission when they are required to send notices to affected 
individuals, as one commenter suggested.\88\ A primary reason for these 
amendments was to require a reasonably designed incident response 
program, including policies and procedures for assessment, control and 
containment, and customer notification, in order to mitigate the 
potential harm to individuals whose sensitive information is exposed or 
compromised in a data breach.\89\ Providing timely notices to affected 
individuals accomplishes this goal without the need for covered 
institutions also to provide copies of the notice to the Commission.
---------------------------------------------------------------------------

    \88\ See Better Markets Comment Letter.
    \89\ Proposing Release at section I.
---------------------------------------------------------------------------

    Conversely, the narrower alternative standards suggested by 
commenters (i.e., that covered institutions have a notification 
obligation only after an investigation, and only if they affirmatively 
determine a likelihood of a breach or resulting harm to customers) 
could result in an unreasonable risk of significant delays in providing 
notice and in notification not being provided to affected individuals. 
A principal purpose of these amendments is to provide a notification 
regime that allows affected individuals to take actions to avoid or 
mitigate the risk of substantial harm or inconvenience.\90\ If customer 
notification of a potential breach was delayed to allow a covered 
institution to complete an investigation that comes to a definitive 
conclusion about the precise details of the breach, even if done 
promptly, it would frustrate this goal by postponing (or potentially 
limiting or foreclosing) the ability of affected individuals to take 
mitigating actions pending the conclusion of that investigation. For 
these same reasons, we were not persuaded by those commenters who 
suggested that we should allow for the completion of an investigation 
in order to align with the Banking Agencies' Incident Response 
Guidance. After considering the comments, we continue to believe the 
notification standard we proposed (and are adopting in the final 
amendments) is necessary to enable affected individuals to make their 
own determinations on needed self-protections regarding the 
incident.\91\
---------------------------------------------------------------------------

    \90\ See Proposing Release at nn.97-98 and accompanying text.
    \91\ See Proposing Release at n.100 (discussing reasons for 
divergence from Banking Agencies' Incident Response Guidance); see 
also infra sections II.A.3.b, II.A.3.e, II.A.4, II.B.2, and IV.C 
(also discussing the Banking Agencies' Incident Response Guidance).
---------------------------------------------------------------------------

    Regarding commenters' concerns about harmonizing Regulation S-P 
with State law requirements, State law notification standards vary 
widely such that broad harmonization would be impracticable, and a 
benefit of the final amendments is that they provide a consistent 
minimum Federal notification standard to protect affected individuals 
in an environment of enhanced risk. This will, for example, provide 
additional protections for customers in States whose laws do not 
mandate notification without an affirmative determination of harm or 
provide an outside time by which notification must be provided.\92\ 
This standard will protect all customers, regardless of their State of 
residence and reduce the potential confusion that could result from 
customers in one State receiving notice of an incident while customers 
in another State do not. Moreover, to the extent a covered institution 
will have a notification obligation under both the final amendments and 
a similar State law, a covered institution may be able to provide one 
notice to satisfy notification obligations under both the final 
amendments and the State law, provided that the notice includes all 
information required under both the final amendments and the State law, 
which may reduce the number of notices an individual receives.\93\
---------------------------------------------------------------------------

    \92\ See Proposing Release at nn.107-108 and accompanying text 
(discussing variation in State laws); see also infra section IV.C.2 
for a fuller discussion of State law variations, and infra section 
IV.D.1.b(2) discussing timing of State law notification regimes.
    \93\ See also infra section IV.C.2.a(2) (discussing States that 
excuse covered entities from individual notification under State law 
if the entities comply with the notification requirements of another 
regulator).
---------------------------------------------------------------------------

    Relatedly, some commenters suggested eliminating or narrowing the 
concept of ``affected individuals'' entitled to notification in 
situations where a covered institution is unable to identify which 
specific individuals' sensitive customer information has been accessed 
or used without authorization. Instead of the proposed requirement that 
the covered institution must provide notice to all individuals whose 
sensitive customer information resides in the customer information 
system that was, or was reasonably likely to have been, accessed or 
used without authorization, commenters urged narrowing notification to 
individuals whose sensitive customer information was, or was reasonably 
likely to have been, accessed or used without authorization based on 
the covered institution's reasonable investigation.\94\

[[Page 47697]]

These commenters stated that, by requiring a covered institution to 
provide all affected individuals notice prior to the conclusion of an 
investigation and particularized determination, the proposed 
notification standard could result in the over-notification of 
individuals whose sensitive customer information may not have been 
accessed but was residing on a system that was compromised.\95\ For 
example, one commenter posited a situation where a threat actor was 
able to compromise an employee's email account through a phishing 
email, and access documents accessible through that account's shared 
file server. According to this commenter, if the covered institution 
were unable to determine which files containing personal information 
actually were accessed, the institution would be required to provide 
notice in connection with millions of records, even though the ``vast 
majority of files and data on that file server would not have been 
accessible to the employee or to the threat actor.'' \96\ These 
commenters stated that the resulting over-notification could, in turn, 
desensitize or unnecessarily disturb individuals whose information was 
not actually compromised, and might increase costs and litigation and 
reputational risks for the covered institution, its service providers, 
or other financial institutions whose contracts reside on the 
system.\97\
---------------------------------------------------------------------------

    \94\ See, e.g., IAA Comment Letter 1 (suggesting the rule's 
affected individuals' provision be modified to remove the reference 
to situations where an institution is unable to identify which 
specific individual's sensitive customer information has been 
accessed or used without authorization, as well as the presumption 
that affected individuals include individuals whose sensitive 
customer information resides in the breached customer information 
system); CAI Comment Letter (suggesting the provision be revised to 
remove the requirement to notify all individuals whose information 
is on an affected system, and instead require the institution to 
notify individuals whose information it reasonably believes was, or 
reasonably could have been, subject to unauthorized access based on 
the finding of its investigation).
    \95\ See, e.g., CAI Comment Letter; Computershare Comment 
Letter; IAA Comment Letter 1.
    \96\ CAI Comment Letter.
    \97\ See also infra section IV.D.1.b.(4) (discussing 
reputational costs).
---------------------------------------------------------------------------

    For similar reasons to those discussed above,\98\ we were not 
persuaded by commenter suggestions to narrow the scope of affected 
individuals entitled to notification in cases where a breach has or is 
reasonably likely to have occurred, but the covered institution is 
unable to identify which specific individuals' sensitive customer 
information has been accessed or used without authorization.\99\ 
Because of the potential that customers might be adversely affected by 
the breach, covered institutions should be required to provide notice 
to affected individuals in these circumstances so they may make their 
own determination as to whether to take remedial actions.
---------------------------------------------------------------------------

    \98\ See supra footnotes 90-93 and accompanying text.
    \99\ See supra footnotes 94-97 and accompanying text.
---------------------------------------------------------------------------

    Contrary to the concerns expressed by some commenters, under the 
proposed and final amendments, a covered institution would not need to 
provide notice in connection with files or data residing on a system 
where it knows that information was not used or accessed.\100\ Rather, 
a covered institution is only required to provide notification to an 
affected individual where her sensitive customer information was, or is 
reasonably likely to have been, accessed or used without 
authorization.\101\ Additionally, a covered institution need not 
provide notice where, after a reasonable investigation of the facts and 
circumstances of the incident, it has determined that sensitive 
customer information has not been, and is not reasonably likely to be, 
used in a manner that would result in substantial harm or 
inconvenience. To address these commenters' concerns, in a change from 
the proposal, the final amendments explicitly provide that, in cases 
where a covered institution reasonably determines that a specific 
individual's sensitive customer information that resides in the 
customer information system was not accessed or used without 
authorization, the covered institution need not provide notice to that 
individual.\102\ Thus, a covered institution would not have an 
obligation to provide notice to an affected individual whose files 
happened to reside on a breached information system if it was able to 
reasonably conclude that those files were not subject to unauthorized 
use or access.
---------------------------------------------------------------------------

    \100\ See supra footnote 96 and accompanying text.
    \101\ See final rule 248.30(a)(4)(i).
    \102\ See final rule 248.30(a)(4)(ii).
---------------------------------------------------------------------------

    The notification standard should help to improve security outcomes 
by incentivizing covered institutions to conduct more thorough 
investigations after an incident occurs because the rule does not 
permit a covered institution to rebut the presumption of notification 
without conducting a reasonable investigation. Further, the rule's 
requirement that a covered institution provide notice to all affected 
individuals where it is unable to identify which specific individuals' 
sensitive customer information has been accessed or used without 
authorization should incentivize covered institutions to establish 
procedures (for themselves and their service providers) that provide 
robust protections for sensitive customer information. For example, it 
may encourage covered institutions to employ a principle of least 
privilege, so that users' access rights to sensitive customer 
information on a particular information system are limited to the 
information strictly required to do their jobs.\103\ Protections that 
limit the scope of any breaches reduce the investigation and 
notification costs (and as a consequence, the potential harm) resulting 
from a breach.
---------------------------------------------------------------------------

    \103\ See, e.g., Defend Privileges and Accounts, National 
Security Agency Cybersecurity Information (``Least privilege is the 
restriction of privileges to only those accounts that require them 
to perform their duties, while limiting accounts to only those 
privileges that are truly necessary. Doing this reduces the exposure 
of those privileges to a smaller, more easily manageable set of 
accounts. Local administrative accounts and accounts for software 
program management and installation are particularly powerful, but 
have small scopes of control and should be restricted as much as 
possible'') (available at https://media.defense.gov/2019/Sep/09/2002180330/-1/-1/0/Defend%20Privileges%20and%20Accounts%20-%20Copy.pdf).
---------------------------------------------------------------------------

    For a covered institution's customer notification procedures to 
remain reasonably designed to notify each affected individual whose 
sensitive customer information was reasonably likely to have been 
compromised, as required by the final amendments, the covered 
institution's policies and procedures generally should be designed to 
include revisiting notification determinations whenever the covered 
institution becomes aware of new facts that are potentially relevant to 
the determination.\104\ For example, if at the time of the incident, a 
covered institution determines that risk of use in a manner that would 
result in substantial harm or inconvenience is not reasonably likely 
based on the use of encryption in accordance with industry standards, 
but subsequently the encryption is compromised or it is discovered that 
the decryption key was also obtained by the threat actor, the covered 
institution generally should revisit its determination.
---------------------------------------------------------------------------

    \104\ See final rule 248.30(a)(3).
---------------------------------------------------------------------------

    As discussed in more detail below, the scope of the final 
amendments will apply to customer information in a covered 
institution's possession or that is handled or maintained on the 
covered institution's behalf, regardless of whether such information 
pertains to (a) individuals with whom the covered institution has a 
customer relationship or (b) to the customers of other financial 
institutions where such information has been provided to the covered 
institution.\105\ Some commenters expressed concern that, as a result 
of this scope, covered institutions would be required to provide 
notification to customers of other institutions with whom they do not 
have a preexisting

[[Page 47698]]

relationship.\106\ One of these commenters suggested that it was 
unclear how a third-party service provider's notice to a covered 
institution of a breach would affect that covered institution's 
obligations.\107\ Additionally, some commenters addressed circumstances 
where multiple covered institutions would all be required to notify 
affected individuals concerning the same incident, asserting that 
requiring all covered institutions involved to provide notices to 
customers would be burdensome, duplicative, and confusing to 
customers.\108\
---------------------------------------------------------------------------

    \105\ See infra section II.B.1.
    \106\ See ACLI Comment Letter; Federated Hermes Comment Letter; 
ICI Comment Letter; SIFMA Comment Letter 2.
    \107\ See ACLI Comment Letter.
    \108\ See CAI Comment Letter; Computershare Comment Letter.
---------------------------------------------------------------------------

    Where a covered institution experiences an incident involving 
sensitive customer information related to the customers of another 
covered institution, commenters generally suggested that the covered 
institution that has the customer relationship with the customer whose 
information was affected should be responsible for providing the 
required notice.\109\ These commenters asserted that this would be more 
efficient because, if the covered institution that experienced the 
incident did not have a customer relationship with an affected 
individual, that covered institution might not have contact information 
for the individual necessary to send a notice.
---------------------------------------------------------------------------

    \109\ See SIFMA Comment Letter 2; ACLI Comment Letter; Federated 
Hermes Comment Letter; CAI Comment Letter. Two of these commenters 
suggested that the covered institution with the customer 
relationship may make arrangements with other institutions to 
provide the notice on its behalf. SIFMA Comment Letter 2; ACLI 
Comment Letter.
---------------------------------------------------------------------------

    After considering comments, we are modifying the proposal to avoid 
requiring multiple covered institutions to notify the same affected 
individuals about a given incident. In an effort to minimize 
duplicative notices, rather than requiring the covered institution with 
the customer relationship to send the notice as some commenters 
suggested, the final amendments only require a covered institution to 
provide notice where unauthorized access to or use of sensitive 
customer information has occurred at the covered institution or one of 
its service providers that is not itself a covered institution.\110\ 
That covered institution will have information about the incident 
itself that is necessary to properly inform affected individuals. Thus, 
in response to the commenter question about the relationship between a 
covered institution's receipt of a breach notification from a third 
party service provider and the covered institution's own 
obligations,\111\ where a service provider (that is not itself a 
covered institution) provides notice to a covered institution that a 
breach in security has occurred resulting in unauthorized access to a 
customer information system maintained by the service provider,\112\ 
that covered institution will be required to initiate its incident 
response program under the final amendments \113\ and thereafter, if 
applicable, provide notice to affected individuals.\114\ While we 
appreciate, as offered by commenters,\115\ that a covered institution 
may not have access to the contact information for some customers, it 
can coordinate with the covered institution that has a customer 
relationship to receive contact information as needed for the 
notices.\116\
---------------------------------------------------------------------------

    \110\ Final rule 248.30(a)(4). If a covered institution is 
acting as a service provider, in addition to its own obligations 
under rule 248.30, it must provide notification to the other covered 
institution as required by the policies and procedures required in 
rule 248.30(a)(5)(i).
    \111\ See ACLI Comment Letter.
    \112\ See final rule 248.30(a)(5)(i)(B).
    \113\ See id.; see also infra Section II.A.4.a.
    \114\ See final rule 248.30(a)(4)(iii). As described above, a 
covered institution need not provide notice where, after a 
reasonable investigation of the facts and circumstances of the 
incident, it has determined that sensitive customer information has 
not been, and is not reasonably likely to be, used in a manner that 
would result in substantial harm or inconvenience. See final rule 
248.30(a)(4)(i).
    \115\ See ACLI Comment Letter, SIFMA Comment Letter 2.
    \116\ Further, as discussed below, a covered instituition will 
be permitted to enter into a written agreement with its service 
provider to notify affected individuals on its behalf in accordance 
with the notice requirements. See final rule 248.30(a)(5)(ii); see 
also supra section II.A.4.
---------------------------------------------------------------------------

    Moreover, in another modification from the proposal, the final 
amendments also provide that a covered institution that is required to 
notify affected individuals may satisfy that obligation by ensuring 
that the notice is provided.\117\ Accordingly, if a covered institution 
experiences an incident affecting another covered institution's 
customers, although the covered institution that experienced the 
incident is responsible for notification under the final amendments, 
the two covered institutions can coordinate with each other as to which 
institution will send the notice.
---------------------------------------------------------------------------

    \117\ Final rule 248.30(a)(4) (requiring covered institutions to 
either provide notice or ensure that such notice is provided).
---------------------------------------------------------------------------

b. Definition of ``Sensitive Customer Information''
    As discussed above, covered institutions will be required to notify 
customers when ``sensitive customer information'' was, or is reasonably 
likely to have been, accessed or used without authorization, subject to 
a reasonable investigation. As proposed and as adopted, the final 
amendments define the term ``sensitive customer information'' to mean 
``any component of customer information alone or in conjunction with 
any other information, the compromise of which could create a 
reasonably likely risk of substantial harm or inconvenience to an 
individual identified with the information.'' \118\ This definition is 
calibrated to include types of information that, if exposed, could put 
affected individuals at a higher risk of suffering substantial harm or 
inconvenience through, for example, fraud or identity theft enabled by 
the unauthorized access to or use of the information.\119\ As with the 
proposal, the final amendments provide examples of the types of 
information that will be considered sensitive customer 
information.\120\ These examples include certain customer information 
identified with an individual that, without any other identifying 
information, could create a substantial risk of harm or inconvenience 
to an individual identified with the information,\121\ along with 
examples of combinations of identifying information and authenticating 
information that could create such a risk to an individual identified 
with the information.\122\
---------------------------------------------------------------------------

    \118\ See final rule 248.30(d)(9)(i). The definition is limited 
to information identified with customers of financial institutions. 
See final rule 248.30(d)(5)(i); infra section II.B.1. As proposed, 
information pertaining to a covered institution's customers and to 
customers of other financial institutions that the other 
institutions have provided to the covered institution are subject to 
the safeguards rule under the final amendments, including the 
incident response program and customer notice requirements. See 
final rule 248.30(a); infra section II.B.1.
    \119\ See supra section II.A.3.a.
    \120\ See final rule 248.30(d)(9)(ii).
    \121\ These examples include Social Security numbers and other 
types of identifying information that can be used alone to 
authenticate an individual's identity such as a driver's license or 
identification number, alien registration number, government 
passport number, employer or taxpayer identification number, 
biometric records, a unique electronic identification number, 
address, or routing code, or telecommunication identifying 
information or access device.
    \122\ These examples include information identifying a customer, 
such as a name or online user name, in combination with 
authenticating information such as a partial Social Security number, 
access code, or mother's maiden name.
---------------------------------------------------------------------------

    One commenter supported our proposed definition of sensitive 
customer information and emphasized the benefits of a broad 
definition.\123\ According to this commenter, this breadth helps 
protect customers by ensuring that they can take the necessary steps to 
minimize their

[[Page 47699]]

exposure risks and will assist covered institutions in formulating and 
improving their security standards. Another commenter suggested the 
proposed definition might be too narrow because it includes the 
separate concept of substantial harm or inconvenience in the 
definition, resulting in under-notification.\124\ This commenter stated 
that harms can take many forms, and customers should receive notice of 
breaches involving customer information even where that information's 
compromise might not have obvious financial implications to the 
customer.
---------------------------------------------------------------------------

    \123\ See Better Markets Comment Letter.
    \124\ See EPIC Comment Letter.
---------------------------------------------------------------------------

    Conversely, a number of commenters asserted that the proposed 
definition was too broad and could lead to over-notification, 
suggesting that the definition be narrowed to focus on information 
whose exposure would be more likely to lead to tangible economic 
harms.\125\ For example, some commenters suggested that, rather than 
providing examples, the definition should list specific data elements 
that, when combined with an individual's name, are sufficiently 
sensitive to require notification.\126\ These commenters focused on 
those data elements that could be used to commit identity theft or 
access the customer's financial account, such as a Social Security 
number, driver's license or State ID number, or financial account 
number combined with information necessary to access the account. 
According to one of these commenters, by using illustrative examples 
rather than a circumscribed list, covered institutions would face 
uncertainty over the definition's meaning and would likely err on the 
side of over-inclusion, which could lead to over-notification.\127\ A 
number of commenters stated that narrowing the definition would be more 
consistent with the Banking Agencies' Incident Response Guidance and 
with various State laws.\128\ One commenter also suggested the proposed 
use of the term ``compromise'' in the definition was unclear, and 
should be replaced with ``unauthorized access or use,'' consistent with 
other authorities and language used elsewhere in the proposal.\129\
---------------------------------------------------------------------------

    \125\ See, e.g., CAI Comment Letter; IAA Comment Letter 1; SIFMA 
Comment Letter 2; ICI Comment Letter 1.
    \126\ See CAI Comment Letter; SIFMA Comment Letter 2.
    \127\ See CAI Comment Letter.
    \128\ See, e.g., SIFMA Comment Letter 2; Computershare Comment 
Letter; CAI Comment Letter.
    \129\ See CAI Comment Letter.
---------------------------------------------------------------------------

    After considering these comments, we are adopting the definition of 
``sensitive customer information'' as proposed. We recognize that this 
definition is broader than that used by some States and the Banking 
Agencies' Incident Response Guidance.\130\ However, in contrast to the 
narrower definition used in some States, the definition of sensitive 
customer information we are adopting includes identifying information 
that, in combination with authenticating information (such as a partial 
Social Security number, access code, or mother's maiden name), could 
create a substantial risk of harm or inconvenience to the customer 
because they may be widely used for authentication purposes.\131\ 
Similarly, in contrast to the definition provided in the Banking 
Agencies' Incident Response Guidance (which includes a customer's name, 
address, or telephone number, only in conjunction with other pieces of 
information that would permit access to a customer account), the 
definition in the Commission's final amendments includes customer 
information identified with an individual (such as Social Security 
numbers, driver's license numbers, biometric records) that, without any 
other identifying information, could create a substantial risk of harm 
or inconvenience to an individual identified with the information.\132\ 
Accordingly, our adopted definition could help affected individuals 
take measures to protect themselves.
---------------------------------------------------------------------------

    \130\ See Proposing Release at nn.113 and 115 (describing the 
differences). But see id. at n.115, stating that a number of States 
define the scope of personal information subject to a notification 
obligation in a manner that generally aligns with the definition of 
sensitive customer information under these final rules.
    \131\ See infra footnote 810 and surrounding text (discussing 
that 14 States more narrowly define the kind of information that 
trigger notice requirements than our adopted definition of sensitive 
customer information in that only the compromise of a customer's 
name together with one or more enumerated pieces of information 
triggers the notice requirement).
    \132\ See Proposing Release at n.114 and accompanying text, 
stating that Social Security numbers alone, without any other 
information linked to the individual, are sensitive because they 
have been used by malicious actors in ``Social Security number-
only'' or ``synthetic'' identity theft, to open new financial 
accounts, and that a similar sensitivity exists with other types of 
identifying information that can be used alone to authenticate an 
individual's identity such as a biometric record of a fingerprint or 
iris image.
---------------------------------------------------------------------------

    Given the varied and evolving nature of security practices across 
covered institutions, it would be impractical to provide an exhaustive 
list of data elements whose exposure could put affected individuals at 
risk of substantial harm or inconvenience. Further, while we are 
mindful of concerns about overbreadth and potential over-notification, 
those concerns are tempered by the definition's harm component and the 
ability of covered entities to rebut the notification presumption 
following a reasonable investigation and determination. Given these 
considerations, we are not broadening the definition of sensitive 
customer information to encompass information whose exposure does not 
pose a reasonably likely risk of substantial harm or inconvenience. Nor 
do we agree that the definition's use of the verb ``compromise,'' which 
is commonly used to mean ``to expose or make liable to danger,'' is 
ambiguous in this context or inconsistent with other Federal 
authorities.\133\ Individuals are less likely to need to take 
protective measures in cases where the exposure of their information is 
not likely to involve a substantial harm or inconvenience.\134\
---------------------------------------------------------------------------

    \133\ See, e.g., Harmonization of Cyber Incident Reporting to 
the Federal Government, Homeland Security Office of Strategy, 
Policy, and Plans, Appendix B: Federal Cyber Incident Reporting 
Requirements Inventory (Sept. 10, 2023) (summarizing cyber incident 
reporting regulations of multiple agencies that use the term 
``compromise,'' including Departments of Defense, Justice, and 
Energy, the Federal Communications Commission, the Nuclear 
Regulatory Commission, and the Federal Energy Regulatory 
Commission).
    \134\ See infra section II.A.3.c.
---------------------------------------------------------------------------

    Finally, several commenters suggested we include an exception or 
safe harbor in the definition of sensitive customer information for 
encrypted information.\135\ These commenters stated that excepting 
encrypted information would protect customers by incentivizing covered 
institutions to adopt encryption practices, limit the potential for 
voluminous over-reporting of less severe incidents, and align with 
existing State data breach notification rules. Some of these commenters 
acknowledged that an exception should not apply in cases where there is 
reason to believe that the encryption key has been compromised or that 
the encryption method is outdated.\136\ One commenter suggested that if 
we did not include an exception in the rule text, we should acknowledge 
that encryption is a factor that covered institutions may take into 
account in determining whether an incident will result in substantial 
harm or inconvenience.\137\
---------------------------------------------------------------------------

    \135\ See AWS Comment Letter; Google Comment Letter; IAA Comment 
Letter 1; SIFMA Comment Letter 2.
    \136\ See Google Comment Letter, IAA Comment Letter 1; SIFMA 
Comment Letter 2.
    \137\ See IAA Comment Letter 1.
---------------------------------------------------------------------------

    After considering these comments, we are not excepting encrypted 
information from the rule's definition of sensitive customer 
information because the rule

[[Page 47700]]

text effectively addresses encrypted information without the need for a 
provision specifically tailored to that information. Specifically, in 
applying the final rule, a covered institution may consider encryption 
as a factor in determining whether the compromise of customer 
information could create a reasonably likely harm risk to an individual 
identified with the information.\138\ Specifically, we acknowledge that 
encryption of information using current industry standard best 
practices is a reasonable factor for a covered institution to consider 
in making this determination. To the extent such encryption minimizes 
the likelihood that the cipher text could be decrypted, it would also 
reduce the likelihood that the cipher text's compromise could create a 
risk of harm, as long as the associated decryption key is secure.\139\ 
Covered institutions may also reference commonly used cryptographic 
standards to determine whether encryption, in fact, does substantially 
impede the likelihood that the cipher text's compromise could create a 
risk of harm.\140\ As industry standards continue to develop in the 
future, covered institutions generally should review and update, as 
appropriate, their encryption practices. While we agree with commenters 
that it is important to incentivize the use of encryption consistent 
with State law regimes, the final amendments' approach accomplishes 
this goal while also addressing concerns that any particular approach 
to encryption may become outdated as technologies and security 
practices evolve. Relatedly, and for the same reasons, when information 
that would otherwise constitute sensitive customer information is 
encrypted, the covered institution may consider the security provided 
by that encryption in determining whether the cipher text (i.e., the 
data rendered in a format not understood by people or machines without 
an encryption key) is sensitive customer information. Accordingly, 
while the final amendments provide illustrative examples of information 
(such as a customer's Social Security number) that can constitute 
sensitive customer information when unencrypted,\141\ a covered 
institution could nevertheless determine that the encrypted 
representation of that information is not sensitive customer 
information if the encryption renders the cipher text sufficiently 
secure, such that the compromise of that encrypted information does not 
create a reasonably likely risk of substantial harm or inconvenience to 
an individual.\142\
---------------------------------------------------------------------------

    \138\ See Proposing Release at n.116 and accompanying text.
    \139\ As discussed in the Proposing Release, most States except 
encrypted information in certain circumstances, including, for 
example, where the covered institution can determine that the 
encryption offers certain levels of protection or the decryption key 
has not also been compromised. See Proposing Release at n.117 and 
accompanying text.
    \140\ We understand that standards included in Federal 
Information Processing Standard Publication 140-3 (FIPS 140-3) are 
widely referenced by industry participants. See Proposing Release at 
n.118.
    \141\ See final rule 248.30(d)(9)(ii)(A)(1) through (4) and 
248.30(d)(9)(ii)(B).
    \142\ To the extent a covered institutioon's determination about 
the security of cipher text affects its determination about whether 
notice of a breach is required under the final rules, the covered 
institution would be required to make and maintain written 
documentation of that documentation. See final rule 
248.30(c)(1)(iii).
---------------------------------------------------------------------------

c. Substantial Harm or Inconvenience
    The GLBA directs the Commission and other Federal financial 
regulators to, among other things, establish appropriate standards 
requiring financial institutions subject to their jurisdiction to 
protect against unauthorized access to or use of customer records or 
information which could result in ``substantial harm or inconvenience'' 
to any customer, without defining what constitutes a substantial harm 
or inconvenience under the statute.\143\ The Commission proposed to 
define ``substantial harm or inconvenience'' to mean all personal 
injuries, as well as instances of financial loss, expenditure of 
effort, or loss of time when they are ``more than trivial,'' with the 
proposal also providing a non-exhaustive list of examples of included 
harms or inconveniences.\144\ This proposed definition included a broad 
range of financial and non-financial harms and inconveniences that may 
result from the failure to safeguard sensitive customer 
information.\145\ After considering comments, and as discussed further 
below, we have determined not to define the term ``substantial harm or 
inconvenience'' in the final amendments.
---------------------------------------------------------------------------

    \143\ See 15 U.S.C. 6801(b). The Banking Agencies' Incident 
Response Guidance likewise does not define the term ``substantial 
harm or inconvenience.''
    \144\ See proposed rule 248.30(e)(11).
    \145\ See Proposing Release at n.124.
---------------------------------------------------------------------------

    Commenters raised various concerns with the proposed definition. 
Some commenters proposed expanding the definition to include a broader 
array of harms requiring notification.\146\ For example, one commenter 
suggested revising it to enumerate a list of specific personal injuries 
requiring notification to help clarify to covered institutions that 
there are a range of personal injuries that can result from an exposure 
of customer data.\147\ Commenters also suggested we remove the 
requirement that personal or financial harms be nontrivial because, 
according to these commenters, there might always be some set of 
individuals to whom a particular personal or financial harm is 
material, and securities firms are not well positioned to determine 
what potential personal or financial harms to their customers are 
significant enough to require customer notice.\148\ One of these 
commenters observed that, while it made sense to apply the concept of 
nontriviality to potential harms or inconveniences that would infringe 
upon a customer's time and personal labors, risks to the customer's 
person and pocketbook are materially different from risks to the 
customer's time and energies.\149\ This commenter also suggested 
broadening the definition to include the term ``cyberattack'' as one of 
the enumerated events that could give rise to the customer notice 
obligation.
---------------------------------------------------------------------------

    \146\ See EPIC Comment Letter; NASAA Comment Letter; Better 
Markets Comment Letter.
    \147\ See EPIC Comment Letter (suggesting the definition 
specifically list as examples of personal injuries: theft, fraud, 
harassment, physical harm, psychological harm, impersonation, 
intimidation, damaged reputation, impaired eligibility for credit or 
government benefits, or the misuse of information identified with an 
individual to obtain a financial product or service, or to access, 
log onto, effect a transaction in, or otherwise misuse the 
individual's account).
    \148\ See NASAA Comment Letter; EPIC Comment Letter (agreeing 
with NASAA's comment).
    \149\ See NASAA Comment Letter.
---------------------------------------------------------------------------

    Alternatively, a number of commenters suggested that the proposed 
standard was ambiguous and urged narrowing the definition to reduce the 
types of injuries that would require notification.\150\ For example, 
one commenter suggested that we not attempt to define ``substantial 
harm or inconvenience'' at all, and further expressed concern that the 
proposed definition would require notice for harms or inconveniences 
that are unrelated to identify theft, the means to access an account 
without authority, or other ``tangible harms.'' \151\ Another commenter 
proposed narrowing the kinds of financial loss or time and effort 
cognizable under the rules from ``more than trivial'' to only 
``material'' financial loss or ``significant'' expenditure of effort or 
loss of time, suggesting that the proposed definition would be 
inconsistent with the usual meaning of the term ``substantial'' and 
could include any financial loss that is slightly

[[Page 47701]]

above trivial as substantial.\152\ Another commenter stated that the 
use of ``more than trivial'' set a very low bar that could result in 
second-guessing and over notification by covered intuitions that could 
lead to notification in practically all instances, not just instances 
of what the commenter viewed as a substantial harm or 
inconvenience.\153\ This commenter also stated that, as drafted, it was 
unclear whether the proposed ``more than trivial'' standard was meant 
to apply to instances of personal injury or financial loss and 
suggested replacing ``more than trivial'' with substantial, while 
making clear that the word substantial modified all elements of the 
definition. Other commenters suggested narrowing the proposed 
definition by removing the term ``inconvenience'' from the definition, 
with notification only required in cases of substantial harm that were 
more than trivial.\154\
---------------------------------------------------------------------------

    \150\ See, e.g., Comment Letter of Cambridge (``Cambridge 
Comment Letter''); CAI Comment Letter; IAA Comment Letter 1; SIFMA 
Comment Letter 2.
    \151\ See SIFMA Comment Letter 2.
    \152\ See IAA Comment Letter 1.
    \153\ See CAI Comment Letter (``it is hard to imagine any 
instance of unauthorized access or use of customer information that 
could not create a reasonably likely risk of more than trivial 
inconvenience, and therefore not require notification'').
    \154\ See Cambridge Comment Letter; Financial Services Institute 
Comment Letter.
---------------------------------------------------------------------------

    After considering comments, we have determined, consistent with the 
approach of the Banking Agencies, not to define the term ``substantial 
harm or inconvenience.'' As the range of commenter concerns discussed 
above reflects, commenters found the proposed definition simultaneously 
too broad and too narrow, suggesting it could consequently lead to both 
under-notification and over-notification. Eliminating the proposed 
definition avoids this result without diminishing investor protection.
    Determining whether a given harm or inconvenience rises to the 
level of a substantial harm or a substantial inconvenience would depend 
on the particular facts and circumstances surrounding an incident. As 
stated in the Proposing Release, we do not intend for covered 
institutions to design programs and incur costs to protect customers 
from harms of such trivial significance that the customer would be 
unconcerned with remediating them.\155\ At the same time, consistent 
with the GLBA, the rules are intended to protect against unauthorized 
access to or use of customer records or information which could result 
in substantial harm or inconvenience to any customer. Given the wide 
variety of ways that a data breach can injure a customer,\156\ and the 
potentially varied nature of those harms and inconveniences,\157\ the 
range of harms outlined in the proposed definition may be a useful 
starting point for this determination. A personal injury, financial 
loss, expenditure of effort, or loss of time, each could constitute a 
substantial harm or inconvenience depending on the particular facts and 
circumstances. Some examples of these harms could include theft, fraud, 
harassment, physical harm, impersonation, intimidation, damaged 
reputation, impaired eligibility for credit, or the misuse of 
information identified with an individual to obtain a financial product 
or service, or to access, log into, effect a transaction in, or 
otherwise misuse the individual's account.
---------------------------------------------------------------------------

    \155\ See Proposing Release at Section II.A.4.c.
    \156\ See Proposing Release at n.124.
    \157\ See, e.g., NASAA Comment Letter; IAA Comment Letter 1.
---------------------------------------------------------------------------

d. Timing Requirements
(1) General Timing Requirements
    Consistent with the proposal, the final amendments require covered 
institutions to provide notices to affected individuals as soon as 
practicable, but not later than 30 days, after becoming aware that 
unauthorized access to or use of customer information has occurred or 
is reasonably likely to have occurred, except under the limited 
circumstances discussed below.\158\ This approach reflects the goal of 
giving covered institutions adequate time to make an initial assessment 
of an incident and prepare and send notices to affected individuals, 
while helping to ensure that those individuals receive sufficient 
notice to protect themselves.
---------------------------------------------------------------------------

    \158\ See final rule 248.30(a)(4)(iii); see also section 
II.A.3.d(2) (discussing the national security and public safety 
delay to the notification timing requirements).
---------------------------------------------------------------------------

    A few commenters expressed support for the proposed notification 
timing requirements.\159\ As described above, these commenters viewed 
timeliness as important because any delay in notification could impact 
individuals' ability to take steps to protect themselves from the 
downstream impacts resulting from the unauthorized access to or use of 
their sensitive customer information.\160\ One commenter asserted that 
30 days after becoming aware of an incident is more than an ample 
amount of time for covered institutions to determine the scope of the 
compromised information and compile a list of affected customers that 
must be notified.\161\ Accordingly, this commenter suggested that the 
Commission should shorten the outside notification date from 30 days 
after becoming aware of a data security incident to 14 days, asserting 
that the longer an instance of identity theft goes undetected, the 
greater the damage that usually follows.
---------------------------------------------------------------------------

    \159\ EPIC Comment Letter; Better Markets Comment Letter.
    \160\ See supra section II.A.3.a.
    \161\ Better Markets Comment Letter.
---------------------------------------------------------------------------

    In contrast, some commenters objected to the proposed notification 
timing requirements because, in their view, it provided an insufficient 
amount of time to notify affected individuals.\162\ These commenters 
emphasized the logistical tasks associated with responding to an 
information breach, asserting that in some cases it would be impossible 
to accomplish these steps within 30 days.\163\ Commenters expressed 
that these steps often include remediating the security incident 
directly, conducting a risk assessment and investigation to determine 
what information may have been affected, obtaining the information 
needed to make notification to affected individuals, arranging identity 
protection services for affected individuals, and generating and 
delivering the notifications to affected individuals, all while 
simultaneously engaging in extensive communication with and oversight 
from senior management, the board of directors, and external parties 
(such as outside counsel, expert consultants, and regulators).\164\
---------------------------------------------------------------------------

    \162\ See, e.g., SIFMA Comment Letter 2; IAA Comment Letter 1; 
FSI Comment Letter; NASDAQ Comment Letter; CAI Comment Letter.
    \163\ For example, one commenter offered the example of a 
ransomware attack that successfully shuts down systems and requires 
significant remediation to recover backup systems, as well as 
rebuilding and redeploying essential systems prior to conducting a 
forensic investigation to determine the scope of data subject to 
unauthorized access or use. See CAI Comment Letter. According to 
this commenter, it would be practically impossible to accomplish 
these tasks within 30 days of becoming aware of a possible issue, as 
required under the proposed rules.
    \164\ See, e.g., CAI Comment Letter, NASDAQ Comment Letter; IAA 
Comment Letter 1.
---------------------------------------------------------------------------

    Some commenters also suggested that the proposed timing 
requirements would lead to covered institutions delivering unnecessary 
or incomplete notifications to customers, which would have the result 
of confusing or desensitizing customers to such notifications.\165\ 
Similarly, commenters expressed that requiring a covered institution to 
notify affected individuals before the covered institution has had time 
to fully assess an incident could result in incorrect or incomplete 
conclusions being drawn and

[[Page 47702]]

disclosed.\166\ One commenter suggested, for this reason, that notices 
would be subject to continuous revision during an ongoing 
investigation.\167\ Accordingly, commenters stated that the Commission 
should revise the proposal to allow more time for covered institutions 
to provide notices to affected individuals, asserting that premature, 
incomplete, or frequent notifications would ultimately mislead and 
confuse customers rather than provide clarity about an incident.\168\
---------------------------------------------------------------------------

    \165\ See, e.g., ACLI Comment Letter; AWS Comment Letter, NASDAQ 
Comment Letter.
    \166\ NASDAQ Comment Letter; AWS Comment Letter.
    \167\ AWS Comment Letter.
    \168\ ACLI Comment Letter; AWS Comment Letter, NASDAQ Comment 
Letter.
---------------------------------------------------------------------------

    Several commenters suggested alternatives to the proposed timing 
requirements.\169\ For instance, a few commenters urged the Commission 
to expand the 30-day outside date to 45 or 60 days, stating that this 
modification would allow more time for a proper investigation and 
notification process.\170\ In addition, a couple of commenters 
suggested that the rule should not specify a number of days at 
all.\171\ One of these commenters stated that simply requiring a 
covered institution to notify affected individuals as soon as possible 
after the conclusion of an investigation, without including an outside 
date timeframe, would permit appropriate notification in both simple 
cases--where notification in less than 30 days may be appropriate--and 
more complex cases--where it may take significantly longer to identify 
the appropriate notice population and prepare and deliver 
notifications.\172\
---------------------------------------------------------------------------

    \169\ See, e.g., IAA Comment Letter 1; FSI Comment Letter; 
Cambridge Comment Letter; Federated Comment Letter; SIFMA Comment 
Letter 2.
    \170\ See FSI Comment Letter; Cambridge Comment Letter; IAA 
Comment Letter 1.
    \171\ Federated Comment Letter; SIFMA Comment Letter 2.
    \172\ SIFMA Comment Letter 2.
---------------------------------------------------------------------------

    Some commenters suggested that the trigger for notification should 
be the completion of a reasonable investigation and conclusion of the 
incident response process following the actual or reasonably likely 
unauthorized access to or use of sensitive customer information, rather 
than the proposal's trigger of a covered institution ``becoming aware'' 
of a breach of customer information.\173\ These commenters stated this 
alternative would allow covered institutions sufficient time to engage 
in system and data analysis to determine what data was impacted and 
what individuals were affected. Moreover, some commenters stated that 
their suggested alternatives would harmonize the rule's approach to 
timing with existing data breach requirements and guidance, such as the 
Banking Agencies' Incident Response Guidance and some current State 
laws.\174\ Lastly, one commenter urged that the 30-day outside 
timeframe to provide notices should run from the time that the covered 
institution determines that an incident involved ``sensitive customer 
information,'' rather than ``customer information'' as proposed.\175\
---------------------------------------------------------------------------

    \173\ See SIFMA Comment Letter 2; ACLI Comment Letter; see also 
CAI Comment Letter (suggesting that a revised rule could require 
covered institutions to conduct a prompt investigation of potential 
incidents to address concerns about lengthy investigations unduly 
delaying customer notification.).
    \174\ See FSI Comment Letter; SIFMA Comment Letter 2 (suggesting 
conforming to Banking Agencies' Incident Response Guidance which 
does not mandate specific number of days to provide notices); see 
also IAA Comment Letter 1 (stating that ``over half of state data 
breach notification laws do not specify a number of days to report a 
breach and a majority of those states that do require notification 
allow for 45-60 days for reporting'').
    \175\ IAA Comment Letter 1 (suggesting that referring to 
``customer information,'' rather than ``sensitive customer 
information,'' in this part of the proposed rule was an inadvertent 
omission).
---------------------------------------------------------------------------

    After considering comments and alternatives suggested by 
commenters, we are adopting the final amendments as proposed. We 
considered the concern raised by commenters that it may be logistically 
challenging for covered institutions to provide notice to affected 
individuals within the proposed rule's notification timing 
requirements, particularly for more complex data breach incidents.\176\ 
We recognize that modifying the timing trigger in the rule to start 
after a covered institution has completed an investigation that comes 
to a definitive conclusion about the precise details of the breach, as 
suggested by some commenters, could avoid over-notification in cases 
where a covered institution is able to determine that a given 
individual's customer information ultimately was not affected after a 
lengthy investigation. We agree with commenters, however, that 
timeliness is important in the context of a breach of sensitive 
customer information because delay in notification would impact the 
ability of affected individuals to take measures to protect themselves. 
Accordingly, the final amendments maintain the proposed timing trigger 
of after the covered institution ``becomes aware'' that unauthorized 
access to or use of customer information has occurred or is reasonably 
likely to have occurred.\177\
---------------------------------------------------------------------------

    \176\ See, e.g., CAI Comment Letter; ACLI Comment Letter.
    \177\ While this ``becoming aware'' standard differs from the 
reporting trigger in the Public Company Cybersecurity Rules (which 
require public disclosure of public issuer cybersecurity incidents 
four business days from when an issuer determines that a 
cybersecurity incident that it has experienced is material), that 
difference is attributable to the different purposes underlying the 
rules. The Public Company Cybersecurity Rules were designed to 
inform investment and voting decisions and to reduce information 
asymmetry and mispricing in the market, and therefore tie public 
disclosure to an issuer making a determination that information 
about an incident would be material, meaning there would be a 
substantial likelihood that a reasonable shareholder would consider 
it important in making an investment decision. As we stated in that 
release, ``we reiterate, consistent with the standard set out in the 
cases addressing materiality in the securities laws, that 
information is material if `there is a substantial likelihood that a 
reasonable shareholder would consider it important' in making an 
investment decision, or if it would have `significantly altered the 
``total mix'' of information made available.' '' See Public Company 
Cybersecurity Rules. By contrast, the notice provisions under these 
final rules do not require covered institutions to make a 
materiality determination, and balance the need for timely 
notifications with a regime that allows for reasonable 
investigations to avoid over-notification by allowing covered 
institutions up to 30 days to conduct a reasonable investigation 
after becoming aware of an incident. In light of this 30-day window, 
and the fact that covered institutions are not required to make a 
materiality determination, there is less need for a trigger based on 
a determination standard, and greater risk of harm to affected 
individuals if customer notification were further delayed by 
requiring that a covered institution come to a determination before 
triggering the 30-day notification window.
---------------------------------------------------------------------------

    In addition, the final amendments adopt the proposed 30-day outside 
date. We disagree that the rule should not include a specified 
notification deadline, as such an approach would diminish the goal of 
providing customers (regardless of State residency) with early and 
consistent notification of data breaches so that they may take remedial 
action because many States do not have any specific deadline for 
sending notices or provide deadlines exceeding 30 days.\178\
---------------------------------------------------------------------------

    \178\ See infra section IV.D.1.b(2).
---------------------------------------------------------------------------

    We understand that there are a number of steps a covered 
institution may have to take after becoming aware of a data breach 
incident to determine if it has met the standard for providing notice. 
In the context of the final amendments, 30 days should be sufficient to 
conduct an initial assessment and notify affected individuals. While a 
covered institution may still be working towards remediating the breach 
after the 30-day timeframe, the final amendments require a covered 
institution to notify affected customers within the 30-day timeframe so 
that affected individuals may take measures to protect themselves. The 
final amendments remove the specific requirement in the proposal that 
the notice describe what has been done to protect the sensitive 
customer information from further

[[Page 47703]]

unauthorized access or use.\179\ This change will help address some of 
the timing and logistical concerns raised by commenters because the 
process of preparing the requisite notices will be less time intensive, 
such that, once a covered institution has made its initial assessment 
of the incident and determined the universe of affected individuals, it 
should possess the information necessary to provide the requisite 
notices.
---------------------------------------------------------------------------

    \179\ See final rule 248.30(a)(4)(iv); infra section II.A.3.e. 
(discussing in more detail the modification to the notice content 
requirements).
---------------------------------------------------------------------------

    In addition, with regard to the commenter concern that it may be 
logistically challenging to provide a notice within the rule's timing 
requirements in cases where a ransomware attack has denied the covered 
institution access to its systems,\180\ that comment does not account 
for the fact that, under the proposed and final amendments, covered 
institutions will now be required to have an incident response program 
that includes policies and procedures to, among other things, assess 
the nature and scope of any qualifying incidents, identify customer 
information systems and types of customer information that may have 
been accessed or used without authorization, and respond to and recover 
from those incidents.\181\ Thus, as proposed, consistent with the final 
amendments, covered institutions will need to anticipate and prepare 
for the possibility that they may be denied access to a particular 
system (such as in the ransomware example offered by one commenter) and 
have procedures in place for complying with the notice requirements 
when applicable.
---------------------------------------------------------------------------

    \180\ See CAI Comment Letter.
    \181\ See supra section II.A; final rule 248.30(a).
---------------------------------------------------------------------------

    Consistent with the proposal, the final amendments will require 
that covered institutions provide notices ``as soon as practicable,'' 
but not more than 30 days, after becoming aware that unauthorized 
access to or use of customer information has occurred or is reasonably 
likely to have occurred. The amount of time that would constitute ``as 
soon as practicable'' may vary based on several factors, such as the 
time required to assess, contain, and control the incident.\182\ The 
requirement to notify affected individuals as soon as practicable but 
not more than 30 days in the final amendments is consistent with the 
purposes of the GLBA and reflects the importance of expeditious 
notification. The amendments are designed to help ensure that customers 
receive notification in a timely manner. It would be contrary to this 
policy goal for a covered institution to unduly delay notification to 
customers, for example by delaying notice until it has definitively 
concluded that a data breach incident has occurred, because this could 
result in excessively delayed notifications that could unnecessarily 
hinder affected customers from engaging their own remedial measures to 
protect their data. A covered institution should act promptly and must 
not delay its initial assessment of the available details of the 
incident as delaying notices could deprive customers of the ability to 
take prompt action to protect themselves.
---------------------------------------------------------------------------

    \182\ For example, an incident of unauthorized access by a 
single employee to a limited set of sensitive customer information 
may take only a few days to assess, remediate, and investigate. In 
those circumstances a covered institution generally should provide 
notices to affected individuals at the conclusion of those tasks and 
as soon as the notices have been prepared. See Proposing Release at 
n.133.
---------------------------------------------------------------------------

    The 30-day outside timeframe under both the proposed and final 
rules begins following an incident involving customer information. This 
is consistent with the scope of the incident response program, which is 
required to address unauthorized access to or use of customer 
information. The outside timeframe does not begin from the time that 
the covered institution determines that an incident involved 
``sensitive customer information,'' as suggested by one commenter.\183\ 
The commenter's suggested modification would likely delay notification 
as compared to the final rule because covered institutions could take 
considerable time to determine that an incident involved sensitive 
customer information before the outside timeframe would begin and this 
could further delay any potential notice to affected individuals.
---------------------------------------------------------------------------

    \183\ IAA Comment Letter 1.
---------------------------------------------------------------------------

(2) National Security and Public Safety Delay
    The final amendments will allow covered institutions to delay 
providing notice if the Attorney General determines that the notice 
required under the final amendments poses a substantial risk to 
national security or public safety, and notifies the Commission of such 
determination in writing, in which case the covered institution may 
delay such notice for a time period specified by the Attorney General, 
up to 30 days following the date when such notice was otherwise 
required to be provided.\184\ Previously referred to as the ``law 
enforcement exception'' in the proposal, the national security and 
public safety delay has been expanded to incorporate risks related to 
public safety in addition to national security. In a modification of 
the proposal, in which the Attorney General would have informed only 
the covered institution in cases where this delay is granted, in the 
final amendments the Attorney General will instead inform the 
Commission, in writing, if the Attorney General determines that the 
notice poses a substantial risk to national security or public safety. 
This modification is designed to ensure that the Commission receives 
information related to a delay in notice in an efficient and timely 
manner. We have consulted with the Department of Justice to establish 
an interagency communication process to allow for the Attorney 
General's determination to be communicated to the Commission in a 
timely manner. The Department of Justice will notify the covered 
institution that communication to the Commission has been made so that 
the covered institution may delay providing the notice.
---------------------------------------------------------------------------

    \184\ See final rule 248.30(a)(4)(iii).
---------------------------------------------------------------------------

    In another change from the proposal, the notice may be delayed for 
an additional period of up to 30 days if the Attorney General 
determines that the notice continues to pose a substantial risk to 
national security or public safety and notifies the Commission of such 
determination in writing. In a further change in response to comments, 
in extraordinary circumstances, notice may be delayed for a final 
additional period of up to 60 days if the Attorney General determines 
that notice continues to pose a substantial risk to national security 
and notifies the Commission of such determination in writing. Beyond 
the final 60-day delay, if the Attorney General indicates that further 
delay is necessary, the Commission will consider additional requests 
for delay and may grant such delay through a Commission exemptive order 
or other action. By contrast, the proposed rules would have allowed a 
covered institution to delay notice only for an aggregate period of 30 
days following a written request from the Attorney General to the 
covered institution, upon the expiration of which the covered 
institution would have been required to provide notice immediately. The 
modification to the proposed rule is designed to respond to concerns 
raised by commenters.\185\
---------------------------------------------------------------------------

    \185\ The final amendments will align more closely with the 
Public Company Cybersecurity Rules on this point by incorporating a 
similar scope and timing for its national security and public safety 
delay.
---------------------------------------------------------------------------

    One commenter stated that a delay in notifying affected individuals 
for law enforcement activity may cause harm to

[[Page 47704]]

customers whose personal information has been exposed.\186\ In 
addition, this commenter asserted that notifying affected individuals 
would not impede a law enforcement investigation of the data security 
incident.
---------------------------------------------------------------------------

    \186\ Better Markets Comment Letter.
---------------------------------------------------------------------------

    Other commenters, however, urged the Commission to expand the 
proposed law enforcement exception because, in their view, the proposed 
exception was too narrowly drawn.\187\ Several of these commenters 
expressed concern that requests by local or State police, or even other 
Federal agencies, would not be sufficient to delay notification under 
the proposed rule.\188\ Some commenters stated concerns about the 
feasibility and process of reaching out to the Attorney General to 
request a delay in support of expanding the exception to permit other 
law enforcement agencies to direct a covered institution to delay a 
notice.\189\ Commenters also expressed particular concern around 
competing requirements, noting that many State regulations include a 
more permissive delay and that covered institutions, in an effort to 
comply with the proposed exception, may be put into the difficult and 
unnecessary position of being subject to conflicting requirements from 
the Commission and a State law enforcement entity.\190\ Further, 
commenters articulated that the proposed exception is excessively 
narrow because it only accommodates law enforcement actions that 
address concerns that rise to the level of ``national security.'' \191\
---------------------------------------------------------------------------

    \187\ See, e.g., IAA Comment Letter 1; SIFMA Comment Letter 2; 
NASDAQ Comment Letter; CAI Comment Letter; FII Comment Letter.
    \188\ See, e.g., CAI Comment Letter; ICI Comment Letter 1; FII 
Comment Letter; SIFMA Comment Letter 2 (suggesting that the proposed 
law enforcement exception should also contemplate foreign law 
enforcement and include cooperation with international authorities).
    \189\ See ICI Comment Letter; SIFMA Comment Letter 2.
    \190\ See, e.g., ICI Comment Letter 1; NASDAQ Comment Letter; 
FII Comment Letter; IAA Comment Letter 1 (viewing the proposed 
exception as creating broader security risks for clients and 
advisers and forcing an adviser to choose between disregarding a law 
enforcement request or violating the rule).
    \191\ CAI Comment Letter; ICI Comment Letter 1; SIFMA Comment 
Letter 2.
---------------------------------------------------------------------------

    In addition to concerns regarding the scope of the proposed law 
enforcement exception, several commenters opposed the length of time 
that a covered institution would be permitted to delay notice under the 
proposed rule.\192\ These commenters suggested that there should be no 
outside time limitation on the proposed law enforcement exception, 
asserting that the judgment of any law enforcement agency investigating 
a breach should be an adequate and respected basis for delaying a 
regulatory notice regarding such breach. Commenters urged the 
Commission to expand the scope and timing requirements of the proposed 
law enforcement exception, expressing that they failed to understand 
the public purpose that would be served by ignoring the request of a 
law enforcement agency to delay notification.\193\
---------------------------------------------------------------------------

    \192\ See, e.g., IAA Comment Letter 1; ICI Comment Letter 1; 
NASDAQ Comment Letter; SIFMA Comment Letter 2; CAI Comment Letter.
    \193\ See, e.g., IAA Comment Letter 1; NASDAQ Comment Letter; 
see also SIFMA Comment Letter 2 (stating its view that only for a 
limited number of cases would delay be requested or mandated by 
other government entities, or court orders, so notification delays 
would not become routine or be otherwise abused).
---------------------------------------------------------------------------

    In response to commenters' concerns, we have broadened both the 
scope and timing requirements of the delay in the final amendments. The 
final amendments will allow covered institutions to delay notice in 
cases where disclosure would pose a substantial risk to national 
security or public safety, contingent on a written notification by the 
Attorney General to the Commission.\194\ This provision has been 
expanded to incorporate risks related to public safety, and not just 
national security, as proposed. This expansion allows for notice delay 
in scenarios where there may be significant risk of harm from 
disclosure; however, there may not be a substantial risk to national 
security. This modification should make the provision sufficiently 
expansive to protect against significant risks of harm from 
disclosure--such as the risk of alerting malicious actors targeting 
critical infrastructure that their activities have been discovered--
while also helping to ensure that individuals are not unduly denied 
timely access to information about the unauthorized access to or use of 
their sensitive customer information.
---------------------------------------------------------------------------

    \194\ A covered institution requesting that the Attorney General 
determine that notification under the rule would pose a substantial 
risk to national security or public safety does not change the 
covered institution's obligation to provide notice to affected 
customers within the timing required under the final amendments. 
This is because the rule permits a delay only upon the Attorney 
General making that determination and communicating it to the 
Commission in writing.
---------------------------------------------------------------------------

    With respect to commenters who recommended that other Federal 
agencies, State and local law enforcement agencies, and foreign law 
enforcement authorities also be permitted to trigger a delay or 
suggested that the perceived limited nature of this delay would cause 
conflict with State authorities, the rule does not preclude any such 
entity from requesting that the Attorney General determine that the 
disclosure poses a substantial risk to national security or public 
safety and communicate that determination to the Commission. 
Designating a single law enforcement agency as the point of contact for 
both the covered institution and the Commission on such delays is 
critical to ensuring that the rule is administrable. Some commenters 
stated concerns about the feasibility and process of reaching out to 
the Attorney General to request a delay, urging the Commission to 
expand the delay to apply to requests made by other law enforcement 
agencies in addition to the Attorney General. The FBI, in coordination 
with the Department of Justice, has since provided guidance on how 
firms can request disclosure delays for national security or public 
safety reasons in connection with the Public Company Cybersecurity 
Rules.\195\ To the extent needed, further guidance may be issued on how 
other law enforcement agencies may contact the Department of Justice to 
request a delay.
---------------------------------------------------------------------------

    \195\ See FBI Guidance to Victims of Cyber Incidents on SEC 
Reporting Requirements, available at: https://www.fbi.gov/investigate/cyber/fbi-guidance-to-victims-of-cyber-incidents-on-sec-reporting-requirements.
---------------------------------------------------------------------------

    The final amendments also will expand the amount of time that a 
covered institution can delay notice under this provision. However, we 
are not persuaded, as some commenters suggested, that the rules should 
not incorporate a timing component at all because such an approach 
would diminish the goal of providing customers (regardless of State 
residency) with timely and consistent notification of data breaches so 
that they may take remedial action. This includes permitting, in 
extraordinary circumstances, a delay for a final additional period of 
up to 60 days--following two previous 30-day extensions--if the 
Attorney General determines that disclosure continues to pose a 
substantial risk to national security and notifies the Commission of 
such determination in writing. We are providing for this additional 
delay period in the final amendments, beyond what was originally 
proposed, and in addition to the two 30-day delays that may precede it, 
in recognition that, in extraordinary circumstances, national security 
concerns may justify additional delay beyond that warranted by public 
safety concerns, due to the relatively more critical nature of national 
security concerns.\196\ Beyond the final 60-day

[[Page 47705]]

delay, if the Attorney General indicates to the Commission in writing 
that further delay is necessary, the covered institution can request an 
additional delay that the Commission may grant through exemptive order 
or other action. These modifications acknowledge that additional time 
beyond that proposed may be necessary, as called for by commenters, 
while balancing national security and public safety concerns against 
affected individuals' informational needs.
---------------------------------------------------------------------------

    \196\ Under the proposal, in contrast, the covered institution 
could delay a notice if the Attorney General informed the covered 
institution, in writing, that the notice poses a substantial risk to 
national security. The proposal provided that the covered 
institution could delay such a notice for a time period specified by 
the Attorney General, but not for longer than 15 days, plus an 
additional period of up to 15 days if the Attorney General 
determines that the notice continues to pose a substantial risk to 
national security.
---------------------------------------------------------------------------

e. Notice Contents and Format
    The final amendments, consistent with the proposal, require that 
notices include key information with details about the incident, the 
breached data, and how affected individuals can respond to the breach 
to protect themselves. This requirement is designed to help ensure that 
covered institutions provide basic information to affected individuals 
that will help them avoid or mitigate substantial harm or 
inconvenience. In a modification from the proposal, however, the final 
amendments will not require the notice to ``[d]escribe what has been 
done to protect the sensitive customer information from further 
unauthorized access or use.''
    Some of the information required by the final amendment, including 
information regarding a description of the incident, and the type of 
sensitive customer information accessed or used without authorization, 
will provide affected individuals with basic information to help them 
understand the scope of the incident and its potential ramifications. 
As proposed, the final amendments will require covered institutions to 
include contact information sufficient to permit an affected individual 
to contact the covered institution to inquire about the incident, 
including a telephone number (which should be a toll-free number if 
available), an email address or equivalent method or means, a postal 
address, and the name of a specific office to contact for further 
information and assistance, so that affected individuals can easily 
seek additional information from the covered institution. All of this 
information may help affected individuals assess the risk posed by the 
incident and whether to take additional measures to protect against 
harm from unauthorized access or use of their information.
    Similarly, as proposed, the final amendments will require 
information regarding the date of the incident, the estimated date of 
the incident, or the date range within which the incident occurred, if 
such information is reasonably possible to determine at the time the 
notice is provided. This requirement reflects the reality that a 
covered institution may have difficulty determining a precise date 
range for certain incidents because it may only discover an incident 
well after an initial time of access.\197\
---------------------------------------------------------------------------

    \197\ See Proposing Release at n.142.
---------------------------------------------------------------------------

    In addition, as proposed, the final amendments will require that 
covered institutions include certain information to assist affected 
individuals in evaluating how they should respond to the incident. 
Specifically, if the affected individual has an account with the 
covered institution, the final amendments will require the notice to 
recommend that the customer review account statements and immediately 
report any suspicious activity to the covered institution. The final 
amendments will also require the notice to explain what a fraud alert 
is and how an affected individual may place a fraud alert in credit 
reports. Further, the final amendments will require that the notice 
recommend that the affected individual periodically obtain credit 
reports from each nationwide credit reporting company and that the 
individual have information relating to fraudulent transactions 
deleted. The notice must also explain how a credit report can be 
obtained free of charge. Lastly, the final amendments require that 
notices include information regarding FTC and usa.gov guidance on steps 
an affected individual can take to protect against identity theft, a 
statement encouraging the individual to report any incidents of 
identity theft to the FTC, and the FTC's website address. These 
specific requirements are designed to give affected individuals 
resources and additional information to help them evaluate how they 
should respond to the incident.
    As proposed, under the final rules covered institutions will be 
required to provide the information specified in the final amendments 
in each required notice. While we recognize that relevant information 
may vary based on the facts and circumstances of the incident, 
customers will benefit from the same minimum set of basic information 
in all notices. Accordingly, the final amendments will permit covered 
institutions to include additional information but will not permit 
omission of the prescribed information. In addition, the final 
amendments will require covered institutions to provide notice in a 
clear and conspicuous manner and by means designed to ensure that the 
customer can reasonably be expected to receive actual notice in 
writing.\198\ Pursuant to 17 CFR 248.3, notices will therefore be 
required to be reasonably understandable and designed to call attention 
to the nature and significance of the information required to be 
provided in the notice.\199\ To the extent that a covered institution 
includes information in the notice that is not required to be provided 
to customers under the final amendments or provides notice 
contemporaneously with other disclosures, the covered institution will 
still be required to ensure that the notice is designed to call 
attention to the important information required to be provided under 
the final amendments; the inclusion of any additional information in 
the notice may not prevent the required information from being 
presented in a clear and conspicuous manner. The requirement to provide 
notices in writing, further, will ensure that customers receive the 
information in a format appropriate for receiving important 
information, with accommodation for those customers who agree to 
receive the information electronically.\200\ These requirements are 
designed to help ensure that customers are provided informative 
notifications and alerted to their importance.
---------------------------------------------------------------------------

    \198\ See final rule 248.30(a)(4)(i); see also 17 CFR 248.9(a) 
(delivery requirements for privacy and opt out notices) and 17 CFR 
248.3(c)(1) (defining ``clear and conspicuous'').
    \199\ See 17 CFR 248.3(c)(2) (providing examples explaining what 
is meant by the terms ``reasonably understandable'' and ``designed 
to call attention'').
    \200\ This requirement to provide notice ``in writing'' could be 
satisfied either through paper or, for customers who agree to 
receive information electronically, though electronic means 
consistent with existing Commission guidance on electronic delivery 
of documents. See Use of Electronic Media by Broker Dealers, 
Transfer Agents, and Investment Advisers for Delivery of 
Information; Additional Examples Under the Securities Act of 1933, 
Securities Exchange Act of 1934, and Investment Company Act of 1940 
[61 FR 24644 (May 15, 1996)]; Use of Electronic Media, [65 FR 25843 
(May 4, 2000)].
---------------------------------------------------------------------------

    Several commenters broadly supported the proposed notice contents 
and format requirements.\201\ One commenter stated that the provision 
will lead to notices that contain important information in a clear and 
conspicuous manner, which will allow affected individuals to assess the 
risk of the incident paired with guidance on

[[Page 47706]]

potential protective measures to take.\202\ Another commenter agreed 
with the proposed approach of requiring notices to contain certain 
information but not prescribing the specific format for the notices, 
asserting that this approach will ``make it easier for covered 
institutions to fulfill all their notice obligations under Federal and 
State laws with as few notice documents as possible (ideally through a 
single notice to all affected customers nationwide).'' \203\
---------------------------------------------------------------------------

    \201\ See, e.g., Better Markets Comment Letter, IAA Comment 
Letter 1; NASAA Comment Letter.
    \202\ Better Markets Comment Letter (stating that the provision 
``avoids some common problems with the content of many data breach 
notifications, such as confusing language, a lack of details, and 
insufficient attention to the practical steps customers should take 
in response.'').
    \203\ See NASAA Comment Letter (stating that ``[b]eing 
prescriptive here could potentially create inconsistencies with 
current or future State notice laws, which in turn could cause 
covered institutions to feel compelled to deliver entirely 
duplicative notices to customers simply for reasons of form. 
Customers should not be burdened in this way, and the Reg. S-P 
Proposal rightly takes this into account.'').
---------------------------------------------------------------------------

    Conversely, a few commenters opposed certain aspects of the notice 
content and format requirements.\204\ One commenter expressed concern 
related to the proposed requirement for covered institutions to include 
in the notice specific efforts they have taken to protect the sensitive 
customer information from further unauthorized access or use.\205\ This 
commenter articulated that this information could be extremely useful 
to threat actors and not particularly useful to affected 
individuals.\206\ Another commenter urged the Commission to remove the 
requirement for covered institutions to provide ``the date of the 
incident, the estimated date of the incident, or the date range,'' 
asserting that this specific information is not required by the Banking 
Agencies' Incident Response Guidance and should not be included in an 
amended Regulation S-P.\207\ In addition, two commenters suggested that 
the final amendments should provide more flexibility for covered 
institutions to determine the manner and method in which they should be 
contacted by affected individuals inquiring about an incident.\208\ 
Lastly, one commenter urged the Commission to consider whether it 
should require specific notice obligations at all, asserting that 
Federal notice would simply add another layer on top of existing State 
data breach notice requirements and would offer limited benefits to 
affected individuals.\209\
---------------------------------------------------------------------------

    \204\ See, e.g., CAI Comment Letter; ICI Comment Letter 1; IAA 
Comment Letter.
    \205\ IAA Comment Letter 1.
    \206\ Id. (further stating that in many cases ``the adviser will 
have already remediated the vulnerability, making the information 
even less relevant to a client's decision.'').
    \207\ ICI Comment Letter 1.
    \208\ CAI Comment Letter; SIFMA Comment Letter 2 (asserting that 
the rule should not require each of a telephone number, an email 
address, a postal address and a specific office contact, but rather 
should allow covered institutions to choose one or more of those 
contact options based on how the covered institution normally 
interacts with its customers).
    \209\ See CAI Comment Letter; see also NASDAQ Comment Letter 
(asserting that covered institutions ``should be permitted to comply 
with various State and Federal cybersecurity notification 
obligations with a single streamlined form.'').
---------------------------------------------------------------------------

    After considering comments, we are removing the specific 
requirement in the proposal that the notice ``[d]escribe what has been 
done to protect the sensitive customer information from further 
unauthorized access or use.'' We agree that this information has the 
potential to advantage threat actors and does not provide actionable 
information for affected individuals. Accordingly, the provision has 
been removed from the final amendments, which should reduce the 
perceived risk of providing a roadmap for threat actors compared with 
the proposal. Covered institutions may, however, voluntarily disclose 
details related to the incident's remediation status.
    The final amendments do not modify the proposed requirement for 
covered institutions to provide information about the date of the 
incident, as suggested by one commenter.\210\ Providing this 
information to affected individuals, to the extent the information is 
reasonably possible to determine, can help affected individuals 
identify the point in time in which their sensitive customer 
information was compromised, thus providing critical details that 
affected individuals can use to take targeted protective measures 
(e.g., review account statements) to mitigate the potential harm that 
could result from the unauthorized access to or use of their sensitive 
customer information. For this reason, we disagree with the commenter 
that stated firms should not be required to provide this information in 
their notice.
---------------------------------------------------------------------------

    \210\ ICI Comment Letter 1.
---------------------------------------------------------------------------

    Similarly, the final amendments do not modify the requirement for 
notices to include the prescribed contact information sufficient to 
permit an affected individual to contact the covered institution to 
inquire about the incident. We understand that covered institutions 
communicate with their customers using many different methods and 
formats. However, providing a telephone number, an email address or 
equivalent method or means (e.g., an online submission form), a postal 
address, and the name of a specific office to contact, is designed to 
provide sufficient optionality for affected individuals, who may have 
differing preferences and aptitudes in their use of contact 
methods.\211\ Nothing in this requirement, however, prevents a covered 
institution from choosing to provide additional contact methods.
---------------------------------------------------------------------------

    \211\ In addition, the final rule's requirement to provide 
contact information sufficient to permit an affected individual to 
inquire about the incident does not preclude a covered institution 
from providing the contact information of a third-party service 
provider that has been engaged by the covered institution to provide 
specialized information or assistance about the unauthorized access 
or use of sensitive customer information on the covered 
institution's behalf. See CAI Comment Letter (asserting that it is 
current business practice for companies to hire vendors who provide 
specialized breach response call centers to handle consumer 
inquiries).
---------------------------------------------------------------------------

    Lastly, the final amendments do not prescribe a specific format for 
the notice to affected customers. We agree with the commenter that 
asserted that such flexibility will make it easier for covered 
institutions to provide notices that meet the requirements of the final 
amendments while also meeting the requirements of other notice 
obligations, such as certain State requirements, and thereby mitigates 
commenter concerns about the potential for more than one notice 
covering a given incident.
4. Service Providers
    The final amendments require that each covered institution's 
incident response program include the establishment, maintenance, and 
enforcement of written policies and procedures reasonably designed to 
require oversight, including through due diligence on and monitoring, 
of service providers, including to ensure that the covered institution 
satisfies the customer notification requirements set forth in paragraph 
(a)(4) of the final amendments.\212\ In a modification from the 
proposal, rather than requiring written policies and procedures 
requiring the covered institution to enter into a written contract with 
its service providers to take certain appropriate measures, the 
policies and procedures required by the final amendments must be 
reasonably designed to ensure service providers take appropriate 
measures to: (A) protect against unauthorized access to or use of 
customer information; and (B) provide notification to the covered 
institution as soon as possible, but no later than 72 hours after 
becoming aware of a breach in security has occurred resulting in 
unauthorized access to a customer information system maintained by the 
service provider.\213\

[[Page 47707]]

In a modification from the proposal, upon receipt of such notification, 
a covered institution must initiate its incident response program 
pursuant to paragraph (a)(3) of this section.\214\ The final amendments 
thus modify the proposal by removing the written contract requirement 
and shifting the notification deadline for the service provider's 
notification of the covered institution from 48 to 72 hours, while 
retaining the notice trigger of the service provider ``becoming aware 
of'' a breach in security resulting in unauthorized access to a 
customer information system maintained by the service provider.\215\
---------------------------------------------------------------------------

    \212\ See final rule 248.30(a)(5)(i).
    \213\ See id. In the proposal, the covered institution's written 
contract with its service provider would have needed to require the 
service providers to take appropriate measures designed to protect 
against unauthorized access to or use of customer information, 
including notification to the covered institution as soon as 
possible, but no later than 48 hours after becoming aware of a 
breach in security resulting in unauthorized access to a customer 
information system maintained by the service provider to enable the 
covered institution to implement its response program. See proposed 
rule 248.30(b)(5)(i).
    \214\ See id. As discussed further below, this modification 
responds to comments by incorporating into rule text the 
Commission's intention that covered institutions would 
``expeditiously'' implement their incident response program 
following the receipt of such notification from a service provider, 
as discussed in the Proposing Release. See infra footnote 223 and 
accompanying discussion on clarifying modifications. See also 
Proposing Release at Section II.A.3.
    \215\ See final rule 248.30(a)(5)(i).
---------------------------------------------------------------------------

    However, the Commission is adopting as proposed final amendments 
that provide that a covered institution, as part of its incident 
response program, may enter into a written agreement with its service 
provider to notify affected individuals on the covered institution's 
behalf in accordance with paragraph (a)(4) of the final 
amendments.\216\ In a modification from the proposal, the final 
amendments provide that even where a covered institution uses a service 
provider in accordance with paragraphs (a)(5)(i) and (ii) of the final 
amendments, the covered institution's obligation to ensure that 
affected individuals are notified in accordance with paragraph (a)(4) 
of the final amendments rests with the covered institution.\217\
---------------------------------------------------------------------------

    \216\ See final rule 248.30(a)(5)(ii).
    \217\ See final rule 248.30(a)(5)(iii). As discussed further 
below, this modification is intended to clarify covered 
institutions' responsibilities under the final amendments by 
incorporating into rule text the Commission's intended scope, as 
discussed in the Proposing Release. See discussion on Delegation of 
Notice and Covered Institutions' Customer Notification Obligations 
infra Section II.A.4.c. and footnote 264, including accompanying 
discussion on clarifying modifications.
---------------------------------------------------------------------------

    Finally, the Commission is also defining a ``service provider'' at 
adoption to mean any person or entity that receives, maintains, 
processes, or otherwise is permitted access to customer information 
through its provision of services directly to a covered 
institution.\218\ As discussed further below, this definition removes 
language from the proposed definition relating to third parties, but 
does so solely to make plain that the definition of a ``service 
provider'' can include affiliates of a covered institution.\219\
---------------------------------------------------------------------------

    \218\ See final rule 248.30(d)(10).
    \219\ As stated below, this modification from the proposal 
responds to comments by incorporating into rule text the 
Commission's intended scope of the ``service provider'' definition, 
as discussed in the Proposing Release. See discussion on the Service 
Provider definition infra footnote 271, including accompanying 
discussion on clarifying modifications. See also proposed rule 
248.30(e)(10).
---------------------------------------------------------------------------

a. Covered Institutions' Incident Response Program Obligations 
Regarding Service Providers
    In a change from the proposed rule, the Commission is adopting the 
final amendments without requiring covered institutions to enter into a 
written contract with their service providers.\220\ Instead, the final 
amendments require that a covered institution's incident response 
program ``include the establishment, maintenance, and enforcement of 
written policies and procedures reasonably designed to require 
oversight, including through due diligence and monitoring, of the 
covered institution's service providers, including to ensure that the 
covered institution notifies affected individuals as set forth in 
paragraph (a)(4),'' in the event of a breach at the service 
provider.\221\ Further, while the final amendments do not require 
covered institutions to enter into a written contract, the final 
amendments incorporate the protections that would have been required in 
the proposed written contract \222\ by requiring that a covered 
institution's policies and procedures be reasonably designed to ensure 
service providers take the appropriate measures to: (A) protect against 
unauthorized access to or use of customer information, and (B) provide 
notification to the covered institution in the event of a breach 
resulting in unauthorized access to a customer information system 
maintained by the service provider, in accordance with the timing and 
notice trigger conditions discussed further below. Finally, in a 
modification from the proposal, upon receipt of such notification, a 
covered institution must initiate its incident response program adopted 
pursuant to paragraph (a)(3) of this section.\223\
---------------------------------------------------------------------------

    \220\ See proposed rule 248.30(b)(5)(i). See also supra footnote 
213 and accompanying discussion.
    \221\ See final rule 248.30(a)(5)(i). In the Proposing Release, 
we requested comment on whether the proposed written contract 
requirement should instead require that a covered institution adopt 
policies and procedures that ``require due diligence of or some type 
of reasonable assurances from its service providers.'' See Proposing 
Release at section II.A.3. We also encouraged commenters to review 
our separate proposal to prohibit registered investment advisers 
from outsourcing certain services or functions without first meeting 
minimum due diligence and monitoring requirements to determine 
whether that proposal might affect their comments on the Proposing 
Release. See Proposing Release at section G.2, n.300; see also 
Outsourcing by Investment Advisers, Investment Advisers Act Release 
No. 6176 (Oct. 26, 2022) [87 FR 68816 (Nov. 16, 2022)]. The due 
diligence standards we are adopting are intended to address related 
concerns raised by commenters who requested that we adopt a more 
principles-based set of requirements.
    \222\ See supra footnote 213 and accompanying discussion of the 
substantive obligations that were included in the proposal's written 
contract requirement.
    \223\ See final rule 248.30(a)(5)(i).
---------------------------------------------------------------------------

    Two commenters expressed varying degrees of support for requiring a 
written contract between a covered institution and its service 
providers.\224\ One such commenter expressed support for requiring a 
specific contractual agreement with a service provider, stating that 
the information covered by the service provider provision is already 
subject to a contractual agreement between the covered institution and 
the service provider.\225\ The other commenter agreed that service 
providers should be contractually required to take appropriate risk-
based measures and due diligence to protect against unauthorized access 
to or use of customer information, but suggested that for flexibility 
in oversight covered institutions should be permitted to rely on 
``reasonable assurances'' from service providers that they have taken 
appropriate measures to protect customer information.\226\
---------------------------------------------------------------------------

    \224\ See ICI Comment Letter. While this commenter supported a 
written contract requirement, it did assert that the Commission 
should adopt a longer compliance period due to the necessity of 
renegotiating existing contracts with service providers to align the 
breach notification provisions in those contracts to the rule's 
requirements. This comment is separately addressed below. See also 
SIFMA Comment Letter 2.
    \225\ See ICI Comment Letter. Specifically, this commenter 
stated that the information that is covered by proposed rule 
248.30(b)(5) ``is already subject to a contractual agreement between 
the covered institution and the service provider.'' Id. This 
commenter further explained it is opposing the contractual 
requirement because of its very narrow scope, specifically stating 
that ``as drafted, [the requirement] would only apply to any service 
provider that receives, maintains, processes, or otherwise is 
permitted access to customer information through the service 
provider's provision of services directly to the covered 
institution.'' Id.
    \226\ See SIFMA Comment Letter 2.

---------------------------------------------------------------------------

[[Page 47708]]

    Several commenters opposed this proposed requirement.\227\ 
Specifically, two commenters asserted that the written contract 
requirement would harm covered institutions, which may not have the 
negotiating power or leverage to demand specific contractual provisions 
from large third-party service providers, particularly where specific 
provisions are ``inconsistent with the business imperatives'' of the 
service provider and/or in the case of small covered institutions.\228\ 
A number of commenters also suggested alternatives to either adopting a 
written contract requirement or, if such a requirement is adopted, to 
mandating specified contractual requirements.\229\ Two commenters 
suggested that rather than requiring specific practices to be included 
within a written contract, the Commission should structure the final 
amendments to enable covered institutions to take a risk-based approach 
to due diligence and third-party risk management that integrates 
reliance on independent certifications, attestations, and industry 
standards as a sufficient means of assessing and determining whether 
the service provider is appropriately addressing these risks to an 
adequate standard.\230\ Meanwhile, another commenter who opposed the 
contractual requirement suggested the Commission should provide covered 
institutions with the flexibility to oversee their service providers 
``based on the nature and size of their businesses and in light of the 
risks posed by the facts and circumstances.'' \231\ Finally, one 
commenter suggested that it was unclear how a third-party service 
provider's notice to a covered institution would affect a covered 
institution's own obligations.\232\
---------------------------------------------------------------------------

    \227\ See, e.g., AWS Comment Letter; IAA Comment Letter 1 
(stating that [covered institutions] should not be required to enter 
into written agreements with service providers); Google Comment 
Letter; STA Comment Letter 2; and CAI Comment Letter (stating that 
many leading service providers (such as cloud service providers) do 
not negotiate the standard terms of their services with customers 
and those standard terms generally would not meet the proposed 
contractual requirements).
    \228\ See IAA Comment Letter 2; see also STA Comment Letter 2.
    \229\ See SIFMA Comment Letter 2; AWS Comment Letter; Google 
Comment Letter; and IAA Comment Letter 1.
    \230\ See AWS Comment Letter (suggesting that in order to 
address the practical difficulties of compliance, the Commission 
should provide covered institutions with a flexible approach to 
achieving compliance with the service provider provisions that 
relies on the use of independent certifications, attestations, and 
adherence to industry standards); see also Google Comment Letter 
(suggesting that rather than prescribing the specific practices that 
must be included in the contract, (a) contracts should require 
service providers to implement and maintain appropriate measures 
that are consistent with industry standards, and (b) each covered 
entity should oversee its providers to assess if the provider 
addresses the relevant practices to an adequate standard--noting 
this activity can be supported with third party certifications and 
standards).
    \231\ See IAA Comment Letter 1.
    \232\ See ACLI Comment Letter.
---------------------------------------------------------------------------

    Eliminating the written contract requirement from the final 
amendments, while enhancing the policies and procedures obligation, 
strikes an appropriate balance between providing covered institutions 
with greater flexibility in achieving compliance with the requirements 
of this rule within the context of their service provider 
relationships, while also helping to ensure the investor protections 
afforded by the final amendments are maintained when covered 
institutions utilize service providers.
    In particular, as adopted, the enhanced policies and procedures 
obligations will enable covered institutions to identify and utilize 
the most appropriate means for their business of achieving compliance 
with the final amendments through policies and procedures reasonably 
designed to require oversight, including through due diligence and 
monitoring, of their service providers. Providing this flexibility will 
help address commenters' concerns about imposing a written contractual 
agreement for covered institutions, particularly those that are small 
entities, which may not have sufficient negotiating power or leverage 
to demand specific contractual provisions from a large third-party 
service provider. At the same time, the enhanced policies and 
procedures requirements will provide for effective safeguarding of 
customer information when it is received, maintained, processed, or 
otherwise accessed by a service provider, as well as timely notice to 
customers affected by a breach at a covered institution's service 
provider, by requiring that the policies and procedures be reasonably 
designed to: (1) require oversight, including through due diligence and 
monitoring, of service providers, including to ensure that the covered 
institution notifies affected individuals as required in paragraph 
(a)(4) and (2) ensure service providers take appropriate measures to 
protect against the unauthorized access to or use of customer 
information and provide covered institutions with timely notification 
of a breach so that the covered institution can carry out their 
incident response program.
    While the final amendments thus provide increased flexibility as to 
a covered institution's means of overseeing its service providers, the 
modification the Commission is making at adoption does not lower the 
standard of a covered institution's substantive oversight obligations. 
Some covered institutions may find that such oversight can be 
accomplished more easily and less expensively through less formal 
arrangements in certain circumstances, based on the covered 
institution's relationship with its service provider, as well as the 
scope of the services that are now or will be provided over the course 
of the relationship.\233\ However, regardless of the means and 
arrangements employed, the covered institution must ensure that any 
service provider it decides to utilize takes appropriate measures to 
(A) protect against unauthorized access to or use of customer 
information, and (B) provide breach notifications to the covered 
institution as required by these final amendments.
---------------------------------------------------------------------------

    \233\ Although a written contract is not required under the 
final amendments, covered institutions should generally consider 
whether a written contract that memorializes the expectations of 
both covered institutions and their service providers is 
appropriate.
---------------------------------------------------------------------------

    Further, while it may be helpful to a covered institution in 
achieving compliance with the final amendments to receive ``reasonable 
assurances'' from its service providers that they have taken 
appropriate measures to both protect customer information and provide 
timely notification to the covered institution in the event of a 
relevant breach of the service provider's customer information systems, 
reliance solely on such assurances may be insufficient depending on the 
facts and circumstances, for example when a covered institution knows, 
or has reason to know, that such assurance is inaccurate. Instead, the 
final rules require the establishment, maintenance, and enforcement of 
written policies and procedures reasonably designed to require 
oversight, including through due diligence and monitoring, of the 
service provider to ensure the covered institution will be able to 
satisfy the obligations of paragraph (a)(4). Further, covered 
institutions generally should consider reviewing and updating these 
policies and procedures periodically throughout their relationship with 
a service provider, including updates designed to address any 
information learned during the course of their monitoring.
    The final amendments provide covered institutions with flexibility 
in overseeing their service provider relationships, while helping to 
ensure the additional investor protections intended by these final 
amendments are

[[Page 47709]]

still achieved. Consistent with this risk-based approach, covered 
institutions may wish to consider employing such tools as independent 
certifications and attestations obtained from the service provider, as 
suggested by some commenters, as part of their policies and procedures 
to require oversight, including through due diligence and monitoring, 
of the service provider. However, the covered institution's written 
policies and procedures must be reasonably designed under the 
circumstances, and the covered institution's oversight of its service 
providers pursuant to those written policies and procedures generally 
should be tailored to the facts and circumstances of the two parties' 
relationship, which may or may not include the use of such tools.
    Further, as stated above, we are modifying the proposed rule to 
state that upon a covered institution's receipt of a service provider's 
notification, the covered institution must initiate its incident 
response program required by paragraph (a)(3) of the rule.\234\ The 
Commission is adopting this modification in response to comment 
requesting clarification of a covered institution's obligations upon 
receipt of service provider breach notifications.\235\ Further, this 
modification helps further align the final amendments with the intended 
purpose of the service provider's breach notifications, as discussed in 
the Proposing Release.\236\ While receipt of such notice automatically 
triggers the covered institution's obligation to initiate the 
procedures of its incident response program, such notice is not a 
necessary predicate to trigger this obligation for incidents occurring 
at the service provider. A covered institution also must initiate its 
incident response program where the covered institution has otherwise 
independently detected an incident of unauthorized access to or use of 
customer information at the service provider.\237\
---------------------------------------------------------------------------

    \234\ See final rule 248.30(a)(5)(i).
    \235\ See ACLI Comment Letter.
    \236\ This modification is consistent with the intended purpose 
of this notification, as discussed in the Proposing Release. See 
Proposing Release at Section II.A.3 stating that the purpose of 
breach notifications to be provided by service providers to a 
covered institution is ``to enable the covered institution to 
implement its incident response program expeditiously.''
    \237\ See final rule 248.30(a)(3). See also discussion on 
covered institutions' required Incident Response Program Including 
Customer Notification supra Section II.A.
---------------------------------------------------------------------------

    Finally, some commenters asked that we consider making any new 
obligations with respect to a written contract requirement forward-
looking so as not to disrupt contracts already in existence by 
requiring renegotiation, and that we should further extend the 
compliance date to address this.\238\ As we are adopting the rule 
without a written contract requirement, these comments have become 
moot.\239\
---------------------------------------------------------------------------

    \238\ See, e.g., Computershare Comment Letter; Google Comment 
Letter; ICI Comment Letter.
    \239\ See discussion of compliance date infra section II.F.
---------------------------------------------------------------------------

b. Deadline for Service Provider Notice to Covered Institutions and 
Notice Trigger
    As described above, the final amendments require that a covered 
institution's policies and procedures be reasonably designed to ensure 
service providers take appropriate measures to provide covered 
institutions with notice ``as soon as possible, but no later than 72 
hours after becoming aware of a breach in security has occurred 
resulting in unauthorized access to a customer information system 
maintained by the service provider.'' \240\ This modification extends 
the proposed timeframe for service providers to provide such notice to 
72 hours, but maintains the proposed notice triggering event to 
initiate this timeframe of the service provider becoming aware of a 
breach.'' \241\
---------------------------------------------------------------------------

    \240\ See final rule 248.30(a)(5)(i). In the proposed rule, such 
notice would have been required ``as soon as possible, but no later 
than 48 hours after becoming aware of a breach, in the event of any 
breach in security resulting in unauthorized access to a customer 
information system maintained by the service provider.'' See 
proposed rule 248.30(a)(5)(i).
    \241\ See Proposing Release at section II.A.3.
---------------------------------------------------------------------------

    Commenters addressed both the notification deadline and the 
triggering event for notifications to be provided by service providers 
to covered institutions in the event of a relevant breach involving 
unauthorized access to a customer information system maintained by the 
service provider. As to the notification deadline, one commenter 
supported requiring service providers to notify a covered institution 
within 48 hours of a breach impacting the covered institution or 
affected individuals, stating its understanding is that this is ``not 
an uncommon arrangement'' today between covered institutions and 
service providers maintaining their nonpublic personal information 
(e.g., between investment companies and transfer agents).\242\ Another 
commenter raised concerns that a standard of ``as soon as possible, but 
no later than 48 hours after becoming aware of a breach,'' when paired 
with a written contract requirement, might impose formidable challenges 
to covered institutions in mandating such contractual provisions with 
service providers who are not explicitly subject to Commission 
jurisdiction, and may have their own policies and procedures addressing 
breaches.\243\ Several commenters suggested the Commission adopt a 72-
hour notification deadline.\244\ In particular, one such commenter 
stated that this notification provision should be extended to ``as soon 
as possible but no later than 72 hours,'' to harmonize the Commission's 
standard with a number of related Federal, State, and international 
regulatory deadlines governing required service provider notification 
to financial institutions in the event of a cyber incident, and also 
further the White House's and Congress's express policy of harmonizing 
cyber incident reporting requirements.\245\ Finally, this commenter 
stated that a consistent 72-hour reporting deadline would promote more 
effective cybersecurity incident response and cyber threat information 
sharing than shorter, or varied reporting periods, and that a 48-hour 
deadline in the commenter's experience would lead to ``premature 
reporting'' that increases the likelihood of reporting inaccurate or 
incomplete information and tends to create confusion and 
uncertainty.\246\
---------------------------------------------------------------------------

    \242\ See ICI Comment Letter.
    \243\ See Computershare Comment Letter.
    \244\ See Letter from Microsoft Corporation (June 5, 2023) 
(``Microsoft Comment Letter''); AWS Comment Letter (this commenter 
``encourage[d] the Commission'' to consider a longer reporting 
deadline than 48 hours to ``support the dedication of resources 
needed to discover and mitigate potential harm caused by an 
incident,'' and highlighted the 72-hour reporting timeframe that 
``CIRCIA contemplates. . .for national critical infrastructure, 
including the financial services sector'' in the alternative.).
    \245\ See Microsoft Comment Letter (explaining that use of this 
72-hour reporting deadline would align the SEC's rules with other 
notification requirements that may apply to entities covered by the 
Proposed Rules, and identifying additional authorities that use the 
72-hour deadline, such as the CIRCIA, Pub. L. 117-103, 136 Stat. 49 
(2022); Executive Order 14028, ``Improving the Nation's 
Cybersecurity,'' 86 FR 26,633 (May 12, 2021), directing the Federal 
government to incorporate a 72-hour reporting period into the 
Federal Acquisition Regulation (``FAR''); the Defense Federal 
Acquisition Regulation Supplement (``DFARS''), 48 CFR 204.7302(b) 
and 252.204-7012(c); the New York State Department of Financial 
Services' (``NYDFS'') Cybersecurity Requirements for Financial 
Service Companies, 23 NYCRR section 500.17(a); the European Union's 
General Data Protection Regulation (``GDPR''), Regulation (EU) 2016/
679; and Article 23 of the EU's new Network and Information Security 
Directive (``NIS 2 Directive''), Directive (EU) 2022/2555).
    \246\ Id.
---------------------------------------------------------------------------

    In contrast, some commenters recommended modifying the proposal to 
remove any specified duration for a reporting deadline.\247\ Several

[[Page 47710]]

commenters suggested that rather than an inflexible time deadline, the 
Commission should require that notification be provided without 
unreasonable delay after a reasonable investigation has been performed 
by the service provider.\248\ Another commenter stated that rather than 
mandating any form of a deadline, the time period should be left to 
covered institutions and service providers to negotiate, accounting for 
the nature of services and customer data.\249\
---------------------------------------------------------------------------

    \247\ See, e.g., Schulte Comment Letter; SIFMA Comment Letter 2.
    \248\ See, e.g., SIFMA Comment Letter 2 (stating this 
modification would harmonize with the Proposed Interagency Guidance 
on Third-Party Relationships: Risk Management, 86 FR 38182, 38184 
(proposed July 19, 2021)); ACLI Comment Letter (stating this 
modification would harmonize service provider and covered entity 
requirements); and Federated Comment Letter.
    \249\ See Schulte Comment Letter. This commenter stated that by 
mandating a 48-hour limit, service providers would be ``left with 
the impractical challenge of allocating resources to making 
disclosures to counterparties (i) when resources could be better 
allocated to identifying and containing the scope of the data 
breach, and (ii) before the service provider has a complete picture 
of the impact of a data breach.'' See id.
---------------------------------------------------------------------------

    As to the triggering event requiring service providers to notify 
covered institutions of a relevant breach, one commenter urged the 
Commission to shift from the service provider ``becoming aware'' of a 
breach that entailed unauthorized access to customer information, to 
the service provider ``determining'' that such a breach had 
occurred.\250\ This commenter asserted that the process of ``becoming 
aware'' will involve time and resources to investigate and that 
changing to a ``determining'' standard may minimize pressure on the 
service provider to report prior to performing sufficient 
investigation, while helping harmonize regulatory approaches across the 
financial sector, as it would align with similar requirements adopted 
by Federal banking agencies related to notice provided by bank service 
providers.\251\ Another commenter stated the Commission should, in 
addition to shifting to a 72-hour reporting deadline, amend the trigger 
initiating this reporting deadline to the moment the service provider 
``has a reasonable basis to conclude that a notifiable incident has 
occurred or is occurring.'' \252\
---------------------------------------------------------------------------

    \250\ See Google Comment Letter.
    \251\ See Google Comment Letter (referencing Computer-Security 
Incident Notification Requirements for Banking Organizations and 
Their Bank Service Providers, available at: fdic.gov/news/board-matters/2021/2021-11-17-notational-fr.pdf?source=govdelivery&utm_medium=email&utm_source=govdelivery).
    \252\ See Microsoft Comment Letter.
---------------------------------------------------------------------------

    Other commenters suggested narrowing the scope of incidents that 
would trigger required notice by service providers to a covered 
institution.\253\ One commenter asserted that incident response program 
requirements should only address and be triggered by incidents that 
involve unauthorized access to or use of a subset of customer 
information (e.g., sensitive customer information).\254\ Another 
commenter stated that the proposal would result in notices to a covered 
institution if there has been unauthorized access to the service 
provider's customer information system, regardless of whether the 
covered institution's customers were in any way affected by the 
breach.\255\ Instead, the commenter stated that the Commission should 
limit the scope of incidents requiring notification to a covered 
institution to only those resulting in unauthorized access to that 
covered institution's ``customer information'' maintained by the 
service provider.\256\
---------------------------------------------------------------------------

    \253\ See Schulte Comment Letter; SIFMA Comment Letter 2.
    \254\ See Schulte Comment Letter.
    \255\ See SIFMA Comment Letter 2.
    \256\ See id.
---------------------------------------------------------------------------

    After consideration, the Commission is extending the deadline for 
providing notification from 48 to 72 hours. Although we appreciate that 
the 48-hour standard in the proposed amendments may not be an uncommon 
arrangement between covered institutions and their service providers in 
the market today, extending this deadline by 24 hours will provide 
service providers with additional time to conduct more effective 
investigations of a breach at the service provider, resulting in more 
relevant and accurate notifications to the covered institution. 
Further, the 72-hour standard brings this notification deadline in 
alignment with other existing regulatory standards, which should reduce 
costs to service providers and covered institutions without sacrificing 
the investor protection benefits of the rule.\257\
---------------------------------------------------------------------------

    \257\ As discussed above, a 72-hour reporting deadline aligns 
with, among others, requirements in CIRCIA that include a 72-hour 
deadline for entities to report cyber incidents to CISA, Executive 
Order 14028 on ``Improving the Nation's Cybersecurity,'' which 
directs the Federal government to incorporate a 72-hour reporting 
period into the FAR, the DFARS, NYDFS's cybersecurity regulations, 
which include a 72-hour reporting deadline to NYDFS after any 
determination that a cybersecurity incident has occurred at the 
covered entity, its affiliates, or a third-party service provider, 
the European Union's GDPR, as well as the European Union's NIS 2 
Directive. See discussion of Microsoft Comment Letter and cited 
regulatory frameworks supra footnote 245.
---------------------------------------------------------------------------

    The Commission disagrees that there should be no specified 
notification deadline and that covered institutions and service 
providers should be able to negotiate the appropriate timing for such 
notification. As discussed above, upon receipt of the breach 
notification from the service provider, a covered institution must 
initiate its incident response program adopted pursuant to paragraph 
(a)(3) of the final amendments.\258\ As covered institutions cannot 
reasonably be expected to initiate their incident response programs for 
incidents occurring at a service provider that the covered institution 
is not yet aware have occurred, providing the indefinite timeline 
commenters suggest could significantly hinder the effectiveness of 
covered institutions' incident response programs.\259\ For example, 
delays in the service provider's notification to the covered 
institution of a breach could result in further delays in the 
initiation of the incident containment and control procedures the 
covered institution has adopted pursuant to its incident response 
program obligations, consequently diminishing their effectiveness. 
Further, any excess delay in the service provider's notification to the 
covered institution and resulting delay in the covered institution's 
initiation of its incident response program, could significantly hinder 
the goal of the final amendments of providing customers with timely 
notification of data breaches so that they may take remedial action. In 
light of this, reasonably designed policies and procedures generally 
should also account for instances where the covered institution 
determines that a service provider has failed to provide notice to the 
covered institution within 72 hours as required. In such circumstances, 
in addition to initiating its incident response program upon receipt of 
the notice as required, a covered institution generally should 
reevaluate its policies and procedures governing its relationship with 
the service provider and make adjustments as necessary to ensure the 
service provider will take the required appropriate measures going 
forward.
---------------------------------------------------------------------------

    \258\ See supra footnote 237 and accompanying discussion.
    \259\ While a covered institution's receipt of such notice from 
a service provider establishes such awareness, as discussed above, 
where a covered institution has otherwise independently detected an 
incident of the unauthorized access to or use of customer 
information at the service provider, it must implement its incident 
response program under paragraph (a)(3) of the final amendments 
regardless of any notice provided by the service provider. See supra 
footnote 237 and accompanying discussion. See also final rule 
248.30(a)(3).
---------------------------------------------------------------------------

    Further, the Commission is adopting as proposed the ``becoming 
aware of'' standard for triggering a service provider's breach 
notifications to a covered institution. This standard is

[[Page 47711]]

intended to enable the covered institution to implement its incident 
response program expeditiously. While the Commission believes it is 
appropriate, as discussed above, to extend the timeframe for service 
provider notifications from 48 to 72 hours, adopting either a ``having 
a reasonable basis to conclude'' standard or a ``determining'' standard 
could frustrate the investor protection goals of these final 
amendments. Specifically, adopting either of these alternative 
standards could result in undue delays in a service provider's 
notification to the covered institution beyond the point at which the 
service provider is already aware that a relevant breach has occurred. 
Such a delay would frustrate the goal of both enabling covered 
institutions to initiate their incident response program expeditiously, 
as well as the goal of providing timely notification to affected 
individuals. For similar reasons, given that the ``determining'' 
standard used by Federal banking regulators involves a different 
context--notice to the banking organization of downgraded or degraded 
services--adopting it here solely to harmonize regulatory approaches 
would be inappropriate.\260\ Accordingly, the final amendments maintain 
the proposed ``becoming aware of'' standard for triggering a service 
provider's notification.
---------------------------------------------------------------------------

    \260\ Specifically, the Federal banking agency regulations 
require notification from the bank service provider to ``each 
affected banking organization customer as soon as possible when the 
bank service provider determines that it has experienced a computer-
security incident that has materially disrupted or degraded, or is 
reasonably likely to materially disrupt or degrade, covered services 
provided to the banking organization for four or more hours.'' See 
12 CFR 304.24(a).
---------------------------------------------------------------------------

    The Commission also is not limiting the scope of incidents to be 
reported to covered institutions to only those involving ``sensitive 
customer information'' or alternatively to breaches that result in 
unauthorized access to ``customer information'' maintained by the 
service provider rather than those that result in unauthorized access 
to a service provider's ``customer information system.'' Under the 
final amendments, a covered institution's incident response program 
must be reasonably designed to ``detect, respond to, and recover from 
unauthorized access to or use of customer information,'' and must 
include provisions to assess such incidents to ``identify the customer 
information systems and types of customer information that may have 
been accessed or used without authorization'' and take appropriate 
steps to ``contain and control the incident to prevent further 
unauthorized access to or use of customer information.'' \261\ As 
discussed above, in doing so, we are requiring that covered 
institutions' incident response programs address any incident involving 
customer information--not merely those involving sensitive customer 
information--and also account for the identification of affected 
customer information systems in addition to the types of customer 
information that may have been accessed or used without 
authorization.\262\ For the same reasons, we are not limiting the scope 
of reportable incidents to only those breaches in security at the 
service provider that result in unauthorized access to sensitive 
customer information, or alternatively to only those breaches that 
result in unauthorized access to ``customer information'' maintained by 
the service provider.
---------------------------------------------------------------------------

    \261\ See final rule 248.30(a)(3)(i) and (ii). See also 
discussion of the Assessment and Containment and Control portions of 
covered institutions' incident response program requirements supra 
sections II.A.1 and II.A.2.
    \262\ See discussion of incident response program Assessment and 
Containment and Control requirements, and the reasons for not 
restricting such requirements to only ``sensitive customer 
information'' supra Sections II.A.1 and II.A.2. See also discussion 
of incident response program Containment and Control requirements 
and the reasons for requiring identification of both the customer 
information systems as well as types of customer information that 
may have been accessed or used without authorization supra Section 
II.A.2.
---------------------------------------------------------------------------

c. Delegation of Notice and Covered Institutions' Customer Notification 
Obligations
    The Commission is adopting as proposed language that permits 
covered institutions, as part of their incident response programs, to 
enter into a written agreement with their service providers to notify 
affected individuals on the covered institution's behalf.\263\ However, 
the Commission is also adopting a new paragraph that states that, 
notwithstanding any covered institution's use of a service provider, 
the covered institution's obligation to ensure that affected 
individuals are notified in accordance with this rule rests with the 
covered institution.\264\
---------------------------------------------------------------------------

    \263\ See final rule 248.30(a)(5)(ii) (stating ``As part of its 
incident response program, a covered institution may enter into a 
written agreement with its service provider to notify affected 
individuals on its behalf in accordance with paragraph (a)(4) of 
this section.''); see also proposed rule 248.30(b)(5)(ii).
    \264\ See final rule 248.30(a)(5)(iii).
---------------------------------------------------------------------------

    One commenter stated that it is appropriate to permit a covered 
institution to enter into a written agreement with its service provider 
to notify affected individuals on the covered institution's behalf, so 
long as the notification is actually ultimately provided to customers 
in a manner that satisfies the covered institution's notice 
obligations.\265\ The Commission agrees that there may be situations 
where a covered institution's service provider is better situated than 
the covered institution to provide a customer a breach notification. 
Thus, the Commission is adopting paragraph (a)(5)(ii) as proposed.\266\
---------------------------------------------------------------------------

    \265\ See Schulte Comment Letter (stating that if the service 
provider was the victim of a cyber-attack that included unauthorized 
access to the covered institution's sensitive customer information, 
the service provider would be better situated to notify the affected 
customers).
    \266\ As discussed below infra footnote 391 and in the 
accompanying discussion, in accordance with the recordkeeping 
provisions adopted in these final amendments, covered institutions, 
other than funding portals, are required to preserve a copy of any 
notice transmitted by the service provider to any customer on the 
covered institution's behalf following the covered institution's 
determination made regarding whether notification is required 
pursuant to 17 CFR 248.30(a)(4). See also discussion of funding 
portal recordkeeping requirements infra footnote 385.
---------------------------------------------------------------------------

    At the same time, the Commission is adopting a new paragraph 
(a)(5)(iii) to specify that even where a covered institution uses a 
service provider, the obligation to ensure that affected individuals 
are notified in accordance with the rule rests with the covered 
institution.\267\ While the proposing release included similar 
language,\268\ the final rule explicitly provides that the covered 
institution will be obligated to satisfy the customer notification 
requirements of paragraph (a)(4) in the event of a relevant breach 
occurring at the service provider. The Commission

[[Page 47712]]

agrees that in providing flexibility to covered institutions by 
permitting them to enter into a written agreement with their service 
providers to notify affected individuals on the covered institution's 
behalf, such notification to customers should be provided in a manner 
that satisfies the covered institution's notice obligations. 
Accordingly, where a covered institution has entered into a written 
agreement with its service provider to provide notice on the covered 
institution's behalf, the covered institution must ensure that the 
service provider has satisfied the customer notification 
obligations.\269\ To accomplish this, the covered institution's 
policies and procedures should consider including steps for conducting 
reasonable due diligence to confirm that the service provider has 
provided notice to affected customers. In addition to maintaining a 
copy of any notice transmitted to affected individuals by the service 
provider on the covered institution's behalf as required by the covered 
institution's (other than funding portals) recordkeeping obligations 
under the final amendments,\270\ effective due diligence might also 
include obtaining confirmation of delivery of such notification in the 
form of attestations or certifications made by the service provider. 
Covered institutions could also consider confirming with a sample of 
affected customers that they received such service provider 
notifications.
---------------------------------------------------------------------------

    \267\ See final rule 248.30(a)(5)(iii) (specifically stating 
``Notwithstanding a covered institution's use of a service provider 
in accordance with paragraphs (a)(5)(i) and (ii), the obligation to 
ensure that affected individuals are notified in accordance with 
paragraph (a)(4) of this section rests with the covered 
institution'').
    \268\ In the proposal, the Commission stated that in such a 
circumstance where the covered institution has delegated performance 
of its notice obligation to a service provider through written 
agreement, the covered institution would remain responsible for any 
failure to provide a notice as required by the proposed rule. See 
Proposing Release at II.A.3. The Commission also stated in the 
proposal that covered institutions may delegate other functions to 
service providers, such as reasonable investigation to determine 
whether sensitive customer information has not been and is not 
reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience, but covered institutions would 
remain responsible for these functions even if they are delegated to 
service providers. See id. at footnote 93; see also discussion of 
paragraph (a)(4) customer notification obligations supra section 
II.A.3. Under new paragraph (a)(5)(iii), covered institutions may 
still delegate such functions to service providers as stated in the 
proposal, but the rule text expressly states that the ultimate 
obligation to ensure affected individuals are notified in accordance 
with paragraph (a)(4) will remain with the covered institution.
    \269\ See final rule 248.30(a)(5)(iii); see also final rule 
248.30(a)(4) (enumerating the scope of the covered institution's 
customer notification obligations).
    \270\ See, e.g. final rule 17 CFR 240.17a-4(e)(14)(iii). See 
also discussion on a covered institution's recordkeeping obligations 
as to notices delivered to customers by its service providers infra 
footnote 391 and accompanying discussion. Funding portals generally 
should maintain all copies of such notices in connection with their 
own requirements to demonstrate compliance with Regulation S-P. See 
discussion of existing funding portal recordkeeping obligations 
infra footnote 385.
---------------------------------------------------------------------------

    In addition, where the covered institution has entered into a 
written agreement with its service provider to provide notice on the 
covered institution's behalf pursuant to paragraph (a)(5)(ii), and the 
covered institution determines that the service provider has not 
provided such notifications in a manner that satisfies the conditions 
of paragraph (a)(4), the covered institution must still ensure that 
notification is provided to the customer, and the covered institution's 
policies and procedures generally should be designed to address these 
instances. To accomplish this, the covered institution generally should 
conduct timely due diligence to identify any lack of notification by 
the service provider to the customer and remedy the matter in advance 
of the deadline set out in paragraph (a)(4).
d. Service Provider Definition
    The Commission is adopting the definition of ``service provider'' 
to mean ``any person or entity that receives, maintains, processes, or 
otherwise is permitted access to customer information through its 
provision of services directly to a covered institution.'' \271\ This 
definition thereby includes affiliates of covered institutions if they 
are permitted access to this information through their provision of 
services. The scope of this definition is intended to help protect 
against the risk of harm that may arise from service providers' access 
to a covered institution's customer information and customer 
information systems.\272\
---------------------------------------------------------------------------

    \271\ See final rule 248.30(d)(10); see also proposed rule 
248.30(e)(10).
    \272\ For example, in 2015, Division of Examinations staff 
released observations following the examinations of some 
institutions' cybersecurity policies and procedures relating to 
vendors and other business partners, which revealed mixed results 
with respect to whether the firms had incorporated requirements 
related to cybersecurity risk into their contracts with vendors and 
business partners. See EXAMS, Cybersecurity Examination Sweep 
Summary, National Exam Program Risk Alert, Volume IV, Issue 4 (Feb. 
3, 2015), at 4, available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf.
---------------------------------------------------------------------------

    A number of commenters addressed the scope of the proposed 
definition. Several commenters suggested narrowing the scope of the 
service provider definition by revising it to exclude affiliates or 
other GLBA regulated entities.\273\ Similarly, three commenters 
asserted that the Commission should revise the definition to exclude 
affiliates and other entities under common control with the covered 
institution, as those affiliates are typically subject to the same 
cybersecurity and privacy programs, including service provider 
management, which are frequently structured and operate on a group-wide 
basis.\274\ One of these commenters also stated the Commission should 
also exclude entities subject to the GLBA that have direct contractual 
relationships with the client.\275\ This commenter separately asserted 
that the service provider definition should be narrowed to only cover 
those persons or entities that are a third party and receive, maintain, 
process, or otherwise are permitted access to sensitive customer 
information, so that covered institutions can prioritize ``higher-risk 
service providers'' and not expend resources unnecessarily on an overly 
broad set of service providers.\276\ Finally, one commenter requested 
that the Commission ``clarify the scope of the service provider 
definition, including whether service providers would include financial 
counterparties such as brokers, clearing and settlement firms, and 
custodial banks.'' \277\
---------------------------------------------------------------------------

    \273\ See, e.g., CAI Comment Letter; IAA Comment Letter 1; SIFMA 
Comment Letter 2; and Schulte Comment Letter.
    \274\ See CAI Comment Letter; IAA Comment Letter 1, SIFMA 
Comment Letter 2.
    \275\ See IAA Comment Letter 1.
    \276\ See id.
    \277\ See SIFMA Comment Letter 2.
---------------------------------------------------------------------------

    As stated above, we are modifying the definition of service 
provider from the proposal to remove reference to third parties in 
response to commenters to incorporate into rule text the Commission's 
intended scope of the ``service provider' definition, as discussed in 
the Proposing Release.\278\ It would not be appropriate to narrow the 
definition to exclude affiliates or non-affiliates that are also 
subject to the GLBA, as commenters have suggested. While a covered 
institution's affiliates may collectively operate under the same 
cybersecurity and privacy programs, such uniformity in approach does 
not diminish the risk of harm to the institution's customers in the 
event of a cyber incident involving unauthorized access to or use of 
customer information at the affiliate.\279\ This risk is similarly not 
diminished where a cyber incident involving unauthorized access to or 
use of customer information occurs at a covered institution's 
unaffiliated service provider that is subject to the GLBA, even where 
the service provider has a direct contractual relationship with the 
client. In such instances, maintaining such an entity's inclusion 
within the service provider definition will help ensure that the 
covered institution is made aware of cyber incidents that occur at the 
service provider to aid in both the covered institution's oversight of 
its service providers, as well as satisfaction of its customer 
notification and broader customer information safeguarding obligations 
under the final

[[Page 47713]]

amendments. It is thus important for the service provider definition to 
remain sufficiently broad to address these risks by setting out clear 
obligations for all parties possessing legitimate access to customer 
information regarding both the safeguarding of that information, and, 
where necessary, ensuring notification to the affected customers in the 
event of a breach involving unauthorized access to or use of customer 
information. However, while we are not narrowing the scope of the 
``service provider'' definition to exclude either affiliates of the 
covered institution or unaffiliated service providers that are 
independently subject to the GLBA, pursuant to paragraph (a)(5)(ii) of 
these final amendments the covered institution and a service provider 
may enter into a written agreement for the service provider to notify 
affected individuals on its behalf in in the event of a breach at the 
service provider, as discussed above.\280\
---------------------------------------------------------------------------

    \278\ See Proposing Release at Section II.A.3, stating ``This 
definition would include affiliates of covered institutions if they 
are permitted access to this information through their provision of 
services.''
    \279\ While we are not narrowing the service provider definition 
to exclude affiliates of the covered institution, in most instances 
it generally should be appropriate for the covered institution to 
rely upon the adherence of any affiliated service provider to 
enterprise-wide cybersecurity and privacy programs that cover both 
the covered institution and its affiliates, so long as such programs 
satisfy the requirements of the final rules and the covered 
institution does not know, or have reason to know, that the 
affiliate is not adhering to such enterprise-wide programs.
    \280\ See discussion on Delegation of Notice and Covered 
Institutions' Customer Notification Obligations supra Section 
II.A.4.c. See also 17 CFR 248.30(a)(5)(ii). The permissibility of 
such written agreements between covered institutions and their 
service providers, including both their affiliates and those 
unaffiliated service providers that are also subject to the GLBA, 
may also help reduce costs related to customer notifications at the 
covered institution, and help reduce the risk of over-notification 
of affected individuals in instances where both the covered 
institution and its affiliated service provider are independently 
subject to customer notification obligations for the same breach in 
security.
---------------------------------------------------------------------------

    Further, it would not be appropriate to narrow the service provider 
definition to only address those persons or entities that operate as 
``higher-risk service providers'' that receive, maintain, process, or 
are otherwise permitted access to sensitive customer information, as 
one commenter suggested. As discussed above, the scope of information 
covered by the assessment and containment and control requirements of 
the final amendments is designed to help ensure all information covered 
by the requirements in the GLBA is appropriately safeguarded, and that 
sufficient information is assessed to fulfill the more narrowly 
tailored obligation to notify affected individuals.\281\ Specifically, 
consistent with the GLBA, the final amendments are tailored to require 
that a covered institution's written policies and procedures must be 
reasonably designed to protect against unauthorized access to or use of 
customer information that could result in substantial harm or 
inconvenience to any customer, not merely all sensitive customer 
information.\282\ Narrowing the service provider definition in a manner 
that would fail to cover the full scope of information that the GLBA 
requires to be covered in a covered institution's safeguarding policies 
and procedures, as would result from commenters' suggestion, would be 
inappropriate.\283\ Further, we are also concerned that limiting the 
service provider definition to only address those persons or entities 
that receive, maintain, process, or are otherwise permitted access to 
sensitive customer information, as commenters suggest, would result in 
insufficient notification to covered institutions in the event of a 
breach at a service provider. The purpose of this service provider 
notification is to enable the covered institution to begin carrying out 
its response program, which requires an assessment of the nature and 
scope of any incident involving unauthorized access to or use of 
customer information, not merely those involving sensitive customer 
information.\284\ For these reasons, the Commission is adopting the 
service provider definition as modified.
---------------------------------------------------------------------------

    \281\ See discussion on Incident Response Program Including 
Customer Notification supra Section II.A.
    \282\ See 17 CFR 248.30(a)(2)(iii). See also 15 U.S.C. 
6801(b)(3) (mandating that the Commission shall establish 
appropriate standards for the financial institutions subject to its 
jurisdiction relating to administrative, technical, and physical 
safeguards ``to protect against unauthorized access to or use of 
such records or information which could result in substantial harm 
or inconvenience to any customer.'').
    \283\ As discussed below, the definition of ``customer 
information'' we are adopting in these final amendments is intended 
to ensure that the standard for covered institutions' safeguards 
rule policies and procedures is consistent with the objectives of 
the GLBA, which focuses on protecting ``nonpublic personal 
information'' of those who are ``customers'' of financial 
institutions. See discussion on the Definition of Customer 
Information infra Section II.B.1. See also 17 CFR 248.30(d)(5) 
(defining ``customer information''). In contrast, the definition of 
``sensitive customer information'' that we are adopting is more 
narrowly tailored to only cover any component of customer 
information alone or in conjunction with any other information, the 
compromise of which could create a reasonably likely risk of 
substantial harm or inconvenience to an individual identified with 
the information. See 17 CFR 248.30(d)(9)(i). As discussed above, 
this definition is more narrowly tailored, and has been specifically 
calibrated to include types of information that, if exposed, could 
put affected individuals at a higher risk of suffering substantial 
harm or inconvenience through, for example, fraud or identity theft 
enabled by the unauthorized access to or use of the information. See 
discussion on the Definition of ``Sensitive Customer Information'' 
supra Section II.A.3.b. The narrower tailoring than is used in the 
``customer notification'' definition is intended to protect 
customers by ensuring that they can take the necessary steps to 
minimize their exposure to these risks, while also being mindful of 
concerns of how a broader definition could increase the potential 
for over-notification of customers to address such risks. See id.
    \284\ See final rule 248.30(b)(i). See also discussion on the 
assessment required by paragraph (a)(3) as to a covered 
institution's incident response program supra section II.A.1 above.
---------------------------------------------------------------------------

    The Commission also acknowledges the request to clarify the scope 
of what is included within the service provider definition, including 
``whether service providers would include financial counterparties such 
as brokers, clearing and settlement firms, and custodial banks.'' In 
alignment with the service provider definition we are adopting, covered 
institutions should make this determination based on the facts and 
circumstances about the substance of the relationship with the covered 
institution, rather than the form of the entity in question. Where 
financial counterparties receive, maintain, or otherwise are permitted 
access to customer information through the provision of services 
directly to the covered institution, they meet the service provider 
definition as adopted.

B. Scope of Safeguards Rule and Disposal Rule

1. Scope of Information Protected
    We are adopting amendments to rule 248.30 that define the scope of 
information covered by the safeguards and disposal rules. These 
amendments will broaden and more closely align the scope of both rules 
by applying them to the information of not only a covered institution's 
own customers, but also the customers of other financial institutions 
that has been provided to the covered institution.\285\ These 
amendments further specify that the rules also apply to customer 
information handled or maintained on behalf of the covered 
institution.\286\ We are adopting these changes substantively as 
proposed, with changes to the structure of the rule in response to 
comments as discussed in more detail below.
---------------------------------------------------------------------------

    \285\ Final rule 248.30(a), (b), and (d)(5)(i). Regulation S-P 
defines ``financial institution'' generally to mean any institution 
the business of which is engaging in activities that are financial 
in nature or incidental to such financial activities as described in 
section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 
1843(k)). 17 CFR 248.3(n).
    \286\ Final rule 248.30(d)(5)(i).
---------------------------------------------------------------------------

    Specifically, the amendments:
     Adopt a new definition of ``customer information'' 
defining the scope of information covered by both the safeguards and 
disposal rules. These amendments provide greater specificity regarding 
what constitutes customer information that must be protected under the 
safeguards rule. They also expand the scope of the disposal rule, which 
currently applies only to consumer information (defined as ``consumer 
report information'' in the

[[Page 47714]]

current rule) so that it applies to both customer and consumer 
information.
     Provide that customer information protected under both the 
safeguards and disposal rules includes both customer information in the 
possession of a covered institution as well as customer information 
handled or maintained on its behalf.
     Provide that both customer and consumer information 
include information that pertains to individuals with whom the covered 
institution has a customer relationship, as well as to the customers of 
other financial institutions where such information has been provided 
to the covered institution. We are adopting this expansion as proposed 
but, as discussed below, have reorganized the rule provisions 
effectuating the change in response to comments.
Definition of Customer Information
    Currently, Regulation S-P's protections under the safeguards rule 
and disposal rule apply to different, and at times overlapping, sets of 
information.\287\ Specifically, as required under the GLBA, the 
safeguards rule currently requires broker-dealers, investment 
companies, and registered investment advisers (but not transfer agents) 
to maintain written policies and procedures to protect ``customer 
records and information,'' \288\ which is not defined in the GLBA or in 
Regulation S-P. The disposal rule requires every covered institution 
properly to dispose of ``consumer report information,'' a different 
term, which Regulation S-P defines consistently with the FACT Act 
provisions.\289\
---------------------------------------------------------------------------

    \287\ See Disposal of Consumer Report Information, Investment 
Company Act Release No. 26685 (Dec. 2, 2004) [69 FR 71322 (Dec. 8, 
2004)], at n.13 (``Disposal Rule Adopting Release'').
    \288\ See 17 CFR 248.30; 15 U.S.C. 6801(b)(1).
    \289\ See 17 CFR 248.30(b)(2). Section 628(a)(1) of the FCRA 
directed the Commission to adopt rules requiring the proper disposal 
of ``consumer information, or any compilation of consumer 
information, derived from consumer reports for a business purpose.'' 
15 U.S.C. 1681w(a)(1). Regulation S-P currently uses the term 
``consumer report information,'' defined to mean a record in any 
form about an individual ``that is a consumer report or is derived 
from a consumer report.'' 17 CFR 248.30(b)(1)(ii). ``Consumer 
report'' had the same meaning as in section 603(d) of the Fair 
Credit Reporting Act (15 U.S.C. 1681(d)). 17 CFR 248.30(b)(1)(i). We 
are amending the term ``consumer report information'' currently in 
Regulation S-P to ``consumer information'' (without changing the 
definition) to conform to the term used by other Federal financial 
regulators in their guidance and rules. See, e.g., 16 CFR 682.1(b) 
(FTC); 17 CFR 162.2(g) (CFTC); OCC Information Security Guidance at 
I.C.2.b; FRB Information Security Guidance'') at I.C.2.b; FDIC 
Information Security Guidance at I.C.2.b.
---------------------------------------------------------------------------

    To align more closely the information protected by both rules, as 
proposed, we are amending rule 248.30 by replacing the term ``customer 
records and information'' in the safeguards rule with a newly defined 
term ``customer information'' and by adding customer information to the 
coverage of the disposal rule. For covered institutions other than 
transfer agents, the term ``customer information'' will mean, as 
proposed, ``any record containing nonpublic personal information as 
defined in section 248.3(t) about a customer of a financial 
institution, whether in paper, electronic, or other form.'' \290\
---------------------------------------------------------------------------

    \290\ As discussed below, the customer information definition 
also specifies that the definition covers information in the 
possession of a covered institution or that is handled or maintained 
by the covered institution or on its behalf, regardless of whether 
such information pertains to individuals with whom the covered 
institution has a customer relationship or the customers of other 
financial institutions where such information has been provided to 
the covered institution. This is being adopted substantively as 
proposed, but reflects structural modifications to the rule text to 
address the concerns of a commenter who asked for increased clarity. 
See infra section II.B.2 for a discussion of the term customer 
information with respect to transfer agents.
---------------------------------------------------------------------------

    Commenters did not object to the proposed definition of ``customer 
information.'' As discussed in the Proposing Release, the customer 
information definition in the coverage of the safeguards rule is 
intended to be consistent with the objectives of the GLBA, which 
focuses on protecting ``nonpublic personal information'' of those who 
are ``customers'' of financial institutions.\291\ The customer 
information definition is also based on the definition of ``customer 
information'' in the safeguards rule adopted by the FTC.\292\
---------------------------------------------------------------------------

    \291\ See 15 U.S.C. 6801(a).
    \292\ See 16 CFR 314.2(d) (The FTC safeguards rule defining 
``customer information'' to mean ``any record containing nonpublic 
personal information, as defined in 16 CFR 313.3(n) about a customer 
of a financial institution, whether in paper, electronic, or other 
form, that is handled or maintained by or on behalf of you or your 
affiliates''). The final amendments do not require covered 
institutions to be responsible for their affiliates' policies and 
procedures for safeguarding customer information because covered 
institutions affiliates generally are financial institutions subject 
to the safeguards rules of other Federal financial regulators.
---------------------------------------------------------------------------

    Additionally, adding customer information to the coverage of the 
disposal rule is also consistent with the objectives of the GLBA. Under 
the GLBA, an institution has a ``continuing obligation'' to protect the 
security and confidentiality of customers' nonpublic personal 
information.\293\ The final amendments specify that this obligation 
continues through disposal of customer information. The final 
amendments also are consistent with the objectives of the FACT Act, 
which focuses on protecting ``consumer information,'' a category of 
information that will remain within the scope of the disposal 
rule.\294\ Adding customer information to the disposal provisions will 
simplify compliance with the FACT Act by eliminating a covered 
institution's need to determine whether its customer information is 
also consumer information subject to the disposal rule. Covered 
institutions should also be less likely to fail to dispose of consumer 
information properly by misidentifying it as customer information only. 
In addition, including customer information in the coverage of the 
disposal rule would conform the rule more closely to the Banking 
Agencies' Safeguards Guidance.\295\ Commenters did not address the 
expansion of the disposal rule to cover customer information.
---------------------------------------------------------------------------

    \293\ See 15 U.S.C. 6801(a).
    \294\ See 15 U.S.C. 1681w(a)(1); proposed rule 248.30(c)(1). 
``Consumer information'' is not included within the scope of the 
safeguards rule, except to the extent it overlaps with any 
``customer information,'' because the safeguards rule is adopted 
pursuant to the GLBA and therefore is limited to information about 
``customers.''
    \295\ See, e.g., OCC Information Security Guidance (OCC 
guidelines providing that national banks and Federal savings 
associations' must develop, implement, and maintain appropriate 
measures to properly dispose of customer information and consumer 
information.''); FRB Information Security Guidance (similar Federal 
Reserve Board provisions for State member banks). See also 15 U.S.C. 
6804(a) (directing the agencies authorized to prescribe regulations 
under title V of the GLBA to assure to the extent possible that 
their regulations are consistent and comparable); 15 U.S.C. 
1681w(2)(B) (directing the agencies with enforcement authority set 
forth in 15 U.S.C. 1681s to consult and coordinate so that, to the 
extent possible, their regulations are consistent and comparable).
---------------------------------------------------------------------------

    One commenter sought clarification regarding the proposal's 
coverage of customer information handled or maintained on behalf of a 
covered institution. This commenter stated that proposed paragraph (a) 
of rule 248.30, which set out the scope of information collectively 
covered under the safeguards and disposal rules, could be interpreted 
to limit the application of the rules to customer information in the 
possession of the covered institution, while proposed paragraph (e)(5) 
defined customer information to include information that is handled or 
maintained on behalf of the covered institution. The proposal included 
both customer information in the possession of a covered institution as 
well as customer information handled or maintained on its behalf in 
both the safeguards and disposal rules. This is because rule 248.30 
provided the rules applied to ``customer information'' and, as the 
commenter observed, the proposal defined customer information to 
include ``any record containing

[[Page 47715]]

nonpublic personal information as defined in Sec.  248.3(t) about a 
customer of a financial institution, whether in paper, electronic or 
other form, that is handled or maintained by the covered institution or 
on its behalf.'' Applying these rules to information handled or 
maintained on behalf of a covered institution is necessary so that the 
incident response program applies to information about a covered 
institution's customers that is handled or maintained by a service 
provider on the covered institution's behalf and to require that such 
information is disposed of properly.
    In response to this comment, we have removed the dedicated scope 
paragraph (a) from the proposed rule and moved all the requirements for 
customer information and consumer information into the definitions of 
those terms, now in renumbered paragraphs (d)(5)(1) and (d)(1) 
respectively. Accordingly, and substantively as proposed, the 
definition of consumer information covers information that a covered 
institution maintains or otherwise possesses for a business purpose, 
and the customer information definition covers information in the 
possession of a covered institution or that is handled or maintained by 
the covered institution or on its behalf.\296\ These structural changes 
do not change the scope of the proposed rule, but rather consolidate in 
each definition the scope of covered information as opposed to 
referring to information possessed by a covered institution in one 
paragraph of the rule and referring to information handled on its 
behalf in another.
---------------------------------------------------------------------------

    \296\ We also eliminated language in paragraph (b)(1) that now 
appears in the final amendments' definitions of customer information 
and consumer information.
---------------------------------------------------------------------------

Safeguards Rule and Disposal Rule Coverage of Customer Information
    We also are adopting the requirement, substantively as proposed, 
that both the safeguards rule and the disposal rule apply to the 
information specified in those definitions regardless of whether such 
information pertains to (a) individuals with whom the covered 
institution has a customer relationship or (b) the customers of other 
financial institutions where such information has been provided to the 
covered institution.\297\ As discussed above, however, we are 
structurally reflecting this requirement in the definitions of customer 
information and consumer information, rather than in proposed paragraph 
(a).
---------------------------------------------------------------------------

    \297\ The safeguards rule is applicable to ``consumer 
information'' only to the extent it overlaps with ``customer 
information.'' See supra footnote 291. Regulation S-P defines 
``financial institution'' generally to mean any institution the 
business of which is engaging in activities that are financial in 
nature or incidental to such financial activities as described in 
section 4(k) of the Bank Holding Company Act of 1956 (12 U.S.C. 
1843(k)). Rule 248.3(n).
---------------------------------------------------------------------------

    Comments were mixed on expanding the safeguards and disposal rules 
to cover nonpublic personal information received by covered 
institutions from third party financial institutions. Some commenters 
supported the expansion.\298\ Two of these commenters stated that 
sensitive nonpublic information should be protected regardless of how 
it came into a covered institution's possession.\299\ Other commenters 
opposed the proposed expansion, suggesting that the rules should be 
limited to the customer information of the covered institution's own 
customers and stating that the safeguards rule in its current form is 
appropriately calibrated.\300\ One of these commenters stated that 
requiring notification of customers of other financial institutions 
under the proposed expansion would be confusing to customers and 
impractical for covered institutions.\301\
---------------------------------------------------------------------------

    \298\ See EPIC Comment Letter; ICI Comment Letter; Better 
Markets Comment Letter.
    \299\ See ICI Comment Letter; Better Markets Comment Letter.
    \300\ See SIFMA Comment Letter 2; CAI Comment Letter.
    \301\ See SIFMA Comment Letter 2; see also supra footnote 110 
and accompanying text.
---------------------------------------------------------------------------

    After considering comments, the final amendments provide that the 
safeguards rule and disposal rule apply to both nonpublic personal 
information that a covered institution collects about its own customers 
and to nonpublic personal information it receives from another 
financial institution about that institution's customers. Currently, in 
contrast, Regulation S-P defines ``customer'' as ``a consumer who has a 
customer relationship with you.'' The safeguards rule, therefore, only 
protects the ``records and information'' of individuals who are 
customers of the particular institution and not others, such as 
individuals who are customers of another financial institution. The 
disposal rule, on the other hand, requires proper disposal of certain 
records about individuals without regard to whether the individuals are 
customers of the particular institution. The final amendments better 
align the scope of the safeguards and disposal rules by requiring that 
a covered institution protect the information of individuals even if 
those individuals are not customers of that particular institution but 
customers of another financial institution.
    The amendments also are designed to help ensure that the nonpublic 
personal information of covered institution customers is better 
protected from unauthorized disclosure on an ongoing basis, regardless 
of what entity is maintaining or handling that information.\302\ For 
example, information that a registered investment adviser has received 
from the custodian of a former client's assets would be covered under 
both the safeguard and disposal rules if the former client remains a 
customer of either the custodian or of another financial institution, 
even though the individual no longer has a customer relationship with 
the investment adviser.\303\ Applying the safeguards rule and the 
disposal rule to customer information that a covered institution 
receives from other financial institutions will help ensure customer 
information safeguards are not lost because a third party financial 
institution shares that information with a covered institution.
---------------------------------------------------------------------------

    \302\ See Proposing Release at the text accompanying nn.156-158.
    \303\ See final rule 248.30(d)(5)(i) (customer information is 
covered by the rule if it pertains to ``the customers of other 
financial institutions where such information has been provided to 
the covered institution'').
---------------------------------------------------------------------------

2. Extending the Scope of the Safeguards Rule and the Disposal Rule To 
Cover All Transfer Agents
    As discussed in more detail below, the final amendments, which are 
the same as proposed except for the modifications to the structure of 
the rules discussed above,\304\ extend both the safeguards rule and the 
disposal rule to apply to any transfer agent registered with the 
Commission or another appropriate regulatory agency.\305\ We are 
extending these provisions to transfer agents because, as discussed in 
the Proposing Release, transfer agents maintain sensitive, detailed 
information related to securityholders.\306\ Like other market 
participants, systems maintained by transfer agents are subject to 
threats and hazards to the security or integrity of those systems. 
Likewise, the individuals whose information is maintained by those 
transfer agents' systems are subject to similar risks of substantial 
harm and inconvenience as individuals whose customer information is 
maintained by other covered institutions. Yet, prior to the amendments, 
the safeguards rule did

[[Page 47716]]

not apply to any transfer agents, and the disposal rule applied only to 
those transfer agents registered with the Commission. To address these 
risks, and help ensure that individuals whose customer information is 
held by a transfer agent are protected and receive appropriate notice 
of a breach in the same manner as individuals whose customer 
information is held by any other covered institution, the final 
amendments apply both the safeguards rule and the disposal rule to all 
transfer agents, even if the transfer agent is registered with another 
appropriate regulatory agency. The final amendments do this by 
including ``transfer agents registered with the Commission or another 
appropriate regulatory agency'' in the definition of a ``covered 
institution,'' in the same manner as we proposed.\307\
---------------------------------------------------------------------------

    \304\ See supra section II.B.1 (discussing the changes to the 
structure of final rule 248.30(d)).
    \305\ The term ``transfer agent'' is defined by rule 
248.30(d)(12) to have the same meaning as in section 3(a)(25) of the 
Exchange Act (15 U.S.C. 78c(a)(25)).
    \306\ See Proposing Release at section II.C.3.
    \307\ Final rule 248.30(d)(3).
---------------------------------------------------------------------------

    As proposed, the final amendments also account for the fact that 
transfer agents' clients generally are the issuers whose securities are 
held by investors, not the individual investors themselves, by defining 
``customer'' with respect to a transfer agent registered with the 
Commission or another appropriate regulatory agency as any natural 
person who is a securityholder of an issuer for which the transfer 
agent acts or has acted as a transfer agent. Some commenters supported 
extending these rules to all transfer agents. These commenters stated 
that doing so would: (i) be consistent with current market practice; 
(ii) benefit investors; and (iii) create a single, equal standard for 
all transfer agents.\308\ Other commenters opposed extension of the 
safeguards rule and disposal rule to all transfer agents. In general, 
these commenters stated that doing so would: (i) exceed the scope of 
the Commission's authority; (ii) fail to recognize that a transfer 
agent's customer is an issuer of securities; (iii) potentially conflict 
with State law; (iv) confuse securityholders; and (v) impose 
unnecessary costs on transfer agents.\309\ As discussed below, the 
Commission agrees with the commenters who supported extending the 
safeguards rule and disposal rule to all transfer agents and is 
adopting the amendments as proposed.
---------------------------------------------------------------------------

    \308\ See Better Markets Comment Letter, ICI Comment Letter 1, 
EPIC Comment Letter.
    \309\ See SIFMA Comment Letter 2, Comment Letter from the 
Securities Transfer Association (May 10, 2023) (``STA Comment Letter 
1''), STA Comment Letter 2, Computershare Comment Letter.
---------------------------------------------------------------------------

Extending to All Transfer Agents, Including Transfer Agents Subject to 
Existing Federal and State Requirements, and Scope of the Commission's 
Authority
    We received some comments in support of our proposed extension of 
scope to include transfer agents. One commenter stated that extending 
the protections of the safeguards rule and the disposal rule to all 
transfer agents would benefit the public and protect investors, due to 
the sensitive information they possess, and would equalize the 
standards that are applicable to transfer agents.\310\ This commenter 
stated that due to their role, transfer agents have information related 
to securityholders that may include names, addresses, phone numbers, 
email addresses, employers, employment history, bank account 
information, credit card information, transaction histories, and 
securities holdings.\311\ This commenter further stated that the 
systems transfer agents maintain are subject to the same risks of a 
breach as other covered institutions, and therefore the individuals 
whose customer information transfer agents maintain are subject to the 
same risks as customers of other covered institutions.\312\ Finally, 
the commenter stated that extending the safeguards rule and disposal 
rule to all transfer agents will promote regulatory parity and fair 
competition among firms, regardless of their registration status.\313\
---------------------------------------------------------------------------

    \310\ See Better Markets Comment Letter.
    \311\ See id.
    \312\ See id.
    \313\ See id.
---------------------------------------------------------------------------

    Similarly, one commenter supported including transfer agents and 
requiring breach notifications,\314\ and another commenter stated that 
establishing incident response and minimum data breach reporting 
requirements for transfer agents would be a significant step toward a 
stronger and more comprehensive national data breach regime.\315\
---------------------------------------------------------------------------

    \314\ See ICI Comment Letter 1.
    \315\ See EPIC Comment Letter.
---------------------------------------------------------------------------

    Other comments, however, objected to scoping transfer agents into 
the Safeguards Rule. For example, one commenter suggested that applying 
the rules to all transfer agents could subject transfer agents 
registered with an appropriate regulatory agency that is not the 
Commission to conflicting data security requirements from those 
regulators, resulting in regulatory confusion.\316\ One commenter 
stated that extending the rules to all transfer agents would exceed the 
scope of the Commission's authority.\317\ Similarly, two commenters 
stated that the Commission should exempt certain transfer agents from 
the safeguards rule, such as transfer agents subject to existing State 
and Federal banking laws addressing privacy and safeguarding customer 
information, or those that do not engage in paying agent services.\318\ 
One of these commenters stated that transfer agents ``do not have the 
type or scope of personal information which could lead to further 
complications for securityholders'' because transfer agents are not 
subject to know-your-customer obligations, do not have extensive 
background information concerning securityholders, and generally do not 
have possession of shareholder assets or have information which could 
be used to take or transfer assets of shareholders.\319\ One of these 
commenters also stated that it is already subject to banking laws and 
inter-agency guidelines that address privacy, breach notification, and 
disposal of personal information, such as the Banking Agencies' 
Incident Response Guidance.\320\
---------------------------------------------------------------------------

    \316\ See SIFMA Comment Letter 2.
    \317\ See SIFMA Comment Letter 2.
    \318\ See STA Comment Letter 2 and Computershare Comment Letter. 
We use the term ``paying agent services'' to refer to 
administrative, recordkeeping, and processing services related to 
the distribution of cash and stock dividends, bond principal and 
interest, mutual fund redemptions, and other payments to 
securityholders.
    \319\ See STA Comment Letter 2.
    \320\ See Computershare Comment Letter.
---------------------------------------------------------------------------

    The Commission does not agree that extending the rules to all 
transfer agents would result in regulatory confusion. As discussed 
above, the GLBA and FACT Act oblige us to adopt regulations, to the 
extent possible, that are consistent and comparable with those adopted 
by the Banking Agencies, the CFPB, and the FTC.\321\ The Commission has 
been mindful of the need to set standards for safeguarding customer 
records and information that are consistent and comparable with the 
corresponding standards set by these agencies, and to this end, we have 
modified the final amendments from the proposal to promote greater 
consistency with other applicable Federal safeguard standards where 
such changes do not affect the investor protection purposes of this 
rulemaking, as discussed in more detail above.\322\ Thus, although 
there are some differences, the final amendments are largely aligned 
with the Banking

[[Page 47717]]

Agencies' Incident Response Guidance and Safeguards Guidance to which 
some transfer agents supervised by one of the Banking Agencies are 
already subject.\323\ We recognize, however, that transfer agents 
registered with the Banking Agencies are already subject to the Banking 
Agencies' Incident Response Guidance and Safeguards Guidance and 
therefore may need to review their existing procedures under the 
Banking Agencies' Guidance for compliance with the final amendments. To 
the extent there are differences between their existing procedures and 
the final amendments, given the Commission's efforts to promote 
consistency between the final amendments and other Federal safeguards 
standards, it will be possible for transfer agents to update their 
existing policies, procedures, and practices to ensure consistency with 
both the Banking Agencies' Guidance and the final amendments.\324\ 
Finally, even if the final amendments impose additional requirements on 
some transfer agents already subject to the Banking Agencies' Guidance, 
it is appropriate to establish a minimum nationwide standard for the 
notification of securityholders who are affected by a transfer agent 
data breach that is tailored to the Commission's mission and the 
specific requirements.\325\ For these reasons, the Commission does not 
agree that it should exempt from the safeguards rule transfer agents 
that are subject to existing Federal banking laws addressing privacy 
and safeguarding customer information.
---------------------------------------------------------------------------

    \321\ See supra section I.
    \322\ For example, the final amendments require covered 
institutions to ensure that their service providers provide 
notification as soon as possible, but no later than 72 hours after 
becoming aware that an applicable breach has occurred, which is 
informed by the 72-hour deadline that is required under CIRCIA. See 
supra section II.A.4.b.
    \323\ See infra sections IV.C.2.b and IV.D.2.b.
    \324\ See supra section I.
    \325\ See supra section I.
---------------------------------------------------------------------------

    Moreover, the Commission is not exempting from the safeguards rule 
transfer agents that do not engage in paying agent services. The 
population of transfer agents that maintain sensitive, detailed and 
individualized information related to securityholders is not limited to 
those transfer agents that engage in paying agent services. Providing 
the exemption suggested by this commenter would deprive securityholders 
whose sensitive customer information is maintained by a non-paying 
agent transfer agent of the important protections afforded under the 
final amendments.
    The Commission does not agree that extending the rules to all 
transfer agents would exceed the scope of the Commission's authority. 
As discussed in the proposal, when the Commission initially proposed 
and adopted the disposal rule, it did so to implement the congressional 
directive in section 216 of the FACT Act to adopt regulations to 
require any person who maintains or possesses a consumer report or 
consumer information derived from a consumer report for a business 
purpose to properly dispose of the information.\326\ The Commission 
determined at that time that, through the FACT Act, Congress intended 
to instruct the Commission to adopt a disposal rule to apply to 
transfer agents registered with the Commission.\327\ The Commission 
also stated at that time that the GLBA did not include transfer agents 
within the list of covered entities for which the Commission was 
required to adopt privacy rules.\328\ The Commission extended the 
disposal rule only to those transfer agents registered with the 
Commission to carry out its directive under the FACT Act, while 
deferring to the FTC to utilize its ``residual jurisdiction'' under the 
same congressional mandate, to enact both a disposal rule and broader 
privacy rules that might apply to transfer agents registered with 
another appropriate regulatory agency.\329\
---------------------------------------------------------------------------

    \326\ See Proposing Release at section II.C.3; see also 15 
U.S.C. 1681w.
    \327\ See Disposal of Consumer Report Information, Exchange Act 
Release No. 50361 (Sept. 14, 2004), 69 FR 56307 at n.23 (Sept. 20, 
2004).
    \328\ See id. at n.27.
    \329\ See id.
---------------------------------------------------------------------------

    The Commission, however, has broad authority under Section 17A of 
the Exchange Act that is independent of either the FACT Act or the 
GLBA, to prescribe rules and regulations for transfer agents as 
necessary or appropriate in the public interest, for the protection of 
investors, for the safeguarding of securities and funds, or otherwise 
in furtherance of the purposes of Title I of the Exchange Act.\330\ 
Specifically, whether transfer agents initially register with the 
Commission or another appropriate regulatory agency,\331\ section 
17A(d)(1) of the Exchange Act authorizes the Commission to prescribe 
such rules and regulations as may be necessary or appropriate in the 
public interest, for the protection of investors, or otherwise in 
furtherance of the purposes of the Exchange Act with respect to any 
transfer agents registered with either the Commission or another 
appropriate regulatory agency. Once a transfer agent is registered with 
any appropriate regulatory agency, the Commission ``is empowered with 
broad rulemaking authority over all aspects of a transfer agent's 
activities as a transfer agent.'' \332\ Pursuant to its statutory 
authority, the Commission has adopted rules that address various 
aspects of transfer agents' activities, including annual disclosures, 
transaction processing, responses to written inquiries, recordkeeping, 
safeguarding of funds and securities, lost securityholder searches, 
among others.\333\ These and the Commission's other transfer agent 
rules \334\ currently apply to and are enforceable against all 
registered transfer agents, including those that initially registered 
with an appropriate regulatory agency other than the Commission.\335\
---------------------------------------------------------------------------

    \330\ See 15 U.S.C. 78q-1.
    \331\ See Exchange Act Section 17A(d)(1), 15 U.S.C. 78q-1(d)(1) 
(providing that ``no registered clearing agency or registered 
transfer agent shall . . . engage in any activity as . . . transfer 
agent in contravention of such rules and regulations'' as the 
Commission may prescribe); Exchange Act Section 17A(d)(3)(b), 15 
U.S.C. 78q-1(d)(3)(b) (providing that ``Nothing in the preceding 
subparagraph or elsewhere in this title shall be construed to impair 
or limit . . . the Commission's authority to make rules under any 
provision of this title or to enforce compliance pursuant to any 
provision of this title by any . . . transfer agent . . . with the 
provisions of this title and the rules and regulations 
thereunder.'').
    \332\ See Senate Report on Securities Act Amendments of 1975, S. 
Rep. No. 94-75.
    \333\ See, e.g., SEC Form TA-2, 17 CFR 249b.102 (Form for 
Reporting Activities of Transfer Agents Registered Pursuant to 
Section 17A of the Securities Exchange Act of 1934) (annual 
disclosures); Exchange Act Rule 17Ad-2, 17 CFR 240.17Ad-2 
(transaction processing); Exchange Act Rule 17Ad-5, 17 CFR 240.17Ad-
5 (written inquiries); Exchange Act Rule 17Ad-6, 17 CFR 240.17Ad-6 
(recordkeeping); Exchange Act Rule 17Ad-7, 17 CFR 240.17Ad-7 (record 
retention); Exchange Act Rule 17Ad-12, 17 CFR 240.17Ad-12 
(safeguarding); Exchange Act Rule 17Ad-17, 17 CFR 240.17Ad-17 (lost 
securityholder searches).
    \334\ See, e.g., Exchange Act Rules 17Ad-1 through 17Ad-20, 17 
CFR 240.17Ad-1 through 240.17Ad-20.
    \335\ For example, the Commission has found bank-registered 
transfer agents in violation of various Commission rules. See In the 
Matter of Citibank, N.A., Exchange Act Release No. 31612 (Dec. 7, 
1992) (settled matter) (Exchange Act Rules 17Ad-12 and 17f-1); In 
the Matter of the Chase Manhattan Bank, Exchange Act Release No. 
44835 (Sept. 24, 2001) (settled matter) (Exchange Act Rules 17Ac2-2, 
17Ad-10, and 17Ad-11); In the Matter of Wilmington Trust Company, 
Exchange Act Release No. 49904 (Jun. 23, 2004) (settled matter) 
(Exchange Act Rules 17Ac2-2, 17Ad-10, 17Ad-11, and 17Ad-13); In the 
Matter of the Bank of New York, Exchange Act Release No. 53709 (Apr. 
24, 2006) (settled matter) (Exchange Act Rule 17Ad-17).
---------------------------------------------------------------------------

    The FTC has not adopted disposal and privacy rules to govern 
transfer agents registered with an appropriate regulatory agency that 
is not the Commission. The Commission is exercising its authority under 
section 17A(d)(1) of the Exchange Act to extend the safeguards rule to 
apply to any transfer agent registered with either the Commission or 
another appropriate regulatory agency and to extend the disposal rule 
to apply to transfer agents registered with another appropriate 
regulatory agency. The Commission does so to address the risks of 
market disruptions and investor harm posed by

[[Page 47718]]

cybersecurity and other operational risks faced by transfer agents. 
Extending the safeguards rule and disposal rule to address those risks 
is in the public interest, and necessary for the protection of 
investors and for the safeguarding of funds and securities.
    As explained in the proposal, transfer agents are subject to many 
of the same risks of data system breach or failure that other market 
participants face.\336\ For example, transfer agents are vulnerable to 
a variety of software, hardware, and information security risks that 
could threaten the ownership interests of securityholders or disrupt 
trading within the securities markets.\337\ A software, hardware, or 
information security breach or failure at a transfer agent could result 
in the corruption or loss of securityholder information, erroneous 
securities transfers, or the release of confidential securityholder 
information to unauthorized individuals. A concerted cyber attack or 
other breach could have the same consequences, or result in the theft 
of securities and other crimes. A transfer agent's failure to account 
for such risks and take appropriate steps to mitigate them can directly 
lead to the loss of funds or securities, including through theft or 
misappropriation, due to the information about securityholders that 
transfer agents maintain.\338\
---------------------------------------------------------------------------

    \336\ See Proposing Release at section II.C.3.
    \337\ See generally SEC Cybersecurity Roundtable transcript 
(Mar. 26, 2014), available at https://www.sec.gov/spotlight/cybersecurity-roundtable/cybersecurity-roundtable-transcript.txt.
    \338\ See Proposing Release at section II.C.3.
---------------------------------------------------------------------------

    At the same time, the scope and volume of funds and securities that 
are processed or held by transfer agents have increased dramatically 
since Regulation S-P was first adopted.\339\ The risk of loss of such 
funds and securities presents significant risks to issuers, 
securityholders, other industry participants, and the U.S. financial 
system as a whole. For example, transfer agents that provide paying 
agent services on behalf of issuers play a significant role within that 
system. According to Form TA-2 filings in 2023, transfer agents 
distributed approximately $3.68 trillion in securityholder dividends 
and bond principal and interest payments. Critically, because Form TA-2 
does not include information relating to the value of purchase, 
redemption, and exchange orders by mutual fund transfer agents, the 
$3.68 trillion amount stated above does not include these amounts. If 
the value of such transactions by mutual fund transfer agents was 
captured by Form TA-2 it is possible that the $3.68 trillion number 
would be significantly higher.\340\
---------------------------------------------------------------------------

    \339\ See id.
    \340\ As stated in the proposal, Commission staff has observed 
through supervisory activities that aggregate gross purchase and 
redemption activity for some of the larger mutual fund transfer 
agents has ranged anywhere from $3.5 trillion to nearly $10 trillion 
just for a single entity in a single year. See Proposing Release at 
section II.C.3.
---------------------------------------------------------------------------

    Moreover, contrary to some commenters' statements, transfer agents 
do maintain personal information about individual securityholders that 
could be used to take or transfer assets of securityholders or 
otherwise lead to further complications for securityholders. As stated 
in the proposal, transfer agents may obtain, share, and maintain 
personal information on behalf of securityholders who hold securities 
in registered form (i.e., in their own name rather than indirectly 
through a broker).\341\ For example, any registered transfer agent that 
maintains a master securityholder file on behalf of an issuer must post 
to that file debits and credits containing minimum and appropriate 
certificate detail representing every security transferred, purchased, 
redeemed, or issued.\342\ Pursuant to Exchange Act Rule 17Ad-9, 
certificate detail must include, among other things, the name and 
address of the registered securityholder, the number of shares or 
principal dollar amount of the equity or debt security, and any other 
identifying information about the securityholder or the 
securityholder's securities that the transfer agent reasonably deems 
essential to its recordkeeping system for the efficient and effective 
research of record differences.\343\ This can include date of birth, 
social security or tax payer identification number, phone numbers, 
email addresses, information about relatives, and other sensitive 
personal information.\344\ Transfer agents also maintain additional 
personal information about securityholders in connection with ancillary 
account, administrative, and other services transfer agents provide to 
securityholders on behalf of issuers, such as plan administration, 
proxy services, corporate action processing, and disbursement of 
dividend and interest payments.\345\ This is the same type of customer 
information collected and maintained by other covered institutions and 
warrants the same level of protection. For example, the Commission is 
aware of instances in which threat actors have utilized securityholder 
information obtained from a transfer agent to steal securities and 
funds from those securityholders.\346\
---------------------------------------------------------------------------

    \341\ See Proposing Release at section I, section II.C.3.
    \342\ See 17 CFR 240.17Ad-10.
    \343\ See 17 CFR 240.17Ad-9(a).
    \344\ See In the Matter of Columbia Management Investment 
Services Corp., Exchange Release No. 80016 (Feb. 10, 2017) (settled 
matter) (finding that the transfer agent's Records Management 
Manager ``viewed sensitive personal account information such as 
addresses, dates of birth, and identification numbers'' to 
misappropriate foreign deceased shareholders' funds and securities).
    \345\ See Proposing Release at section II.C.3 (discussing 
generally the services provided by transfer agents); Advanced Notice 
of Proposed Rulemaking, Concept Release, Transfer Agent Regulations, 
Exchange Act Release No. 76743 (Dec. 22, 2015), 80 FR 81948 (Dec. 
31, 2015) (describing the recordkeeping, shareholder communications, 
securities issuance, and tax reporting services provided by transfer 
agents).
    \346\ See In the Matter of Columbia Management Investment 
Services Corp., Exchange Act Release No. 80016 (Feb. 10, 2017) 
(settled matter) (finding that the transfer agent's Records 
Management Manager ``viewed sensitive personal account information 
such as addresses, dates of birth, and identification numbers'' to 
misappropriate foreign deceased shareholders' funds and securities).
---------------------------------------------------------------------------

    For these reasons, the Commission is extending the safeguards rule 
and disposal rule to cover all registered transfer agents because it is 
in the public interest and will help protect investors and safeguard 
their securities and funds. Extending the safeguards rule to cover any 
registered transfer agent addresses the risks to the security and 
integrity of customer information associated with the systems those 
transfer agents maintain. This in turn helps prevent securityholders' 
customer information from being compromised, which, as discussed above, 
could threaten the ownership interest of securityholders or disrupt 
trading within the securities markets. Extending the final amendments 
to all registered transfer agents also helps establish minimum 
nationwide standards for the notification of securityholders who are 
affected by a transfer agent data breach that leads to the unauthorized 
access or use of their information so that affected securityholders 
could take additional mitigating actions to protect their customer 
information, ownership interest in securities, and trading activity. 
Finally, as discussed above, extending the disposal rule to cover those 
transfer agents registered with another appropriate regulatory agency 
helps ensure all registered transfer agents are subject to the same 
minimum nationwide standard, tailored to the Commission's mission and 
requirements, and will protect investors and safeguard their securities 
and funds by reducing the risk of fraud or related crimes, including 
identity theft, which can lead to the loss of securities and funds.

[[Page 47719]]

Definition of a Transfer Agent's Customer
    As stated above, the final amendments include a definition of 
customer that is specific to transfer agents, which is being adopted as 
proposed, except for a clarification noted below. For a transfer agent, 
customer means any natural person who is a securityholder of an issuer 
for which the transfer agent acts or has acted as a transfer 
agent.\347\ The Commission is clarifying that this definition applies 
for purposes of section 248, meaning that it does not apply to any 
other rules, including those specific to transfer agents codified at 17 
CFR 240.17Ad. Unless specified, securityholders of issuers are not 
customers of transfer agents for purposes of other rules. The 
Commission is adopting this definition because, as discussed above, 
although transfer agents' customers generally are issuers of 
securities, transfer agents collect and maintain non-public personal 
information about the individual registered owners who hold those 
issuers' securities in connection with various services and activities 
they engage in on behalf of issuers.
---------------------------------------------------------------------------

    \347\ See final rule 248.30(d)(4)(ii).
---------------------------------------------------------------------------

    Some commenters supported this definition and approach of treating 
securityholders of an issuer as a transfer agent's customer, while 
other commenters did not. One commenter stated that this approach would 
close a ``regulatory gap''--despite possessing and maintaining 
sensitive information about securityholders, no transfer agents are 
currently subject to the safeguards rule, and only transfer agents 
registered with the Commission are subject to the disposal rule.\348\ 
Similarly, one commenter supported protecting customer information by 
subjecting that information to Regulation S-P, regardless of how it 
comes into the covered institution's possession.\349\ On the other 
hand, one commenter opposed this proposed definition, stating that the 
need for a specific defined term for transfer agents indicated that the 
amendments were not well suited for transfer agents.\350\ Three 
commenters stated that securityholders of issuers are not customers of 
the transfer agent, rather the issuer is the customer of the transfer 
agent.\351\
---------------------------------------------------------------------------

    \348\ See Better Markets Comment Letter.
    \349\ See ICI Comment Letter 1.
    \350\ See STA Comment Letter 2.
    \351\ See STA Comment Letter 2, Computershare Comment Letter, 
and SIFMA Comment Letter 2.
---------------------------------------------------------------------------

    The Commission agrees that customer information held by a covered 
institution must be protected, regardless of how that customer 
information comes into the covered institution's possession. As 
discussed in the proposal and above, transfer agents obtain, share, and 
maintain personal information on behalf of securityholders who hold 
securities in registered form (i.e., in their own name rather than 
indirectly through a broker).\352\ They also collect detailed personal 
information in connection with various services provided directly to 
individual securityholders, such as facilitating legal and other 
transfers of securities, replacing lost or stolen securities 
certificates, facilitating corporate communications with investors, 
providing cost-basis calculations for tax purposes, and other 
services.\353\ The fact that a transfer agent may not have a direct 
contractual relationship with an individual securityholder does not 
eliminate the need for transfer agents to protect the sensitive 
personal information about individual securityholders that is collected 
and maintained by the transfer agent.
---------------------------------------------------------------------------

    \352\ See Proposing Release at section I; section II.C.3; see 
also supra the text accompanying footnote 285.
    \353\ See Proposing Release at section II.C.3 (discussing 
generally the services provided by transfer agents); Advanced Notice 
of Proposed Rulemaking, Concept Release, Transfer Agent Regulations, 
Exchange Act Release No. 76743 (Dec. 22, 2015), 80 FR 81948 (Dec. 
31, 2015) (describing the recordkeeping, shareholder communications, 
securities issuance, and tax reporting services provided by transfer 
agents).
---------------------------------------------------------------------------

    Contrary to some commenters' statements, adopting a transfer agent-
specific definition of customer does not indicate that the safeguards 
rule and disposal rule are not well-suited for transfer agents. Rather, 
it helps ensure that the rule is appropriately tailored to address 
transfer agents and the specific type of customer information they 
collect and maintain. Tailoring specific rule provisions to specific 
types of entities to address their unique functions, structures, and 
businesses does not render the rule inappropriate to the entity for 
which the provisions are being tailored, nor is it an approach that is 
unique to transfer agents or to Regulation S-P. For example, since the 
adoption of Exchange Act Rule 17Ad-12, transfer agents have been 
required to safeguard any funds and securities, including 
securityholder funds and securities, in the transfer agent's possession 
or control.\354\ This is the case although securityholders may not be 
direct customers of transfer agents. As another example, final rule 
248.30(d)(5)(i) defines customer information, for any covered 
institution other than a transfer agent as any record containing 
nonpublic personal information as defined in final rule 248.3(t) about 
a customer of a financial institution, whether in paper, electronic or 
other form, in the possession of a covered institution or that is 
handled or maintained by the covered institution or on its behalf, 
regardless of whether such information pertains to (a) individuals with 
whom the covered institution has a customer relationship, or (b) the 
customers of other financial institutions where such information has 
been provided to the covered institution.\355\ The fact that the 
securityholder whose funds and securities the transfer agent is in 
possession of is not a direct customer of the transfer agent does not 
eliminate the need for the transfer agent to safeguard those funds and 
securities. The same is true for customer information in the possession 
of a transfer agent or that is handled or maintained by the transfer 
agent or on its behalf.
---------------------------------------------------------------------------

    \354\ See 17 CFR 240.17Ad-12.
    \355\ See final rule 248.30(d)(5)(i).
---------------------------------------------------------------------------

    Finally, two commenters stated that the Commission should propose a 
rule specific to transfer agents as part of the existing rules that 
apply specifically to transfer agents.\356\ In these commenters' views, 
such a rule would impose obligations similar to the final amendments 
but would apply only to transfer agents. One of these commenters 
further explained that it would support general safeguarding of 
securityholder information requirements, similar to those set forth in 
the safeguard rule, if the Commission enacted them as part of the 
regulations specific to transfer agents codified at 17 CFR 
240.17Ad.\357\
---------------------------------------------------------------------------

    \356\ See STA Comment Letter 2 and Computershare Comment Letter.
    \357\ See Computershare Comment Letter.
---------------------------------------------------------------------------

    The Commission is not taking the approach suggested by the 
commenters. The final amendments will accomplish a similar result to a 
transfer agent-specific rule, while helping to ensure consistent 
requirements among covered institutions. Further, the commenters did 
not explain how such a rule would differ from the final amendments, 
other than being in a different set of Commission regulations, or how 
such a rule would be a material improvement over the approach being 
adopted as proposed. The Commission does not agree that adopting 
something different from the final amendments is necessary to achieve 
the ``Commission's privacy and cybersecurity goals in a manner specific 
to the business and role of transfer agents.'' \358\ Rather, doing so 
would undermine the Commission's

[[Page 47720]]

goal of establishing a consistent minimum nationwide standard. Further, 
where necessary, the Commission has already tailored the final 
amendments in a manner specific to transfer agents. As noted above, the 
final amendments include a definition of customer that it is specific 
to transfer agents. Finally, to the extent one of commenters' goals is 
ensuring that all transfer agent rules are codified in the same place, 
specifically 17 CFR 240.17Ad, commenters' suggestion would not further 
that goal. Transfer agents registered with the Commission are already 
subject to the disposal rule, which is not part of the existing rule 
set codified at 17 CFR 240.17Ad, and a new safeguards or disposal rule 
within that section would necessarily cite to Regulation S-P for 
defined terms and other references.
---------------------------------------------------------------------------

    \358\ STA Comment Letter 2.
---------------------------------------------------------------------------

Application of Laws, Requirements, and Contractual Provisions
    Some commenters raised concerns about potential conflicts with, or 
duplication, of State law requirements. One commenter stated that 
securityholders of issuers are not customers of the transfer agent and 
imposing obligations on them creates conflicting and duplicative 
requirements to those already in place through State laws to safeguard 
securityholders' personal information.\359\ Another commenter stated 
that under State law, transfer agents do not notify securityholders of 
a breach but issuers do.\360\ Specifically, this commenter stated that 
all fifty States have laws that require transfer agents to notify their 
issuer clients of unauthorized access to personal information of 
securityholders, and issuers may then be required to notify 
securityholders depending on whether the standards of the State law 
have been met. This commenter also stated that its existing policies, 
procedures, and contractual obligations are designed to track these 
State law requirements and that certain provisions in transfer agents' 
contracts with issuer clients could prohibit transfer agents from 
notifying securityholders of data breaches in the manner required by 
the amendments.\361\ Both commenters stated that the Commission should 
consider preempting State laws to minimize the potential for multiple 
and competing obligations, and if not, prepare and produce a cost-
benefit analysis to identify the specific ways in which the amendments 
would be an improvement over existing law.\362\ This commenter further 
explained that the issuer client would notify securityholders depending 
on whether the standards of the State law have been met.\363\
---------------------------------------------------------------------------

    \359\ See STA Comment Letter 2.
    \360\ See Computershare Comment Letter.
    \361\ See Computershare Comment Letter.
    \362\ See STA Comment Letter 2 and Computershare Comment Letter. 
See also infra section IV.D.2.b.
    \363\ See id.
---------------------------------------------------------------------------

    While we acknowledge the commenters' concerns, the final amendments 
permit transfer agents and issuers to develop arrangements to address 
them. Nothing in the final amendments will prohibit or limit transfer 
agents' ability to enter into or modify their contracts with issuer 
clients in a manner that allows the transfer agent to comply with 
applicable legal requirements. Indeed, some transfer agents already 
send customer notices on behalf of their issuer clients. As one 
commenter stated in requesting that the Commission permit covered 
institutions to have their service providers send breach notices to 
affected individuals on their behalf, it is a common practice today for 
investment companies to have their transfer agents assume 
responsibility for sending affected customers breach notices.\364\ The 
Commission acknowledges that, to the extent a transfer agent has 
contractual provisions with issuer clients that prevent securityholders 
from receiving notice of a breach directly from the transfer agent, the 
transfer agent may determine to amend those contractual provisions to 
comply with the final amendments. Further, as discussed above, in a 
modification from the proposal, the final amendments provide that a 
covered institution that is required to notify affected individuals may 
satisfy that obligation by ensuring that the notice is provided by 
another party (as opposed to providing the notice itself). Accordingly, 
if a transfer agent experiences an incident affecting securityholders 
of another covered institution, it would have the option of 
coordinating with the covered institution as to which institution will 
actually send the notice.\365\
---------------------------------------------------------------------------

    \364\ See ICI Comment Letter 1.
    \365\ See supra section II.A.3.a.
---------------------------------------------------------------------------

    As explained in the proposal, the Commission understands that State 
laws generally require persons or entities that own or license 
computerized data that includes private information to notify residents 
of the State when a data breach results in the compromise of their 
private information.\366\ In addition, State laws generally require 
persons and entities that do not own or license such computerized data, 
but that maintain such computerized data for other entities, to notify 
the affected entity in the event of a data breach (so as to allow that 
entity to notify affected individuals). However, the specific 
requirements regarding the timing of the notice, content of the notice, 
types of data covered, and other aspects may vary.\367\ Indeed, one 
commenter highlighted the variation and uncertainty among different 
State law requirements.\368\ Thus, while transfer agents may already be 
complying with one or more State notification laws, variations in these 
State laws could result in residents of one State receiving notice 
while residents of another do not receive notice, or receive it later, 
or receive different information for the same data breach incident. The 
final amendments address this concern by imposing a Federal minimum 
standard for customer notification, which will help ensure timely, 
consistent notice to affected securityholders regardless of their State 
of residence.
---------------------------------------------------------------------------

    \366\ See Proposing Release at section III.C.2.
    \367\ See supra section I.
    \368\ See Computershare Comment Letter.
---------------------------------------------------------------------------

Impact of Notices From Transfer Agents
    One commenter stated that the proposal would equalize standards 
governing transfer agents, and in doing so, promote investor 
protection.\369\ On the other hand, several commenters stated that the 
proposed rule regarding transfer agents would confuse securityholders. 
One commenter suggested that requiring a transfer agent to identify and 
contact customers of another institution may cause those customers to 
be confused and concerned.\370\ Two commenters similarly stated that 
the notification requirement is likely to confuse securityholders 
because it would result in securityholders receiving notice from both 
the transfer agent and the issuer with respect to the same breach.\371\ 
One commenter further stated that a transfer agent should only be 
required to notify an issuer of an incident.\372\
---------------------------------------------------------------------------

    \369\ See Better Markets Comment Letter.
    \370\ See SIFMA Comment Letter 2.
    \371\ See STA Comment Letter 2 and Computershare Comment Letter.
    \372\ See SIFMA Comment Letter 2.
---------------------------------------------------------------------------

    We acknowledge that due to existing State law provisions, 
individuals affected by a breach at a transfer agent may receive notice 
from the issuer and the transfer agent with respect to the same breach. 
Moreover, transfer agents subject to the Banking Agencies' Incident 
Response Guidance may send notices under those provisions as well, and 
it is possible that an issuer may also send notices to securityholders, 
pursuant to State law or other

[[Page 47721]]

requirements. We acknowledge that these existing provisions, coupled 
with the requirements of the final amendments, may result in multiple 
notices being sent for the same incident. That said, as explained 
above, we have modified the final amendments to minimize the likelihood 
of multiple notices being sent by covered institutions for the same 
incident.\373\
---------------------------------------------------------------------------

    \373\ See supra section II.A.3.a.
---------------------------------------------------------------------------

    Regardless, we do not agree that individuals who receive a notice 
from both a transfer agent and the issuer with respect to the same 
breach or who are contacted by a transfer agent on behalf of another 
institution will be confused. Any potential confusion could be 
ameliorated through a clear description of the specific incident that 
would allow an individual to determine whether it is covered by a 
notice from any covered institution.\374\ Rather than create confusion, 
as some commenters assert, the final amendments will establish a 
Federal minimum standard for covered institutions, thereby reducing any 
extant or potential confusion. As discussed in the proposal, there are 
variations in existing State laws regarding a firm's duty to 
investigate a data breach, the specific events that trigger when notice 
of a breach is required, the timing of any such notices, and other 
details of a notice. The Federal minimum standard established by the 
final amendments will eliminate this confusion by ensuring that all 
affected securityholders receive an appropriate notice, regardless of 
the securityholder's State of residence, thereby enhancing investor 
protection overall. This benefit justifies the remote risk of potential 
confusion suggested by some commenters.
---------------------------------------------------------------------------

    \374\ It is possible that customers may not be aware of their 
relationship with a transfer agent or otherwise may not recognize 
the transfer agent and therefore could read the notification as a 
phishing attempt or another nefarious scheme. See infra section 
IV.D.2.b.
---------------------------------------------------------------------------

3. Maintaining the Current Regulatory Framework for Notice-Registered 
Broker-Dealers
    The final amendments will, as proposed, contain a number of 
amendments to Regulation S-P that result in the continuation of the 
same regulatory treatment for notice-registered broker-dealers as they 
were subject to under the existing safeguards rule and disposal 
rule.\375\ Specifically, notice-registered broker-dealers are 
explicitly excluded from the scope of the disposal rule,\376\ but 
subject to the safeguards rule. However, under substituted compliance 
provisions, notice-registered broker-dealers are deemed to comply with 
the safeguards rule (and all other aspects of Regulation S-P, other 
than the disposal rule) if they are subject to, and comply with, the 
financial privacy rules of the CFTC,\377\ including similar obligations 
to safeguard customer information.\378\ The Commission initially 
adopted substituted compliance provisions with regard to the safeguards 
rule in acknowledgment that notice-registered broker-dealers are 
subject to primary oversight by the CFTC, and to mirror similar 
substituted compliance provisions afforded by the CFTC to broker-
dealers registered with the Commission.\379\ When the Commission later 
adopted the disposal rule, it excluded notice-registered broker-dealers 
from the rule's scope, stating its belief that Congress did not intend 
for the Commission's FACT Act rules to apply to entities subject to 
primary oversight by the CFTC.\380\ For these reasons, the Commission 
tailored the proposal to ensure there would be no change in the 
treatment of notice-registered broker-dealers under the safeguards rule 
and the disposal rule.\381\
---------------------------------------------------------------------------

    \375\ Notice-registered broker-dealers are futures commission 
merchants and introducing brokers registered with the CFTC that are 
permitted to register as broker-dealers by filing a notice with the 
Commission for the limited purpose of effecting transactions in 
security futures products. See Registration of Broker-Dealers 
Pursuant to section 15(b)(11) of the Securities Exchange Act of 
1934, Exchange Act Release No. 44730 (Aug. 21, 2001) [66 FR 45138 
(Aug. 27, 2001)] (``Notice-Registered Broker-Dealer Release'').
    \376\ See 17 CFR 248.30(b)(2)(i).
    \377\ See 17 CFR 248.2(c) and 248.30(b). Under the substituted 
compliance provision in rule 248.2(c), notice-registered broker-
dealers operating in compliance with the financial privacy rules of 
the CFTC are deemed to be in compliance with Regulation S-P, except 
with respect to Regulation S-P's disposal rule (currently rule 
248.30(b)).
    \378\ See 17 CFR 160.30.
    \379\ See Notice-Registered Broker-Dealer Release; see also 
CFTC, Privacy of Customer Information [66 FR 21236 (Apr. 27, 2001)].
    \380\ See Proposing Release at n.203.
    \381\ This approach will provide notice-registered broker-
dealers with the benefit of consistent regulatory treatment under 
Regulation S-P, without imposing any additional costs, while also 
maintaining the same investor protections that the customers of 
notice-registered broker-dealers currently receive. To the extent 
notice-registered broker-dealers opt to comply with Regulation S-P 
and the proposed safeguards rule rather than avail themselves of 
substituted compliance by complying with the CFTC's financial 
privacy rules, the benefits and costs of complying with the proposed 
rule would be the same as those for other broker-dealers. Notice-
registered broker-dealers should not face additional costs under the 
final rule related to the disposal rule, as they would remain 
excluded from its scope. See Proposing Release.
---------------------------------------------------------------------------

    No comments were received regarding the treatment of notice-
registered broker-dealers under the safeguards rule and the disposal 
rule. For the reasons outlined in the Proposing Release, the Commission 
is adopting the amendments as proposed.\382\ Specifically, as proposed, 
the definition of a ``covered institution'' includes ``any broker or 
dealer,'' without excluding notice-registered broker-dealers, thus 
ensuring that Regulation S-P's substituted compliance provisions still 
apply to notice-registered broker-dealers with respect to the 
safeguards rule.\383\ In addition, the final amendments include the 
``covered institution'' defined term within the disposal rule, while 
retaining the disposal rule's existing exclusion for notice-registered 
broker-dealers.\384\
---------------------------------------------------------------------------

    \382\ See Proposing Release at Section II.C.4.
    \383\ See proposed rule 248.30(e)(3); see also 17 CFR 248.2(c).
    \384\ See proposed rule 248.30(c)(1). As we are not adopting the 
paragraph in proposed rule 248.30(a), we are similarly not adopting 
the proposed technical amendment to 17 CFR 248.2(c), which, as to 
the disposal rule, provides an exception from the substituted 
compliance regime afforded to notice-registered broker-dealers for 
Regulation S-P. See proposed rule 248.2(c); see also discussion on 
Scope of Information Protected supra Section II.B.1. This proposed 
technical amendment was intended to reflect the proposed shift in 
the disposal rule's citation from paragraph (b) of rule 248.30 to 
paragraph (c) of rule 248.30, to ensure continuity in the treatment 
of notice-registered broker-dealers under Regulation S-P. As the 
final amendments will not result in such a shift to the disposal 
rule's citation, this proposed technical amendment has been rendered 
unnecessary.
---------------------------------------------------------------------------

C. Recordkeeping

    We are adopting amendments to require covered institutions to make 
and maintain written records documenting compliance with the 
requirements of the safeguards rule and of the disposal rule as 
outlined in the table below (collectively, ``recordkeeping 
requirements'').\385\ We are adopting these amendments substantially as 
proposed, but, in response to a comment, with modifications designed to 
provide additional specificity to the scope of certain of the 
recordkeeping requirements as discussed below. The table below reflects 
the time periods that covered institutions will be

[[Page 47722]]

required to preserve these records, which are as proposed. These times 
vary by covered institution but are consistent with existing 
recordkeeping rules for these entities to the extent they have pre-
existing recordkeeping obligations.
---------------------------------------------------------------------------

    \385\ As discussed previously, pursuant to Regulation 
Crowdfunding, funding portals must comply with the requirements of 
Regulation S-P as they apply to brokers. Funding portals are not, 
however, subject to the recordkeeping obligations for brokers found 
under Rule 17a-4. See 17 CFR 240.17a-4; see also supra footnote 5 
and accompanying text. Instead, funding portals are already 
obligated, pursuant to Rule 404 of Regulation Crowdfunding, to make 
and preserve all records required to demonstrate their compliance 
with, among other things, Regulation S-P for five years, the first 
two years in an easily accessible place. See 17 CFR 227.404(a)(5). 
While the final amendments do not modify funding portals' 
recordkeeping requirements to include the same enumerated list of 
obligations as those applied to brokers under the amendments to Rule 
17a-4, funding portals generally should look to make and preserve 
the same scope of records in connection with demonstrating their 
compliance with this portion of Regulation S-P.

                                       Table 1--Recordkeeping Requirements
----------------------------------------------------------------------------------------------------------------
           Covered institution                        Rule                          Retention period
----------------------------------------------------------------------------------------------------------------
Registered Investment Companies.........  17 CFR 270.31a-1(b)........  Policies and Procedures. A copy of
                                          17 CFR 270.31a-2(a)........   policies and procedures in effect, or
                                                                        that at any time in the past six years
                                                                        were in effect, in an easily accessible
                                                                        place.
                                                                       Other records. Six years, the first two
                                                                        in an easily accessible place.
Unregistered Investment Companies \1\...  17 CFR 248.30(c)...........  Policies and Procedures. A copy of
                                                                        policies and procedures in effect, or
                                                                        that at any time in the past six years
                                                                        were in effect, in an easily accessible
                                                                        place.
                                                                       Other records. Six years, the first two
                                                                        in an easily accessible place.
Registered Investment Advisers..........  17 CFR 275.204-2(a)........  All records for five years, the first two
                                                                        in an easily accessible place.\2\
Broker-Dealers..........................  17 CFR 240.17a-4(e)........  All records for three years, in an easily
                                                                        accessible place.
Transfer Agents.........................  17 CFR 240.17ad-7(k).......  All records for three years, in an easily
                                                                        accessible place.
----------------------------------------------------------------------------------------------------------------
Note:
\1\ Regulation S-P applies to investment companies as the term is defined in section 3 of the Investment Company
  Act (15 U.S.C. 80a-3), whether or not the investment company is registered with the Commission. See 17 CFR
  248.3(r). Thus, a business development company, which is an investment company but is not required to register
  as such with the Commission, is subject to Regulation S-P. Similarly, employees' securities companies--
  including those that are not required to register under the Investment Company Act--are investment companies
  and are, therefore, subject to Regulation S-P. By contrast, issuers that are excluded from the definition of
  investment company--such as private funds that are able to rely on section 3(c)(1) or 3(c)(7) of the
  Investment Company Act--are not subject to Regulation S-P.
\2\ All books and records required to be made under the provision of 17 CFR 275.204-2(a) must be maintained and
  preserved in an easily accessible place for a period of not less than five years. 17 CFR 275.204-2(e).

    These recordkeeping requirements should aid covered institutions in 
periodically reassessing the effectiveness of their safeguarding and 
disposal programs by helping to ensure that those institutions have the 
records needed to perform that assessment. Additionally, maintenance of 
these records for sufficiently long periods of time and in accessible 
locations will help the Commission and its staff to monitor compliance 
with the requirements of the amended rules. We received one comment 
broadly in support of these recordkeeping requirements.\386\
---------------------------------------------------------------------------

    \386\ ICI Comment Letter.
---------------------------------------------------------------------------

    The text of the proposed recordkeeping rules were worded 
differently for different covered institutions. For example, the 
proposed recordkeeping rule text for broker-dealers and transfer agents 
detailed the specific records to be kept whereas the proposed rule for 
advisers stated that advisers would be required to make and keep true, 
accurate and current a copy of the written records documenting 
compliance with the requirements of the safeguards and disposal 
rules.\387\ The Commission sought comment on whether the detailed 
requirements proposed for broker-dealers and transfer agents should be 
included in the recordkeeping rules for other covered entities. While 
no commenter specifically responded to this request, one commenter did 
suggest that a clarification of the adviser recordkeeping rule could 
assist in understanding their obligations under the rule.\388\ We are 
modifying the text of the proposed recordkeeping rules for registered 
investment advisers and registered and unregistered investment 
companies to provide in the final amendments the same detailed 
description as found in the rule text for broker-dealers and transfer 
agents. This should provide specificity as to what records are required 
to be kept under all of the recordkeeping rules.\389\ In addition, and 
in a change from the proposal, we are modifying the final rules to 
require a covered institution to retain any written documentation from 
the Attorney General related to a delay in notice.\390\ This should 
help ensure that a covered institution can justify a valid delay in 
sending notifications to affected individuals and aid the Commission's 
examination and oversight program.
---------------------------------------------------------------------------

    \387\ See proposed 17 CFR 240.17a-4, 17 CFR 240.17ad-7, and 17 
CFR 275.204-2.
    \388\ IAA Comment Letter.
    \389\ See Proposing Release at section II.D.
    \390\ See e.g., final 17 CFR 240.17a-4(e)(14)(iii) and final 
rule 248.30(c)(iii).
---------------------------------------------------------------------------

    The records that will be required under these amendments are:

     Written policies and procedures required to be adopted 
and implemented pursuant to final rule 248.30(a)(1), which requires 
policies and procedures to address administrative, technical, and 
physical safeguards for the protection of customer information;
     Written documentation of any detected unauthorized 
access to or use of customer information, as well as any response 
to, and recovery from such unauthorized access to or use of customer 
information required by final rule 248.30(a)(3);
     Written documentation of any investigation and 
determination made regarding whether notification to affected 
individuals is required pursuant to final rule 248.30(a)(4), 
including the basis for any determination made, any written 
documentation from the Attorney General related to a delay in 
notice, as well as a copy of any notice transmitted following such 
determination; \391\
---------------------------------------------------------------------------

    \391\ Covered institutions are required to preserve a copy of 
any notice transmitted following the determination required under 
the final amendments, including those notices provided by the 
service provider to the covered institution's customers on behalf of 
the covered institution. See e.g., final 17 CFR 270.31a-
1(b)(13)(iii) (requiring registered investment companies to keep a 
copy of ``any notice transmitted following such determination'') 
(emphasis added); see also supra Section II.A.4.c.
---------------------------------------------------------------------------

     Written policies and procedures required to be adopted 
and implemented pursuant to final rule 248.30(a)(5)(i), which 
requires policies and procedures to oversee, monitor, and conduct 
due diligence on service providers, including to ensure that the 
covered institution is notified when a breach in security has 
occurred at the service provider;
     Written documentation of any contract or agreement 
between a covered institution and a service provider entered into 
pursuant to final rule 248.30(a)(5); and
     Written policies and procedures required to be adopted 
and implemented pursuant to final rule 248.30(b)(2), which requires 
policies and procedures to address the proper disposal of consumer 
information and customer information.

    The records that will be required include records of policies and 
procedures under the safeguards rule that address administrative, 
technical, and physical safeguards for the protection of customer 
information.\392\ The requirements will also include

[[Page 47723]]

records documenting, among other things: (i) a covered institution's 
assessments of the nature and scope of any incidents involving 
unauthorized access to or use of customer information; (ii) steps taken 
to contain and control such incidents; and (iii) a covered 
institution's notifications to affected individuals consistent with the 
requirements of the final amendments as discussed above, or, where 
applicable, any determination that notification is not required after a 
reasonable investigation of the incident.\393\ Records required to be 
made and maintained will also include records of those written policies 
and procedures associated with the service provider notification 
requirements of the final amendments as well as related records of 
written contracts and agreements between the covered institution and 
the service provider.\394\
---------------------------------------------------------------------------

    \392\ See, e.g., final 17 CFR 240.17a-4(e)(14)(i) and final 17 
CFR 270.31a-1(b)(13)(i); see also final rule 248.30(a)(1).
    \393\ See, e.g., final 17 CFR 17a-4(e)(14)(ii) and (iii) and 
final 17 CFR 270.31a-1(b)(13)(ii) and (iii); see also final rule 
248.30(a)(3)(i) through (iii).
    \394\ See, e.g., final 17 CFR 17a-4(e)(14)(iv) and (v) and final 
17 CFR 270.31a-1(b)(13)(iv) and (v); see also final rule 
248.30(a)(5)(i) through (ii).
---------------------------------------------------------------------------

    The disposal rule, as amended, will require that every covered 
institution adopt and implement written policies and procedures that 
address the proper disposal of consumer information and customer 
information.\395\ The only record required under the final amendments 
for purposes of the disposal rule is these written policies and 
procedures.\396\
---------------------------------------------------------------------------

    \395\ See final rule 248.30(b)(2). While the disposal rule does 
not currently require covered institutions to adopt and implement 
written policies and procedures, those adopted pursuant to the 
current safeguards rule should already cover disposal. See Disposal 
Rule Adopting Release at text accompanying n.20 (``proper disposal 
policies and procedures are encompassed within, and should be a part 
of, the overall policies and procedures required under the safeguard 
rule.''). Therefore, rule 248.30(b)(2) is intended primarily to seek 
sufficient documentation of policies and practices addressing the 
specific provisions of the disposal rule.
    \396\ See, e.g., final 17 CFR 17a-4(e)(14)(vi) and final 17 CFR 
270.31a-1(b)(13)(vi); see also final rule 248.30(b)(2).
---------------------------------------------------------------------------

D. Exception From Requirement To Deliver Annual Privacy Notice

    Currently, Regulation S-P generally requires broker-dealers, 
investment companies, and registered investment advisers to provide 
customers with annual notices informing them about the institutions' 
privacy practices (``annual privacy notice'').\397\ The Commission is 
adopting as proposed amendments to conform Regulation S-P to the 
requirements of the Fixing America's Surface Transportation Act (``FAST 
Act''),\398\ which provides an exception to the annual privacy notice 
required by Regulation S-P, provided certain requirements are met. As 
proposed, we are amending Regulation S-P to include an exception to the 
annual privacy notice requirement if the institution (1) only provides 
non-public personal information to non-affiliated third parties when an 
exception to third-party opt-out applies and (2) the institution has 
not changed its policies and practices with regard to disclosing non-
public personal information from its most recent disclosure sent to 
customers.\399\ The amendments also, as proposed, provide the timing 
for when an institution must resume providing annual privacy notices in 
the event that the institution changes its policies and practices such 
that the exception no longer applies. We received one comment 
supporting the proposed exception and timing requirements.\400\
---------------------------------------------------------------------------

    \397\ 17 CFR 248.4; 248.5. ``Annually'' for these purposes is 
defined as at least once in any period of 12 consecutive months 
during which that relationship exists. Institutions are permitted to 
define the 12-consecutive-month period, but must apply it to the 
customer on a consistent basis. 17 CFR 248.5(a)(1). The institution 
does not need to provide an annual notice in addition to an initial 
notice in the same 12-month period.
    \398\ Public Law 114-94, Sec. 75001, 129 Stat. 1312 (2015) 
(adding section 503(f) to the GLBA, codified at 15 U.S.C. 6803(f)).
    \399\ See final 17 CFR 248.5(e)(1).
    \400\ ICI Comment Letter.
---------------------------------------------------------------------------

    We are adopting as proposed amendments to the annual notice 
provision requirement of Regulation S-P to include the exception to the 
annual notice delivery added by the statutory exception Congress 
enacted in the FAST Act. The statutory exception states that a 
financial institution that meets the requirements for the annual 
privacy notice exception will not be required to provide annual privacy 
notices ``until such time'' as that financial institution fails to 
comply with the conditions to the exception, but does not specify a 
date by which the annual privacy notice delivery must resume.\401\ The 
amended timing requirements are designed to be consistent with the 
existing timing requirements for privacy notice delivery in Regulation 
S-P. Specifically, if the change in policies and practices will also 
result in the institution being required to send a revised privacy 
notice under the current requirements, the revised notice will be 
treated as an initial notice for the purpose of the timing requirement 
and the institution will be required to resume notices at the same time 
it otherwise provides annual privacy notices.\402\ If a revised notice 
is not required, the institution will be required to resume providing 
annual privacy notices within 100 days of the change. The amendments 
allow institutions to preserve their existing approach to selecting a 
delivery date for annual privacy notices, thereby avoiding the 
potential burdens of determining delivery dates based on a new approach 
and any 100-day period will accommodate the institution delivering the 
privacy notice alongside any quarterly reporting to customers. The 
amendments also are intended to be consistent with existing privacy 
notice delivery requirements of the CFTC, CFPB, and FTC.\403\
---------------------------------------------------------------------------

    \401\ See supra footnote 398.
    \402\ See 17 CFR 248.8.
    \403\ See 17 CFR 160.5(D) (CFTC); 12 CFR 1016.5(e)(2) (CFPB); 16 
CFR 313.5(e)(2) (FTC). See also CFTC, Privacy of Consumer Financial 
Information--Amendment to Conform Regulations to the Fixing 
America's Surface Transportation Act, 83 FR 63450 (Dec. 10, 2018), 
at n.17; CFPB, Amendment to the Annual Privacy Notice Requirement 
Under the Gramm-Leach-Bliley Act (Regulation P) 83 FR 40945 (Aug. 
17, 2018); FTC, Privacy of Consumer Financial Information Rule Under 
the Gramm-Leach-Bliley Act, 84 FR 13150 (Apr. 4, 2019).
---------------------------------------------------------------------------

E. Existing Staff No-Action Letters and Other Staff Statements

    As stated in the Proposing Release, certain staff letters and other 
staff statements addressing Regulation S-P and other matters covered by 
the final amendments may be withdrawn or rescinded in connection with 
this adoption. Upon the compliance date of these rules, staff letters 
and other staff statements, or portions thereof, will be withdrawn or 
rescinded to the extent that they are moot, superseded, or otherwise 
inconsistent with the rules. This may include the letters and 
statements below. To the extent any staff statement is inconsistent or 
conflicts with the requirements of the rules, even if not specifically 
identified below, that statement is superseded.

                     Table 2--Letters and Statements
------------------------------------------------------------------------
        Name of letter or statement                  Date issued
------------------------------------------------------------------------
Staff Responses to Questions about          Jan. 23, 2003.
 Regulation S-P.
Certain Disclosures of Information to the   Mar. 11, 2011; Dec. 11,
 CFP Board.                                  2014.
Investment Adviser and Broker-Dealer        Apr. 16, 2019.
 Compliance Issues Related to Regulation S-
 P--Privacy Notices and Safeguard Policies.
------------------------------------------------------------------------

F. Compliance Period

    The Commission is providing an 18-month compliance period after the 
date of publication in the Federal Register for larger entities, and a 
24-month compliance period after the date of publication in the Federal 
Register for

[[Page 47724]]

smaller entities. Table 3 below outlines which entities will be 
considered ``larger entities'' for these purposes. Smaller entities 
will be those covered institutions that do not meet these standards. 
The Commission generally has approved similar tiered compliance dates 
with respect to smaller versus larger entities in the past and, in our 
experience, these thresholds are a reasonable means of distinguishing 
larger and smaller entities for purposes of tiered compliance dates for 
rules affecting these entities.\404\
---------------------------------------------------------------------------

    \404\ See, e.g., Investment Company Names, Investment Company 
Act Release No. 35000 (Sept. 20, 2023) [88 FR 70436 (Oct. 27, 
2023)]; Investment Company Reporting Modernization, Investment 
Company Act Release No. 32314 (Oct. 13, 2016) [81 FR 81870 (Nov. 18, 
2016)]; Investment Company Liquidity Risk Management Programs, 
Investment Company Act Release No. 32315 (Oct. 13, 2016) [81 FR 
82142 (Nov. 18, 2016)]; Inline XBRL Filing of Tagged Data, 
Securities Act Release No. 10514 (June 28, 2018) [83 FR 40846 (Sept. 
17, 2018)]; and Private Fund Advisers; Documentation of Registered 
Investment Adviser Compliance Reviews, Investment Advisers Act 
Release No. 6383 (Aug. 23, 2023) [88 FR 63206 (Sept. 14, 2023)].

                 Table 3--Designation of Larger Entities
------------------------------------------------------------------------
                                          Qualification to be considered
                 Entity                        a ``larger entity''
------------------------------------------------------------------------
Investment companies together with       Net assets of $1 billion or
 other investment companies in the same   more as of the end of the most
 group of related investment companies    recent fiscal year.
 \1\.
Registered investment advisers \2\.....  $1.5 billion or more in assets
                                          under management.
Broker-dealers \3\.....................  All broker-dealers that are not
                                          small entities under the
                                          Securities Exchange Act for
                                          purposes of the Regulatory
                                          Flexibility Act.
Transfer agents \4\....................  All transfer agents that are
                                          not small entities under the
                                          Securities Exchange Act for
                                          purposes of the Regulatory
                                          Flexibility Act.
------------------------------------------------------------------------
Note:
\1\ ``Group of related investment companies'' is as defined in 17 CFR
  270.0-10. We estimate that, as of September 2023, 77% of registered
  investment companies would be considered to be larger entities. This
  estimate is based on data reported in response to Items B.5, C.19, and
  F.11 on Form N-CEN.
\2\ We estimate that, as of September 2023, 23% of registered investment
  advisers would be considered to be larger registered investment
  advisers. This estimate is based on data reported in response to Items
  2.A and 5.F.2.(c) on Form ADV.
\3\ A broker or dealer is a small entity if it: (i) had total capital of
  less than $500,000 on the date in its prior fiscal year as of which
  its audited financial statements were prepared or, if not required to
  file audited financial statements, on the last business day of its
  prior fiscal year; and (ii) is not affiliated with any person that is
  not a small entity. This threshold was chosen to include all broker-
  dealers who do not fall within the definition of a small entity under
  the Regulatory Flexibility Act (5 U.S.C. 553). Based upon FOCUS
  filings for the third quarter of 2023, we estimate approximately 77%
  of broker-dealers, not including funding portals, would be considered
  larger entities. Based upon staff analysis and review of public
  filings, we estimate approximately 3% of funding portals would be
  considered larger entities.
\4\ A transfer agent is a small entity if it: (i) received less than 500
  items for transfer and less than 500 items for processing during the
  preceding six months; (ii) transferred items only of issuers that are
  small entities; (iii) maintained master shareholder files that in the
  aggregate contained less than 1,000 shareholder accounts or was the
  named transfer agent for less than 1,000 shareholder accounts at all
  times during the preceding fiscal year; and (iv) is not affiliated
  with any person that is not a small entity. 17 CFR 240.0-10. This
  threshold was chosen to include all transfer agents who do not fall
  within the definition of a small entity under the Regulatory
  Flexibility Act. Based on the number of transfer agents that reported
  a value of fewer than 1,000 for items 4(a) and 5(a) on Form TA-2 filed
  with the Commission as of September 30, 2023, we estimate
  approximately 132 transfer agents may be considered small entities, of
  315 total registered transfer agents. See infra section VI.

    We proposed a 12-month transition period from the effective date 
for all covered institutions, regardless of asset size, and we 
solicited comment on whether the compliance period should be shorter or 
longer, and whether it should be the same for all covered institutions. 
Commenters that addressed this aspect of the proposal urged the 
Commission to provide additional time, generally suggesting a two-year 
or three-year period to provide time for covered institutions to 
prepare to comply with the rule's requirements.\405\ Commenters 
suggested that the proposed compliance period underestimates the time 
it would take to implement any final rule.\406\ In particular, 
commenters expressed that advisers will need to holistically reassess 
their current service provider infrastructure and may need time to find 
new service providers or renegotiate terms of service provider 
agreements in order to comply with the rule's requirements.\407\ 
Separately, two commenters urged the Commission to consider a tiered 
compliance period that staggers the compliance date based on firm size, 
with larger firms having to comply with the rule's requirements prior 
to smaller firms.\408\ These commenters asserted that a longer 
compliance period for smaller broker-dealers and investment advisers 
would allow these firms to benefit from the implementation of larger 
industry participants.
---------------------------------------------------------------------------

    \405\ See, e.g., SIFMA Comment Letter 2; Computershare Comment 
Letter; ICI Comment Letter 1; Federated Comment Letter; Google 
Comment Letter.
    \406\ See, e.g., IAA Comment Letter 1; FII Comment Letter; SIFMA 
Comment Letter 2; ICI Comment Letter 1; see also IAA Comment Letter 
2 (stating that ``advisers would need to holistically reassess their 
current service provider infrastructure and undergo the time-
consuming and expensive process of negotiating terms with each 
Service Provider, re-evaluate their current policies, procedures, 
and practices in light of any new requirements, prepare for new and/
or different client notification obligations, and create and 
implement modified written incident response program policies and 
procedures and recordkeeping requirements'').
    \407\ See, e.g., Google Comment Letter; Federated Comment 
Letter; SIFMA Comment Letter 2; AWS Comment Letter; FII Comment 
Letter.
    \408\ IAA Comment Letter 1; FSI Comment Letter.
---------------------------------------------------------------------------

    We have taken commenter concerns into account in determining the 
compliance schedule,\409\ and we are adopting a compliance period of 
18-months following the date of publication of the final amendments in 
the Federal Register for larger entities, and 24-months following the 
date of publication in the Federal Register for smaller entities.\410\ 
The compliance period we are adopting is designed to

[[Page 47725]]

strike the appropriate balance between allowing covered institutions 
adequate time to establish or adjust their data notification compliance 
practices and allowing customers and investors to benefit from the 
amended Regulation S-P framework. Taking concerns of smaller entities 
into account, smaller entities will benefit from having an additional 
six months to come into compliance with the final amendments, based on 
feedback from commenters and to the extent that smaller entities may 
face additional or different challenges in coming into compliance with 
the final amendments than larger entities. Although we are providing 
for a longer compliance period than proposed, we are not providing more 
than 18 or 24 months, as suggested by some commenters, because we have 
made modifications from the proposal that should alleviate commenters' 
concerns related to time needed to establish and implement processes to 
comply with the final amendments. In a modification from the proposal, 
the final amendments will no longer require covered institutions to 
have a written contract with its service providers mandating that 
service providers take appropriate measures to protect against 
unauthorized access to or use of customer information, but will instead 
require covered institutions to establish written policies and 
procedures reasonably designed to oversee, monitor, and conduct due 
diligence on service providers.\411\ Accordingly, the compliance dates 
will provide an appropriate amount of time for covered institutions to 
comply with the final amendments.
---------------------------------------------------------------------------

    \409\ ICI Comment Letter 1; Schulte Comment Letter; IAA Comment 
Letter 2 (asserting that the Commission's new rules could 
potentially require investment advisers to establish and implement 
new regulatory requirements during compressed and overlapping 
compliance periods while attempting to comply with existing ongoing 
regulatory obligations). For further discussion of other recent 
Commission rules that may have overlapping compliance periods for 
some covered entities, as well as the potential associated costs 
associated with implementing multiple rules at once, see infra 
section IV.
    \410\ With respect to the compliance period, commenters 
requested the Commission consider interactions between the proposed 
rule and other recent Commission rules. In determining compliance 
dates, the Commission considers the benefits of the rules as well as 
the costs of delayed compliance dates and potential overlapping 
compliance dates. For the reasons discussed throughout the release, 
to the extent that there are costs from overlapping compliance 
dates, the benefits of the rule justify such costs. See infra 
section IV for a discussion of the interactions of the final 
amendments with certain other Commission rules.
    \411\ See supra section II.A.4.
---------------------------------------------------------------------------

III. Other Matters

    Pursuant to the Congressional Review Act,\412\ the Office of 
Information and Regulatory Affairs has designated the final amendments 
as a ``major rule'' as defined by 5 U.S.C. 804(2). If any of the 
provisions of these rules, or the application thereof to any person or 
circumstance, is held to be invalid, such invalidity shall not affect 
other provisions or application of such provisions to other persons or 
circumstances that can be given effect without the invalid provision or 
application.
---------------------------------------------------------------------------

    \412\ 5 U.S.C. 801 et seq.
---------------------------------------------------------------------------

IV. Economic Analysis

A. Introduction

    The Commission is mindful of the economic effects, including the 
benefits and costs, of the adopted amendments. Section 3(f) of the 
Exchange Act, section 2(c) of the Investment Company Act, and section 
202(c) of the Investment Advisers Act provide that when engaging in 
rulemaking that requires us to consider or determine whether an action 
is necessary or appropriate in or consistent with the public interest, 
to also consider, in addition to the protection of investors, whether 
the action will promote efficiency, competition, and capital formation. 
Section 23(a)(2) of the Exchange Act also requires us to consider the 
effect that the rules will have on competition and prohibits us from 
adopting any rule that would impose a burden on competition not 
necessary or appropriate in furtherance of the Exchange Act. The 
analysis below addresses the likely economic effects of the final 
amendments, including the anticipated and estimated benefits and costs 
of the amendments and their likely effects on efficiency, competition, 
and capital formation. The Commission also discusses the potential 
economic effects of certain alternatives to the approaches taken in 
this adoption.
    The final amendments require every broker-dealer,\413\ every 
funding portal,\414\ every investment company, every registered 
investment adviser, and every transfer agent to notify affected 
customers of certain data breaches.\415\ To that end, the final 
amendments require these covered institutions to develop, implement, 
and maintain written policies and procedures that include an incident 
response program that is reasonably designed to detect, respond to, and 
recover from unauthorized access to or use of customer 
information,\416\ and that includes a customer notification component 
for cases where sensitive customer information has been, or is 
reasonably likely to have been, accessed or used without 
authorization.\417\ The final amendments also define the scope of 
information covered by the safeguards rule and by the disposal 
rule,\418\ and extend the covered population to all transfer agents 
registered with the Commission or with another appropriate regulatory 
agency.\419\ Finally, the final amendments impose various related 
recordkeeping requirements,\420\ and include in the regulation an 
existing statutory exception to annual privacy notice 
requirements.\421\
---------------------------------------------------------------------------

    \413\ Notice-registered broker-dealers subject to and complying 
with the financial privacy rules of the CFTC will be deemed to be in 
compliance with the final provision through the substituted 
compliance provisions of Regulation S-P. See supra section II.B.3. 
As discussed above, unless otherwise stated, references elsewhere in 
this release to ``brokers'' or ``broker-dealers'' include funding 
portals. See supra footnote 5. For the purposes of this economic 
analysis, however, ``broker'' and ``broker-dealer'' do not include 
funding portals because the economic effects of the final amendments 
on funding portals differ in some respects from the effects on 
broker-dealers.
    \414\ Pursuant to Regulation Crowdfunding, funding portals 
``must comply with the requirements of [Regulation S-P] as they 
apply to brokers.'' See 17 CFR 227.403(b); see also supra footnote 5 
and accompanying text.
    \415\ Notification is required in the event that sensitive 
customer information was, or is reasonably likely to have been, 
accessed or used without authorization. See final rule 
248.30(a)(4)(i).
    \416\ As discussed above, ``customer information'' includes not 
only information of customers of the aforementioned entities, but 
also information of customers of other financial institutions in the 
possession of covered institutions. See supra section II.B.1 and 
final rule 248.30(d)(5)(i). In addition, with respect to transfer 
agents, ``customers'' refers to ``any natural person who is a 
securityholder of an issuer for which the transfer agent acts or has 
acted as a transfer agent.'' See final rule 248.30(d)(4)(ii).
    \417\ See final rule 248.30(a)(4); see also supra section II.A. 
Notice will not be required, however, if a covered institution has 
determined, after a reasonable investigation of the facts and 
circumstances of an incident of unauthorized access to or use of 
sensitive customer information, that sensitive customer information 
has not been, and is not reasonably likely to be, used in a manner 
that would result in substantial harm or inconvenience.
    \418\ Under the final amendments, the safeguards rule applies to 
``customer information'' and the disposal rule applies to ``consumer 
information'' and ``customer information.'' See final rule 
248.30(a)(1), 248.30(b), 248.30(d)(1), and 248.30(d)(5).
    \419\ See final rule 248.30(d)(3).
    \420\ See, e.g., final rule 17 CFR 275.204-2(a). See also supra 
section II.C and footnote 385.
    \421\ See final rule 248.5(e).
---------------------------------------------------------------------------

    The final amendments will affect covered institutions as well as 
customers who will receive the required notices. The final amendments 
will also have indirect effects on service providers that receive, 
maintain, process, or otherwise are permitted access to customer 
information on behalf of covered institutions: under the final 
amendments, unauthorized access to or use of sensitive customer 
information via service providers will fall under the customer 
notification requirement. The final amendments require that a covered 
institution's incident response program include the establishment, 
maintenance, and enforcement of written policies and procedures 
reasonably designed to require oversight, including through due 
diligence and monitoring, of service providers.\422\ These policies and 
procedures must be reasonably designed to ensure that service providers 
take appropriate measures to protect against unauthorized access to or 
use of customer information and provide notification to the covered 
institution of a breach of security resulting in

[[Page 47726]]

unauthorized access to a customer information system maintained by the 
service provider.\423\
---------------------------------------------------------------------------

    \422\ See final rule 248.30(a)(5).
    \423\ See id.
---------------------------------------------------------------------------

    The main economic effects of the final amendments will result from 
the notification and incident response program requirements applicable 
to all covered institutions.\424\ For reasons discussed later in this 
section, the extension of Regulation S-P to transfer agents will have 
more limited economic effects.\425\ Finally, we anticipate the 
recordkeeping requirements and the incorporation of the existing 
statutory exception to annual privacy notice requirements to have 
minimal economic effects, as discussed further below.\426\
---------------------------------------------------------------------------

    \424\ See infra sections IV.D.1.a and IV.D.1.b.
    \425\ See infra section IV.D.2.b.
    \426\ See infra sections IV.D.3 and IV.D.4.
---------------------------------------------------------------------------

    The main economic benefits of the final notification and incident 
response program requirements, as well as the extension of Regulation 
S-P to include all transfer agents, will result from enhanced 
protection of customer information. Customers will directly benefit 
from the opportunity to take appropriate mitigating actions to protect 
their accounts and information in the event of unauthorized access to 
or use of their sensitive information. Direct benefits will result from 
covered institutions allocating additional resources towards policies 
and procedures, information safeguards, and cybersecurity to comply 
with the final requirements. There may lastly be indirect benefits from 
covered institutions undertaking these actions to the extent they seek 
to avoid reputational harm resulting from the mandated notifications. 
These additional resources will contribute to reducing the exposure of 
covered institutions, and of the broader financial system, to incidents 
resulting in unauthorized access to or use of customer 
information.\427\ The main economic costs from these new requirements 
will be compliance costs related to the development and implementation 
of the required policies and procedures, reputational costs borne by 
firms that would not otherwise have notified customers of a data 
breach, and indirect costs from increased expenditures on additional 
safeguards for covered institutions who will choose to make such 
investments to avoid such reputational costs.\428\
---------------------------------------------------------------------------

    \427\ While the scope of the safeguards rule and of the final 
amendments is not limited to cybersecurity, in the contemporary 
context, their main economic effects are realized through their 
effects on cybersecurity. See infra footnote 507.
    \428\ Throughout this economic analysis, ``compliance costs'' 
refers to the direct costs that must be borne in order to avoid 
violating the Commission's rules. This includes costs related to the 
development of policies and procedures required by the regulation, 
costs related to delivery of the required notices, and the direct 
costs of any other required action. As used here, ``compliance 
costs'' excludes costs that are not required, but may nonetheless 
arise as a consequence of the Commission's rules (e.g., reputational 
costs resulting from disclosure of data breach, or increased 
cybersecurity spending aimed at avoiding such reputational costs).
---------------------------------------------------------------------------

    We anticipate that the economic benefits and costs of the final 
notification requirements will--in the aggregate--be limited because 
all States already require some form of customer notification of 
certain data breaches,\429\ and because many entities are likely to 
already have response programs in place.\430\ Many customers already 
receive some level of data breach notification under other laws. This 
means that the benefits and costs, both direct and indirect, will only 
accrue from actions taken by covered institutions that are not already 
required by existing rules or caused by existing competitive forces. 
The final amendments will, however, afford many individuals greater 
protections by, for example, defining ``sensitive customer 
information'' more broadly than the current definitions used by certain 
States; \431\ providing for a 30-day notification outside timeframe 
that is shorter than the timing currently mandated by many States, 
including States providing for no deadline or those allowing for 
various delays; \432\ and providing for a more robust notification 
trigger than in many States.\433\ The final amendments also limit the 
time a service provider can take to notify a covered institution of a 
breach to 72 hours, which is a shorter period of time than mandated by 
many States, allowing covered institutions to notify their customers 
faster if such notification is required under the final 
amendments.\434\ Further, in certain States, State customer 
notification laws do not apply to entities subject to or in compliance 
with the GLBA, and the final amendments will help ensure that customers 
residing in these States receive notice of a breach if it occurs.\435\ 
The final amendments will help ensure that all customers, regardless of 
where they reside, receive a minimum of information regarding a given 
breach affecting their information and are therefore equally able to 
take appropriate mitigating actions.
---------------------------------------------------------------------------

    \429\ See infra section IV.C.2.a.
    \430\ See infra sections IV.C.1 and IV.C.2.
    \431\ See infra section IV.D.1.b(3).
    \432\ See infra section IV.D.1.b(2).
    \433\ See infra section IV.D.1.b(4).
    \434\ Upon receipt of such a notification from a service 
provider, a covered institution must initiate its incident response 
program. This may or may not result in the covered institution 
having to notify customers. See final rule 248.30(a)(5)(i); infra 
section IV.D.1.c.
    \435\ See infra section IV.D.1.b(1).
---------------------------------------------------------------------------

    For these reasons, the final requirements will improve customers' 
knowledge of when their sensitive information has been compromised. 
Specifically, we expect that the adopted Federal minimum standard for 
notifying customers of certain types of data breaches, along with the 
preparation of written policies and procedures for incident response, 
will result in more customers being notified of these data breaches as 
well as faster notifications for some customers, and that both of these 
effects will improve customers' ability to act to protect their 
personal information. Moreover, such improved notification will--in 
many cases--become public and impose additional reputational costs on 
covered institutions that fail to safeguard customers' sensitive 
information. We expect that these potential additional reputational 
costs will increase the disciplining effect on covered institutions, 
incentivizing them to improve customer information safeguards and 
reduce their exposure to data breaches, thereby improving the 
resilience of the financial system more broadly.\436\ This will reduce 
economic inefficiency in that it will better align customers' and 
covered institutions' incentives to safeguard customer information, but 
will also result in new indirect costs for covered institutions who 
choose to undertake these improvements in order to avoid those 
potential reputational costs. In addition, by revealing when breaches 
occur, the final amendments will help provide customers with 
information on the effectiveness of covered institutions' customer 
information safeguards, further helping customers make better-informed 
decisions when choosing a covered institution.\437\
---------------------------------------------------------------------------

    \436\ As discussed below, the final amendments could result in 
unnecessary notification, which could lead to customer 
desensitization. See infra section IV.D.1. Unnecessary notification 
could decrease covered institutions' incentives to invest in 
customer information safeguards in order to avoid reputational costs 
if unnecessary notification, for example, desensitizes customers to 
notices. In that scenario, those reputational costs are themselves 
reduced as a result of unnecessary notification. See infra section 
IV.D.1.b(4) for a discussion of the effects of unnecessary 
notification.
    \437\ See infra section IV.B.
---------------------------------------------------------------------------

    To the extent that a covered institution does not have policies and 
procedures to safeguard customer information and respond to 
unauthorized access to or use of customer information, it will bear the 
costs to develop and implement the

[[Page 47727]]

required policies and procedures for the incident response 
program.\438\ Moreover, transfer agents--who were not subject to any of 
the customer information safeguard provisions of Regulation S-P prior 
to this adoption--will face additional compliance costs related to the 
development of policies and procedures that address administrative, 
technical, and physical safeguards for the protection of customer 
information.\439\
---------------------------------------------------------------------------

    \438\ See infra section IV.D.1 for a discussion of these costs.
    \439\ That is, they will face the compliance costs of the 
provisions of Regulation S-P not applicable to registered transfer 
agents before this adoption. See 17 CFR 248.30(a). In addition, 
transfer agents registered with a regulatory agency other than the 
Commission will face additional compliance costs to develop, 
implement, and maintain written policies and procedures that address 
the proper disposal of customer information, as these transfer 
agents were not subject to the disposal rule before this adoption. 
See 17 CFR 248.30(b); see also infra section IV.D.2.b for a 
discussion of these costs.
---------------------------------------------------------------------------

    As adopting policies and procedures involves fixed costs, doing so 
is very likely to impose a proportionately larger compliance cost on 
smaller covered institutions as compared to larger covered 
institutions.\440\ This may reduce smaller covered institutions' 
ability to compete with their larger peers, for whom the fixed costs 
are spread over more customers.\441\ However, given the considerable 
competitive challenges arising from economies of scale and scope 
already faced by smaller firms, we do not anticipate that the costs 
associated with this adoption will significantly alter these 
challenges. Similarly, although the final amendments may lead to 
improvements to capital formation, existing State rules are similar in 
many respects to the amendments, and so we do not expect the amendments 
to have a significant impact on capital formation vis-[agrave]-vis the 
baseline.\442\
---------------------------------------------------------------------------

    \440\ If both large and small covered institutions were to 
undertake the same compliance activities, the fixed costs associated 
with these activities would impose a proportionately larger 
compliance cost on smaller covered institutions. See infra footnote 
722. As discussed below, smaller covered institutions may have to 
undertake additional activities compared to larger covered 
institutions, which would result in additional burdens. See, e.g., 
infra section IV.D.1.a.
    \441\ See infra sections IV.D.1 and IV.E.
    \442\ We acknowledge, however, that the final amendments could 
have incremental effects on capital formation, and we discuss these 
effects below. See infra section IV.E.
---------------------------------------------------------------------------

    Many of the benefits and costs discussed below are difficult to 
quantify. Doing so would involve estimating the losses likely to be 
incurred by a customer in the absence of mitigation measures, the 
efficacy of mitigation measures implemented with a given delay, and the 
expected delay before notification can be provided under the final 
amendments. In general, data needed to arrive at such estimates are not 
available to the Commission. Thus, while we have attempted to quantify 
economic effects where possible, much of the discussion of economic 
effects is qualitative in nature.

B. Broad Economic Considerations

    In a market with complete information, customers are able to 
perfectly observe the quality of the goods and services being provided 
and the processes and service provider relationships by which they are 
being provided. Fully informed customers can then decide what level of 
quality of good or service to consume, based on their own personal 
preferences. In this context, one element of a financial service's 
quality is the customer information safeguards of the firm providing 
the service, which capture the likelihood of a customer's information 
being exposed in the event of a breach, as well as the firm's response 
to such a breach if it were to occur.\443\ Under this assumption, a 
customer is then able to choose a financial firm that offers a service 
of a quality that meets his or her preferences.\444\
---------------------------------------------------------------------------

    \443\ The response includes elements such as detection, 
assessment, recovery, and the communication of the breach to the 
firm's customers.
    \444\ For example, a customer may be particularly averse to risk 
and consequently choose a financial firm with a higher level of 
information safeguards, even if this firm's service is being 
provided for a higher price.
---------------------------------------------------------------------------

    In the context of covered institutions--firms whose services 
frequently involve custody of highly sensitive customer information--
the assumption of complete information is unrealistic. Customers have 
little visibility into the internal processes of a firm and those of 
its service providers, so it is impractical for them to directly 
observe the level of customer information safeguards that a firm is 
employing.\445\ In addition, customers generally do not know how a firm 
would respond to a breach, including whether and to what extent a firm 
would inform its customers about such breach.\446\ In fact, firms often 
lack incentives to voluntarily disclose when information breaches occur 
(and likely have substantial incentives to avoid such disclosures). 
Hence, customer information could be compromised without the customers 
being informed or with the customers being only partially 
informed.\447\ As a result, prospective customers have limited ability 
to choose a covered institution that is offering the service that most 
closely meets their needs. In addition, current customers may be paying 
for a service that is of lower quality than they expect.\448\ In both 
cases, customers have limited ability to avoid covered institutions 
that fail to protect customer information to the level expected by 
these customers.\449\ Hence, this information asymmetry prevents market 
forces from penalizing covered institutions that fail to protect 
customer information, and therefore prevents market forces from 
yielding economically efficient outcomes. This market failure serves as 
the economic rationale for this regulatory intervention.
---------------------------------------------------------------------------

    \445\ As discussed below, customers already receive some 
information on covered institutions' customer information safeguards 
and disclosure of nonpublic personal information to third parties. 
See infra section IV.C.2.c.
    \446\ Even if a firm has been the subject of a breach in the 
past, it may have changed its procedures since the last breach. In 
this case, even knowing the firm's response to a previous breach 
would not be fully informative to customers.
    \447\ Here, customers are ``partially informed'' if the 
information they receive about the breach is not sufficient to allow 
them to take appropriate mitigating actions.
    \448\ It could also be the case that the true quality of the 
service is higher than what customers expect. In this case, the 
customers would not be harmed, but the firm would not be fully 
realizing the benefits from its investment in customer information 
safeguards.
    \449\ The release of information about data breaches can lead to 
loss of customers, reputational harm, litigation, or regulatory 
scrutiny. See, e.g., U.S. Fed. Trade Comm'n, Press Release, Equifax 
to Pay $575 Million as Part of Settlement with FTC, CFPB, and States 
Related to 2017 Data Breach (July 22, 2019), available at https://www.ftc.gov/news-events/news/press-releases/2019/07/equifax-pay-575-million-part-settlement-ftc-cfpb-states-related-2017-data-breach. 
See also James Mackay, 5 Damaging Consequences of Data Breach: 
Protect Your Assets (Dec. 15, 2023), available at https://www.metacompliance.com/blog/data-breaches/5-damaging-consequences-of-a-data-breach (stating that research has shown that up to a third 
of customers in retail, finance and healthcare would stop doing 
business with organizations that have been breached and that 85% 
would tell others about their experience) and 2019 Consumer Survey: 
Trust and Accountability in the Era of Data Misuse, Ping Identity, 
available at https://www.pingidentity.com/en/resources/content-library/misc/3464-2019-consumer-survey-trust-accountability.html 
(last visited Apr. 9, 2024) (describing a survey of more than 4,000 
individuals across the U.S., U.K., Australia, France, and Germany 
which found that 81% of people would stop engaging with a brand 
online following a data breach; this includes 25% who would stop 
interacting with the brand in any capacity).
---------------------------------------------------------------------------

    The information asymmetry can lead to three inefficiencies. First, 
the information asymmetry about specific information breaches that have 
occurred prevents individual customers whose information has been 
compromised from taking timely actions (e.g., increased monitoring of 
account activity or placing blocks on credit reports) necessary to 
mitigate the potential

[[Page 47728]]

consequences of such breaches. Second, the information asymmetry about 
covered institutions' efforts at avoiding and limiting the consequences 
of such breaches can lead to customers choosing financial firms with 
levels of safeguards different from what they expect, which can result 
in customers choosing firms that they would not have otherwise chosen 
if provided with better information. Third, this asymmetry can also 
reduce covered institutions' incentives to sufficiently safeguard 
customer information. As a result, they could devote too little effort 
(i.e., ``underspend'') toward safeguarding this information, thereby 
increasing the probability of the information being compromised in the 
first place.\450\ This scenario is often characterized as a moral 
hazard problem. When an agent's actions cannot be observed or directly 
contracted for by the principal, it is difficult to induce the agent to 
supply the proper amounts of productive inputs.\451\ In other words, 
information asymmetry prevents covered institutions (the agents) that 
spend more effort on safeguarding customer information from having 
customers (the principals) recognize their extra efforts and therefore 
prevents the covered institutions from realizing some of the benefits 
associated with this additional effort.\452\ This reduces the 
incentives for covered institutions to exert effort towards 
safeguarding information.\453\
---------------------------------------------------------------------------

    \450\ For example, in a recent survey of financial firms, 58% of 
the respondents self-reported ``underspending'' on cybersecurity. 
See McKinsey & Co. and Institute of International Finance, IIF/
McKinsey Cyber Resilience Survey (Mar. 2020), available at https://www.iif.com/portals/0/Files/content/cyber_resilience_survey_3.20.2020_print.pdf (``IIF/McKinsey 
Report''). A total of 27 companies participated in the survey, with 
23 having a global footprint. Approximately half of respondents were 
European or U.S. Globally Systemically Important Banks (G-SIBs).
    \451\ See, e.g., Bengt Holmstrom, Moral Hazard and 
Observability, 10 Bell J. Econ. 74-91 (1979) (``It has long been 
recognized that a problem of moral hazard may arise when individuals 
engage in risk sharing under conditions such that their privately 
taken actions affect the probability distribution of the outcome [. 
. .]. The source of this moral hazard or incentive problem is an 
asymmetry of information among individuals that results because 
individual actions cannot be observed and hence contracted upon.''); 
Bengt Holmstrom, Moral Hazard in Teams, 13 Bell J. Econ. 324-340 
(1982) (``Moral hazard refers to the problem of inducing agents to 
supply proper amounts of productive inputs when their actions cannot 
be observed and contracted for directly.''). In other contexts, 
moral hazard refers to a party taking on excessive risk when knowing 
another party will be responsible for negative outcomes. This 
alternative definition may be viewed as a special case within the 
broader economic definition associated with the difficulty of 
contracting for privately taken actions. See, e.g., Adam Carpenter, 
Moral Hazard Definition, U.S. News (Aug. 11, 2022; updated Dec. 8, 
2023), available at https://money.usnews.com/investing/term/moral-hazard.
    \452\ Such benefits include attracting customers who are willing 
to pay more for enhanced security, thereby allowing these covered 
institutions to charge a higher price for their services.
    \453\ This is not to say that firms do not have any incentives 
to invest in customer information safeguards. As discussed below, 
firms themselves are hurt by incidents resulting in unauthorized 
access to or use of customer information and therefore have 
incentives to invest in safeguards even when these incidents remain 
unknown to their customers. See infra section IV.C.1.
---------------------------------------------------------------------------

    We expect the final amendments may mitigate the inefficiencies 
described above in several ways. First, by helping facilitate timely 
and informative notices to customers when their information is 
compromised, the amendments may mitigate information asymmetries around 
the compromise of information and improve customers' ability to take 
appropriate remedial actions. Second, by revealing when such events 
occur, the amendments may help customers draw inferences about a 
covered institution's efforts toward protecting customer information, 
which might help inform their choice of covered institution and reduce 
the probability of customers inadvertently choosing a firm that is less 
likely to meet their preferences or needs.\454\ This, in turn, might 
provide firms with greater incentives to exert effort toward protecting 
customer information,\455\ thereby mitigating the moral hazard problem. 
And, by imposing a regulatory requirement to develop, implement, and 
maintain policies and procedures, the final amendments might further 
enhance firms' cybersecurity preparations and will restrict firms' 
ability to limit efforts in these areas.
---------------------------------------------------------------------------

    \454\ In the case of transfer agents and funding portals, such 
effects would usually be mediated through security-issuing firms' 
choice of transfer agent or funding portal and therefore be less 
direct. Nonetheless we expect that, all else being equal, firms 
would prefer to avoid employing the services of transfer agents or 
funding portals that have been unable to prevent investors' 
information from being compromised.
    \455\ See, e.g., Richard J. Sullivan & Jesse Leigh Maniff, Data 
Breach Notification Laws, 101 Econ. Rev. 65 (2016) (``Sullivan & 
Maniff'').
---------------------------------------------------------------------------

    The effectiveness of the final amendments at mitigating these 
problems will depend on several factors. First, the effectiveness of 
the amendments will depend on the degree to which breach notification 
provides customers with sufficient actionable information in a 
sufficient timeframe to help them mitigate the effects of the 
compromise of sensitive customer information. Second, it will depend on 
customers' ability to draw inferences on a covered institution's 
protection of customer information based on the notifications they 
receive, or the absence thereof.\456\ Third, it will also depend on the 
degree to which the prospect of issuing such notices--and the prospect 
of the reputational harm, litigation, and regulatory scrutiny that 
could ensue--helps alleviate underspending on safeguarding customer 
information.\457\ These factors themselves depend on the extent to 
which covered institutions already have in place processes and 
practices that satisfy the final requirements and therefore on the 
extent to which the amendments will induce improvements to existing 
practices relative to the baseline.\458\
---------------------------------------------------------------------------

    \456\ Because breaches can happen even at firms with very high 
customer information safeguards, and because firms with very low 
levels of safeguards might never be victim of a breach, customers' 
ability to draw inferences could be limited.
    \457\ Although empirical evidence on the effectiveness of 
notification breach laws (that is, on how such laws help individuals 
mitigate the effects of a breach and how they prevent such breaches 
from occurring by influencing firms' levels of safeguards) is quite 
limited, extant studies suggest that such laws protect consumers 
from harm. See Sasha Romanosky et al., Do Data Breach Disclosure 
Laws Reduce Identity Theft?, 30 J. Pol'y Analysis & Mgmt 256 (2011); 
see also Sullivan & Maniff, supra footnote 455.
    \458\ This economic analysis presents evidence suggesting that 
the inefficiencies described above do exist in this context, and 
therefore suggesting that covered institutions' existing processes 
and practices can be improved. See infra footnote 464 and 
accompanying text for evidence that some notices do not currently 
contain sufficient information for customers to take appropriate 
mitigating actions and infra section IV.D.1.b(2) for evidence that 
such notices are sometimes sent with such delay as to make it 
difficult for customers to take ``timely'' mitigating actions; see 
also supra footnote 449 for evidence that customers would modify the 
firms with which they do business if they learned that this firm was 
the victim of a breach, suggesting that such customers do draw 
inferences on firms' customer information safeguards when learning 
that breaches occur and modify their behavior as a result; see also 
infra section IV.C.1 for evidence that some firms are currently 
underspending on cybersecurity.
---------------------------------------------------------------------------

    Some commenters supported generally the economic rationale in the 
Proposing Release.\459\ Some of these commenters expressed that the 
asymmetric information market failure was present in this context.\460\ 
Some

[[Page 47729]]

commenters stated that this market failure could lead to 
inefficiencies.\461\ One commenter stated that firms ``either seek to 
skirt notification requirements altogether or provide vague or 
confusing notifications,'' preventing affected individuals from taking 
timely actions, and that firms' self-interest could lead them to fail 
to notify customers affected by a breach.\462\ Another commenter stated 
its view that firms have a natural tendency to want to avoid making 
disclosures that could incur liability or lead to a loss of 
customers.\463\ Another commenter stated that beginning in the fourth 
quarter of 2021, less information started being included in data breach 
notices and that in 2022, only 34 percent of notices included 
information about the breaches and their victims.\464\ This commenter 
further added that this lack of actionable information in breach 
notices prevented individuals from effectively judging the risks they 
faced and from taking the appropriate actions to protect 
themselves.\465\ One commenter supported the economic rationale of the 
Proposing Release, stating that stronger notification requirements 
could effectively incentivize covered institutions to improve their 
data security practices in order to avoid the reputational harm 
associated with distributing breach notices.\466\
---------------------------------------------------------------------------

    \459\ See, e.g., Nasdaq Comment Letter; FSI Comment Letter.
    \460\ See, e.g., Better Markets Comment Letter (``But companies 
will not always disclose data breaches to affected individuals 
voluntarily. They may be concerned about the damage to their 
reputation and their bottom line from disclosing a breach.''); EPIC 
Comment Letter (``A company has better visibility than its consumers 
do into the threats to the privacy and security of consumer data 
entrusted to that company's custody; and the company's interests are 
not directly aligned with those of its consumers.''); Nasdaq Comment 
Letter (``Requiring various financial institutions and market 
entities to address these cybersecurity risks through policies and 
procedures, incident response programs, third-party management, 
notifications and/or public disclosures can promote transparency and 
consistency. Investors, issuers and other market participants 
benefit from healthy capital markets that promote trust and 
transparency.'').
    \461\ See, e.g., EPIC Comment Letter; Better Markets Comment 
Letter.
    \462\ See EPIC Comment Letter.
    \463\ See NASAA Comment Letter.
    \464\ See Better Markets Comment Letter, citing Identity Theft 
Resource Center, Data Breach Annual Report (Jan 2023), available at 
https://www.idtheftcenter.org/wp-content/uploads/2023/01/ITRC_2022-Data-Breach-Report_Final-1.pdf (``IRTC Data Breach Annual Report'').
    \465\ See Better Markets Comment Letter.
    \466\ See EPIC Comment Letter. This commenter also cited Federal 
Communications Commission (FCC), Data Breach Reporting Requirements, 
Proposed Rule, FCC 22-102, 88 FR 3953 (Jan. 23, 2023) (stating that 
the FCC ``anticipate[s] that requiring notification for accidental 
breaches will encourage telecommunications carriers to adopt 
stronger data security practices and will help us identify and 
confront systemic network vulnerabilities'').
---------------------------------------------------------------------------

    Other commenters disagreed with the economic rationale in the 
Proposing Release and stated that covered institutions' level of 
customer information safeguards and/or breach notification practices 
were already adequate, and that existing regulation made the amendments 
unnecessary.\467\ We disagree with these commenters that the amendments 
are unnecessary, even if some covered institutions may already have 
policies and procedures in place that satisfy the final amendments' 
requirements. We have discussed, here and in the Proposing Release, the 
information asymmetries that prevent customers from knowing whether or 
how they will be notified of a data breach and from choosing firms 
based on the level of their customer information safeguards.\468\ 
Furthermore, in addition to describing existing requirements and 
guidance available to (and potentially adopted by) covered institutions 
addressing customer information safeguards and customer notification, 
we have described (here and in the Proposing Release) a variety of 
practices and State law requirements that could lead to different 
notification outcomes depending on where the customer resides.\469\ In 
particular, we have described a variety of delays and inconsistencies 
in notification under existing requirements.\470\ Hence, the Proposing 
Release described in detail the existing regulatory framework and 
analyzed the benefits and costs of the proposed amendments relative to 
this framework. In addition, as discussed above, some commenters 
provided additional evidence of deficiencies in existing 
practices.\471\ Moreover, in response to commenters, we have 
supplemented the analysis of the amendments' benefits and costs, 
describing in greater detail the changes made by the final amendments 
over the baseline.\472\ We summarize these changes below. We have also 
supplemented the analysis of the expected benefits and costs of 
expanding the scope of the safeguards and disposal rules to include 
transfer agents.\473\
---------------------------------------------------------------------------

    \467\ See ASA Comment Letter (stating that the proposal was not 
``supported by evidence that brokers are fundamentally failing in 
their obligations to safeguard investor information and notify 
government authorities--within applicable Federal and State law--
when a significant breach of sensitive information has occurred'' 
and that the Proposing Release did not ``provide any discussion 
about how current broker-dealer cybersecurity and customer 
notification policies are deficient or in need of a regulatory 
fix''); ACLI Comment Letter (``The ACLI's members already comply 
with much of the Proposal's content through State regulations, such 
as those that require companies to maintain written cybersecurity 
policies and procedures, respond to cyber incidents, notify 
authorities and consumers of certain cyber incidents, and dispose of 
consumer data. However, we are concerned with the Proposal's 
shortened notification timeframes and expanded scope.''); CAI 
Comment Letter (stating that ``[n]otice currently is given to 
individuals whose information is reasonably believed to have 
potentially been affected after the findings of the investigation 
are determined,'' that it ``believes this current practice is an 
appropriate and common-sense approach to notification,'' and that 
``[t]he new notice requirement proposed under Proposed Rule 30(b) 
would simply add another layer on top of these existing requirements 
and would likely go entirely unnoticed by consumers''); 
Computershare Comment Letter (``Computershare believes Proposed Reg 
S-P is an unnecessary regulation for transfer agents, as they are 
already subject, either directly or indirectly, to State, Federal or 
provincial laws designed to protect personal information of 
securityholders and requiring breach notification.''); STA Comment 
Letter 2 (stating that the proposed amendments would not 
``meaningfully increase the safeguarding of shareholder 
information'' and instead ``cause ambiguity among competing 
laws.'').
    \468\ See Proposing Release at section III.B.
    \469\ See Proposing Release at section III.C; see also infra 
section IV.C.2.
    \470\ See Proposing Release at section III.C.2.a; see also infra 
section IV.C.2.a.
    \471\ See supra footnote 460 and accompanying text.
    \472\ See infra section IV.D.
    \473\ See infra section IV.D.2.b.
---------------------------------------------------------------------------

    In particular, the variety of practices and State law requirements 
that could lead to different notification outcomes under existing 
requirements provides a further rationale for the rule and motivated 
specific differences in the final amendments relative to State laws. We 
discuss the effects of these differences in detail below,\474\ but for 
example, the required timing of notification in the final amendments is 
stricter than under many State laws. The analysis in section 
IV.D.1.b(2) provides evidence that currently, many customers receive 
notification long after the event. The amendments are designed to help 
ensure that customers receive notification in a timely manner. In 
addition, the notification obligation covers a set of customer 
information that is broader than in many State laws, thereby covering 
more data breaches. Moreover, the final amendments require certain 
information to be included in the notice sent to customers. This 
requirement will help ensure that customers receive relevant 
information, allowing them to take appropriate mitigating actions in 
case of a breach. Hence, while the final amendments contain some 
requirements that are similar to those in some existing State laws, the 
final requirements are stricter than many State laws and may therefore 
lead to customers receiving additional, timelier, and more relevant 
notices than under existing regulations.\475\ In addition, variations 
in State law requirements highlight the need for a consistent Federal 
minimum standard for covered institutions. Such a standard will protect 
all customers regardless of their State of residence and reduce the 
potential confusion that could result from customers in one State 
receiving

[[Page 47730]]

notice of an incident while customers in another State do not.
---------------------------------------------------------------------------

    \474\ See infra section IV.D.1.
    \475\ It is possible that, because of the overlap with State 
laws, some covered institutions already have policies and procedures 
in place satisfying the final amendments' requirements. For these 
institutions and their customers, both the benefits and the costs of 
the amendments will be limited.
---------------------------------------------------------------------------

    Other commenters stated that the analysis in the Proposing Release 
underestimated the costs of the amendments.\476\ Some commenters also 
stated that the proposed amendments in general would be very costly to 
implement for smaller covered institutions.\477\ As discussed more 
fully below, we expect some of the changes made to the final amendments 
to result in lower costs relative to the proposal.\478\ For example, 
the changes made to the service provider provisions of the amendments 
(requiring that covered institutions oversee service providers instead 
of requiring written contracts between covered institutions and their 
service providers, and requiring that the covered institution's 
policies and procedures be reasonably designed to ensure service 
providers take appropriate measures to notify covered institutions of 
an applicable breach in security within 72 hours instead of 48 hours) 
may reduce some costs relative to the proposal and facilitate their 
implementation, especially for smaller covered institutions.\479\ In 
addition, in a change from proposal, we are adopting longer compliance 
periods for all covered institutions, and an even longer compliance 
period for smaller covered institutions,\480\ who are less likely to 
already have policies and procedures broadly consistent with the final 
amendments.
---------------------------------------------------------------------------

    \476\ See, e.g., IAA Comment Letter 1 (``We urge the Commission 
to undertake a more expansive, accurate, and quantifiable assessment 
of the specific and cumulative costs, burdens, and economic effects 
that would be placed on advisers by the proposed requirements, as 
well as of the potential unintended consequences for their 
clients.'').
    \477\ See, e.g., ASA Comment Letter; IAA Comment Letter 1.
    \478\ See, e.g., infra sections IV.D.1.c and IV.E.
    \479\ See supra section II.A.4; infra section IV.D.1.c.
    \480\ See supra section II.F.
---------------------------------------------------------------------------

C. Baseline

    The baseline against which the costs, the benefits, and the effects 
on efficiency, competition, and capital formation of the final 
amendments are measured consists of current requirements for customer 
notification and information safeguards, current practice as it relates 
to customer notification and information safeguards, and the current 
market structure and regulatory framework. The economic analysis 
appropriately considers existing regulatory requirements, including 
recently adopted Commission rules as well as State, Federal, and 
foreign laws and regulations, as part of the economic baseline against 
which the costs and benefits of the final amendments are measured.\481\
---------------------------------------------------------------------------

    \481\ See, e.g., Nasdaq v. SEC, 34 F.4th 1105, 1111-15 (D.C. 
Cir. 2022). This approach also follows SEC staff guidance on 
economic analysis for rulemaking. See SEC Staff, Current Guidance on 
Economic Analysis in SEC Rulemaking (Mar. 16, 2012), available at 
https://www.sec.gov/divisions/riskfin/rsfi_guidance_econ_analy_secrulemaking.pdf (``The economic 
consequences of proposed rules (potential costs and benefits 
including effects on efficiency, competition, and capital formation) 
should be measured against a baseline, which is the best assessment 
of how the world would look in the absence of the proposed 
action.''); Id. at 7 (``The baseline includes both the economic 
attributes of the relevant market and the existing regulatory 
structure.''). The best assessment of how the world would look in 
the absence of the proposed or final action typically does not 
include recently proposed actions, because that would improperly 
assume the adoption of those proposed actions.
---------------------------------------------------------------------------

    Several commenters requested that the Commission consider 
interactions between the economic effects of the proposal and other 
recent Commission proposals.\482\ The Commission adopted several of the 
rules mentioned by commenters, namely the Electronic Recordkeeping 
Adopting Release,\483\ the Form N-PX Adopting Release,\484\ the 
Settlement Cycle Adopting Release,\485\ the May 2023 SEC Form PF 
Adopting Release,\486\ the Public Company Cybersecurity Rules,\487\ the 
Money Market Fund Adopting Release,\488\ the Investment Company Names 
Adopting

[[Page 47731]]

Release,\489\ the Beneficial Ownership Adopting Release,\490\ the 
Private Fund Advisers Adopting Release,\491\ the Securitizations 
Conflicts Adopting Release,\492\ and the February 2024 Form PF Adopting 
Release.\493\ These adopted rules are part of the baseline against 
which this economic analysis considers the benefits and costs of the 
final amendments. In response to commenters, this economic analysis 
also considers potential economic effects arising from the extent to 
which there is any overlap between the compliance period for the final 
amendments and the compliance periods for these other adopted 
rules.\494\
---------------------------------------------------------------------------

    \482\ See, e.g., IAA Comment Letter 2; IAA Comment Letter 1; CAI 
Comment Letter; Comment Letter of the Securities Industry and 
Financial Markets Association, et al. (Mar. 31, 2023) (``SIFMA 
Comment Letter 1''). See also Comment Letter of the Investment 
Company Institute (Aug. 17, 2023) (``ICI Comment Letter 2'') 
(stating the Commission should analyze the interconnections in 
related rules).
    \483\ Electronic Recordkeeping Requirements for Broker-Dealers, 
Security-Based Swap Dealers, and Major Security-Based Swap 
Participants, Release No. 34-96034 (Oct. 12, 2022) [87 FR 66412 
(Nov. 3. 2022)] (``Electronic Recordkeeping Adopting Release''). One 
commenter stated that the Proposing Release could create concurrent 
obligations with Rule 17a-4 and Rule 18a-6. See AWS Comment Letter. 
Rule 17a-4 and Rule 18a-6 were amended in the Electronic 
Recordkeeping Adopting Release. Those amendments modified 
requirements regarding the maintenance and presentation of 
electronic records, the use of third-party recordkeeping services, 
and prompt production of records. The compliance dates were May 3, 
2023, and Nov. 3, 2023. See Electronic Recordkeeping Adopting 
Release, section II.I.
    \484\ Enhanced Reporting of Proxy Votes by Registered Management 
Investment Companies; Reporting of Executive Compensation Votes by 
Institutional Investment Managers, Release Nos. 33-11131, 34-96206, 
IC-34745 (Nov. 2, 2022) [87 FR 78770 (Dec. 22, 2022)] (``Form N-PX 
Adopting Release''). The Form N-PX amendments enhanced the 
information funds report publicly about their proxy votes, and apply 
to most registered management investment companies. The effective 
date is July 1, 2024. Form N-PX Adopting Release, section II.K.
    \485\ Shortening the Securities Transaction Settlement Cycle, 
Release No. 34-96930 (Feb. 15, 2023) [88 FR 13872 (Mar. 6, 2023)] 
(``Settlement Cycle Adopting Release''). This rule shortens the 
standard settlement cycle for most broker-dealer transactions from 
two business days after the trade date to one business day after the 
trade date. To facilitate orderly transition to a shorter settlement 
cycle, the rule requires same-day confirmations, allocations, and 
affirmations for processing transactions subject to the rule, and 
requires registered investment advisers to make and keep records of 
each confirmation received, and of any allocation and each 
affirmation sent or received, with a date and time stamp for each 
indicating when it was sent or received. With certain exceptions, 
the rule has a compliance date of May 28, 2024. Settlement Cycle 
Adopting Release, sections VII, VII.B.3.
    \486\ Form PF; Event Reporting for Large Hedge Fund Advisers and 
Private Equity Fund Advisers; Requirements for Large Private Equity 
Fund Adviser Reporting, Investment Company Act Release No. 6297 (May 
3, 2023) [88 FR 38146 (June 12, 2023)] (``May 2023 SEC Form PF 
Adopting Release''). The Form PF amendments adopted in May 2023 
require large hedge fund advisers and all private equity fund 
advisers to file reports upon the occurrence of certain reporting 
events. The compliance dates are Dec. 11, 2023, for the event 
reports in Form PF sections 5 and 6, and June 11, 2024, for the 
remainder of the Form PF amendments in the May 2023 SEC Form PF 
Adopting Release. See May 2023 SEC Form PF Adopting Release, section 
II.E.
    \487\ Public Company Cybersecurity Rules, supra footnote 14. The 
amendments require current disclosure about material cybersecurity 
incidents, and periodic disclosures about a registrant's processes 
to assess, identify, and manage material cybersecurity risks, 
management's role in assessing and managing material cybersecurity 
risks, and the board of directors' oversight of cybersecurity risks. 
With respect to Item 106 of Regulation S-K and item 16K of Form 20-
F, all registrants must provide disclosures beginning with annual 
reports for fiscal years ending on or after Dec. 15, 2023. With 
respect to incident disclosure requirements in Item 1.05 of Form 8-K 
and in Form 6-K, all registrants other than SRCs were required to 
begin complying on Dec. 18, 2023; SRCs must begin complying with 
Item 1.05 of Form 8-K on June 15, 2024. With respect to structured 
data requirements, all registrants must tag disclosures beginning 
one year after the initial compliance date: specifically, beginning 
with annual reports for fiscal years ending on or after Dec. 15, 
2024, in the case of Item 106 of Regulation S-K and item 16K of Form 
20-F, and beginning Dec. 18, 2024, in the case of Item 1.05 of Form 
8-K and Form 6-K. Cybersecurity Disclosure Adopting Release, section 
II.I.
    \488\ Money Market Fund Reforms; Form PF Reporting Requirements 
for Large Liquidity Fund Advisers; Technical Amendments to Form N-
CSR and Form N-1, Release No. 33-11211 (July 12, 2023) [88 FR 51404 
(Aug. 3, 2023)] (``Money Market Fund Adopting Release''). The 
amendments are designed to improve the resilience and transparency 
of money market funds by increasing minimum liquidity requirements 
to provide a more substantial buffer in the event of rapid 
redemptions; removing provisions that permitted a money market fund 
to temporarily suspend redemptions, and removing the regulatory tie 
between the imposition of liquidity fees and a fund's liquidity 
level; requiring certain money market funds to implement a liquidity 
fee framework that will better allocate the costs of providing 
liquidity to redeeming investors; and enhancing certain reporting 
requirements. The Money Market Fund Adopting Release has compliance 
dates of Oct. 2, 2024, for implementing mandatory liquidity fees and 
of Apr. 2, 2024, for discretionary liquidity fees; a compliance date 
of Apr. 2, 2024, for minimum liquidity requirements and weighted 
average maturity calculations; a compliance date of June 11, 2024, 
for certain form amendments and website reporting requirements; and 
an effective date of Oct. 2, 2023, for other provisions. Money 
Market Fund Adopting Release, section II.H.
    \489\ Investment Company Names, Release No. 33-11238 (Sept. 20, 
2023) [88 FR 70436 (Oct. 11, 2023)], as amended by Investment 
Company Names; Correction, Release No. 33-11238A (Oct. 24, 2023) [88 
FR 73755 (Oct. 27, 2023)] (``Investment Company Names Adopting 
Release''). The amendments broaden the scope of the requirement for 
certain funds to adopt a policy to invest at least 80 percent of the 
value of their assets in accordance with the investment focus that 
the fund's name suggests; require enhanced prospectus disclosure for 
terminology used in fund names; impose related notice, 
recordkeeping, and reporting requirements. The compliance date for 
the final amendments is Dec. 11, 2025, for larger entities and June 
11, 2026, for smaller entities. See Investment Company Names 
Adopting Release, sections II.H, IV.D.3.
    \490\ Modernization of Beneficial Ownership Reporting, Release 
No. 33-11253 (Oct. 10, 2023) [88 FR 76896 (Nov. 7, 2023)] 
(``Beneficial Ownership Adopting Release''). Among other things, the 
amendments generally shorten the filing deadlines for initial and 
amended beneficial ownership reports filed on Schedules 13D and 13G, 
and require that Schedule 13D and 13G filings be made using a 
structured, machine-readable data language. The amendments are 
effective Feb. 5, 2024. The new filing deadline for Schedule 13G 
will not be required before Sept. 30, 2024, and the rule's 
structured data requirements have a one-year implementation period 
ending Dec. 18, 2024. Beneficial Ownership Adopting Release, section 
II.G.
    \491\ Private Fund Advisers; Documentation of Registered 
Investment Adviser Compliance Reviews, Release No. IA-6383 (Aug. 23, 
2023) [88 FR 63206 (Sept. 14, 2023)] (``Private Fund Advisers 
Adopting Release''). The Commission adopted five new rules and two 
rule amendments as part of the reforms. The compliance date for the 
quarterly statement rule and the audit rule is Mar. 14, 2025, for 
registered private fund advisers. For the adviser-led secondaries 
rule, the preferential treatment rule, and the restricted activities 
rule, the Commission adopted staggered compliance dates that provide 
for the following compliance periods: for advisers with $1.5 billion 
or more in private funds assets under management, a 12-month 
compliance period (ending on Sept. 14, 2024) and for advisers with 
less than $1.5 billion in private funds assets under management, an 
18-month compliance period (ending on Mar. 14, 2025). The amended 
Advisers Act compliance provision for registered investment advisers 
had a Nov. 13, 2023, compliance date. See Private Fund Advisers 
Adopting Release, sections IV, VI.C.1.
    \492\ Prohibition Against Conflicts of Interest in Certain 
Securitizations, Release No. 33-11254 (Nov. 27, 2023) [88 FR 85396 
(Dec. 7, 2023)] (``Securitizations Conflicts Adopting Release''). 
The new rule prohibits an underwriter, placement agent, initial 
purchaser, or sponsor of an asset-backed security (including a 
synthetic asset-backed security), or certain affiliates or 
subsidiaries of any such entity, from engaging in any transaction 
that would involve or result in certain material conflicts of 
interest. The compliance date for securitization participants to 
comply with the prohibition is Jun. 9, 2025. Securitizations 
Conflicts Adopting Release, section II.I.
    \493\ Form PF: Reporting Requirements for All Filers and Large 
Hedge Fund Advisers, Release No. IA-6546 (Feb. 8, 2024) [89 FR 17984 
(Mar. 12, 2024)] (``February 2024 Form PF Adopting Release''). The 
Form PF amendments are designed to enhance the Financial Stability 
Oversight Council's ability to monitor systemic risk as well as 
bolster the SEC's regulatory oversight of private fund advisers and 
investor protection efforts. The compliance date for the rule is 
Mar. 12, 2025. February 2024 Form PF Adopting Release, section II.F.
    \494\ See infra sections IV.D and IV.E. In addition, commenters 
indicated there could be overlapping compliance costs between the 
final amendments and proposals that have not been adopted. See, 
e.g., IAA Comment Letter 2, Exhibit A; IAA Comment Letter 1; CAI 
Comment Letter; FSI Comment Letter. Proposed rules that commenters 
mentioned included Cybersecurity Risk Management for Investment 
Advisers, Registered Investment Companies, and Business Development 
Companies, Release No. 33-11028 (Feb. 9, 2022), 87 FR 13524 (Mar. 9, 
2022); Enhanced Disclosures by Certain Investment Advisers and 
Investment Companies About Environmental, Social, and Governance 
Investment Practices, Release No. 33-11117 (Oct. 7, 2022) [87 FR 
63016] (Oct. 18, 2022)]; Open-End Fund Liquidity Risk Management 
Programs and Swing Pricing; Form N-PORT Reporting, Release No. 33-
11130 (Nov. 2, 2022), [87 FR 77172 (Dec. 16, 2022)]; Safeguarding 
Advisory Client Assets, Release No. IA-6240 (Feb. 15, 2023), [88 FR 
14672 (Mar. 9, 2023)]; and Cybersecurity Risk Management Rule for 
Broker-Dealers, Clearing Agencies, Major Security-Based Swap 
Participants, the Municipal Securities Rulemaking Board, National 
Securities Associations, National Securities Exchanges, Security-
Based Swap Data Repositories, Security-Based Swap Dealers, and 
Transfer Agents, Release No. 34-97142 (Mar. 15, 2023) [88 FR 20212 
(Apr. 5, 2023)]. To the extent those proposals are adopted, the 
baseline in those subsequent rulemakings will reflect the existing 
regulatory requirements at that time.
---------------------------------------------------------------------------

    The parties directly affected by the final amendments, the 
``covered institutions,'' \495\ include every broker-dealer (3,476 
entities),\496\ every funding portal (92 entities),\497\ every 
investment company (13,766 distinct legal entities),\498\ every 
investment adviser (15,565 entities) registered with the 
Commission,\499\ and every transfer agent (315 entities) registered 
with the Commission or another appropriate regulatory agency.\500\ In 
addition, the final amendments will affect current and prospective 
customers of covered institutions as well as certain service providers 
to covered institutions.\501\ The final amendments will impact hundreds 
of millions of customers. For example, as discussed in more detail in 
subsequent sections, carrying broker-dealers report a total of 233 
million customer accounts,\502\ registered investment advisers report a 
total of more than 51 million individual clients,\503\ and transfer 
agents report around 250 million individual accounts.\504\
---------------------------------------------------------------------------

    \495\ See infra section IV.C.3.
    \496\ Of these, 303 are dually registered as investment 
advisers. See infra section IV.C.3.a. These numbers exclude notice-
registered broker-dealers, who will be deemed in compliance with the 
final provision through the substituted compliance provisions of 
Regulation S-P. See supra section II.B.3. For this release, the 
number of broker-dealers dually registered as investment advisers 
was estimated based on FOCUS filings for broker-dealers during the 
third quarter of 2023, Form BD filings as of Sept. 2023, and Form 
ADV filings for investment advisers as of Oct. 5, 2023. The 
Proposing Release cited a figure of 502 as of Dec. 2021. The correct 
number of broker-dealers dually registered as investment advisers as 
of Dec. 2021 in the Proposing Release should be 328. This change 
would not have affected the Commission's assessment of economic 
effects at Proposal as these assessments were focused primarily on 
effects at the level of individual covered institutions and their 
customers.
    \497\ See infra section IV.C.3.b.
    \498\ See infra section IV.C.3.d, in particular Table 4, for 
statistics on the different types of investment companies. Many of 
these distinct legal entities represent different series of a common 
registrant. Moreover, many of the registrants are themselves part of 
a larger family of companies (although BDCs and ESCs are not grouped 
in families, see Form N-2 and Form 40-APP). See infra footnote 660. 
We estimate there are 313 such families. See infra section IV.C.3.d. 
For this release, the number of families was estimated by counting 
unique family names in Form N-CEN filings as of Sept. 30, 2023. The 
Proposing Release cited a figure of 1,093 using 2021 N-CEN filings. 
The correct number of distinct fund families using 2021 N-CEN 
filings in the Proposing Release should be 327. This change would 
not have affected the Commission's assessment of economic effects at 
Proposal as these assessments were focused primarily on effects at 
the level of individual covered institutions and their customers.
    \499\ See infra section IV.C.3.c.
    \500\ See infra section IV.C.3.e.
    \501\ See infra section IV.C.3.f.
    \502\ See infra section IV.C.3.a.
    \503\ See infra section IV.C.3.c.
    \504\ See infra section IV.C.3.e.
---------------------------------------------------------------------------

1. Safeguarding Customer Information: Risks and Practices
    Over the last two decades, the widespread adoption of digitization 
and the migration toward internet-based products and services has 
radically changed the manner in which firms interact with customers. 
This trend has also applied to the financial services industry.\505\ 
Alongside this progress, the industry has observed increased exposure 
to cyberattacks that threaten not only the financial firms themselves, 
but also their customers. Hence, the trend toward digitization has 
increasingly turned the problem of safeguarding customer records and 
information into one of cybersecurity.\506\

[[Page 47732]]

Cyber threat intelligence surveys find the financial sector to be a 
highly attacked industry,\507\ making the problem of cybersecurity 
particularly acute for financial firms. The customer records and 
information in their possession can be quite sensitive (e.g., personal 
identifying information, bank account numbers, financial transactions) 
and their compromise could lead to substantial harm.\508\
---------------------------------------------------------------------------

    \505\ See Michael Grebe et al., Digital Maturity Is Paying Off, 
BCG (June 7, 2018), available at https://www.bcg.com/publications/2018/digital-maturity-is-paying-off.
    \506\ This is not to say that this is exclusively a problem of 
cybersecurity. Generally, however, the risks associated with purely 
physical forms of compromise are of a smaller magnitude, as large-
scale compromise using physical means is cumbersome. The largest 
publicly known incidents of compromised information have appeared to 
involve electronic access to digital records, as opposed to physical 
access to records or computer hardware. For a partial list of recent 
data breaches and their causes. See, e.g., Michael Hill and Dan 
Swinhoe, The 15 Biggest Data Breaches of the 21st Century, CSO (Nov. 
8, 2022), available at https://www.csoonline.com/article/2130877/the-biggest-data-breaches-of-the-21st-century.html (last visited 
Apr. 9, 2024); Drew Todd, Top 10 Data Breaches of All Time, 
SecureWorld (Sept. 14, 2022), available at https://www.secureworld.io/industry-news/top-10-data-breaches-of-all-time 
(last visited Apr. 9, 2024).
    \507\ See, e.g., IBM, X-Force Threat Intelligence Index 2022 
(Feb. 2022), available at https://www.ibm.com/downloads/cas/ADLMYLAZ.
    \508\ See, e.g., David W. Opderbeck, Cybersecurity and Data 
Breach Harms: Theory and Reality, 82 Md. L. Rev. 1001 (2023) (``A 
criminal actor can use stolen PII in true identity theft to open new 
lines of credit in the victim's name, including new credit cards, 
personal loans, business loans, or mortgages. Criminal actors also 
employ true identity theft to file for tax refunds, welfare, 
insurance, or pension benefits in the victim's name.'').
---------------------------------------------------------------------------

    Certain recent changes in the industry, including changes discussed 
by commenters, have continued the trend toward digitization and the 
importance of cybersecurity. For example, the shift to remote work has 
brought new cybersecurity challenges. One commenter stated that 91 
percent of data security professionals saw negative risk implications 
from remote and hybrid work.\509\ The same commenter cited a report 
finding that in 2022, the cost of a data breach was on average nearly 
$1 million higher when remote work was a factor in the breach and more 
than $1 million higher in organizations with a share of employees 
working remotely between 80 percent and 100 percent compared with 
organizations where less than 20 percent of employees worked 
remotely.\510\ Remote work arrangements have significantly expanded 
following the onset of the COVID-19 pandemic in the United States in 
2020,\511\ and a recent study found the financial services industry to 
be the fifth most flexible industry in terms of work location 
flexibility.\512\
---------------------------------------------------------------------------

    \509\ See Better Markets Comment Letter, citing Hugo Guzman, 
Remote Work Leading to Big Data-Loss Problems, Law.com (Mar. 7, 
2023).
    \510\ See Better Markets Comment Letter citing IBM, Cost of a 
Data Breach Report 2022 (July 2022) (``2022 IBM Cost of Data Breach 
Report''), available at https://www.ibm.com/downloads/cas/3R8N1DZJ. 
The 2023 version of the same report does not address remote work 
specifically.
    \511\ Census Press Release, U.S. Census Bureau Releases New 2021 
American Community Survey 1-year Estimates for All Geographic Areas 
With Populations of 65,000 or More (Sept. 15, 2022), available at 
https://www.census.gov/newsroom/press-releases/2022/people-working-
from-home.html#:~:text=SEPT.,by%20the%20U.S.%20Census%20Bureau.
    \512\ See The Flex Index, Q3 2023 Flex Report, available at 
https://www.flex.scoopforwork.com/reports/flex-report-2023-q3 (last 
visited Apr. 9, 2024).
---------------------------------------------------------------------------

    The financial sector is one of the biggest spenders on 
cybersecurity measures: a recent survey found that financial firms 
spent an average of approximately 13.6 percent of their technology 
budget on cybersecurity in 2023, compared to an overall average across 
industries of 11.6 percent.\513\ While spending on cybersecurity 
measures in the financial services industry is considerable, it may 
nonetheless be inadequate--even in the estimation of financial firms 
themselves. According to one recent survey, 58 percent of financial 
firms self-reported ``underspending'' on cybersecurity measures.\514\ 
In addition, some covered institutions increasingly use third-party 
vendors to provide a wide range of functions, which may implicate a 
review of those service providers' cybersecurity controls.\515\
---------------------------------------------------------------------------

    \513\ See James Rundle, Cybersecurity Budgets Grow, But at a 
Slower Pace, Wall St J. (Sept. 29, 2023), available at https://www.wsj.com/articles/cybersecurity-budgets-grow-but-at-a-slower-pace-89ce3d3c. One commenter agreed that total cybersecurity costs 
are significant. See Better Markets Comment Letter (``While the 
magnitude of dollar losses is difficult to estimate, it is clear 
that companies must expend significant resources to prevent 
breaches, detect breaches that do occur, contain the damage from 
breaches, prevent future breaches, and in some cases make customers 
whole.'').
    \514\ See IIF/McKinsey Report, supra footnote 450.
    \515\ See, e.g., FINRA, Regulatory Notice 21-29: Vendor 
Management and Outsourcing (Aug. 13, 2021), available at https://www.finra.org/sites/default/files/2021-08/Regulatory-Notice-21-29.pdf (encouraging firms that ``use--or are contemplating using--
Vendors to review [. . .] obligations and assess whether their 
supervisory procedures and controls for outsourced activities or 
functions are sufficient to maintain compliance with applicable 
rules''). See also infra section IV.C.3.f for a discussion of 
different types of covered institutions' reliance on service 
providers.
---------------------------------------------------------------------------

    Before adopting these amendments, the Commission did not require 
covered institutions to notify customers (or the Commission) in the 
event of a data breach, and so statistics relating to data breaches 
that occurred at covered institutions were not readily available. 
However, data compiled from notifications required under various State 
laws indicate that in 2022 the number of data breaches reported in the 
U.S. was 1,802--a 3 percent decrease over 2021, but a 63 percent 
increase over 2020.\516\ Of these, 268 (15 percent) were reported by 
firms in the financial services industry.\517\ However, the report 
estimating these statistics states that the 1,802 breaches reported are 
a minimum estimate and states that in the U.S., the number of breach 
notices issued per business day in 2022 (7 notices) was much lower than 
in the European Union (356 notices) in 2021 (the last year for which 
data is available).\518\ One commenter cited a report stating that 
nearly half of U.S. consumers had been affected by data breaches where 
a firm holding their personal data was hacked, compared to a global 
average of 33 percent of consumers.\519\
---------------------------------------------------------------------------

    \516\ See IRTC Data Breach Annual Report.
    \517\ See id.
    \518\ See id. See also Better Markets Comment Letter. The report 
suggests that this disparity may be related to the fact that in the 
European Union, enforcement officials, together with the 
organization affected by a breach, make the determination that the 
breach puts individuals or businesses at risk and therefore requires 
notification. See also infra section IV.D.1.b(4).
    \519\ See EPIC Comment Letter, citing Thales, 2022 Thales 
Consumer Digital Trust Index (Sept. 2022).
    \520\ See IBM, Cost of a Data Breach Report 2023 (July 2023) 
(``2023 IBM Cost of Data Breach Report''), available at https://www.ibm.com/reports/data-breach?utm_content=SRCWW&p1=Search&p4=43700077723822555&p5=p&&msclkid=45aa555fae8d1f62fb9c3066eddb719a&gclid=45aa555fae8d1f62fb9c3066eddb719a&gclsrc=3p.ds.
---------------------------------------------------------------------------

    The average total cost of a data breach for a U.S. firm in 2023 was 
estimated to be $9.48 million by one report.\520\ While the report does 
not provide estimates for U.S. financial services firms specifically, 
it estimated that world-wide, the cost of a data breach for financial 
services firms averaged $5.90 million, and that average costs for U.S. 
firms were approximately twice the world-wide average.\521\ Hence, we 
can estimate that for U.S. financial firms, the cost of a data breach 
was about $12 million. The bulk of these costs is attributed to 
detection and escalation (36 percent), lost business (29 percent), and 
post-breach response (27 percent); customer notification is estimated 
to account for only a small fraction (8 percent) of these costs.\522\ 
For the U.S.

[[Page 47733]]

financial industry as a whole, this implies an estimate of aggregate 
notification costs under the baseline of between $200 million and $250 
million.\523\ Because these estimates are based on data breach 
incidence rates for all firms, and because financial firms are part of 
one of the most attacked industries,\524\ the actual aggregate 
notification costs are likely higher than this estimated range.
---------------------------------------------------------------------------

    \521\ The 2023 IBM Cost of Data Breach Report estimates that the 
global average cost of a data breach is $4.45 million. One 
commenter, citing the 2022 IBM Cost of Data Breach Report, stated 
that the average cost of a data breach in 2022 was $4.35 million, 
which is a global average. See Better Markets Comment Letter. In the 
Proposing Release, we also cited the 2022 IBM Cost of Data Breach 
Report and stated that the cost of a data breach was $9.44 million, 
which applies to U.S. firms specifically.
    \522\ See 2023 IBM Cost of Data Breach Report.
    \523\ The $200 million figure is based on 8% (the customer 
notification portion) of an average cost of $9.48 million multiplied 
by 268 data breaches. The $250 million figure is based on the same 
calculation but using $12 million instead of $9.48 million. See 
supra footnotes 516 and 520 and accompanying text.
    \524\ See supra footnotes 507-512 and accompanying text.
---------------------------------------------------------------------------

    Some commenters supported the Proposing Release's assessment that 
data breaches are an important risk currently faced by covered 
institutions and their customers.\525\ One commenter cited an article 
describing a data breach at a financial institution that had cost that 
institution more than $150 million.\526\ Commenters also mentioned 
additional types of risks. One commenter stated that in addition to the 
financial costs imposed on firms by data breaches, individuals whose 
sensitive information is compromised also suffer harms, both financial 
and psychological, as many become victims of identity theft.\527\ 
Another commenter stated that the consequences of these breaches were 
staggering and that the Commission's proposals to establish minimum 
standards for incident response and breach notification could help with 
mitigation.\528\ The same commenter cited a report by the Government 
Accountability Office indicating that past victims of identity theft, 
which can be a consequence of data breaches, have ``lost job 
opportunities, been refused loans, or even been arrested for crimes 
they did not commit as a result of identity theft.'' \529\
---------------------------------------------------------------------------

    \525\ See, e.g., Better Markets Comment Letter; Nasdaq Comment 
Letter.
    \526\ See Better Markets Comment Letter, citing Emily Flitter & 
Karen Weise, Capital One Data Breach Compromises Data of Over 100 
Million, N.Y. Times (July 29, 2019), available at https://www.nytimes.com/2019/07/29/business/capital-one-data-breach-hacked.html.
    \527\ See Better Markets Comment Letter. Citing the IRTC Data 
Breach Annual Report, the same commenter also stated that globally, 
organizational data compromises impacted over 392 million individual 
victims in 2022.
    \528\ See EPIC Comment Letter.
    \529\ See EPIC Comment Letter citing U.S. Government 
Accountability Office, GAO-14-34, Agency Responses to Breaches of 
Personally Identifiable Information Need to be More Consistent (Dec. 
2013), available at http://www.gao.gov/assets/660/659572.pdf.
---------------------------------------------------------------------------

2. Regulations and Guidelines
    Two features of the existing regulatory framework are most relevant 
to the amendments: existing regulations that require covered 
institutions to notify customers in the event that their information is 
compromised; and existing regulations and guidelines that affect 
covered institutions' practices for safeguarding customers' 
information. While the relevance of the former is obvious, the latter 
is potentially more significant: regulations aimed at improving firms' 
practices for safeguarding customer information reduce the need for 
data breach notifications in the first place. In this section, we 
summarize these two aspects of the regulatory framework as well as 
existing annual notice delivery requirements.
a. State Law Customer Notification Requirements
(1) Scope of Requirements
    All 50 States and the District of Columbia impose some form of data 
breach notification requirement under State law. These laws vary in 
detail from State to State but have certain common features. State laws 
trigger data breach notification obligations when some type of 
``personal information'' of a State's resident is either accessed or 
acquired in an unauthorized manner, subject to various common 
exceptions. For the vast majority of States (46), a notification 
obligation is triggered only when there is unauthorized acquisition, 
while a handful of States (5) require notification whenever there is 
unauthorized access.\530\
---------------------------------------------------------------------------

    \530\ See, e.g., notification requirements in California (Cal. 
Civ. Code section 1798.82(a)) and Texas (Tex. Bus. & Com. Code 
section 521.053) triggered by the unauthorized acquisition of 
certain information, as compared to notification requirements in 
Florida (Fla. Stat. section 501.171) and New York (N.Y. Gen. Bus. 
Law section 899-AA) triggered by unauthorized access to personal 
information. ``States'' in this discussion includes the 50 U.S. 
States and the District of Columbia, for a total of 51. All State 
law citations are to the Sept. 2023 versions of State codes.
---------------------------------------------------------------------------

    Generally, States can be said to adopt either a basic or an 
enhanced definition of personal information. A typical example of a 
basic definition specifies personal information as the customer name 
linked to one or more pieces of nonpublic information such as Social 
Security number, driver's license number (or other State identification 
number), or financial account number together with any required 
credentials to permit access to said account.\531\ A typical enhanced 
definition includes additional types of nonpublic information that 
trigger the notification requirement; examples include: passport 
number, military identification number, or other unique identification 
number issued on a government document commonly used to verify the 
identity of a specific individual; unique biometric data generated from 
measurements or technical analysis of human body characteristics, such 
as a fingerprint, retina, or iris image, used to authenticate a 
specific individual.\532\ Enhanced definitions also trigger 
notification requirements when a username or email address in 
combination with a password or security question and answer that would 
permit access to an online account is compromised.\533\ Most States 
(37) adopt some form of enhanced definition, while a minority (14) 
adopt a basic definition.
---------------------------------------------------------------------------

    \531\ See, e.g., Kan. Stat. section 50-7a01(g) or Minn. Stat. 
section 325E.61(e).
    \532\ See, e.g., Md. Comm. Code section 14-3501 (defining 
``personal information'' to include credit card numbers, health 
information, health insurance information, and biometric data such 
as retina or fingerprint).
    \533\ See, e.g., Ariz. Code section 18-551 (defining ``personal 
information'' to include an individual's username or email address, 
in combination with a password or security question and answer, that 
allows access to an online account).
---------------------------------------------------------------------------

    One commenter stated that all States provided an exception to the 
notification requirement if the data compromised were encrypted.\534\ 
We found that States may include an explicit encryption or redaction 
exception in their definition of personal information,\535\ in their 
definition of breach,\536\ or in the determination that notification of 
affected individuals is necessary.\537\ Multiple States include at 
least two of these exceptions. States

[[Page 47734]]

vary, however, in the whether and how they define encryption or 
redaction.\538\
---------------------------------------------------------------------------

    \534\ See SIFMA Comment Letter 2 (``Note that all U.S. State 
data breach notification laws provide an encryption safe harbor.''); 
see also Liisa M. Thomas, Thomas on Data Breach: A Practical guide 
to Handling Data Breach Notifications Worldwide (Feb. 2023), at 
section 2:45 (``Thomas 2023'').
    \535\ See, e.g., Kan. Stat. section 50-7a01(g) (defining 
``personal information'' to include a consumer's first name or first 
initial and last name linked to any one or more of the specified 
data elements that relate to the consumer, when the data elements 
are neither encrypted nor redacted); Wyo. Stat. section 40-12-501 
(defining ``personal identifying information'' to exclude redacted 
data elements).
    \536\ See, e.g., Ariz. Code section 18-551 (defining ``breach'' 
to include unauthorized acquisition of and unauthorized access that 
materially compromises the security or confidentiality of 
unencrypted and unredacted computerized personal information).
    \537\ See, e.g., Minn. Stat. section 325E.61(a) (requiring 
notification of a breach to any resident whose unencrypted personal 
information was, or is reasonably believed to have been, acquired by 
an unauthorized person).
    \538\ We considered a safe harbor from the notification 
requirements for encrypted information. See infra section IV.F.3.
---------------------------------------------------------------------------

    Most States (43) provide an exception to the notification 
requirement if, following a breach of security, the entity investigates 
and determines that there is no reasonable likelihood that the 
individual whose personal information was breached has experienced or 
will experience certain harms (``no-harm exception'').\539\ Twenty of 
these States do not have a presumption of notification and instead 
require notification only if, for example, an investigation reveals a 
risk of harm or misuse.\540\ Although the types of harms vary by State, 
they most commonly include: ``harm'' generally (13), identity theft or 
other fraud (10), or misuse of personal information (8). Figure 1 plots 
the frequency of the various types of harms referenced in States' no-
harm exceptions.
---------------------------------------------------------------------------

    \539\ See, e.g., Fla. Stat. section 501.171(4)(c) and N.Y. Gen. 
Bus. Law section 899-AA(2)(a). Eight States, including California 
and Texas, do not have a no-harm exception and require notification 
even in the cases where there is no risk of harm.
    \540\ See, e.g., N.C. Stat. section 75-61(14) and Utah Code 13-
44-202(1).
[GRAPHIC] [TIFF OMITTED] TR03JN24.000

(2) Timing, Content, and Method of Notification
    In general, State laws provide a general principle for timing of 
notification (e.g., delivery shall be made ``without unreasonable 
delay,'' or ``in the most expedient time possible and without 
unreasonable delay'').\541\ Some States augment the general principle 
with a specific deadline (e.g., notice must be made ``in the most 
expedient time possible and without unreasonable delay, but not later 
than 30 days after the date of determination that the breach occurred'' 
unless certain exceptions apply).\542\ All States allow for a delay if 
it is requested by a law enforcement agency.\543\ Additionally, some 
States allow for a delay if necessary to determine the nature and scope 
of the breach or to restore the reasonable integrity of the information 
system.\544\ Figure 2 plots the frequency of different notification 
deadlines in

[[Page 47735]]

State laws. For States with specific deadlines, the figure 
distinguishes between States that allow an exception to determine the 
nature and scope of the breach or to restore the reasonable integrity 
of the information system, and those that do not.
---------------------------------------------------------------------------

    \541\ See, e.g., Cal. Civ. Code section 1798.82(a) (disclosure 
to be made ``in the most expedient time possible and without 
unreasonable delay'' but allowing for needs of law enforcement and 
measures to determine the scope of the breach and restore the 
system).
    \542\ See, e.g., Colo. Rev. Stat. section 6-1-716(2)(a) (notice 
to be made ``in the most expedient time possible and without 
unreasonable delay, but not later than thirty days after the date of 
determination that a security breach occurred, consistent with the 
legitimate needs of law enforcement and consistent with any measures 
necessary to determine the scope of the breach and to restore the 
reasonable integrity of the computerized data system''); Fla. Stat. 
section 501.171(4)(a) (notice to be made ``as expeditiously as 
practicable and without unreasonable delay . . . but no later than 
30 days after the determination of a breach'' unless delayed at the 
request of law enforcement or waived pursuant to the State's no-harm 
exception).
    \543\ See, e.g., Ala. Stat. section 8-38-5(c) (``If a federal or 
State law enforcement agency determines that notice to individuals 
required under this section would interfere with a criminal 
investigation or national security, the notice shall be delayed upon 
the receipt of written request of the law enforcement agency for a 
period that the law enforcement agency determines is necessary.''); 
Ark. Code section 4-110-105(c) (``The notification required by this 
section may be delayed if a law enforcement agency determines that 
the notification will impede a criminal investigation.''); Conn. 
Stat. section 36a-701b.(d) (``Any notification required by this 
section shall be delayed for a reasonable period of time if a law 
enforcement agency determines that the notification will impede a 
criminal investigation and such law enforcement agency has made a 
request that the notification be delayed.''); Md. Comm. Code section 
14-3504(d)(1) (notice may be delayed if ``a law enforcement agency 
determines that the notification will impede a criminal 
investigation or jeopardize homeland or national security''); N.C. 
Stat. section 75-65(c) (``The notice required by this section shall 
be delayed if a law enforcement agency informs the business that 
notification may impede a criminal investigation or jeopardize 
national or homeland security, provided that such request is made in 
writing or the business documents such request contemporaneously in 
writing, including the name of the law enforcement officer making 
the request and the officer's law enforcement agency engaged in the 
investigation.'').
    \544\ See, e.g., Tex. Bus. & Com. Code section 521.053 (notice 
to be made ``without unreasonable delay and in each case not later 
than the 60th day after the date on which the person determines that 
the breach occurred, except as provided by Subsection (d) or as 
necessary to determine the scope of the breach and restore the 
reasonable integrity of the data system'').
[GRAPHIC] [TIFF OMITTED] TR03JN24.001

    One commenter stated that, where State laws have a 30-day notice 
requirement, the 30-day periods generally do not begin to run until a 
determination has been made that the incident affected residents of 
that State that will require notice, and that the Commission's proposed 
30-day requirement would be triggered much sooner in the process.\545\ 
The same commenter also stated that notices are currently sent to 
individuals whose information is reasonably believed to have 
potentially been affected after the findings of an investigation are 
determined.\546\ To help analyze and respond to these comments, and 
also to provide additional context for our analysis of the possible 
effects of the final amendments,\547\ we conducted supplemental 
analysis of the frequency of different triggers for the specific 
deadline requirement in the 20 States that specify such a deadline. The 
results of this analysis are in Figure 3 and demonstrate variation in 
triggering events. For example, State laws specify that the 
notification of customers be made ``not later than sixty days from the 
discovery of the breach,'' \548\ or ``no later than 30 days after the 
determination of a breach or reason to believe a breach occurred.'' 
\549\ Many of these triggers use words such as ``determination'' or 
``confirmation,'' which, consistent with the commenter's observation, 
suggests investigation that might cause the specific deadline to be 
triggered later than the Commission's proposed or adopted notification 
trigger, although ``discovery of breach''--used in five States--could 
potentially be earlier.\550\
---------------------------------------------------------------------------

    \545\ See CAI Comment Letter (``While the Commission correctly 
notes in the S-P Proposing Release that some existing State laws 
also include a 30-day notice requirement, those requirements 
generally do not begin to run until a determination has been made 
that the incident affected residents of that State that will require 
notice.''). In the final amendments, as in the proposal, the 
beginning of the 30-day outside timeframe is a covered institution 
``becoming aware'' that unauthorized access to or use of customer 
information has occurred or is reasonably likely to have occurred. 
See proposed rule 248.30(b)(4)(iii); final rule 248.30(a)(4)(iii).
    \546\ See CAI Comment Letter.
    \547\ See infra section IV.D.1.b(2).
    \548\ See La. Rev. Stat. section 51:3074.
    \549\ See Fla. Stat. section 501.171(4)(a).
    \550\ See infra section IV.D.1.b(2).
---------------------------------------------------------------------------

BILLING CODE 8011-01-P

[[Page 47736]]

[GRAPHIC] [TIFF OMITTED] TR03JN24.002

BILLING CODE 8011-01-C
    One commenter stated that most State data breach notification laws 
did not specify a number of days to report a breach, and that of the 
States that did have a specific timeframe, many had an exception 
allowing for compliance with the GLBA in lieu of adherence to their 
timeframes.\551\ To help analyze and respond to this comment, and also 
to provide additional context for our analysis of the possible effects 
of the final amendments, we conducted supplemental analysis of the 
overlap between States that have a specific deadline and States that 
include a GLBA exception.\552\ We found that of the 20 States that have 
a specific deadline, 10 do not include a GLBA exception.\553\
---------------------------------------------------------------------------

    \551\ See SIFMA Comment Letter 2.
    \552\ See infra section IV.D.1.b(1).
    \553\ We discuss this exception and the States where it applies 
in section IV.D.1.b(1).
---------------------------------------------------------------------------

    Additionally, one commenter stated the establishment of a Federal 
minimum standard for data breach notification would satisfy State 
notice laws that provide exemptions for firms subject to such a 
requirement.\554\ To help analyze and respond to this comment, and also 
to provide additional context for our analysis of the possible effects 
of the final amendments,\555\ we conducted supplemental analysis of 
this question. We have found that some States excuse entities from 
individual notification under State law if the entities comply with the 
notification requirements of a Federal regulator or, in some cases, 
another State. Some States allow these substitute notifications to 
replace their own state-specific requirements on notice content and 
timing,\556\ while others only allow it if the provisions are at least 
as protective as State law.\557\
---------------------------------------------------------------------------

    \554\ See IAA Comment Letter 1.
    \555\ See infra section IV.D.1.b.
    \556\ See, e.g., Fla. Stat. section 501.171(4)(g) (``Notice 
provided pursuant to rules, regulations, procedures, or guidelines 
established by the covered entity's primary or functional federal 
regulator is deemed to be in compliance with the notice requirement 
in this subsection . . . .''); Va. Code. Ann. section 18.2-186.6(H) 
(``An entity that complies with the notification requirements . . . 
established by the entity's primary or functional state or federal 
regulator shall be in compliance with this section.''). According to 
Thomas 2023, approximately 15 States allow compliance with a primary 
regulator to replace their own State's required notification in some 
circumstances; see also ICI Comment Letter 1 (``Today, approximately 
13 states provide an exemption or exclusion from the state's breach 
notice requirements if the entity experiencing the breach has a duty 
under federal law to provide notice of the breach.''). See also 
infra section IV.D.1.b(1) on GLBA safe harbor provisions, which are 
similar but distinct.
    \557\ See, e.g., Colo. Rev. Stat. 6-1-716(3)(b) (``In the case 
of a conflict . . . the law or regulation with the shortest 
timeframe for notice to the individual controls.''); Iowa Code 
section 715C.2(7)(b) (exempting in the case of compliance ``with a 
state or federal law that provides greater protection to personal 
information and at least as thorough disclosure requirements for 
breach of security or personal information than that provided by 
this section'').
---------------------------------------------------------------------------

    Some commenters stated that different State laws currently have 
different requirements as to what content must be included in a notice 
to customers.\558\ One of these commenters further stated that, as a 
result, covered institutions may, when they experience a data breach 
incident today, send different notification letters to residents of 
different States for the same incident.\559\ To help analyze and

[[Page 47737]]

respond to these comments, and to provide additional context for our 
analysis of the possible effects of the final amendments,\560\ we 
conducted supplemental analysis of the frequency at which different 
items are currently required by State laws to be included in notices to 
customers. This analysis, shown in Figure 4, supports commenters' 
observation that different States have different requirements. While 
half of the States do not have such requirements, many States (25) 
provide minimum content to be included in the notices sent to 
individuals whose information has been affected by a breach. The most 
common required items include the type of information affected, contact 
information for consumer reporting agencies, and the date of the 
breach. Figure 4 plots the frequency of different items required by 
State laws to be included in the notices.
---------------------------------------------------------------------------

    \558\ See, e.g., IAA Comment Letter 1.
    \559\ See ICI Comment Letter 1 (``In discussing breach notices 
with our members, we understand it is not uncommon for their current 
breach response programs to include separate notification letters 
depending upon the state the individual resides in.''). One benefit 
of the final amendments will be to help ensure that all customers 
receive a minimum level of information regarding a given breach. See 
infra section IV.D.1.b(5).
    \560\ See infra section IV.D.1.b(5).
    [GRAPHIC] [TIFF OMITTED] TR03JN24.003
    
    States also differ in their requirements regarding the method that 
must be used to notify affected individuals.\561\ While all States 
allow for a written notification, most States impose conditions if the 
notice is sent electronically. For example, 37 States provide that a 
notice can be sent electronically only if the notice is consistent with 
the Electronic Signatures in Global and National Commerce Act.\562\ 
Fifteen States have as a condition that a primary method of 
communication between the entity and the affected residents be by 
electronic means.\563\ Five States impose no condition for electronic 
notices,\564\ and 2 States only require that the notifying institution 
have the email address of the affected individuals.\565\ In addition, 
26 States allow for the notice to be made over the phone.\566\ Of these 
26 States, 7 provide that a condition for a telephonic notice is that 
contact is made directly with the affected individuals.\567\
---------------------------------------------------------------------------

    \561\ We conducted this supplemental analysis to help analyze 
and respond to comments, and also to provide additional context for 
our analysis of the possible effects of the final amendments. See 
infra section IV.D.1.b(5).
    \562\ 15 U.S.C. 7001, et seq. See, e.g., Cal. Civ. Code section 
1798.82(j); Conn. Stat. section 36a-701b.(e); Ga. Code section 10-1-
911(4); Tex. Bus. & Com. Code section 521.053(e).
    \563\ See. e.g., Colo. Rev. Stat. section 6-1-716(1)(F); Del. 
Code Tit. 6 section 12B-101(5); Tenn. Code Ann. section 47-18-
2107(e).
    \564\ See, e.g., Ala. Code section 8-38-5(d); Fla. Stat. section 
501.171(4)(d); Va. Code. Ann. section 18.2-186.6(A).
    \565\ See Ariz. Code section 18-552(F); Ind. Code 24-4.9-3-4.
    \566\ See. e.g., Conn. Stat. section 36a-701b.(e); N.Y. Gen. 
Bus. Law section 899-AA(5); 73 Pa. Stat. section 2302.
    \567\ See, e.g., Ariz. Code section 18-552(F); Mo. Stat. 
407.1500 section 2(6); 9 Vt. Stat. Ann. section 2435(b)(6)(A).
---------------------------------------------------------------------------

    All States allow, under some conditions, for substitute 
notification instead of the required methods of notification discussed 
above. The most common conditions include a specified large number of 
individuals to notify and/or a minimum dollar cost to notify the 
affected individuals. These conditions vary widely across States.\568\ 
In most States, a substitute notice consists of all of the following 
elements: email notification to the affected individuals, a notice on 
the institution's website, and notification to major statewide 
media.\569\ However, other States have fewer requirements.\570\
---------------------------------------------------------------------------

    \568\ For example, some States allow for a substitute notice if 
the number of affected individuals is above 1,000 or 5,000 or if the 
cost of providing notice is above $5,000 or $10,000, while many 
States have a threshold of 500,000 affected individuals or a cost 
threshold of $250,000. See, e.g., Maine Rev. Stat. Tit. 10 section 
1347(4); Miss. Code section 75-24-29(6); N.H. Rev. Stat. section 
359-C:20(III); Cal. Civ. Code section 1798.82(j); Fla. Stat. section 
501.171(4)(f); N.Y. Gen. Bus. Law section 899-AA(5).
    \569\ See, e.g., DC Code section 28-3851(2); La. Rev. Stat. 
section 51:3074(G); N.J. Stat. section 56:8-163(d).; Va. Code. Ann. 
section 18.2-186.6(A).
    \570\ See, e.g., Ala. Code section 8-38-5(e) (``Substitute 
notice shall include both of the following: 1. A conspicuous notice 
on the internet website of the covered entity, if the covered entity 
maintains a website, for a period of 30 days. 2. Notice in print and 
in broadcast media, including major media in urban and rural areas 
where the affected individuals reside.''); Fla. Stat. section 
501.171(4)(f) (``Such substitute notice shall include the following: 
1. A conspicuous notice on the internet website of the covered 
entity if the covered entity maintains a website; and 2. Notice in 
print and to broadcast media, including major media in urban and 
rural areas where the affected individuals reside.''); Tex. Bus. & 
Com. Code section 521.053(f) (requiring that under certain 
conditions, ``the notice may be given by: (1) electronic mail, if 
the person has electronic mail addresses for the affected persons; 
(2) conspicuous posting of the notice on the person's website; or 
(3) notice published in or broadcast on major statewide media'').

---------------------------------------------------------------------------

[[Page 47738]]

(3) Notification by Service Providers
    Some data breach incidents involve service providers. Covered 
institutions may use service providers to perform certain business 
activities and functions, such as trading and order management, 
information technology functions, and cloud computing services. As a 
result of this outsourcing, service providers may receive, maintain, or 
process customer information, or be permitted to access it, and 
therefore a security incident at the service provider could expose 
information at or belonging to the covered institution. In general, 
State laws require persons and entities that maintain computerized data 
for other entities, but do not own or license that data, to notify the 
data-owning entity in the event of a data breach (so as to allow that 
entity to notify affected individuals).\571\ However, several State 
laws provide that a covered institution may contract with the service 
provider such that the service provider directly notifies affected 
individuals of a data breach.\572\ In addition, some States impose the 
responsibility of notifying affected individuals on entities that 
maintain or possess the data even if they do not own or license 
it.\573\
---------------------------------------------------------------------------

    \571\ See, e.g., Cal. Civ. Code section 1798.82(b); DC Code 
section 28-3852(b); N.Y. Gen. Bus. Law section 899-AA(3); Tex. Bus. 
& Com. Code section 521.053(c).
    \572\ See, e.g., Fla. Stat. section 501.171(6)(b); Ala. Code 
section 8-38-8. We do not have information on the frequency of such 
arrangements.
    \573\ See, e.g., Ky. Rev. Stat. 365.732(2) (``Any information 
holder shall disclose any breach of the security of the system, 
following discovery or notification of the breach in the security of 
the data, to any resident of Kentucky whose unencrypted personal 
information was, or is reasonably believed to have been, acquired by 
an unauthorized person.''); Maine Rev. Stat. Tit. 10 section 
1348(1)(B). (``If any other person who maintains computerized data 
that includes personal information becomes aware of a breach of the 
security of the system, the person shall conduct in good faith a 
reasonable and prompt investigation to determine the likelihood that 
personal information has been or will be misused and shall give 
notice of a breach of the security of the system following discovery 
or notification of the security breach to a resident of this State 
if misuse of the personal information has occurred or if it is 
reasonably possible that misuse will occur.''). See also Thomas 
2023, at section 2:21.
---------------------------------------------------------------------------

    Some commenters opposed the proposed provision that would have 
required service providers to notify covered institutions of a breach 
of sensitive customer information within 48 hours.\574\ A commenter 
further stated that our analysis of the effects of this requirement was 
incomplete.\575\ We conducted supplemental analysis of the notification 
timeframe required by State laws for entities that do not own or 
license the compromised data to help analyze and respond to these 
comments, and to provide additional context for our analysis of the 
possible effects of the final amendments.\576\
---------------------------------------------------------------------------

    \574\ See, e.g., ACLI Comment Letter.
    \575\ See Microsoft Comment Letter (``The cost-benefit analyses 
of the Proposed Rules do not identify why a 48-hour or shorter 
reporting period is optimal.''). See also supra section II.A.4 for a 
discussion of the length of notification period.
    \576\ See infra section IV.D.1.c.
---------------------------------------------------------------------------

    In general, State laws provide a window for notification of the 
entity that owns or licenses the data by the entity that maintains the 
data.\577\ Ten States provide a specific deadline of either 24 hours 
(one State),\578\ 10 days (four States),\579\ 45 days (four 
States),\580\ or 60 days (one State).\581\ Thirty-eight States provide 
instead a general principle such as ``as soon as practicable'' or 
``without unreasonable delay.'' \582\ In particular, 24 States require 
the notification to take place immediately after the discovery of the 
breach or the determination that a breach has occurred.\583\ Figure 5 
plots the frequency of these different provisions across State laws. 
This variation across State laws in timelines for (1) notification of 
the entity that owns or licenses the data by the entity that maintains 
the data and (2) notification of the affected individuals by the entity 
that owns or licenses the data can result in widely different lengths 
of time between the discovery of a breach and the time the affected 
individuals are notified. In addition, variations in these State laws 
could result in residents of one State receiving notice while residents 
of another receive no notice for the same data breach incident.\584\
---------------------------------------------------------------------------

    \577\ A small number of States do not require such a 
notification. For example, Rhode Island does not distinguish between 
entities that own or license the data and those entities that do 
not, requiring all entities to notify customers directly (R.I. Gen. 
Laws section 11-49.3-4(a)(1) (``Any municipal agency, State agency, 
or person that stores, owns, collects, processes, maintains, 
acquires, uses, or licenses data that includes personal information 
shall provide notification as set forth in this section of any 
disclosure of personal information, or any breach of the security of 
the system, that poses a significant risk of identity theft to any 
resident of Rhode Island whose personal information was, or is 
reasonably believed to have been, acquired by an unauthorized person 
or entity.''). Similarly, South Dakota does not have a provision for 
persons or businesses that do not own or license computerized 
personal data (SDCL sections 22-40-19 through 22-40-26).
    \578\ See Ga. Code section 10-1-912(b) (``Any person or business 
that maintains computerized data on behalf of an information broker 
or data collector that includes personal information of individuals 
that the person or business does not own shall notify the 
information broker or data collector of any breach of the security 
of the system within 24 hours following discovery, if the personal 
information was, or is reasonably believed to have been, acquired by 
an unauthorized person.'').
    \579\ See, e.g., Md. Comm. Code section 14-3504(c) (``Except as 
provided in subsection (d) of this section, the notification 
required under paragraph (1) of this subsection shall be given as 
soon as reasonably practicable, but not later than 10 days after the 
business discovers or is notified of the breach of the security of a 
system.'').
    \580\ See, e.g., Tenn. Code Ann. section 47-18-2107(c) (``Any 
information holder that maintains computerized data that includes 
personal information that the information holder does not own shall 
notify the owner or licensee of the information of any breach of 
system security if the personal information was, or is reasonably 
believed to have been, acquired by an unauthorized person. The 
disclosure must be made no later than forty-five (45) days from the 
discovery or notification of the breach of system security, unless a 
longer period of time is required due to the legitimate needs of law 
enforcement, as provided in subsection (d).'').
    \581\ See La. Rev. Stat. section 51:3074(E) (``The notification 
required pursuant to Subsections C and D of this Section shall be 
made in the most expedient time possible and without unreasonable 
delay but not later than sixty days from the discovery of the 
breach, consistent with the legitimate needs of law enforcement, as 
provided in Subsection F of this Section, or any measures necessary 
to determine the scope of the breach, prevent further disclosures, 
and restore the reasonable integrity of the data system.'').
    \582\ See, e.g., Miss. Code section 75-24-29(4) (``Any person 
who conducts business in this State that maintains computerized data 
which includes personal information that the person does not own or 
license shall notify the owner or licensee of the information of any 
breach of the security of the data as soon as practicable following 
its discovery, if the personal information was, or is reasonably 
believed to have been, acquired by an unauthorized person for 
fraudulent purposes.''); Va. Code. Ann. section 18.2-186.6(D) (``An 
individual or entity that maintains computerized data that includes 
personal information that the individual or entity does not own or 
license shall notify the owner or licensee of the information of any 
breach of the security of the system without unreasonable delay 
following discovery of the breach of the security of the system'').
    \583\ See, e.g., Ark. Code section 4-110-105(b), N.C. Stat. 
section 75-65(b), and Utah Code 13-44-202(3). For many of these 
States, this immediate notification can be delayed if the delay is 
requested by a law enforcement agency.
    \584\ See supra footnote 578 on South Dakota. In addition, in 
some States, notification from the service provider to the 
information owner is required only in the case of fraud or misuse. 
See, e.g., Miss. Code section 75-24-29(4) (requiring notification if 
the information was or is reasonably believed to have been acquired 
by an unauthorized person for fraudulent purposes); Colo. Rev. Stat. 
section 6-1-716(2)(b) (requiring notification if misuse of personal 
information about a Colorado resident occurred or is likely to 
occur).

---------------------------------------------------------------------------

[[Page 47739]]

[GRAPHIC] [TIFF OMITTED] TR03JN24.004

    Some of the service providers that will be affected by the final 
amendments are covered institutions themselves.\585\ Also, some 
entities that are covered institutions but not service providers under 
the final amendments could, under State law, be entities that maintain 
but do not own or license that data, meaning they may have an 
obligation under State law to notify the data owner.\586\ In 
particular, commenters stated that transfer agents were generally 
considered service providers of the securities issuers under State 
laws.\587\ State laws typically require transfer agents to notify the 
securities issuers in case of security breach, which in turn must 
notify the affected customers. One commenter stated that transfer 
agents were, in addition, often required by contract to notify their 
securities issuer clients in case of data breach.\588\ Another 
commenter stated that it was not uncommon for covered institutions to 
require, by contract or agreement, that their service providers, 
including transfer agents, notify them in case of security breach.\589\ 
Hence, we expect that all or almost all covered institutions and their 
service providers are already complying with one or more notification 
requirements, pursuant to either State law or contract.\590\
---------------------------------------------------------------------------

    \585\ See supra section II.A.3.a.
    \586\ This could be the case, for example, of transfer agents 
providing services only to publicly traded companies that are not 
covered institutions.
    \587\ See, e.g., Computershare Comment Letter (``It is also 
contrary to privacy laws that deem the issuer to be the `controller' 
or `business' with respect to securityholders and their data and 
deem the transfer agent based on its role to be the `processor' or 
`service provider.' '').
    \588\ See STA Comment Letter 2.
    \589\ See ICI Comment Letter 1.
    \590\ Even if a State does not have specific requirements for 
entities that do not own or license computerized personal or 
protected information (such as South Dakota, see supra footnote 
578), it is unlikely, by the nature of the transfer agent business, 
that a transfer agent would have access to customer information of 
individuals residing in this State only.
---------------------------------------------------------------------------

b. Customer Information Safeguards
    Regulation S-P, prior to the adoption of the amendments, required 
all covered institutions to adopt written policies and procedures 
reasonably designed to: ``(i) insure [sic] the security and 
confidentiality of customer records and information; (ii) protect 
against any anticipated threats or hazards to the security or integrity 
of customer records and information; and (iii) protect against 
unauthorized access to or use of customer records and information that 
could result in substantial harm or inconvenience to any customer.'' 
\591\ In addition, Regulation S-P established limitations on how 
covered institutions may disclose nonpublic personal information about 
a consumer to nonaffiliated third parties.\592\ It also established 
limitations on the further disclosure of nonpublic personal information 
received by a covered institution from a nonaffiliated financial 
institution, as well as limitations on the further disclosure of 
nonpublic personal information disclosed from a covered institution to 
a nonaffiliated third party.\593\ Before this adoption, Regulation S-P 
did not include specific provisions for how covered institutions were 
to satisfy their obligations to safeguard customer records and 
information when utilizing service providers.
---------------------------------------------------------------------------

    \591\ 17 CFR 248.30. See also Compliance Programs of Investment 
Companies and Investment Advisers, Investment Advisers Act Release 
No. 2204 (Dec. 17, 2003) [68 FR 74714 (Dec. 24, 2003)], at n.22 
(``Compliance Program Release'') (stating expectation that policies 
and procedures would address safeguards for the privacy protection 
of client records and information and noting the applicability of 
Regulation S-P); see also supra section II.B.2 explaining that prior 
to these final amendments, the safeguards rule did not apply to any 
transfer agents, and the disposal rule applied only to transfer 
agents registered with the Commission.
    \592\ See 17 CFR 248.10.
    \593\ See 17 CFR 248.11.
---------------------------------------------------------------------------

    Covered institutions that hold transactional accounts for consumers 
may also be subject to Regulation S-ID.\594\ Such entities must develop 
and implement a written identity theft program that includes policies 
and procedures to identify relevant types of identity theft red flags, 
detect the occurrence of those red flags, and respond appropriately to 
the detected red flags.\595\
---------------------------------------------------------------------------

    \594\ Regulation S-ID applies to ``financial institutions'' or 
``creditors'' that offer or maintain ``covered accounts.'' Entities 
that are likely to qualify as financial institutions or creditors 
and maintain covered accounts include most registered brokers, 
dealers, funding portals, investment companies, and some registered 
investment advisers. See 17 CFR 248.201; see also Identity Theft Red 
Flag Rules, Investment Advisers Act Release No. 3582 (Apr. 10, 2013) 
[78 FR 23637 (Apr. 19, 2013)] (``Identity Theft Release''); see also 
17 CFR 227.403(b).
    \595\ In a 2017 Risk Alert, the SEC Office of Compliance 
Inspections and Examinations (now called the Division of 
Examinations) noted that, based on observations from examinations of 
75 registrants, nearly all examined broker-dealers and most of the 
examined advisers had specific cybersecurity and Regulation S-ID 
policies and procedures. See EXAMS Risk Report, Observations from 
Cybersecurity Examinations (Aug. 7, 2017), available at https://www.sec.gov/files/observations-from-cybersecurity-examinations.pdf; 
see also Identity Theft Release. In addition, affected entities must 
also periodically update their identity theft programs. See 17 CFR 
248.201. Other rules also require updates to policies and procedures 
at regular intervals: see, e.g., Rule 38a-1 under the Investment 
Company Act; FINRA Rule 3120 (Supervisory Control System); and FINRA 
Rule 3130 (Annual Certification of Compliance and Supervisory 
Processes).

---------------------------------------------------------------------------

[[Page 47740]]

    In addition, broker-dealers that operate alternative trading 
systems exceeding specified volume thresholds are SCI entities subject 
to Regulation SCI and required, among other things, to have certain 
policies and procedures reasonably designed to ensure that their market 
systems have adequate levels of capacity, integrity, resiliency, 
availability, and security and take appropriate corrective action when 
``SCI events'' occur.\596\ SCI entities are required to disseminate 
information to their members or participants about certain types of SCI 
events.\597\ Upon the SCI entity having a reasonable basis to conclude 
that a certain type of SCI event (such as a ``systems intrusion'' that 
is not de minimis) has occurred, it is generally required to promptly 
disseminate information about the SCI event to those members and 
participants that the SCI entity has reasonably estimated may have been 
affected. If such ``SCI event'' is ``major,'' the information 
disseminated must be to all of the entity's members or 
participants.\598\ When required, the notification must include a 
summary description of the systems intrusion, including a description 
of the corrective action taken by the SCI entity and when the systems 
intrusion has been or is expected to be resolved, unless the SCI entity 
determines that dissemination of such information would likely 
compromise the security of the SCI entity's SCI systems or indirect SCI 
systems, or an investigation of the systems intrusion, and documents 
the reasons for such determination.\599\ Therefore, information about 
an ``SCI event'' caused by a cybersecurity incident may be required to 
be disseminated to some or all an SCI entity's members or participants 
pursuant to Regulation SCI.
---------------------------------------------------------------------------

    \596\ Regulation SCI is codified at 17 CFR 242.1000 through 
1007.
    \597\ 17 CFR 242.1002(c).
    \598\ 17 CFR 242.1002(c)(3).
    \599\ 17 CFR 242.1002(c).
---------------------------------------------------------------------------

    The safeguards rule of Regulation S-P did not, before this 
adoption, apply to transfer agents. In addition, the disposal rule did 
not apply to transfer agents registered with a regulatory agency other 
than the Commission.\600\ Thus, for these institutions, the final 
amendments create new requirements to adopt written policies and 
procedures that address administrative, technical, and physical 
safeguards for the protection of customer information and to take 
reasonable measures to protect against unauthorized access to or use of 
consumer information and customer information in connection with its 
disposal.\601\ Some transfer agents registered with a regulatory agency 
other than the Commission may already be subject to some of the Federal 
regulation described below. In addition, many States impose 
requirements regarding the safeguarding and the disposal of customer 
information.\602\ Hence, many transfer agents are likely to already 
have policies and procedures in the areas covered by these new 
requirements.
---------------------------------------------------------------------------

    \600\ See supra section II.B.2.
    \601\ See final rule 240.30(a)(1) and (b).
    \602\ Twenty States have customer information safeguard 
requirements, and 30 States have customer information disposal 
requirements. See, e.g., Cal. Civ. Code section 1798.81.5 (``A 
business that owns, licenses, or maintains personal information 
about a California resident shall implement and maintain reasonable 
security procedures and practices appropriate to the nature of the 
information, to protect the personal information from unauthorized 
access, destruction, use, modification, or disclosure.''); Del. Code 
Tit. 6 section 12B-100 (``Any person who conducts business in this 
State and owns, licenses, or maintains personal information shall 
implement and maintain reasonable procedures and practices to 
prevent the unauthorized acquisition, use, modification, disclosure, 
or destruction of personal information collected or maintained in 
the regular course of business.''); Fla. Stat. section 501.171(2) 
(``Each covered entity, governmental entity, or third-party agent 
shall take reasonable measures to protect and secure data in 
electronic form containing personal information.''). See also, e.g., 
Cal. Civ. Code section 1798.81 (``A business shall take all 
reasonable steps to dispose, or arrange for the disposal, of 
customer records within its custody or control containing personal 
information when the records are no longer to be retained by the 
business by (a) shredding, (b) erasing, or (c) otherwise modifying 
the personal information in those records to make it unreadable or 
undecipherable through any means.''); La. Rev. Stat. section 
51:3074(B) (``Any person that conducts business in the state or that 
owns or licenses computerized data that includes personal 
information, or any agency that owns or licenses computerized data 
that includes personal information shall take all reasonable steps 
to destroy or arrange for the destruction of the records within its 
custody or control containing personal information that is no longer 
to be retained by the person or business by shredding, erasing, or 
otherwise modifying the personal information in the records to make 
it unreadable or undecipherable through any means.''); N.J. Stat. 
section 56:8-162 (``A business or public entity shall destroy, or 
arrange for the destruction of, a customer's records within its 
custody or control containing personal information, which is no 
longer to be retained by the business or public entity, by 
shredding, erasing, or otherwise modifying the personal information 
in those records to make it unreadable, undecipherable or 
nonreconstructable through generally available means.'').
---------------------------------------------------------------------------

    Some covered institutions may also be subject to other regulators' 
rules and guidelines implicating customer information safeguards. 
Transfer agents supervised by one of the Banking Agencies may be 
subject to the Banking Agencies' Incident Response Guidance and to the 
Banking Agencies' Safeguards Guidance, for example.\603\ The Banking 
Agencies' Incident Response Guidance requires covered financial 
institutions to develop a response program covering assessment, 
notification to relevant regulators and law enforcement, incident 
containment, and customer notice.\604\ These guidelines require 
customer notification if a financial institution determines that misuse 
of sensitive customer information ``has occurred or is reasonably 
possible.'' \605\ They also require notices to occur ``as soon as 
possible,'' but permit delays if ``an appropriate law enforcement 
agency determines that notification will interfere with a criminal 
investigation and provides the institution with a written request for 
the delay.'' \606\ Under the guidelines, ``sensitive customer 
information'' means ``a customer's name, address, or telephone number, 
in conjunction with the customer's Social Security number, driver's 
license number, account number, credit or debit card number, or a 
personal identification number or password that would permit access to 
the customer's account.'' \607\ In addition, ``any combination of 
components of customer information that would allow someone to log onto 
or access the customer's account, such as user name and password or 
password and account number'' is also considered sensitive customer 
information under the guidelines.\608\ The Banking Agencies' Safeguards 
Guidance directs every financial institution covered by the

[[Page 47741]]

guidelines to require its service providers by contract to implement 
appropriate measures designed to protect against unauthorized access to 
or use of customer information that could result in substantial harm or 
inconvenience to any customer.\609\ In addition, the Banking Agencies' 
Incident Response Guidance directs that an institution's contract with 
its service provider should require the service provider to take 
appropriate actions to address incidents of unauthorized access to the 
financial institution's customer information, including notification to 
the institution as soon as possible of any such incident, to enable the 
institution to expeditiously implement its response program.\610\
---------------------------------------------------------------------------

    \603\ See Banking Agencies' Incident Response Guidance and 
Banking Agencies' Safeguards Guidance; see also Computershare 
Comment Letter (``Many registered transfer agents like Computershare 
US and Computershare Canada entities are banks or trust companies, 
and therefore already subject to state, federal, or provincial 
banking laws, rules, regulations and inter-agency guidelines.'' The 
commenter also refers to ``Title V, Subtitle A, of the Gramm-Leach-
Bliley Act, 15 U.S.C. 6801-6809; 12 CFR 30, Appendix B to Part 30--
Interagency Guidelines Establishing Information Security Standards; 
and New York State Department of Financial Services Cybersecurity 
Regulation, 23 NYCRR Part 500.'').
    \604\ See Banking Agencies' Incident Response Guidance at 
Supplement A, section II.A.
    \605\ See id., at Supplement A, section III.A.
    \606\ See id., at Supplement A, section III.A.
    \607\ See id., at Supplement A, section III.A.1.
    \608\ See id., at Supplement A, section III.A.1.
    \609\ See id., at Supplement A, section I.C.
    \610\ See id., at Supplement A, section II.
---------------------------------------------------------------------------

    The Banking Agencies' Safeguards Guidance requires certain 
financial institutions to implement a comprehensive written information 
security program that includes administrative, technical, and physical 
safeguards appropriate to the size and complexity of the entity and the 
nature and scope of its activities.\611\ This guidance requires that 
the information security program be designed to (1) ensure the security 
and confidentiality of customer information; (2) protect against any 
anticipated threats or hazards to the security or integrity of such 
information; (3) protect against unauthorized access to or use of such 
information that could result in substantial harm or inconvenience to 
any customer; and (4) ensure the proper disposal of customer 
information and consumer information.\612\
---------------------------------------------------------------------------

    \611\ See Banking Agencies' Safeguards Guidance, at section 
II.A.
    \612\ See id., at section II.B.
---------------------------------------------------------------------------

    Private funds may be subject to the FTC's recently amended FTC 
Safeguards Rule, which contains data security requirements to protect 
customer financial information.\613\ The FTC Safeguards Rule generally 
requires financial institutions to develop, implement, and maintain a 
comprehensive information security program,\614\ defined as the 
administrative, technical, and physical safeguards the financial 
institution uses to access, collect, distribute, process, protect, 
store, use, transmit, dispose of, or otherwise handle customer 
information.\615\ The rule also requires that the comprehensive 
information security program contain various elements, including an 
incident response plan.\616\ In addition, it requires financial 
institutions to take reasonable steps to select and retain service 
providers capable of maintaining appropriate safeguards for customer 
information and to require those service providers by contract to 
implement and maintain such safeguards.\617\ Since the date of our 
proposal, the FTC Safeguards Rule has been updated to require financial 
institutions to notify the FTC as soon as possible, and no later than 
30 days after discovery, of a security breach involving the unencrypted 
information of at least 500 consumers.\618\ Although the FTC Safeguards 
Rule does not contain a customer notification requirement, the FTC 
indicated that it ``intends to enter notification event reports into a 
publicly available database'' unless a law enforcement official 
requests delay.\619\
---------------------------------------------------------------------------

    \613\ The FTC Safeguards Rule applies to financial institutions 
of certain types ``that are not otherwise subject to the enforcement 
authority of another regulator under section 505 of the Gramm-Leach-
Bliley Act, 15 U.S.C. 6805.'' See 16 CFR 314.1(b). Private funds 
that are able to rely on section 3(c)(1) or 3(c)(7) of the 
Investment Company Act are not subject to Regulation S-P but they 
may be subject to the FTC Safeguards Rule. See supra footnote 2. 
Investment advisers registered with the Commission, including those 
that are advisers to private funds, are covered institutions for the 
purposes of the final amendments.
    \614\ See 16 CFR 314.3(a).
    \615\ See 16 CFR 314.2(i).
    \616\ See 16 CFR 314.4(h).
    \617\ See 16 CFR 314.4(f). The FTC Safeguards Rule does not 
contain a requirement that financial institutions require their 
service providers to notify them in case of a breach resulting in 
customer information being compromised.
    \618\ The amendments are effective May 13, 2024. See Standards 
for Safeguarding Customer Information, 88 FR 77499 (Nov. 13, 2023); 
see also FTC Press Release, FTC Amends Safeguards Rule to Require 
Non-Banking Financial Institutions to Report Data Security Breaches 
(Oct. 27, 2023), available at https://www.ftc.gov/news-events/news/press-releases/2023/10/ftc-amends-safeguards-rule-require-non-banking-financial-institutions-report-data-security-breaches.
    \619\ 88 FR at 77506. See also 16 CFR 315.4(j)(vi) (effective 
May 13, 2024), describing the conditions for a delay in notifying 
the public of the breach, if requested by law enforcement.
---------------------------------------------------------------------------

    In addition, many entities covered by this rule may be subject to 
other, more general information protection requirements.\620\ In 
particular, companies operating in foreign jurisdictions may need to 
comply with information protection requirements in their foreign 
markets. For example, the GDPR requires entities that process the 
personal data of EU citizens or residents to, among other things, do so 
in a manner that ensures appropriate security, integrity, and 
confidentiality.\621\ Other recent regulations in foreign jurisdictions 
may subject covered institutions to further rules intended to address 
cybersecurity risk management by financial institutions and some of 
their service providers.\622\ Hence, we expect that some of the 
entities covered by the final amendments, or their service providers, 
already have customer information safeguards in place because of other 
information protection regimes.
---------------------------------------------------------------------------

    \620\ See supra Section I (discussing other requirements); 
footnotes 245, 257 (examples of other regimes); see also Microsoft 
Comment Letter.
    \621\ GDPR, supra footnote 245, at Art. 5(1)(f); see also What 
is GDPR, the EU's New Data Protection Law?, available at https://gdpr.eu/what-is-gdpr/ (last visited Apr. 8, 2024). The GDPR places 
data protection obligations on organizations that process the 
personal data of EU citizens and residents. Among these are 
provisions requiring notification in the case of a breach: Art. 
34(1), for example, requires a personal data breach to be 
``communicated to the data subject without undue delay'' when the 
breach is likely to result in a high risk to the rights and freedoms 
of natural persons, unless certain exceptions (including an 
encryption exception) apply.
    \622\ See, e.g., Regulation (EU) 2022/2554 of the European 
Parliament and of the Council of 14 December 2022 on Digital 
Operational Resilience for the Financial Sector and Amending 
Regulations, Official J. of the Euro. Union (2022), available at 
https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32022R2554 (``DORA'').
---------------------------------------------------------------------------

    A variety of guidance is available to institutions seeking to 
address information security risk, particularly through the development 
of policies and procedures. These include NIST and CISA voluntary 
standards, both of which include assessment, containment, and 
notification elements similar to those included in these 
amendments.\623\ We do not have extensive data spanning all types of 
covered institutions on their use of these or similar guidelines or on 
their development of written policies and procedures to address 
incident response, and no commenter suggested such data. However, past 
Commission examination sweeps of broker-dealers and investment advisers 
suggest that such practices are widespread.\624\ Thus, we expect that 
institutions seeking to develop written policies and procedures likely 
would have encountered these and similar standards and may have 
included the critical elements of

[[Page 47742]]

assessment and containment, as well as notification.
---------------------------------------------------------------------------

    \623\ See NIST Special Publication 800-61, Revision 2 (Aug. 
2012) (``NIST Computer Security Incident Handling Guide''), 
available at https://csrc.nist.gov/publications/detail/sp/800-61/rev-2/final and CISA, Cybersecurity Incident & Vulnerability 
Response Playbooks (Nov. 2021) (``CISA Incident Response 
Playbook''), available at https://www.cisa.gov/sites/default/files/publications/Federal_Government_Cybersecurity_Incident_and_Vulnerability_Response_Playbooks_508C.pdf.
    \624\ See OCIE, SEC, Cybersecurity Examination Sweep Summary 
(Feb. 3, 2015), available at https://www.sec.gov/about/offices/ocie/cybersecurity-examination-sweep-summary.pdf (Written policies and 
procedures, for both the examined broker-dealers (82%) and the 
examined advisers (51%), discuss mitigating the effects of a 
cybersecurity incident and/or outline the plan to recover from such 
an incident. Similarly, most of the examined broker-dealers (88%) 
and many of the examined advisers (53%) reference published 
cybersecurity risk management standards.).
---------------------------------------------------------------------------

c. Annual Notice Delivery Requirement
    Under the baseline,\625\ a broker-dealer, funding portal, 
investment company, or registered investment adviser must generally 
provide an initial privacy notice to its customers not later than when 
the institution establishes the customer relationship and annually 
after that for as long as the customer relationship continues.\626\ If 
an institution chooses to share nonpublic personal information with a 
nonaffiliated third party other than as disclosed in an initial privacy 
notice, the institution must generally send a revised privacy notice to 
its customers.\627\
---------------------------------------------------------------------------

    \625\ For the purposes of the economic analysis, the baseline 
does not include the exception to the annual notice delivery 
requirement provided by the FAST Act. This statutory exception was 
self-effectuating and became effective on Dec. 4, 2015. See FAST 
Act, Public Law 114-94, section 75001, adding section 503(f) to the 
GLBA, codified at 15 U.S.C. 6803(f).
    \626\ 17 CFR 248.4 and 248.5.
    \627\ 17 CFR 248.8. Regulation S-P provides certain exceptions 
to the requirement for a revised privacy notice, including if the 
institution is sharing as permitted under rules 248.13, 248.14, and 
248.15 or with a new nonaffiliated third party that was adequately 
disclosed in the prior privacy notice.
---------------------------------------------------------------------------

    The types of information required to be included in the initial, 
annual, and revised privacy notices are identical. Each privacy notice 
must describe the categories of information the institution shares and 
the categories of affiliates and non-affiliates with which it shares 
nonpublic personal information.\628\ The privacy notices also must 
describe the type of information the institution collects, how it 
protects the confidentiality and security of nonpublic personal 
information, a description of any opt out right, and certain 
disclosures the institution makes under the FCRA.\629\
---------------------------------------------------------------------------

    \628\ See 17 CFR 248.6(a)(2) through (5) and (9).
    \629\ See 17 CFR 248.6(a)(1) (information collection); 
248.6(a)(8) (protecting nonpublic personal information), 248.6(a)(6) 
(opt out rights); 248.6(a)(7) (disclosures the institution makes 
under section 603(d)(2)(A)(iii) of the FCRA (15 U.S.C. 
1681a(d)(2)(A)(iii)), notices regarding the ability to opt out of 
disclosures of information among affiliates).
---------------------------------------------------------------------------

3. Market Structure
    The final amendments will affect five categories of covered 
institutions: broker-dealers other than notice-registered broker-
dealers, funding portals, registered investment advisers, investment 
companies, and transfer agents registered with the Commission or 
another appropriate regulatory agency. These institutions compete in 
several distinct markets and offer a wide range of services, including 
effecting customers' securities transactions, providing liquidity, 
pooling investments, transferring ownership in securities, advising on 
financial matters, managing portfolios, and consulting to pension 
funds. Many of the larger covered institutions belong to more than one 
category (e.g., a dually registered broker-dealer/investment adviser), 
and thus operate in multiple markets. In the rest of this section, we 
first outline the market for each class of covered institution and then 
consider service providers.
a. Broker-Dealers
    Broker-dealers include both brokers (persons engaged in the 
business of effecting transactions in securities for the account of 
others),\630\ as well as dealers (persons engaged in the business of 
buying and selling securities for their own accounts).\631\ Most 
brokers and dealers maintain customer relationships, and are thus 
likely to come into the possession of sensitive customer 
information.\632\ In the market for broker-dealer services, a 
relatively small set of large- and medium-sized broker-dealers dominate 
while thousands of smaller broker-dealers compete in niche or regional 
segments of the market.\633\ Broker-dealers provide a variety of 
services related to the securities business, including (1) managing 
orders for customers and routing them to various trading venues; (2) 
providing advice to customers that is in connection with and reasonably 
related to their primary business of effecting securities transactions; 
(3) holding customers' funds and securities; (4) handling clearance and 
settlement of trades; (5) intermediating between customers and 
carrying/clearing brokers; (6) dealing in corporate debt and equities, 
government bonds, and municipal bonds, among other securities; (7) 
privately placing securities; and (8) effecting transactions in mutual 
funds that involve transferring funds directly to the issuer. Some 
broker-dealers may specialize in just one narrowly defined service, 
while others may provide a wide variety of services.
---------------------------------------------------------------------------

    \630\ See 15 U.S.C. 78c(a)(4).
    \631\ See 15 U.S.C. 78c(a)(5).
    \632\ Such information would include the customers' names, tax 
numbers, telephone numbers, broker, brokerage account numbers, etc.
    \633\ See Regulation Best Interest: The Broker-Dealer Standard 
of Conduct, Release No. 34-86031 (June 5, 2019) [84 FR 33318 (July 
12, 2019)], at 33406.
---------------------------------------------------------------------------

    Based on an analysis of FOCUS filings and Form BD filings, there 
were 3,476 registered broker-dealers during the third quarter of 
2023.\634\ Of these, 303 were dually registered as investment 
advisers.\635\ There were over 233 million customer accounts reported 
by carrying brokers.\636\ However, the majority of broker-dealers are 
not ``carrying broker-dealers'' and therefore do not report the numbers 
of customer accounts.\637\ Therefore, we expect that this figure of 233 
million understates the total number of customer accounts because many 
of the accounts at carrying broker-dealers have corresponding accounts 
with non-carrying brokers. Both carrying and non-carrying broker-
dealers potentially possess sensitive customer information for the 
accounts that they maintain.\638\ Because non-carrying broker-dealers 
do not report on the numbers of customer accounts, it is not possible 
to ascertain with any degree of confidence the distribution of customer 
accounts across the broader broker-dealer population.
---------------------------------------------------------------------------

    \634\ The numbers in this section exclude notice-registered 
broker-dealers. See supra section II.B.3.
    \635\ See supra footnote 496.
    \636\ FOCUS filings and Form X-17A-5 Schedule I, Item I8080. For 
this release, the number of customer accounts reported by carrying 
brokers was estimated based on FOCUS filings during the third 
quarter of 2023 and Form X-17A-5 Schedule I, Item I8080 for 2022. 
The Proposing Release cited a figure of 72 million as of July 1, 
2022. The correct number of customer accounts reported by carrying 
brokers as of July 1, 2022, in the Proposing Release should be 220 
million. This change would not have affected the Commission's 
assessment of economic effects at Proposal as these assessments were 
focused primarily on effects at the level of individual covered 
institutions and their customers.
    \637\ See General Instructions to Form CUSTODY (as of Sept. 30, 
2022).
    \638\ This information includes name, address, age, and tax 
identification or Social Security number. See FINRA Rule 4512.
---------------------------------------------------------------------------

b. Funding Portals
    Funding portals act as intermediaries in facilitating securities-
based crowdfunding transactions that are subject to Regulation 
Crowdfunding.\639\ Securities-based crowdfunding involves using the 
internet to raise capital through small individual contributions from a 
large number of people. The crowdfunding transaction must be conducted 
through an intermediary registered with the Commission, but a statutory 
exemption allows that intermediary to forgo registration as a broker-
dealer. Therefore some, but not all, crowdfunding intermediaries are 
registered broker-dealers while others are funding portals.
---------------------------------------------------------------------------

    \639\ See 17 CFR part 227.
---------------------------------------------------------------------------

    Funding portals are registered with the Commission and are members 
of FINRA.\640\ They must provide investors

[[Page 47743]]

with educational materials, take measures to reduce the risk of fraud, 
make information available about the issuer and the offering, and 
provide communication channels to permit discussions about offerings on 
the funding portal's platform, among other related services.\641\ In 
facilitating crowdfunding transactions, funding portals may come into 
possession of investors' sensitive customer information, as investors 
are required to open an account with the funding portal before the 
funding portal may accept an investment commitment from them.\642\ 
Funding portals may have possession of sensitive customer information 
but, unlike broker-dealers, funding portals are statutorily prohibited 
from holding, managing, possessing, or handling investor funds or 
securities.\643\ These funding portals are required to direct investors 
to transmit money or other consideration for the securities directly to 
a qualified third party that has agreed in writing to hold the funds 
for the benefit of investors and the issuer and to promptly transmit or 
return the funds to the person entitled to the funds.\644\
---------------------------------------------------------------------------

    \640\ See Regulation Crowdfunding, Release No. 33-9974, (Oct. 
30, 2015) [80 FR 71388 (Nov. 16, 2015)] (``Regulation Crowdfunding 
Adopting Release''). An entity raising funds through securities-
based crowdfunding typically seeks small individual contributions 
from a large number of people. Individuals interested in the 
crowdfunding campaign--members of the ``crowd''--may share 
information about the project, cause, idea or business with each 
other and use the information to decide whether to fund the campaign 
based on the collective ``wisdom of the crowd.'' The JOBS Act 
established a regulatory structure for startups and small businesses 
to raise capital through securities offerings using the internet 
through crowdfunding. See id. at section I.A. Securities Act section 
4(a)(6) provides an exemption from registration for certain 
crowdfunding transactions. 15 U.S.C. 77d(a)(6). A company issuing 
securities in reliance on rules established by the Regulation 
Crowdfunding Adopting Release (17 CFR part 227, ``Regulation 
Crowdfunding'') is permitted to raise a maximum of $5 million in a 
twelve-month period and is required to conduct the transaction 
exclusively through an intermediary registered with the Commission, 
either a broker-dealer or a funding portal. See 17 CFR 227.100(a).
    \641\ See Regulation Crowdfunding Adopting Release at section 
II.
    \642\ See 17 CFR 227.302(a)(1). Regulation Crowdfunding Rule 302 
does not prescribe specific information that a funding portal must 
collect as part of opening an account.
    \643\ See 15 U.S.C. 78c(a)(80)(D).
    \644\ See 17 CFR 227.303(e)(2), which defines a ``qualified 
third party'' as (i) a registered broker or dealer that carries 
customer or broker or dealer accounts and holds funds or securities 
for those persons or (ii) a bank or credit union (where such credit 
union is insured by National Credit Union Administration) that has 
agreed in writing either to hold the funds in escrow for the persons 
who have the beneficial interests therein and to transmit or return 
such funds directly to the persons entitled thereto when so directed 
by the funding portal as described in paragraph (e)(3) of the rule, 
or to maintain a bank or credit union account (or accounts) for the 
exclusive benefit of investors and the issuer.
---------------------------------------------------------------------------

    As of December 31, 2023, there were 92 registered funding portals 
that were members of FINRA (excluding funding portals that had 
withdrawn their registration and FINRA membership).\645\ The 
crowdfunding intermediary market is highly concentrated.\646\ For 
example, based on staff analysis from May 16, 2016 (inception of 
Regulation Crowdfunding) through December 31, 2023, five intermediaries 
accounted for 70 percent of all initiated offerings, including one 
funding portal accounting for 29 percent of all initiated 
offerings.\647\
---------------------------------------------------------------------------

    \645\ See FINRA, ``Funding Portals We Regulate,'' at https://www.finra.org/about/funding-portals-we-regulate.
    \646\ The crowdfunding intermediary market includes all funding 
portals and some registered broker-dealers who may also serve as 
intermediaries of Regulation Crowdfunding transactions. See 17 CFR 
227.300(a).
    \647\ Based on staff analysis of EDGAR filings under Regulation 
Crowdfunding as of December 31, 2023. This includes all initiated 
offerings facilitated by either funding portals or registered 
broker-dealers.
---------------------------------------------------------------------------

c. Investment Advisers
    Registered investment advisers provide a variety of services to 
their clients, including financial planning advice, portfolio 
management, pension consulting, selecting other advisers, publication 
of periodicals and newsletters, security rating and pricing, market 
timing, and conducting educational seminars.\648\ Although advisers 
engaged in any of these activities are likely to possess sensitive 
customer information, the degree of sensitivity will vary widely across 
advisers. Some advisers may only hold the customer's address, payment 
details, and the customer's overall financial condition, while others 
may hold account numbers, tax identification numbers, access 
credentials to brokerage accounts, and other highly sensitive 
information.
---------------------------------------------------------------------------

    \648\ See Form ADV.
---------------------------------------------------------------------------

    Based on Form ADV filings received up to October 5, 2023, there are 
15,565 investment advisers registered with the Commission with a total 
of more than 51 million individual clients and $114 trillion in assets 
under management.\649\ Practically all (97 percent) of these advisers 
reported providing portfolio management services to their clients.\650\ 
Over half (57 percent) reported having custody of clients' cash or 
securities either directly or through a related person,\651\ with 
client funds in custody totaling $43 trillion.\652\
---------------------------------------------------------------------------

    \649\ Form ADV, Items 5D(a-b) (as of Oct. 5, 2023). Broadly, 
regulatory assets under management capture the current value of 
assets in securities portfolios for which the adviser provides 
continuous and regular supervisory or management services. See Form 
ADV, Part 1A Instruction 5.b.
    \650\ Form ADV, Items 5G(2-5) (as of Oct. 5, 2023).
    \651\ Here, ``custody'' means ``holding, directly or indirectly, 
client funds or securities, or having any authority to obtain 
possession of them.'' An adviser also has ``custody'' if ``a related 
person holds, directly or indirectly, client funds or securities, or 
has any authority to obtain possession of them, in connection with 
advisory services [the adviser] provide[s] to clients.'' See 17 CFR 
275.206(4)-2(d)(2).
    \652\ Form ADV, Items 9A and 9B (as of Oct. 5, 2023).

---------------------------------------------------------------------------

[[Page 47744]]

[GRAPHIC] [TIFF OMITTED] TR03JN24.005

    Figure 6 plots the cumulative distribution of the number of 
individual clients handled by investment advisers registered with the 
Commission. The distribution is highly skewed: 13 advisers each 
reported having more than one million clients while 95 percent of 
advisers reported having fewer than 2,000 clients. Many such advisers 
are quite small, with half reporting fewer than 62 clients.\653\
---------------------------------------------------------------------------

    \653\ Form ADV, Items 5D(a) and (b) (as of Oct. 5, 2023).
---------------------------------------------------------------------------

    Similarly, most investment advisers registered with the Commission 
are limited geographically. These advisers must generally make a 
``notice filing'' with a State in which they have a place of business 
or six or more clients.\654\ Figure 7 plots the frequency distribution 
of the number of such filings. Based on notice filings, 57 percent of 
investment advisers registered with the Commission operated in fewer 
than four States, and 37 percent operated in only one State.\655\
---------------------------------------------------------------------------

    \654\ See General Instructions to Form ADV (as of Oct. 5, 2023).
    \655\ Form ADV, Item 2.C (as of Oct. 5, 2023). This includes 
1,887 advisers who do not make any notice filings.

---------------------------------------------------------------------------

[[Page 47745]]

[GRAPHIC] [TIFF OMITTED] TR03JN24.006

d. Investment Companies
    Investment companies are companies that issue securities and are 
primarily engaged in the business of investing in securities. 
Investment companies invest money they receive from investors on a 
collective basis, and each investor shares in the profits and losses in 
proportion to that investor's interest in the investment company. 
Investment companies subject to the final amendments include registered 
open-end and closed-end funds, business development companies 
(``BDCs''), Unit Investment Trusts (``UITs''), employee securities' 
companies (``ESCs''), and management company separate accounts 
(``MCSAs''). Because they are not operating companies, investment 
companies do not have ``customers'' as such, and thus are unlikely to 
possess significant amounts of nonpublic ``customer'' information in 
the conventional sense. They may, however, have access to nonpublic 
information about their investors.\656\
---------------------------------------------------------------------------

    \656\ The definition of ``customer information'' in the final 
amendments includes information about investment companies' 
investors. See final rule Sec. Sec.  248.30(d)(5)(i) and 248.3(t).
---------------------------------------------------------------------------

    Table 4 summarizes the investment company universe that will be 
subject to the final amendments. In total, as of September 30, 2023, 
there were 13,766 investment companies, including 12,183 open-end 
management investment companies, 682 closed-end managed investment 
companies, 702 UITs,\657\ 141 BDCs,\658\ approximately 43 ESCs, and 15 
MCSAs. Many of the investment companies that will be subject to the 
final amendments are part of a ``family'' of investment companies.\659\ 
Such families often share infrastructure for operations (e.g., 
accounting, auditing, custody, legal), and potentially marketing and 
distribution. We expect that many of the compliance costs and other 
economic costs discussed in the following sections will likely be borne 
at the family level.\660\ We estimate that there were up to 1,131 
distinct operational entities (families and unaffiliated investment 
companies) in the investment company universe.\661\
---------------------------------------------------------------------------

    \657\ For this release, the number of UITs includes N-4, N-6, N-
8B-2, and S-6 filers as of Sept. 30, 2023. The Proposing Release 
cited a figure of 662 UITs using 2021 N-CEN filings. The correct 
number of UITs using 2021 N-CEN filings in the Proposing Release 
should be 703. This change would not have affected the Commission's 
assessment of economic effects at Proposal as these assessments were 
focused primarily on effects at the level of individual covered 
institutions and their customers.
    \658\ For this release, the number of BDCs was estimated using 
London Stock Exchange Group (``LSEG'') BDC Collateral data as of 
Sept. 2023.
    \659\ As used here, ``family'' refers to a set of funds 
reporting the same family investment company name (Form N-CEN Item 
B.5) or filing under the same registrant name (Form N-CEN Item 
B.1.A).
    \660\ For example, each investment company in a family is likely 
to share common policies and procedures.
    \661\ For this release, the number of unaffiliated entities was 
estimated using N-CEN filings as of Sept. 30, 2023. The Proposing 
Release cited a figure of 476 using 2021 N-CEN filings. The correct 
number of the unaffiliated entities using 2021 N-CEN filings in the 
Proposing Release should be 609. This change would not have affected 
the Commission's assessment of economic effects at Proposal as these 
assessments were focused primarily on effects at the level of 
individual covered institutions and their customers.
---------------------------------------------------------------------------

BILLING CODE 8011-01-P

[[Page 47746]]

[GRAPHIC] [TIFF OMITTED] TR03JN24.007

BILLING CODE 8011-01-C
e. Transfer Agents
    Transfer agents maintain records of security ownership and are 
responsible for processing changes of ownership (``transfers''), 
communicating information from the firm to its security-holders (e.g., 
sending annual reports), replacing lost stock certificates, etc. 
However, in practice, most securities registered in the U.S. are held 
in ``street name,'' where the ultimate ownership information is not 
maintained by the transfer agent but rather in a hierarchal ledger. In 
this structure, securities owned by individuals are not registered in 
the name of the individual with the transfer agent. Rather, the 
individual's broker maintains the records of the individual's ownership 
claim on securities. Brokers, in turn, have claims on securities held 
by a single nominee owner who maintains records of the claims of the 
various brokers.\662\ In such cases, the transfer agent is not aware of 
the ultimate owner of the securities and therefore does not hold 
sensitive information belonging to those owners, as only the broker 
holds this information.
---------------------------------------------------------------------------

    \662\ In the U.S., this owner is generally Cede & Co., a 
partnership organized by the Depository Trust & Clearing 
Corporation.
---------------------------------------------------------------------------

    Despite the prevalence of securities held in street name, a large 
number of individuals nonetheless hold securities directly through a 
transfer agent. Securities held directly may be held either in the form 
of a physical stock certificate or in book-entry form through the 
Direct Registration System (``DRS''). In either case, the transfer 
agent would need to maintain sensitive information about the 
individuals who own the securities. For example, to handle a request 
for replacement certificate, the transfer agent would need to confirm 
the identity of the individual making such a request and to maintain a 
record of such confirmation. Similarly, to effect DRS transfers, a 
transfer agent would need to provide a customer's identification 
information in the message to the DRS.
    In 2023, there were 251 transfer agents registered with the 
Commission, with an additional 64 registered with the Banking 
Agencies.\663\ As discussed above,\664\ differences in the baseline 
regulation of these transfer agents affect their current notification 
obligations.\665\ Among the 315 transfer agents, 132 are considered 
small entities.\666\ By registration, 100 of these small transfer

[[Page 47747]]

agents are registered with the Commission and 32 are registered with 
the Banking Agencies.\667\
---------------------------------------------------------------------------

    \663\ Form TA-1 (as of Sept. 30, 2023).
    \664\ See supra footnotes 601 and 604 and accompanying text.
    \665\ See infra sections IV.D.2.b and IV.E (discussing benefits 
and costs, and competitive effects, relative to the baseline).
    \666\ See infra section VI.C. Estimate based on the number of 
transfer agents that reported a value of fewer than 1,000 for items 
4(a) and 5(a) on Form TA-2 collected by the Commission as of Sept. 
30, 2023.
    \667\ Id.
---------------------------------------------------------------------------

    On average, each transfer agent reported around 1 million 
individual accounts, with the largest reporting 61 million.\668\ Figure 
8 plots the cumulative distribution of the number of individual 
accounts reported by registered transfer agents. Approximately one 
third of registered transfer agents reported no individual 
accounts,\669\ and 58 percent reported fewer than ten thousand 
individual accounts.\670\
---------------------------------------------------------------------------

    \668\ Form TA-2 Items 5(a) (as of Sept. 30, 2023). This analysis 
is limited to the 265 transfer agents that filed form TA-2. For the 
205 transfer agents registered with the Commission that filed form 
TA-2, the average number of individual accounts is 1.2 million; for 
the 60 transfer agents registered with the Banking Agencies that 
filed form TA-2, the average number of individual accounts is 69 
thousand.
    \669\ Some registered transfer agents outsource many functions--
including tracking the ownership of securities in individual 
accounts--to other transfer agents (``service companies''). See Form 
TA-1 Item 6 (as of June 20, 2022).
    \670\ Form TA-2, Items 5(a) (as of Sept. 30, 2023).
    [GRAPHIC] [TIFF OMITTED] TR03JN24.008
    
f. Service Providers
    The final amendments require that a covered institution's incident 
response program include the establishment, maintenance, and 
enforcement of written policies and procedures reasonably designed to 
require oversight, including through due diligence and monitoring, of 
service providers. These policies and procedures must be reasonably 
designed to ensure service providers take appropriate measures to 
protect against unauthorized access to or use of customer information 
and to notify covered institutions of an applicable breach in 
security.\671\ These requirements on a covered institution will affect 
a service provider that ``receives, maintains, processes, or otherwise 
is permitted access to customer information through its provision of 
services directly to [the] covered institution.'' \672\
---------------------------------------------------------------------------

    \671\ See final rule 248.30(a)(5).
    \672\ Final rule 248.30(d)(10).
---------------------------------------------------------------------------

    Covered institutions' relationships with a wide range of service 
providers will be affected. Specialized service providers with 
offerings geared toward outsourcing of covered institutions' core 
functions will generally fall under the requirements. Those offering 
customer relationship management, customer billing, portfolio 
management, customer portals (e.g., customer trading platforms), 
customer acquisition, tax document preparation, proxy voting, and 
regulatory compliance (e.g., AML/KYC) will likely fall under the 
requirements. Some of these specialized service providers will be 
themselves covered institutions.\673\ In addition, various less-
specialized service providers might potentially fall under the 
requirements. Service providers offering Software-as-a-Service (SaaS) 
solutions for email, file storage, and similar general-purpose services 
might potentially be in a position to receive, maintain, or process 
customer information. Similarly, providers of Infrastructure-as-a-
Service (IaaS), Platform-as-a-Service (PaaS), as well as those offering 
more ``traditional'' consulting services (e.g., IT contractors) will in 
many cases be ``otherwise [ ] permitted access to customer 
information'' and might fall under the provisions.
---------------------------------------------------------------------------

    \673\ For example, many investment companies rely on third-party 
investment advisers and transfer agents.
---------------------------------------------------------------------------

    In the Proposing Release, we stated that the financial services 
industry is increasingly relying on service providers through various 
forms of outsourcing.\674\ We also stated that we were unable to 
quantify or characterize in much detail the structure of the relevant 
service provider markets due to data limitations.\675\ One commenter 
stated that this resulted in an analysis that fails to meaningfully 
address the associated costs.\676\ While this commenter did not 
identify any additional data sources, in response we have conducted a 
further review of industry literature.\677\ While we

[[Page 47748]]

continue to find certain data limitations, we also have identified 
certain additional informative data points on covered institutions' 
reliance on service providers.\678\ A recent notice issued by FINRA 
states that FINRA's members, which include broker-dealers, ``are 
increasingly using third-party vendors to perform a wide range of core 
business and regulatory oversight functions,'' a trend that has 
accelerated with the COVID-19 pandemic.\679\ One report describes the 
results of a 2022 survey of 248 advisers and independent broker-
dealers.\680\ The survey found that 32 percent of the registered 
investment advisers and 50 percent of the independent broker-dealers 
that responded to the survey reported outsourcing investment management 
functions, and that while these proportions had not changed 
significantly in the past decade, half of the respondents who do 
outsource some of these functions reported an increase in their use of 
service providers. In addition, a different recent report finds that 33 
percent of asset managers surveyed outsource their entire back-office 
function and 20 percent outsource their entire middle-office 
function.\681\ By the nature of their business models, most of the 
operations of investment companies are carried out by service 
providers.\682\ Finally, many transfer agents outsource many 
functions.\683\ Hence, all types of covered institutions affected by 
the final amendments commonly retain service providers to some extent.
---------------------------------------------------------------------------

    \674\ See Proposing Release at section III.C.3.e; see also Bank 
for International Settlements, Outsourcing in Financial Services 
(Feb. 15, 2005), available at https://www.bis.org/publ/joint12.htm.
    \675\ See Proposing Release at section III.C.3.e.
    \676\ See IAA Comment Letter 1.
    \677\ In addition, in response to this commenter, we have added 
further details on the current regulatory framework, in particular 
with respect to the obligations of covered institutions regarding 
their service providers and the notification obligations of service 
providers. See supra section IV.C.2. Also, we have supplemented the 
analysis of the benefits and costs of the final amendments' service 
provider requirements. See infra section IV.D.1.c. The supplemental 
review described here is designed to help us analyze and respond to 
commenters, and also to provide additional context for this 
analysis.
    \678\ Potential service providers include a wide range of firms 
fulfilling a variety of functions. The internal organization of 
covered institutions, including their reliance on service providers, 
is not generally publicly observable. Although certain regulatory 
filings shed a limited light on the use of third-party service 
providers (e.g., transfer agents' reliance on third parties for 
certain functions and investment advisers' reliance on third parties 
for recordkeeping), we are unaware of any data sources that provide 
detail on the reliance of covered institutions on service providers.
    \679\ See FINRA, Regulatory Notice 21-29, supra footnote 515.
    \680\ See FlexShares, The Race to Scalability 2022 (July 2022).
    \681\ See Cerulli Associates, Asset Managers Turn to Outsourcing 
Providers for Operating Model Sustainability (Nov. 22, 2022), 
available at https://www.cerulli.com/press-releases/asset-managers-turn-to-outsourcing-providers-for-operating-model-sustainability 
(``Cerulli Report'').
    \682\ See Investment Company Institute, How US-Registered 
Investment Companies Operate and the Core Principles Underlying 
Their Regulation (May 2022), available at https://www.ici.org/system/files/2023-06/us-reg-funds-principles.pdf.
    \683\ See supra footnote 670. See also Interagency Guidance on 
Third-Party Relationships: Risk Management, 88 FR 37920, 37937 (June 
9, 2023), which may cover some transfer agents registered with a 
regulatory agency other than the Commission.
---------------------------------------------------------------------------

D. Benefits and Costs of the Final Rule Amendments

    The final amendments can be divided into four main components. 
First, they create a requirement for covered institutions to adopt 
policies and procedures for the protection of customer information. The 
policies and procedures must include an incident response program to 
address unauthorized access to or use of customer information, 
including by providing notification to individuals affected by an 
incident during which their sensitive customer information was, or is 
reasonably likely to have been, accessed or used without authorization. 
The response program must also include the establishment, maintenance, 
and enforcement of written policies and procedures reasonably designed 
to require oversight of service providers, including to ensure service 
providers take appropriate measures to protect against unauthorized 
access to or use of customer information. Second, the amendments define 
the information covered by the safeguards rule and the disposal 
rule,\684\ and extend the application of the safeguards rule to 
transfer agents. Third, the amendments require covered institutions 
(other than funding portals) to maintain and retain records documenting 
compliance with the amended rules.\685\ Fourth, they incorporate into 
regulation an existing statutory exemption for annual privacy notices. 
Below we discuss the benefits and the costs of each component in turn.
---------------------------------------------------------------------------

    \684\ See final rule 248.30(a)(1), 248.30(b), 248.30(d)(1), and 
248.30(d)(5).
    \685\ As discussed above, funding portals are not subject to the 
recordkeeping obligations found under Rule 17a-4. Funding portals 
are instead obligated, pursuant to Rule 404 of Regulation 
Crowdfunding, to make and preserve all records required to 
demonstrate their compliance with Regulation S-P for five years, the 
first two years in an easily accessible place. See supra footnote 
385; see also 17 CFR 227.404(a)(5).
---------------------------------------------------------------------------

    Some commenters criticized, generally, the discussion of benefits 
and costs in the Proposing Release. One commenter stated that the 
Commission should ``undertake a more expansive, accurate, and 
quantifiable assessment of the specific and cumulative costs, burdens, 
and economic effects that would be placed on investment advisers by the 
proposed requirements, as well as of the potential unintended 
consequences for their clients.'' \686\ Another commenter stated a need 
for more in-depth analysis of how the proposed amendments might impact 
transfer agents, their customers (issuers of securities), and 
securityholders.\687\ Other commenters did not directly disagree with 
the analysis in the Proposing Release, but stated that the proposed 
amendments would place a high overall burden on covered institutions, 
including smaller institutions.\688\
---------------------------------------------------------------------------

    \686\ See IAA Comment Letter 1.
    \687\ See STA Comment Letter 2.
    \688\ See, e.g., SIFMA Comment Letter 2; ASA Comment Letter.
---------------------------------------------------------------------------

    In response to these commenters, we have supplemented the analysis 
of the benefits and the costs of the final amendments regarding the 
timing requirement for notification of customers affected by a breach, 
including by providing more details on how the requirements differ from 
the baseline; \689\ different elements required to be included in a 
notice to affected individuals; \690\ different requirements relating 
to service providers; \691\ and the extension of the rule's scope to 
include all transfer agents.\692\ As discussed below, we have also made 
changes to the final amendments that will reduce compliance costs for 
all covered institutions, including those that are smaller in 
size.\693\
---------------------------------------------------------------------------

    \689\ See infra section IV.D.1.b(2); see also supra section 
IV.C.2.a(2).
    \690\ See infra section IV.D.1.b(5); see also supra section 
IV.C.2.a(2).
    \691\ See infra section IV.D.1.c; see also supra sections 
IV.C.2.a(3) and IV.C.3.f.
    \692\ See infra section IV.D.1.b; see also supra section 
IV.C.2.a(3).
    \693\ See infra footnote 1058 and accompanying text.
---------------------------------------------------------------------------

    Several commenters stated that the Commission should consider the 
cumulative costs of implementing the proposed amendments and other 
recent Commission rules and proposed rules.\694\ Specifically, one 
commenter stated that ``there can be no doubt that the costs of 
compliance--direct and indirect--rise with each regulation and directly 
impact the ability of [covered institutions] to invest in other aspects 
of their businesses'' and that the Commission should ``consider the 
cumulative effects that'' the final amendments and other adopted rules 
will have on covered institutions' ``operational limitations and, more 
importantly, resource constraints, in determining the compliance 
dates.'' \695\ That commenter and others mentioned proposals which 
culminated in several adopted rules.\696\
---------------------------------------------------------------------------

    \694\ See supra footnote 482.
    \695\ See IAA Comment letter 2.
    \696\ See supra footnotes 483-493.
---------------------------------------------------------------------------

    Consistent with its long-standing practice, the Commission's 
economic analysis in each adopting release

[[Page 47749]]

considers the incremental benefits and costs for the specific rule--
that is, the benefits and costs stemming from that rule compared to the 
baseline. The Commission acknowledges the possibility that complying 
with more than one rule may entail costs that could exceed the costs if 
the rules were to be complied with separately. Four of the rules 
identified by commenters have compliance dates that occur before the 
effective date of the final amendments,\697\ such that there is no 
overlap in compliance periods. The compliance periods for the other 
rules overlap in part, but the compliance dates adopted by the 
Commission in recent rules are generally spread out over an 
approximately three-year period from 2023 to 2026,\698\ which could 
limit the number of implementation activities occurring simultaneously. 
Where overlap in compliance periods exists, the Commission acknowledges 
that there may be additional costs on those covered institutions 
subject to one or more other rules as well as implications of those 
costs, such as impacts on entities' ability to invest in other aspects 
of their businesses.\699\
---------------------------------------------------------------------------

    \697\ The compliance dates for the Electronic Recordkeeping 
Adopting Release occurred in 2023, and the compliance date for the 
Settlement Cycle Adopting Release is May 28, 2024. The compliance 
dates for the May 2023 SEC Form PF Adopting Release and the Form N-
PX Adopting Release are June 11, 2024, and July 1, 2024, 
respectively.
    \698\ See supra section IV.C. In addition, we adopted longer 
compliance periods for all covered institutions relative to the 
proposal, and an even longer compliance period for smaller covered 
institutions. See supra section II.F.
    \699\ See, e.g., IAA Comment letter 2 (describing the types of 
implementation activities, such as updating internal controls, and 
training).
---------------------------------------------------------------------------

    Covered institutions subject to the final amendments in this 
rulemaking may be subject to one or more of the other adopted rules 
commenters named depending on whether those institutions' activities 
fall within the scope of the other rules. Specifically, the rules and 
amendments in the February 2024 Form PF Adopting Release, and those 
rules and amendments in the Private Fund Advisers Adopting Release for 
which the compliance dates have not already passed, apply to advisers 
to private funds: as private fund advisers are a subset of the covered 
institutions affected by the amendments, only a subset of covered 
institutions face compliance costs associated with these recent rules 
and amendments.\700\ The Public Company Cybersecurity Rules apply only 
to public companies, not all covered institutions.\701\ The amendments 
adopted in the Money Market Fund Adopting Release place a compliance 
burden on money market funds and certain liquidity fund advisers 
registered with the Commission, which are also a subset of covered 
institutions.\702\ The Investment Company Names Adopting Release 
amended requirements for those registered investment companies and BDCs 
with names with terms suggesting that the fund has particular 
characteristics, which are a subset of the funds affected by the final 
amendments.\703\ The Beneficial Ownership Adopting Release amended 
disclosure requirements that apply only to persons who beneficially own 
more than five percent of a covered class of equity securities.\704\ 
The rule adopted in the Securitization Conflicts Adopting Release 
affects only certain entities (and their affiliates and subsidiaries) 
that participate in securitization transactions.\705\ We acknowledge 
that covered institutions subject to multiple rules may still 
experience increased costs associated with implementing multiple rules 
at once as well as implications of those costs, such as impacts on 
those institutions' ability to invest in other aspects of their 
businesses.
---------------------------------------------------------------------------

    \700\ See Private Fund Advisers Adopting Release, at section 
VI.C.1; February 2024 Form PF Adopting Release, at section IV.B.2.
    \701\ See Public Company Cybersecurity Rules, at section IV.B.2. 
One commenter also suggested the Commission should consider the 
relationship between reporting obligations in the proposed 
amendments and the Public Company Cybersecurity Rules. See ASA 
Comment Letter. We modified the final amendments, relative to the 
proposal, to align with the Public Company Cybersecurity Rules with 
regard to disclosure delays for national security or public safety 
reasons. See supra section II.A.(d)(2).
    \702\ See Money Market Fund Adopting Release, at section IV.B.
    \703\ See Investment Company Names Adopting Release, at section 
IV.C.
    \704\ See Beneficial Ownership Adopting Release, at section 
IV.B.3.
    \705\ See Securitization Conflicts Adopting Release, at section 
IV.B.2.
---------------------------------------------------------------------------

1. Written Policies and Procedures
    In this section, we discuss the effects of written policies and 
procedures requirements in the final amendments, focusing on those 
relating to the incident response program required under the final 
amendments. Specifically, while the final amendments require covered 
institutions to develop, implement, and maintain written policies and 
procedures that address administrative, technical, and physical 
safeguards for the protection of customer information,\706\ general 
written policies and procedures to protect customer information are 
already part of the baseline.\707\ The primary new requirements pertain 
to written policies and procedures that must include an incident 
response program to address unauthorized access to or use of customer 
information.
---------------------------------------------------------------------------

    \706\ See final rule 248.30(a)(1).
    \707\ Prior to this adoption, Regulation S-P already required 
covered institutions to adopt policies and procedures reasonably 
designed to protect customer information. See supra section 
IV.C.2.b. Transfer agents were not previously covered by the 
safeguards rule and were not, before this adoption, required by the 
Commission to have such written policies and procedures in place. We 
analyze the benefits and costs that are specific to transfer agents 
in section IV.D.2.b.
---------------------------------------------------------------------------

    We expect that requiring written policies and procedures for the 
response program will improve the effectiveness of response programs in 
multiple ways, which will benefit covered institutions and their 
customers. Written policies and procedures are a practical prerequisite 
for organizations to implement standard operating procedures and have 
been recognized as effective at improving outcomes in critical 
environments.\708\ We expect that this will also be the case for 
response programs for data breach incidents. Written policies and 
procedures can help ensure that the covered institution's personnel 
know what corrective actions to take and when in the event of a data 
breach. Written policies and procedures can also help ensure that the 
incident is handled in an optimal manner. Moreover, establishing 
incident response procedures ex ante can facilitate discussion among 
the covered institution's staff and expose flaws in the incident 
response procedures before they are used in a real response. This may 
also lead to covered institutions improving their customer information 
safeguards, which could reduce the likelihood of unauthorized access to 
or use of customer information in the first place.\709\
---------------------------------------------------------------------------

    \708\ Other Commission regulations, such as the Investment 
Company Act and Investment Advisers Act compliance rules, require 
policies and procedures. 17 CFR 270.38a-1(a)(1), 275.206(4)-7(a). 
The utility of written policies and procedures is recognized outside 
the financial sector as well; for example, standardized written 
procedures have been increasingly embraced in the field of medicine. 
See, e.g., Robert L. Helmreich, Error Management as Organizational 
Strategy, In Proceedings of the IATA Human Factors Seminar, Vol. 1., 
Citeseer (1998); see also Joseph Alex, Chaparro Keebler, Elizabeth 
Lazzara & Anastasia Diamond, Checklists: A Review of Their Origins, 
Benefits, and Current Uses as a Cognitive Aid in Medicine, 
Ergonomics in Design, 2019 Q. Hum. Fac. App. 27 (2019). We are not 
aware of any studies that assess the efficacy of written policies 
and procedures specifically in the context of financial regulation, 
and no commenter provided such sources.
    \709\ See infra section IV.D.1.b(3) for examples of how covered 
institutions could enhance their customer information safeguards.

---------------------------------------------------------------------------

[[Page 47750]]

    We do not anticipate that the final requirement for written 
policies and procedures will result in substantial new benefits from 
its application to large covered institutions, those with a national 
presence, or those already subject to comparable Federal regulations. 
As stated above,\710\ all States and the District of Columbia generally 
require businesses to notify their customers when certain customer 
information is compromised. States do not typically require the 
adoption of written policies and procedures for the handling of such 
incidents.\711\ However, despite the lack of explicit statutory 
requirements, covered institutions--especially those with a national 
presence--may have developed and implemented written policies and 
procedures for a response program that incorporates various standard 
elements, including for assessment, containment, and notification.\712\ 
Given the numerous and distinct State data breach laws, it would be 
difficult for larger covered institutions operating in multiple States 
to comply effectively with existing State laws without having some 
written policies and procedures in place. As such covered institutions 
are generally larger, they are more likely to have compliance staff 
dedicated to designing and implementing regulatory policies and 
procedures, which could include policies and procedures regarding 
incident response. Moreover, to the extent that covered institutions 
that have already developed written policies and procedures for 
incident response have based such policies and procedures on common 
cyber incident response frameworks (e.g., NIST Computer Security 
Incident Handling Guide, CISA Cybersecurity Incident Response 
Playbook),\713\ generally accepted industry best practices, or other 
applicable regulatory guidelines,\714\ these large covered 
institutions' written policies and procedures are likely to include the 
elements of assessment, containment, and notification, and to be 
substantially consistent with the requirements of the final amendments. 
Thus, we do not anticipate that the final requirement for written 
policies and procedures will result in substantial new benefits from 
its application to these institutions.
---------------------------------------------------------------------------

    \710\ See supra section IV.C.2.
    \711\ Some States do, however, require businesses to have 
procedures to protect personal information. See, e.g., Cal. Civil 
Code section 1798.81.5 and N.Y. Gen. Bus. Law. section 899-BB.
    \712\ Various industry guidebooks, frameworks, and government 
recommendations share many common elements, including the ones 
included in the final amendments. See, e.g., NIST Computer Security 
Incident Handling Guide and CISA Incident Response Playbook.
    \713\ See supra footnote 625.
    \714\ For example, the Banking Agencies' Incident Response 
Guidance states that covered institutions that are subsidiaries of 
U.S. bank holdings companies should develop response programs that 
include assessment, containment, and notification elements. See 
supra discussion of Banking Agencies' Incident Response Guidance in 
text accompanying footnote 605.
---------------------------------------------------------------------------

    For the same reasons, this requirement is unlikely to impose 
significant new costs for these institutions. As discussed below, we 
estimate that certain costs associated with developing and implementing 
policies and procedures to comply with the final amendments will be, on 
average, $15,445 per year per covered institution.\715\ Here, we expect 
the main costs associated with the final requirement to be the costs of 
reviewing, and possibly updating, existing policies and procedures to 
ensure that they satisfy the new requirements. Hence, we expect these 
reviews and updates will result in these covered institutions incurring 
direct compliance costs generally smaller than the costs of developing 
and implementing new policies and procedures. If covered institutions 
respond to this requirement by improving their customer information 
safeguards beyond what is required by the final amendments, they will 
incur additional costs.\716\ We expect that the costs incurred by these 
covered institutions as a result of this requirement will ultimately be 
passed on to customers of these institutions.\717\
---------------------------------------------------------------------------

    \715\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $5,425 per year per covered 
institution. See infra section V. We expect that for some 
institutions, the actual costs might be lower than these estimates. 
For example, there may be some portability between funds belonging 
to the same family of investment companies, which could mitigate 
costs per investment company. See supra section IV.C.3.d. We 
estimate that these costs will be higher for transfer agents because 
transfer agents were not, before this adoption, covered by the 
safeguards rule. In addition, transfer agents registered with a 
regulatory agency other than the Commission were not, before this 
adoption, covered by the disposal rule. See infra footnote 1003 and 
accompanying text.
    \716\ Because covered institutions could decide to enhance their 
customer information safeguards in many different ways, we are 
unable to quantify expected costs resulting from such enhancements. 
See infra section IV.D.1.b(3) for examples of how covered 
institutions could enhance their customer information safeguards as 
a result of the final amendments.
    \717\ Costs incurred by larger covered institutions as a result 
of the final amendments will generally be passed on to their 
customers in the form of higher fees. However, smaller covered 
institutions--which are likely to face higher costs relative to 
their size--may not be able to do so. See infra section IV.E.
---------------------------------------------------------------------------

    We expect that the final written policies and procedures 
requirements will have more substantial benefits and costs for smaller 
covered institutions without a national presence, such as small 
registered investment advisers and broker-dealers who cater to a 
clientele based on geography, as compared to larger covered 
institutions. Before this adoption, some of these covered institutions 
may have had lower incentives to develop and implement written policies 
and procedures for a response program and may therefore have been less 
likely to have such policies and procedures in place for several 
reasons. First, the incentives to develop and implement policies and 
procedures for a response program may vary for covered institutions of 
different sizes. Some smaller covered institutions may already 
prioritize response programs, for example because the firm views 
reputational costs of a cybersecurity breach or other type of 
unauthorized access to or use of customer information as posing the 
potential for serious harm to the firm. However, for other smaller 
covered institutions, the firm and its managers may view response 
programs as lower priority because, for example, the potential 
reputational cost of an unauthorized access to or use of customer 
information may be relatively smaller than it would be for a larger 
firm. This would be the case to the extent that the firm and its 
managers perceive that the firm has a lower franchise value (the 
present value of the future profits that a firm is expected to earn as 
a going concern) and lower brand equity (the value of potential 
customers' perceptions of the firm). Thus, the costs of potential 
reputational harm may be perceived to be lower than at larger firms. 
Moreover, the cost of developing and implementing written policies and 
procedures for a response program is proportionately large compared to 
larger covered institutions since it involves fixed costs.
    Second, some covered institutions could potentially have, before 
this adoption, complied effectively with the relevant State data breach 
notification laws without adopting written policies and procedures to 
deal with customer notification: they may only have needed to 
consider--on an ad hoc basis--the notification requirements of the 
small number of States in which their customers reside.\718\ Hence, for 
such covered institutions, the cost of developing policies and 
procedures will be relatively larger, but the benefits for

[[Page 47751]]

the customers of these institutions will also be larger.
---------------------------------------------------------------------------

    \718\ As discussed above, many registered investment advisers 
have clients in only a few States. See supra section IV.C.3.c.
---------------------------------------------------------------------------

    We expect that for such covered institutions, the final amendments 
will likely impose additional compliance costs related to written 
policies and procedures for safeguarding customer information.\719\ 
Certain costs associated with developing and implementing policies and 
procedures to comply with the final amendments are estimated to be 
$15,445 generally per year per covered institution, but may vary 
depending on the size of the institution and the current state of their 
existing policies and procedures.\720\ Furthermore, as for larger 
covered institutions, if these covered institutions respond to this 
requirement by improving their customer information safeguards beyond 
what is required by the final amendments, they will incur additional 
costs. While these smaller covered institutions might potentially pass 
some of the costs resulting from the final amendments on to customers 
in the form of higher fees, their ability to do so may be limited due 
to the presence of larger competitors with more customers across which 
to spread costs.\721\ In addition, covered institutions that improve 
their customer notification procedures in response to the final 
amendments might suffer reputational costs resulting from the 
additional notifications.\722\
---------------------------------------------------------------------------

    \719\ The existing policies and procedures were already required 
under Regulation S-P before this adoption; see 17 CFR 248.30. The 
final amendments may also generate additional costs to covered 
institutions who decide to improve their customer information 
safeguards to avoid the potential reputational harm associated with 
the customer notification requirements. However, one commenter 
stated that the FTC has often noted that reasonable security 
measures are a relatively low cost. See EPIC Comment Letter. Such 
improvements in customer information safeguards would also provide 
potential benefits to customers in addition to reducing the risk of 
reputational harm for the covered institutions.
    \720\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $5,425 per year per covered 
institution. See infra section V. We expect that for some 
institutions, the actual costs might be lower than these estimates. 
For example, there may be some portability between funds belonging 
to the same family, which could mitigate costs. See supra section 
IV.C.3.d.
    \721\ See supra section IV.C.3. Developing and implementing 
written policies and procedures for a response program involves 
fixed costs. Larger institutions can spread these costs over a 
larger number of customers, resulting in a smaller increase in the 
price that each customer pays. Smaller institutions must spread 
these costs over a smaller number of customers, resulting in a 
larger price increase per customer. This could result in smaller 
institutions losing more customers as a result of the increase in 
price. Hence, smaller institutions could decide to absorb more of 
the costs compared to large institutions in order to avoid losing 
customers.
    \722\ See supra section IV.B; see also infra section IV.D.1.b.
---------------------------------------------------------------------------

    Some commenters stated that many covered institutions already had 
policies and procedures in place.\723\ These commenters also stated 
that these policies and procedures would need to be reviewed and 
updated to comply with the amendments, but to different extents. On the 
one hand, one commenter stated that its members already complied with 
much of the proposal's content through State regulations, such as the 
requirements that companies maintain written cybersecurity policies and 
procedures, respond to cyber incidents, notify authorities and 
consumers of certain cyber incidents, and dispose of consumer 
data.\724\ A second commenter stated that the customer notification 
requirements would need to be incorporated into existing policies and 
procedures.\725\ These commenters' perspectives are consistent with our 
view that the final rules will impose a fairly limited burden for 
covered institutions bringing existing policies and procedures into 
compliance with the new requirements. On the other hand, a different 
commenter stated that written incident response program policies and 
procedures and recordkeeping requirements would need to be created and 
implemented,\726\ indicating higher potential burden. Hence, we 
continue to expect that the policies and procedures requirements will 
potentially have different effects on different covered 
institutions.\727\ In a change from the proposal and after considering 
commenters' concerns, we are now adopting a longer compliance period 
for all covered institutions relative to the proposal, and an even 
longer compliance period of 24 months for smaller covered institutions, 
which are less likely to already have policies and procedures broadly 
consistent with the final amendments.\728\
---------------------------------------------------------------------------

    \723\ See, e.g., IAA Comment Letter 1; SIFMA Comment Letter 2.
    \724\ See ACLI Comment Letter.
    \725\ See SIFMA Comment Letter 2.
    \726\ See IAA Comment Letter 1.
    \727\ For example, some covered institutions, such as transfer 
agents, may not have existing notification procedures since they may 
not have been required, under State law, to notify customers in case 
of a breach. See supra section IV.C.2.a(3); infra section IV.D.2.b.
    \728\ The compliance period for larger institutions under the 
final amendments is 18 months from the date of publication in the 
Federal Register. The proposed compliance period for all covered 
institutions was 12 months from the effective date of the final 
amendments. See supra section II.F.
---------------------------------------------------------------------------

    Two commenters discussed how the proposed amendments would affect 
an entity that is dually registered as an investment adviser and 
broker-dealer. One commenter stated that it appreciated the approach of 
the proposal, which applies uniformly to the two types of covered 
institutions and would allow for streamlining of processes.\729\ 
Another commenter stated that bringing both sides of the entity into 
compliance with the proposed amendments would impose a significant 
burden and require a dual registrant to modify both sides of the 
entity' compliance frameworks.\730\ We do not expect a significant 
burden, because we expect that these institutions could generally 
implement a single set of procedures to comply with many of the 
provisions of the final amendments, which would limit these additional 
burdens.\731\ To the extent entities registered as more than one 
category of covered institution arrange their business such that there 
are separate policies and procedures for each category, those entities 
may encounter additional cost burden when complying with the final 
amendments. For example, an entity that creates two different incident 
response programs for its advisory and broker-dealer operations could 
bear as much as twice the cost burden as the same entity would bear 
when creating one incident response program,\732\ although there may be 
efficiencies to the extent that development of one program informs the 
other. The final amendments, however, do not prevent that entity from 
using the same incident response program across its categories of 
covered institutions.
---------------------------------------------------------------------------

    \729\ See FSI Comment Letter.
    \730\ See Cambridge Comment Letter.
    \731\ For example, we expect that these institutions will be 
able to implement a single set of procedures to satisfy the customer 
notification requirements.
    \732\ For example, annual average costs of $30,890 associated 
with preparation of written policies and procedures instead of 
annual average costs of $15,445. See, e.g., infra footnote 856 and 
accompanying text.
---------------------------------------------------------------------------

    In the remainder of this section, we first consider the benefits 
and costs associated with requiring covered institutions to have a 
response program generally. We then analyze the benefits and the costs 
of the notification requirements vis-[agrave]-vis the notification 
requirements already in force under the various existing State laws. We 
conclude this section with an analysis of the benefits and costs of the 
response program's service provider provisions.
a. Response Program
    The final amendments require covered institutions' written policies 
and procedures to include a response program ``reasonably designed to 
detect, respond to, and recover from unauthorized access to or use of

[[Page 47752]]

customer information, including customer notification procedures.'' 
\733\ The response program must address incident assessment, 
containment, as well as customer notification and oversight of service 
providers.\734\
---------------------------------------------------------------------------

    \733\ Final rule 248.30(a)(3).
    \734\ See final rule 248.30(a)(3).
---------------------------------------------------------------------------

    The question of how best to structure the response to an incident 
resulting in unauthorized access to or use of customer information has 
received considerable attention from firms, IT consultancies, 
government agencies, standards bodies, and industry groups, resulting 
in numerous reports with recommendations and summaries of best 
practices.\735\ While the emphasis of these reports varies, certain key 
components are common across many incident response programs. For 
example, NIST's Computer Security Incident Handling Guide identifies 
four main phases to cyber incident handling: (1) preparation; (2) 
detection and analysis; (3) containment, eradication, and recovery; and 
(4) post-incident activity.\736\ The assessment, containment, and 
notification prongs of the final policies and procedures requirements 
correspond to the latter three phases of the NIST recommendations. 
Similar analogues are found in other reports, recommendations, and 
other regulators' guidelines.\737\ Thus, the required procedures of the 
incident response program are substantially consistent with industry 
best practices and these other regulatory documents that seek to 
develop effective policies and procedures in this area.
---------------------------------------------------------------------------

    \735\ See supra section IV.C.1.
    \736\ See NIST Computer Security Incident Handling Guide.
    \737\ See supra text accompanying footnote 604.
---------------------------------------------------------------------------

    While some commenters suggested that some specific provisions of 
the amendments be better aligned with existing regulation,\738\ other 
commenters stated that the Commission's proposal would generally align 
the amendments with other regulatory frameworks such as the Banking 
Agencies' Incident Response Guidance.\739\ One of these commenters 
stated that consistency across regulatory requirements facilitates 
firms' operations, provides for efficiencies in their operations, and 
better serves customers.\740\ In the final amendments, we have revised 
some requirements from the proposal to better align them with existing 
regulatory framework. For example, one commenter stated that a 72-hour 
deadline would improve alignment with other existing requirements and 
that this would significantly reduce complexity and compliance burdens 
for covered institutions and their service providers.\741\ Consistent 
with other regulatory frameworks,\742\ the final amendments require 
that covered institutions ensure that their service providers take 
appropriate measures to provide notification to the covered institution 
as soon as possible, but no later than 72 hours after becoming aware 
that a breach in security has occurred.\743\
---------------------------------------------------------------------------

    \738\ See SIFMA Comment Letter 2; Computershare Comment Letter.
    \739\ See, e.g., ICI Comment Letter 1; Nasdaq Comment Letter.
    \740\ See ICI Comment Letter 1.
    \741\ See Microsoft Comment Letter; see also supra footnote 245 
and accompanying text.
    \742\ See supra footnote 257 and accompanying text.
    \743\ The proposed amendments instead had a requirement of 48 
hours. See Proposing Release at section II.A.3.
---------------------------------------------------------------------------

    Similar to the written policies and procedures requirement, we 
expect the benefits and the costs of the response program requirements 
to vary across covered institutions. In general, costs will be larger 
for entities that do not have any related incident response programs or 
related policies and procedures. For those entities, costs may include 
needing to familiarize themselves with the new requirements, initial 
set-up costs for new systems to monitor when customers need to be 
notified, new notification systems, and development and implementation 
of new policies and procedures associated with response programs. 
Therefore, on the one hand, the effects of the requirements are likely 
to be small for covered institutions with a national presence who are 
likely to already have such programs in place.\744\ For such 
institutions, we expect direct compliance costs to be largely limited 
to reviews and, if needed, updates of existing policies and 
procedures.\745\ On the other hand, we expect greater benefits and 
costs for smaller, more geographically limited covered institutions 
since they are less likely to have an existing incident response 
program. The benefits ensuing from these institutions incorporating 
incident response programs to their written policies and procedures can 
be expected to arise from improved efficacy in notifying affected 
customers and--more generally--from improvements in the manner in which 
such incidents are handled. The response program requirements might 
potentially provide substantial benefit in a specific incident, for 
example in the case of a data breach at an institution that does not 
currently have an incident response program and is unprepared to 
promptly respond in keeping with law and best practice. Such an 
institution will also bear the full costs associated with adopting and 
implementing procedures complying with the final amendments.\746\
---------------------------------------------------------------------------

    \744\ In addition, as discussed above, private funds may be 
subject to the FTC Safeguards Rule, which requires an incident 
response plan. See supra footnotes 614 and 617 and accompanying 
text. Hence, we expect that private funds advisers that are 
registered with the Commission may already have an incident response 
plan in place.
    \745\ We expect these reviews and updates will result in 
entities incurring costs generally smaller than the costs of 
adopting and implementing new procedures. See supra section IV.D.1.
    \746\ See supra footnote 721 and accompanying text for a 
discussion of certain quantified costs associated with developing 
and implementing policies and procedures. See also infra section V.
---------------------------------------------------------------------------

    In addition to helping ensure that customers are notified when 
their data are breached,\747\ having reasonably designed strategies for 
incident assessment and containment ex ante might reduce the frequency 
and scale of breaches through more effective intervention and improved 
managerial awareness, providing further indirect benefits. Any such 
improvements to covered institutions' processes will benefit their 
customers (e.g., by reducing harms to customers resulting from data 
breaches), as well as the covered institutions themselves (e.g., by 
reducing the expected costs of handling data breaches), representing 
further indirect benefits of the rule.
---------------------------------------------------------------------------

    \747\ The benefits and costs specific to the notification 
requirements are analyzed in detail in section IV.D.1.b below.
---------------------------------------------------------------------------

    We lack data on efficacy of incident assessment, incident 
containment, or customer notification that would allow us to quantify 
the economic benefits of the final requirements, and no commenter 
suggested such data. Similarly, we lack data, and no commenter 
suggested such data, that would allow us to quantify the indirect 
economic costs, such as reputational cost of any potential increase in 
the frequency of customer notification or the indirect costs of 
customer information protection improvements that may be undertaken to 
avoid such reputational costs. In the aggregate, however, considering 
the amendments in the context of the baseline, these benefits and costs 
are likely to be limited. As we have discussed above,\748\ all States 
have previously enacted data breach notification laws with 
substantially similar aims and, therefore, we think it likely that many 
institutions have response programs to support compliance with these 
laws. In addition, we anticipate that larger covered institutions with 
a national presence--which account for the bulk of

[[Page 47753]]

covered institutions' customers--have already developed written 
incident response programs consistent with the proposed requirements in 
most respects.\749\ Thus, the benefits and costs of requiring written 
incident response programs will be the most significant for smaller 
covered institutions without a national presence--institutions whose 
policies affect relatively few customers.
---------------------------------------------------------------------------

    \748\ See supra section IV.C.2.a.
    \749\ See supra footnote 713 and accompanying text.
---------------------------------------------------------------------------

    In support of the proposed response program requirement, some 
commenters stated that response programs had benefits beyond the 
notification of affected individuals. One commenter stated that 
effective cybersecurity practices and system safeguards, including 
incident response and notification, were critical for the financial 
markets and services industry and the regulators tasked with oversight 
of this sector.\750\ Another commenter stated that the costs associated 
with the incident response programs and more robust notification regime 
served an important forcing function for entities that might otherwise 
not adequately invest in safeguards on the front end.\751\ This 
commenter also cited a report stating that having an incident plan is 
one of the steps organizations can take to protect their data.\752\ In 
addition, in support of the Proposing Release, commenters cited sources 
offering additional context and evidence of the benefits of incident 
response programs. A report cited by a commenter states that businesses 
with an incident response team that tested their incident response plan 
saw an average of $2.66 million lower breach costs compared to 
organizations without an incident response team and that did not test 
their incident response plan.\753\ A more recent version of the same 
report states that businesses which both had an incident response team 
and tested their incident response plan took 54 fewer days to identify 
and contain a data breach, compared to businesses that did not have a 
response team nor test their incident response plan (252 days as 
compared to 306 days).\754\ This information generally supports our 
view that incident response programs will have benefits for both 
covered institutions and their customers. However, because the 
amendments' requirements differ from those analyzed in these reports, 
we are unable to use these estimates to precisely quantify the benefits 
of the amendments in terms of prevention of and response to data breach 
incidents involving customer information. Nevertheless, to the extent 
that different reasonably designed incident response programs yield 
benefits of similar magnitudes, the final amendments will have benefits 
of similar magnitude for the covered institutions that do not currently 
have an incident response program in place, with associated benefits 
for the customers of these institutions.
---------------------------------------------------------------------------

    \750\ See Google Comment Letter.
    \751\ See EPIC Comment Letter. Potential reputational costs, and 
the associated potential loss of customers, that could result from 
customer notification will incentivize covered institutions to spend 
more on information safeguards. However, additional costs associated 
with the required response program are unlikely to provide such 
incentives. Once informed, the customers will have the possibility 
to stop doing business with covered institutions they wish to avoid.
    \752\ See EPIC Comment Letter, citing Internet Society's Online 
Trust Alliance, 2018 Cyber Incident & Breach Trends Report (July 9, 
2019), available at https://www.internetsociety.org/wp-content/uploads/2019/07/OTA-Incident-Breach-Trends-Report_2019.pdf.
    \753\ See Better Markets Comment Letter. The commenter cited the 
2022 IBM Cost of Data Breach Report which finds that the cost of a 
data breach for organizations without an incident response team and 
that did not test their incident response plan was $5.92 million, 
while the costs for organizations with an incident response team 
that tested its incident response plan was $3.26 million. Equivalent 
numbers are not available in the 2023 version of the report.
    \754\ See 2023 IBM Cost of Data Breach Report.
---------------------------------------------------------------------------

b. Notification Requirements
    The final requirements provide for a Federal minimum standard for 
data breach notification, applicable to the sensitive customer 
information of all customers of covered institutions (including 
customers of other financial institutions whose information has been 
provided to a covered institution),\755\ regardless of their state of 
residence. The information value of a data breach notification standard 
is a function of its various provisions and how these provisions 
interact to provide customers with thorough, timely, and accurate 
information about how and when their information has been compromised. 
Customers receiving notices that are more thorough, timely, and 
accurate have a better chance of taking effective remedial actions, 
such as placing holds on credit reports, changing passwords, and 
monitoring account activity.\756\ These customers will also be better 
able to make informed decisions about whether to continue to do 
business with institutions that have been unable to prevent their 
information from being compromised. Similarly, non-customers who learn 
of a data breach, for example from individuals notified as a result of 
the final amendments, might use this information to evaluate their 
potential use of a covered institution.
---------------------------------------------------------------------------

    \755\ See final rule 248.30(d)(5)(i).
    \756\ Commenters agreed that a breach notification allows 
customers to take mitigating actions limiting the negative effects 
of a breach. See, e.g., EPIC Comment Letter. One commenter also 
stated that the value of any required disclosure depended largely on 
the extent to which it conveyed clear, comprehensible, and usable 
information. See Better Markets Comment Letter.
---------------------------------------------------------------------------

    As discussed above, all 50 States and the District of Columbia 
already have data breach notification laws that apply, in varying ways, 
to compromises of their residents' information.\757\ Thus, the benefits 
of the adopted Federal minimum standard for notification of customers 
(vis-[agrave]-vis the baseline) will vary depending on each customer's 
State of residence, with the greatest benefits accruing to customers 
that reside in States with the least informative customer notification 
requirements.\758\
---------------------------------------------------------------------------

    \757\ See supra section IV.C.2.a. In addition, some covered 
institutions may be required to share information with certain 
individuals about certain events under other Federal regulations 
such as Regulation SCI or the Banking Agencies' Incident Response 
Guidance. See supra section IV.C.2.b.
    \758\ In some cases, large benefits could also accrue to 
customers that reside in States with broader and more informative 
breach notification laws if they reside in States where such laws 
are not applicable to entities in compliance with the GLBA. See 
infra section IV.D.1.b(1).
---------------------------------------------------------------------------

    Unfortunately, with the data available, it is not practicable to 
decompose the marginal contributions of the various State law 
provisions to the overall ``strength'' of State data breach laws. 
Consequently, it is not possible for us to quantify on a state-by-state 
basis the benefits of the adopted Federal minimum standard to customers 
residing in the various States. In considering the benefits of the 
final notification requirement, we limit consideration to the 
``strength'' of individual provisions of the final amendments vis-
[agrave]-vis the corresponding provisions under State laws and consider 
the number of customers that might potentially benefit from each.
    Similarly--albeit to a somewhat lesser extent--the costs to covered 
institutions will also vary depending on the geographical distribution 
of each covered institution's customers. Generally, the costs 
associated with the final amendments will be greater for covered 
institutions whose customers reside in States with less informative 
customer notification laws than for those whose customers reside in 
States with broader and more informative notification laws. In 
particular, smaller covered institutions whose customers are 
concentrated in States where State data breach laws result in less 
informative customer notification are likely to face higher costs since 
they may have to issue additional notices to comply with the 
amendments. The costs

[[Page 47754]]

associated with notice issuance comprise both administrative costs and 
reputational costs. Certain costs arising from notice issuance are 
covered in the Paperwork Reduction Act analysis in section V and are 
estimated to be on average $5,178 per year per covered 
institution.\759\ We lack data, and no commenter suggested such data, 
that would allow us to quantify the reputational cost resulting from 
any potential increase in the frequency of customer notification or the 
indirect costs of customer information protection improvements that may 
be undertaken by covered institutions to avoid such reputational costs.
---------------------------------------------------------------------------

    \759\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $3,862 per year per covered 
institution. See infra section V.
---------------------------------------------------------------------------

    Although some commenters stated that a Federal notification 
requirement was not needed given existing State law requirements,\760\ 
other commenters supported this proposed provision.\761\ One commenter 
stated that a significant advantage would be that in several States, it 
would relieve covered institutions from having to issue state-specific 
breach notices under State law.\762\ Another commenter further stated 
that a Federal breach notification requirement ``would satisfy State 
notice laws that provide exemptions for firms subject to such a 
requirement, which will help to a degree to reduce the confusion and 
notification burdens arising from the patchwork of State data breach 
notification requirements.'' \763\ Another commenter stated that the 
benefits of a Federal minimum standard would outweigh the burden of the 
new notification requirements.\764\
---------------------------------------------------------------------------

    \760\ See, e.g., CAI Comment Letter (stating that the proposed 
amendments' requirements ``would simply add another layer on top of 
these existing requirements and would likely go entirely unnoticed 
by consumers, while complicating compliance efforts for covered 
institutions and raising additional compliance and legal risk''). We 
disagree with these commenters and discuss in detail in the 
subsections below the benefits of different provisions of the 
notification requirements over the baseline.
    \761\ See, e.g., ICI Comment Letter 1; IAA Comment Letter 1.
    \762\ See ICI Comment Letter 1.
    \763\ See IAA Comment Letter 1; see also supra footnote 557 and 
accompanying text. Another commenter stated that the proposed 
notification requirements would not replace State law requirements 
and that covered institutions would continue to have to comply 
beyond the Federal minimum standard for at least 20 States. See FSI 
Comment Letter.
    \764\ See FSI Comment Letter.
---------------------------------------------------------------------------

    In the rest of this section, we consider key provisions of the 
final notification requirements, their potential benefits to customers 
(vis-[agrave]-vis existing State notification laws), and their costs.
(1) GLBA Safe Harbors
    A number of State data breach laws provide exceptions to 
notification for entities subject to and in compliance with the GLBA. 
These ``GLBA Safe Harbors'' may result in customers not receiving any 
data breach notification from registered investment advisers, broker-
dealers, funding portals, investment companies, or transfer agents. The 
final amendments will help ensure customers receive notice of breach in 
cases where they may not currently because notice is not required under 
State law.
    Based on an analysis of State laws, we found that 19 States provide 
a GLBA Safe Harbor.\765\ Together, these States account for 24 percent 
of the U.S. population, or approximately 17 million potential customers 
who may benefit from this provision.\766\ While we do not have data on 
the exact geographical distribution of customers across all covered 
institutions, we are able to identify registered investment advisers 
whose customers reside exclusively in GLBA Safe Harbor States.\767\ We 
estimate that there are 679 such advisers, representing 4.4 percent of 
the registered adviser population, and that these advisers represent in 
total more than 97,000 clients.\768\ We expect that a similar 
percentage of broker-dealers would be found to be operating exclusively 
in GLBA Safe Harbor States.
---------------------------------------------------------------------------

    \765\ States with exceptions that specifically mention the GLBA 
include Arizona, Connecticut, the District of Columbia, Delaware, 
Iowa, Kentucky, Maryland, Minnesota, Missouri, Nevada, New Mexico, 
Oregon, Rhode Island, South Carolina, South Dakota, Tennessee, Utah, 
Virginia, and Wisconsin. Additional States have exceptions for 
compliance with a primary Federal regulator, as discussed supra.
    \766\ Estimates of the numbers of potential customers are based 
on State population adjusted by the percentage of households 
reporting direct stock ownership (21%). See U.S. Census Bureau, 
Apportionment Report (2020), available at https://www2.census.gov/programs-surveys/decennial/2020/data/apportionment/apportionment-2020-table01.xlsx (last visited Apr. 12, 2024); see also Federal 
Reserve Board, Survey of Consumer Finances (2022), available at 
https://www.federalreserve.gov/econres/scfindex.htm (last visited 
Apr. 9, 2024).
    \767\ Based on Form ADV, Item 2.C as of Oct. 5, 2023; see also 
supra footnote 655.
    \768\ Based on Form ADV, Item 5.D as of Oct. 5, 2023; see also 
supra footnote 650.
---------------------------------------------------------------------------

    Changing the effect of the GLBA Safe Harbors is not likely to 
impose significant direct compliance costs on most covered 
institutions. For the reasons outlined above, many covered institutions 
have customers residing in States without a GLBA Safe Harbor and we 
therefore expect them to have existing procedures for notifying 
customers under State law. Additionally, some jurisdictions require 
notification policies or actual notification as condition of the safe 
harbor.\769\ However, covered institutions whose customer base is 
limited to GLBA Safe Harbor States may not have implemented any 
procedures to notify customers in the event of a data breach. These 
covered institutions may face higher costs than entities with some 
notification procedures already in place, but the customers of these 
institutions will benefit the most from the final amendments by 
receiving notice they may not have otherwise received.
---------------------------------------------------------------------------

    \769\ See, e.g., D.C. Code section 28-3852(g).
---------------------------------------------------------------------------

    One commenter agreed that some State laws provided exemptions from 
their notice requirements under the GLBA but disagreed that this 
implied benefits for the amendments, stating that the proposed 
amendments would not preempt State notification requirements and would 
instead add another variation on existing requirements to be accounted 
for by covered institutions, with limited real benefits to affected 
individuals.\770\ The final amendments will create new and to various 
extents different notification requirements for covered institutions 
with customers residing in States without GLBA exemptions. However, we 
disagree with this commenter's assertion that benefits to affected 
individuals will be limited. As discussed above, State laws vary in 
detail from State to State.\771\ We discuss below how the final 
amendments will impose a Federal minimum standard for customer 
notification and how we expect this standard to benefit customers.
---------------------------------------------------------------------------

    \770\ See CAI Comment Letter (``Although some state laws do 
provide exemptions from their state specific notice requirements 
where a notice is provided consistent with requirements under the 
Gramm-Leach Bliley Act (GLBA), most do not. This proposed new 
requirement would not serve to preempt those generally applicable 
state notice requirements, and would not establish a new singular 
standard. It would just be another variation on existing 
requirements to be accounted for, with limited real benefit to 
affected individuals.'').
    \771\ See supra section IV.C.2.a.
---------------------------------------------------------------------------

(2) Accelerated Timing of Customer Notification
    The final amendments require covered institutions to provide notice 
to customers in the event of some data breaches as soon as practicable, 
but not later than 30 days, after becoming aware that unauthorized 
access to or use of customer information has occurred or is reasonably 
likely to have occurred.\772\ As discussed in section IV.C.2.a, 
existing State laws vary in terms of notification timing. Most States 
(31) do not include a specific deadline for

[[Page 47755]]

notifying customers, but rather require that the notice be given in an 
expedient manner and/or that it be provided without unreasonable delay. 
These States account for 60 percent of the U.S. population, with 
approximately 42 million potential customers residing in these 
States.\773\ Four States have a 30-day deadline; we estimate that close 
to 8 million potential customers reside in these States. The remaining 
16 States provide for longer notification deadlines. For the estimated 
20 million potential customers residing in these 16 States, the final 
amendments' 30-day outside timeframe might tighten the notification 
timeframes.\774\ In addition, the 30-day outside timeframe is likely to 
tighten notification timeframes for the approximately 42 million 
potential customers residing in States with no specific deadline.
---------------------------------------------------------------------------

    \772\ See final rule 248.30(a)(4)(iii).
    \773\ See supra Figure 2; see also supra footnote 767.
    \774\ State deadlines are either 30, 45, or 60 days, but differ 
in terms of triggers of those deadlines; see supra Figure 3.
---------------------------------------------------------------------------

    Even though the timing language in State laws without specific 
deadlines generally suggests that notices must be prompt, we have 
evidence that the notices are frequently sent significantly later than 
30 days after the affected institution learns of the breach. The 
Proposing Release references data from California and Washington, which 
we explain in more detail below. California requires that such notice 
be given ``in the most expedient time possible and without unreasonable 
delay.'' \775\ Nevertheless, data from the California Office of the 
Attorney General, regarding notices sent to more than 500 California 
residents for any one incident, indicate that for the notices for which 
these data are available, the average time from discovery to 
notification was 144 days in 2022, and 91 percent of these notices were 
sent later than 30 days after the discovery of the breach.\776\ Hence, 
we expect that the aggregate effects of a 30-day notification outside 
timeframe might be significant for the 42 million potential customers 
residing in States with no specific deadline.\777\
---------------------------------------------------------------------------

    \775\ See Cal. Civil Code section 1798.82.
    \776\ This analysis was performed using data from the State of 
California Department of Justice, Office of the Attorney General, 
Search Data Security Breaches (2023), available at https://oag.ca.gov/privacy/databreach/list (last visited Apr. 8, 2024). 
California law requires that a sample copy of a breach notice sent 
to more than 500 California residents be provided to the California 
Attorney General. Four-hundred fifty-six such notices were reported 
in the year of 2022. Of those notices, 164 (36%) included both the 
date of the discovery of the breach and the date the notice was sent 
to affected individuals. For those 164 notices, the average number 
of days between discovery and notice was 144 and the median number 
of days was 107. One hundred fifty of these notices (91%) were sent 
more than 30 days after discovery. The minimum number of days was 0 
and the maximum was 538. The Proposing Release cited an average 
number of days between discovery and notice of 197 (for calendar 
year 2021). The correct number should be 97. This change would not 
have affected the Commission's assessment, in the Proposing Release, 
that there would be substantial economic benefits from a new 
notification deadline in an amended Regulation S-P, as both 
estimates are substantially larger than 30 days.
    \777\ The final amendments' 30-day notification timeframe starts 
when a covered institution becomes aware that unauthorized access to 
or use of customer information has occurred or is likely to have 
occurred. See final rule 248.30(a)(4)(iii). The analysis performed 
here relies instead on an entity's description of when it discovered 
or became aware of a breach, which could refer to a different point 
in time.
---------------------------------------------------------------------------

    In addition, because the final amendments will not provide for 
broad exceptions to the 30-day notification requirement,\778\ in many 
cases the amendments will tighten notification timeframes even for the 
8 million potential customers residing in States with a 30-day 
deadline. For example, in Washington, the State law requires that the 
notice be given ``without unreasonable delay, and no more than thirty 
calendar days after the breach was discovered.'' \779\ However, the law 
also allows for a delay ``at the request of law enforcement'' or ``due 
to any measures necessary to determine the scope of the breach and 
restore the reasonable integrity of the data system.'' \780\ Data from 
the Washington Attorney General's Office indicate that for the notices 
for which these data are available, the average time from discovery to 
notification was 137 days in 2022 and the median time was 93 days.\781\ 
Eighty-seven percent of these notices were sent later than 30 days 
after the discovery of the breach, presumably as a result of these 
exceptions.\782\ Hence, we expect that the timing requirements of the 
final amendments will result in many notices being sent earlier even in 
some States with a 30-day deadline.
---------------------------------------------------------------------------

    \778\ See supra footnote 544 and accompanying text.
    \779\ See RCW 19.255.010(8).
    \780\ See RCW 19.255.010(8).
    \781\ This analysis was performed using data from the Washington 
State Office of the Attorney General, Data Breach Notifications, 
available at https://www.atg.wa.gov/data-breach-notifications (last 
visited Apr. 8, 2024). Washington law requires that any business, 
individual, or public agency that is required to issue a security 
breach notification to more than 500 Washington residents as a 
result of a single security breach shall electronically submit a 
single sample copy of that security breach notification. One hundred 
and eighty-five such notices were reported in the year 2022. For 121 
(65%) of those notices, data is available for both the date of the 
discovery of the breach and the date the notice was sent to affected 
individuals. For those 121 notices, the average number of days 
between discovery and notice was 137 and the median number of days 
was 93. One hundred four notices (87%) were sent more than 30 days 
after discovery. The minimum number of days was 4 and the maximum 
was 651.
    \782\ These numbers should be interpreted with care, since what 
different firms describe as the time at which they ``discover'' a 
breach could vary. See also supra footnote 778.
---------------------------------------------------------------------------

    Tighter notification deadlines should increase customers' ability 
to take effective measures to counter threats resulting from their 
sensitive information being compromised. Such measures may include 
placing holds on credit reports or engaging in more active monitoring 
of account and credit report activity.
    In practice, however, when it takes a long time to discover a data 
breach, a relatively short delay between discovery and customer 
notification may have little impact on customers' ability to take 
effective countermeasures.\783\ Based on the data from the California 
Office of the Attorney General, the average number of days between the 
start of a breach and its discovery was 46 days in 2022, with a median 
of 7 days and a standard deviation of 126 days.\784\ In addition, data 
from the Washington Attorney General's Office show that in 2022, there 
were on average 94 days between the time a breach occurred and its 
discovery, with a median of 10 days and a standard deviation of 319 
days.\785\

[[Page 47756]]

This suggests that time to discovery is likely to prevent issuance of 
timely customer notices in many but not all cases. As plotted in Figure 
9, while some firms take many months--even years--to discover a data 
breach, others do so in a matter of days: 66 percent of firms were able 
to detect a breach within 2 weeks and 77 percent were able to do so 
within 30 days.\786\ Thus, while the adopted 30-day notification 
outside timeframe may not always substantially improve the timeliness 
of customer notices, in many cases it may improve timeliness.
---------------------------------------------------------------------------

    \783\ In other words, the utility of a notice is likely to 
exhibit decay. For example, if a breach is discovered immediately, 
the utility of receiving a notification within 1 day is considerably 
greater than the utility of receiving a notification in 30 days. 
However, if a breach is discovered only after 200 days, the 
difference in expected utility from receiving a notification on day 
201 versus day 231 is smaller: with each passing day some 
opportunities to prevent the compromised information from being 
exploited are lost (e.g., unauthorized wire transfer), with each 
passing day opportunities to discover the compromise grow (e.g., 
noticing an unauthorized transaction), and with each passing day the 
compromised information becomes less valuable (e.g., passwords, 
account numbers, addresses, etc., generally change over time).
    \784\ See supra footnote 777 describing the methodology. Many 
breaches, for example in the case of ransomware attacks or 
compromises of physical equipment, are discovered on the day that 
they happen or shortly thereafter.
    \785\ See supra footnote 782 describing the methodology. A few 
factors could influence the estimated length of time between a 
breach and its discovery by the notifying entity. First, the two 
States discussed here (California and Washington) require firms to 
report the date on which the breach started. In instances where 
firms do not know this information, they could report the discovery 
date instead. This would result in an underestimate of the time 
between when a breach occurs and its discovery. Second, as discussed 
above, different firms could interpret the meaning of discovery 
differently. See supra footnote 783. Third, the discovery date used 
for this estimate is the date on which the notifying entity 
discovers the breach. If the breach happened at a service provider, 
it is possible that the service provider discovered the breach 
earlier and notified its client later. Hence, the numbers reported 
here likely overestimate the amount of time the affected entity took 
to discover the breach when the breach affected an entity different 
from the notifying entity. For comparison, according to IBM, in 2023 
it took an average of 207 days to identify a data breach. See 2023 
IBM Cost of Data Breach Report.
    \786\ Based on data from the State of California Department of 
Justice, Office of the Attorney General. See supra footnote 777; 
footnote 785 and accompanying text. The equivalent numbers for 
Washington are 56% and 73%, based on data from the Washington State 
Office of the Attorney General. See supra footnote 782; footnote 786 
and accompanying text.
[GRAPHIC] [TIFF OMITTED] TR03JN24.009

    While we do not expect that the 30-day outside timeframe for 
customer notification will impose significant direct costs relative to 
a longer timeframe (or relative to having no fixed timeframe), the 
shorter outside timeframe might potentially lead to indirect costs 
arising from notification potentially interfering with incident 
containment efforts. Based on data from the Washington Attorney 
General's Office for the fiscal year of 2022, ``containment'' of data 
breaches generally occurs quickly--7.6 days on average.\787\ However, 
according to IBM's study for 2022, it takes an average of 70 days to 
``contain'' a data breach.\788\ The discrepancy suggests that there 
exists some ambiguity in the interpretation of ``containment,'' raising 
the possibility that the 30-day notification outside timeframe might 
require customer notification to occur before some aspects of incident 
containment have been completed and potentially interfering with 
efforts to do so.\789\
---------------------------------------------------------------------------

    \787\ In the data provided by the Washington Attorney General, 
``containment'' (data field DaysToContainBreach) is defined as ``the 
total number of days it takes a notifying entity to end the exposure 
of consumer data, after discovering the breach.'' See supra footnote 
782.
    \788\ In the IBM study, ``containment'' refers to ``the time it 
takes for an organization to resolve a situation once it has been 
detected and ultimately restore service.'' See 2022 IBM Cost of Data 
Breach Report. We use the 2022 average here (70 days) to align with 
the date of the Washington and California State data, but note that 
IBM reports for 2021 and 2023 reported averages of 75 and 73 days, 
respectively. See Proposing Release at n.466; 2023 IBM Cost of Data 
Breach Report. Some of the discrepancy may be due to variation in 
how entities report the date at which the breach started in the data 
for Washington; see supra footnote 786.
    \789\ For example, the notice may prompt the attacker to 
accelerate efforts to obtain or use sensitive information before the 
vulnerability can be completely contained.

---------------------------------------------------------------------------

[[Page 47757]]

    Some commenters opposed the proposed timeframe for customer 
notifications.\790\ One commenter stated that the proposed outside 
timeframe of 30 days after becoming aware of a breach was insufficient 
time to provide a meaningful notification to impacted individuals, 
particularly in complex cases.\791\ Another commenter stated that the 
proposed 30-day outside timeframe was ``unjustified and arbitrary'' and 
that it was ``likely to be insufficient for proper investigation and 
notification.'' \792\ Another commenter stated that the proposed timing 
requirement was overly rigid and did not account for the wide variety 
and complexity of cybersecurity incidents, and that 30 days after 
becoming aware of a possible incident was not enough time to accomplish 
the many steps required to be able to issue notifications to affected 
individuals.\793\ This commenter detailed these steps as ``needing to 
respond to and remediate the security incident directly, conduct a 
forensic investigation to determine what information may have been 
affected, analyze the affected data to determine what sensitive 
customer information is contained in affected data, extract or obtain 
the information needed to make notification to affected users, hire 
vendors and arrange identity protection services for affected 
individuals, and actually send the notifications.'' \794\ These 
commenters, as well as other commenters, suggested longer or less 
specific timeframes.\795\
---------------------------------------------------------------------------

    \790\ See, e.g., ACLI Comment Letter; IAA Comment Letter 1.
    \791\ See ACLI Comment Letter. See also Cambridge Comment 
Letter; IAA Comment Letter 1.
    \792\ See Federated Comment Letter.
    \793\ See CAI Comment Letter.
    \794\ See CAI Comment Letter.
    \795\ See, e.g., FSI Comment Letter (``We recommend that the 
notification requirement under Reg S-P be revised from `as soon as 
practicable, but not later than 30-days' to `as soon as practicable, 
but not later than 60-days' after a firm becomes aware that 
unauthorized access to or use of customer information has occurred 
or is reasonably likely to occur.''); Cambridge Comment Letter (``A 
period of, for example, 60 days would be more realistic, while 
achieving the Proposals' same goals.''); IAA Comment Letter 1 (``We 
recommend a 45-day rather than a 30-day notification requirement to 
provide a more reasonable amount of time for advisers to perform 
investigation and risk assessments, collect the information 
necessary to include in client notices, and provide notices in 
complex cases.'').
---------------------------------------------------------------------------

    A different commenter instead stated that the final required 
timeframe should not be longer than 30 days, citing an article stating 
that ``an analysis of the current State data breach notification laws 
shows that requiring notification within thirty days of a breach to 
affected consumers would be appropriate.'' \796\ This article further 
adds that a ``thirty-day time limit will give an organization ample 
time to conduct a full investigation'' and ``ensure that consumers are 
notified of a breach in a timely manner so they can take the proper 
steps to mitigate any losses and protect their personal information 
from further exposure to cybercriminals through credit freezes, credit 
monitoring, and the like.'' The same commenter suggested that the 
deadline be shortened to 14 days after becoming aware of an 
incident.\797\
---------------------------------------------------------------------------

    \796\ See Better Markets Comment Letter, citing Gregory S. 
Gaglione Jr., The Equifax Data Breach: An Opportunity to Improve 
Consumer Protection and Cybersecurity Efforts in America, 67 Buff. 
L. Rev. 1133 (2019).
    \797\ See Better Markets Comment Letter.
---------------------------------------------------------------------------

    After considering these comments, we are adopting the notification 
timeframe as proposed. Under the final amendments, covered institutions 
will be required to provide notice to affected customers as soon as 
practicable, but not later than 30 days, after becoming aware that 
unauthorized access to or use of customer information has occurred or 
is reasonably likely to have occurred. Commenters stated that this 
notification timeframe may result in customers receiving notices that 
are less accurate or receiving some notices that are unnecessary. The 
final amendments' notification timeframe may, in some cases, result in 
customers receiving less informative notices than they would have 
received under a longer notification timeframe, since covered 
institutions will have less time to understand the incident before 
sending the notice. This 30-day timeframe may also result in instances 
where a notification will be sent but, had the covered institution been 
able to fully investigate the breach in the prescribed timeframe, the 
covered institution would have been able to determine that notification 
was not required.\798\ If unnecessary notifications are sent, as 
commenters suggest could occur, these instances may result in customers 
taking unnecessary mitigating actions, and the costs of these actions 
will be a cost of the final amendments.\799\ These instances will also 
result in additional costs associated with customer notification, such 
as administrative costs related to preparing and distributing notices 
and potential reputational costs (including indirect costs of customer 
information protection improvements that may be undertaken to avoid 
such reputational costs) for covered institutions; we have accounted 
for these additional costs associated with notification in our 
estimates of some of the costs arising from notice issuance.\800\ 
However, the 30-day notification timeframe preserves the benefits of 
the proposed, relatively short notification timeframe and allows 
customers to take rapid and effective mitigating actions.\801\
---------------------------------------------------------------------------

    \798\ Longer investigations are likely to correlate with more 
complicated incidents and are less likely to result in a 
determination that notice is not required. We therefore do not 
expect that a longer notification outside timeframe would have led 
to significantly fewer required notices.
    \799\ See infra section IV.D.1.b(4) for a discussion of the 
effect of unnecessary notification.
    \800\ Certain costs arising from notice issuance are covered in 
the Paperwork Reduction Act analysis in section V and are estimated 
to be on average $5,178 per year per covered institution. This 
estimate is an annual average for the first three years. The 
corresponding ongoing annual costs beyond the first three years are 
estimated to be on average $3,862 per year per covered institution. 
See infra section V. We have increased these estimates from the 
proposal in response to commenters. See infra section V.
    \801\ We have further reviewed, in response to commenters, 
evidence that customers prefer an early notification. A survey of 
U.S. individuals found that notifying customers immediately was one 
of main steps the respondents would recommend to firms after a data 
breach, providing evidence that extending the timeframe is likely to 
therefore reduce the benefits of the notification requirement. See 
Lillian Ablon et al., Consumer Attitudes Toward Data Breach 
Notifications and Loss of Personal Information, RAND Corporation 
(2016), available at https://www.rand.org/pubs/research_reports/RR1187.html. Customers who receive notices faster are better able to 
take appropriate mitigating actions.
---------------------------------------------------------------------------

    In some circumstances, requiring customers to be notified within 30 
days may hinder law enforcement investigation of an incident by 
potentially making an attacker aware of the attack's detection.\802\ It 
could also make other threat actors aware of vulnerabilities in a 
covered institution's systems, which they could then try to exploit. 
The final amendments allow a covered institution to delay notification 
of customers if the Attorney General determines that the notice 
required poses a substantial risk to national security or public safety 
and notifies the Commission of such determination in writing.\803\ The 
main benefit of this delay is to decrease the likelihood of the 
potential situations described above where law enforcement is hindered. 
The delay might, in some cases, lead to a better protection of national 
security and public safety. Another benefit of the delay is that it 
might give covered institutions more time to assess the scope of the 
incident and gather the information to be included in the notice to 
customers in particularly complex cases. However, the delay provisions 
might also, in some cases, result in customers being notified later, 
which

[[Page 47758]]

would decrease the benefits of such notification, as described 
above.\804\ Where investigations do not rise to the level of meeting 
the prescribed conditions for delayed notification, customer 
notification could alert attackers that their intrusion has been 
detected and could potentially impact law enforcement's investigation.
---------------------------------------------------------------------------

    \802\ The attacker could then work to remove evidence on the 
covered institution's systems, thereby making the identity of the 
attacker harder to uncover by law enforcement.
    \803\ See final rule 248.30(a)(4)(iii).
    \804\ See supra text following footnote 783.
---------------------------------------------------------------------------

    Because we do not have data on the frequency with which an 
investigation will rise to the level of meeting the final amendments' 
conditions for delayed notification, and because we do not have data on 
the scope of the effect on national security or public safety of 
breaches being revealed to the attackers, nor did commenters identify 
such data, we are unable to precisely estimate the costs and benefits 
of this provision. However, we expect that such events will be 
relatively rare.\805\
---------------------------------------------------------------------------

    \805\ See SIFMA comment letter 2 (``The Commission should be 
aware that under present practice and experience, the number of 
cases where delay is requested or mandated by other government 
entities, or court orders, is quite limited--so the SEC need not 
assume or fear that notification delays would become routine or be 
otherwise abused.''). In addition, the State of California requires 
that, if a notice sent to individuals affected by a breach was 
delayed at the request of law enforcement agency, the notice mention 
such delay. See Cal. Civil Code section 1798.82. Of the 456 notices 
reported in 2022, only 4 indicated that they were delayed at the 
request of law enforcement. See supra footnote 777 for a description 
of these data. Because the final amendments' conditions for a 
notification delay are stricter than those under California law, we 
expect that the frequency at which covered institutions will delay 
notifications for national security and public safety reasons will 
be even lower.
---------------------------------------------------------------------------

(3) Broader Scope of Information Triggering Notification
    In the final amendments, ``sensitive customer information'' is 
defined more broadly than in most State laws, yielding a customer 
notification trigger that is broader in scope than the various State 
law notification triggers included under the baseline.\806\ The broader 
scope of information triggering the notice requirements will cover more 
data breaches impacting customers than the notice requirements under 
the baseline. This broader scope might benefit customers who will be 
made aware of more cases where their information has been compromised. 
At the same time, the broader scope might lead to false alarms--cases 
where the ``sensitive customer information'' divulged does not 
ultimately harm the customer. Such false alarms might be problematic if 
they reduce customers' responsiveness to data breach notices. In 
addition, the scope will also likely imply additional costs for covered 
institutions, which may need to adapt their processes for safeguarding 
information to encompass a broader range of customer information and 
may need to issue additional notices.\807\
---------------------------------------------------------------------------

    \806\ See final rule 248.30(d)(9) and supra section IV.C.2.a(1).
    \807\ Estimates of certain costs related to notice issuance are 
discussed in section V.
---------------------------------------------------------------------------

    In the final amendments, ``sensitive customer information'' is 
defined as ``any component of customer information alone or in 
conjunction with any other information, the compromise of which could 
create a reasonably likely risk of substantial harm or inconvenience to 
an individual identified with the information.'' \808\ The definition's 
basis in ``any component of customer information'' creates a broader 
scope than under State notification laws. In addition to identification 
numbers, PINs, and passwords, many other pieces of nonpublic 
information have the potential to satisfy this standard. For example, 
many financial institutions have processes for establishing identity 
that require the user to provide a number of pieces of information 
that--on their own--are not especially sensitive (e.g., mother's maiden 
name, name of a first pet, make and model of first car), but which--
together--could allow access to a customer's account. The compromise of 
some subset of such information will thus potentially require a covered 
institution to notify customers under the final amendments.
---------------------------------------------------------------------------

    \808\ Final rule 248.30(d)(9).
---------------------------------------------------------------------------

    The definitions of information triggering notice requirements under 
State laws are generally much more circumscribed and can be said to 
fall into one of two types: basic and enhanced. Basic definitions are 
used by 14 States, which account for 21 percent of the U.S. 
population.\809\ In these States, only the compromise of a customer's 
name together with one or more enumerated pieces of information 
triggers the notice requirement. Typically, the enumerated information 
is limited to Social Security number, a driver's license number, or a 
financial account number combined with an access code. For the 
estimated 15 million potential customers residing in these States,\810\ 
a covered institution's compromise of the customer's account login and 
password would not necessarily result in a notice, nor would a 
compromise of his credit card number and PIN.\811\ Such compromises 
could nonetheless lead to substantial harm or inconvenience. Thus, the 
final amendments will significantly enhance the notification 
requirements applicable to these customers.
---------------------------------------------------------------------------

    \809\ See supra section IV.C.2.a(1).
    \810\ See supra footnote 767.
    \811\ See supra text accompanying footnote 532.
---------------------------------------------------------------------------

    States adopting enhanced definitions for information triggering 
notice requirements extend the basic definition to include username/
password and username/security question combinations.\812\ These 
definitions may also include additional enumerated items whose 
compromise (when linked with the customer's name) can trigger the 
notice requirement (e.g., biometric data, tax identification number, 
and passport number).\813\ For the estimated 55 million potential 
customers residing in the States with enhanced definitions,\814\ the 
benefits from the final amendments will be somewhat more limited. 
However, even for these customers, the amendments will tighten the 
effective notification requirement. There are many pieces of 
information not covered by the enhanced definitions whose compromise 
might potentially lead to substantial harm or inconvenience. For 
example, under California law, the compromise of information such as a 
customer's email address in combination with a security question and 
answer would only trigger the notice requirement if that information 
would--in itself--permit access to an online account. Under many such 
State laws, the compromise of information such as a customer's name, 
combined with his or her transaction history, account balance, or other 
information not specifically enumerated would not necessarily trigger 
the notice requirement.
---------------------------------------------------------------------------

    \812\ See supra section IV.C.2.a(1).
    \813\ See id.
    \814\ See supra footnote 767.
---------------------------------------------------------------------------

    The broader scope of information triggering a notice requirement 
under the final amendments will benefit customers. As discussed above, 
many pieces of information not covered under State data breach laws 
could, when compromised, cause substantial harm or inconvenience. Under 
the amendments, data breaches involving such information might require 
customer notification in cases where State law does not, and thus 
potentially increase customers' ability to take actions to mitigate the 
effects of such breaches. At the same time, there is some risk that the 
broader minimum standard will lead to notifications resulting from data 
compromises that--while troubling--are ultimately less likely to cause 
substantial harm or inconvenience.\815\ A

[[Page 47759]]

large number of such unnecessary notices might undermine the 
effectiveness of the notice regime.\816\
---------------------------------------------------------------------------

    \815\ This may be the case even though the amendments include an 
exception from notification when the covered institution determines, 
after investigation, that the sensitive customer information has not 
been, and is not reasonably likely to be, used in a manner that 
would result in substantial harm or inconvenience. For example, the 
covered institution could decide to forgo investigations and always 
notify, or it could investigate but not reach a conclusion that 
satisfied the terms of the exception.
    \816\ See infra section IV.D.1.b(4) for a discussion of the 
effects of notification specifically.
---------------------------------------------------------------------------

    The broader minimum standard for notification is likely to result 
in higher costs for covered institutions. There will be increased 
administrative costs related to preparing and distributing notices for 
covered institutions who will send out additional notices as a result 
of the scope of information triggering a notice requirement under the 
final amendments. As discussed below, we estimate that certain costs 
associated with the preparation and distribution of notices will be, on 
average, $5,178 per year per covered institution.\817\
---------------------------------------------------------------------------

    \817\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $3,862 per year per covered 
institution. See infra section V.
---------------------------------------------------------------------------

    In addition, it is possible that covered institutions have 
developed processes and systems designed to provide enhanced 
information safeguards for the specific types of information enumerated 
in the various State laws. For example, it is likely that IT systems 
deployed by financial institutions only retain information such as 
passwords or answers to security questions in hashed form, reducing the 
potential for such information to be compromised. Similarly, it is 
likely that such systems limit access to information such as Social 
Security numbers to a limited set of employees. It may be costly for 
covered institutions to upgrade these systems to expand the scope of 
enhanced information safeguards.\818\ In some cases, it may be 
impractical to expand the scope of such systems. For example, while it 
may be feasible for covered institutions to strictly limit access to 
Social Security numbers, passwords, or answers to secret questions, it 
may not be feasible to apply such limits to account numbers, 
transaction histories, account balances, related accounts, or other 
potentially sensitive customer information. In these cases, the adopted 
minimum standard might not have a significant prophylactic effect and 
might lead to an increase in reputation and litigation costs for 
covered institutions resulting from more frequent breach notifications.
---------------------------------------------------------------------------

    \818\ We lack data, and no commenter suggested such data, that 
would allow us to quantify the indirect costs resulting from any 
potential upgrade to customer information safeguards that covered 
institutions could choose to implement as a result of the final 
amendments in order to avoid potential reputational costs associated 
with customer notification following a breach.
---------------------------------------------------------------------------

    Furthermore, because the definition of sensitive customer 
information is based on a determination that the compromise of this 
information could create a ``reasonably likely risk of substantial harm 
or inconvenience to an individual identified with the information,'' 
\819\ it could increase costs related to incident evaluation, outside 
legal services, and litigation risk. While we lack data, and no 
commenter suggested such data, that would allow us to quantify all of 
these costs, we discuss below certain costs associated with developing 
and implementing policies and procedures to comply with the final 
amendments, including costs for internal and external counsel.\820\ 
This subjectivity could reduce consistency in the propensity of covered 
institutions to provide notice to customers, reducing the utility of 
such notices in customers' inferences about covered institutions' 
safeguarding efforts.
---------------------------------------------------------------------------

    \819\ Final rule 248.30(d)(9). See supra section II.A.3.c; infra 
section IV.D.1.b(4).
    \820\ See infra section V.
---------------------------------------------------------------------------

    Some commenters opposed the proposed amendments' definition of 
sensitive customer information, suggesting either a better alignment 
with existing regulation,\821\ or that the final amendments specify a 
list of customer information included in the definition.\822\ Covered 
institutions will have to devote some resources determining what 
specific pieces of information are included in the scope of the final 
notification requirements. However, different types of covered 
institutions may keep different types of customer information, the 
information collected by covered institutions might change in the 
future, and the type of information that could create a reasonably 
likely risk of substantial harm or inconvenience to an individual might 
also change in the future. Thus, having a wide and general range of 
sensitive customer information trigger the amendments' notice 
requirement will provide benefits to the affected customers, who may 
not receive a notice under the baseline. In addition, as discussed 
above, existing regulations adopt widely different definitions of 
customer information triggering a breach notification, making alignment 
difficult.\823\
---------------------------------------------------------------------------

    \821\ See Computershare Comment Letter; ICI Comment Letter 1; 
SIFMA Comment Letter 2.
    \822\ See CAI Comment Letter; SIFMA Comment Letter 2.
    \823\ See supra section IV.C.2.a(1).
---------------------------------------------------------------------------

(4) Notification Trigger
    The final amendments include a requirement for a covered 
institution to provide notice to individuals whose sensitive customer 
information was, or is reasonably likely to have been, accessed or used 
without authorization, unless, after a reasonable investigation of the 
facts and circumstances of the incident of unauthorized access to or 
use of sensitive customer information, the covered institution has 
determined that sensitive customer information has not been, and is not 
reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience.\824\ As discussed above, the final 
amendments reflect a presumption of notification: a covered institution 
must provide a notice unless it determines notification is not required 
following a reasonable investigation.\825\ Moreover, if the covered 
institution is unable to determine which customers are affected by a 
data breach, a notice to all potentially affected customers is 
required.\826\ The resulting presumptions of notification are important 
because although it is usually possible to determine what information 
could have been compromised in a data breach, it is often not possible 
to determine what information was compromised or to estimate the 
potential for such information to be used in a way that is likely to 
cause harm.\827\ Because of this, it may not be feasible to establish 
the likelihood of sensitive customer information being used in a manner 
that would result in substantial harm or inconvenience or of sensitive 
customer information pertaining to a specific individual being accessed 
or used without authorization. Consequently, in the absence of the 
presumptions of notification, it may be possible for covered 
institutions to avoid notifying customers in cases where it is unclear 
what information was compromised or whether sensitive customer 
information was or is reasonably likely to be used in

[[Page 47760]]

a manner that would result in substantial harm or inconvenience.
---------------------------------------------------------------------------

    \824\ See final rule 248.30(a)(4)(i).
    \825\ See supra section II.A.3. A covered institution's 
determination that there is no risk of harm or inconvenience may 
also take into consideration whether the compromised data was 
encrypted. See supra section II.A.3.b. We expect that this could 
mitigate the risk of unnecessary notification. We considered a safe 
harbor from the definition of sensitive customer information for 
encrypted information. See infra section IV.F.3.
    \826\ See final rule 248.30(a)(4)(ii); see also supra section 
II.A.3.a.
    \827\ Many covered institutions, especially smaller investment 
advisers and broker-dealers, are unlikely to have elaborate software 
for logging and auditing data access. For such entities, it may be 
impossible to determine what specific information was exfiltrated 
during a data breach.
---------------------------------------------------------------------------

    Currently, 20 States' notification laws do not include a 
presumption of notification.\828\ We do not have data with which to 
estimate reliably the effect of these presumptions on the propensity of 
covered institutions to issue customer notifications, and no commenter 
suggested such data. However, we expect that for the estimated 20 
million potential customers residing in the 20 States without a 
presumption of notification,\829\ some notifications that will be 
required under the final amendments would not occur under the baseline. 
Thus, we anticipate that the final amendments will improve these 
customers' ability to take actions to mitigate the effects of data 
breaches. In addition, the final amendments' presumptions for 
notification rest on a concept of ``substantial harm or inconvenience'' 
that is likely to be wider than the equivalent concept of ``harm'' used 
in some State laws.\830\ Hence, we also expect that the presumptions of 
notification will have potential benefits even for the customers 
residing in some of the States with a presumption of notification.
---------------------------------------------------------------------------

    \828\ See supra section IV.C.2.a(1).
    \829\ See id.; see also supra footnote 767.
    \830\ See supra section II.A.3.c for a discussion of the concept 
of ``substantial harm or inconvenience.'' Some states use a narrower 
definition of harm, for example including only fraud or financial 
harm. See supra section IV.C.2.a(1); see also Fla. Stat. section 
501.171(4)(c) and Iowa Code section 715C.2(6) for examples of States 
with a presumption for notification but a narrower concept of harm.
---------------------------------------------------------------------------

    The increased sensitivity of the notification trigger resulting 
from the presumptions of notification will result in additional costs 
for covered institutions, who will bear higher reputational costs 
(including indirect costs of customer information protection 
improvements that may be undertaken to avoid such reputational costs) 
as well as some additional direct compliance costs (e.g., mailing 
notices, responding to customer questions, etc.) due to more breaches 
requiring customer notification. While we are unable to quantify all of 
these additional costs,\831\ we estimate that certain costs associated 
with the preparation and distribution of notices will be, on average, 
$5,178 per year per covered institution.\832\
---------------------------------------------------------------------------

    \831\ As stated above, we do not have data with which to 
estimate reliably the effect of these presumptions on the propensity 
of covered institutions to issue customer notifications, and no 
commenter suggested such data. In addition, as stated above, we lack 
data, and no commenter suggested such data, that would allow us to 
quantify the indirect economic costs, such as reputational cost of 
any potential increase in the frequency of customer notification. 
See supra section IV.D.1.a.
    \832\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $3,862 per year per covered 
institution. See infra section V.
---------------------------------------------------------------------------

    Some commenters disagreed with the proposed requirement that if a 
covered institution were unable to determine which customers were 
affected by a data breach, it would have had to notify all individuals 
whose sensitive customer information resided in the customer 
information system that was, or was reasonably likely to have been, 
accessed or used without authorization.\833\ One commenter stated that 
this would result in significant over-notification of individuals, and 
that this would unnecessarily disturb and frighten individuals who 
likely were not affected.\834\ The commenter also stated that the 
proposed requirements would significantly increase costs and litigation 
risk for covered institutions and possibly their service providers and 
other financial institutions whose information resides on the 
system.\835\ Another commenter stated that this proposed provision 
would create reputational risks for transfer agents and that it 
believed resources would be better spent investigating the incident and 
determining the impacted securityholders.\836\ Another commenter stated 
that this proposed requirement would be unnecessarily burdensome for 
covered institutions and that it could have negative consequences for 
clients, noting that there would be a risk that too much information 
could be overwhelming and lead to desensitization.\837\
---------------------------------------------------------------------------

    \833\ See, e.g., CAI Comment Letter; IAA Comment Letter 1.
    \834\ See CAI Comment Letter.
    \835\ See CAI Comment Letter.
    \836\ See Computershare Comment Letter.
    \837\ See IAA Comment Letter 1.
---------------------------------------------------------------------------

    Another commenter disagreed with the proposed requirement that a 
covered institution would have had to notify customers whose 
information was compromised unless the covered institution could 
determine that the event would not result in a risk of substantial harm 
or inconvenience for these individuals, suggesting instead that the 
standard be harmonized further with the Banking Agencies' Incident 
Response Guidance and with many State laws so as to require 
notification only if the covered institution affirmatively could find 
risk of harm.\838\ This commenter stated that the proposed presumption 
of notification could lead to excessive and unnecessary notifications 
to consumers where a low likelihood of harm were present, which could 
result in consumers spending time and effort needlessly monitoring 
accounts or taking actions such as instituting a credit freeze, and 
simultaneously desensitize consumers to a notification for an actual 
breach where significant harm could result.\839\
---------------------------------------------------------------------------

    \838\ See SIFMA Comment Letter 2.
    \839\ See SIFMA Comment Letter 2.
---------------------------------------------------------------------------

    After considering these comments, we have determined that the 
presumptions of notification should be included in the final 
amendments. On the one hand, we acknowledge, as commenters stated,\840\ 
that unnecessary notifications could occur and negatively affect 
covered institutions and their customers as a result of these 
presumptions. Unnecessary notifications will result in costs for 
covered institutions, including the costs associated with notification 
such as administrative costs related to preparing and distributing 
notices as well as reputational costs, litigation risk, or diversion of 
resources identified by commenters.\841\ More broadly, as stated by 
commenters,\842\ unnecessary notification could reduce customers' 
responsiveness to data breach notices, for example by decreasing 
customers' ability to discern which notices require action. Unnecessary 
notification could also desensitize customers to notices, thereby 
leading to a decrease in the reputational costs of notification. This 
could decrease covered institutions' incentives to invest in customer 
information safeguards in order to avoid such reputational costs.\843\ 
However, the risks of unnecessary notification reducing the benefits of 
the rule are mitigated by the fact that notification is not required in 
cases where the covered institution can determine, after a reasonable 
investigation, that there is no risk of substantial harm or 
inconvenience for the customers whose information has been compromised. 
In addition, in a change from the proposal, the final amendments 
explicitly provide that a covered institution need not provide notice 
to an individual whose sensitive customer information resides in the 
customer information system that was, or was reasonably likely to have 
been, accessed or used without authorization if the covered institution 
reasonably determines that this individual's sensitive customer

[[Page 47761]]

information was not accessed or used without authorization.\844\
---------------------------------------------------------------------------

    \840\ See supra footnotes 834-840 and accompanying text.
    \841\ Id.
    \842\ See IAA Comment Letter 1; SIFMA Comment Letter 2.
    \843\ Estimates of certain costs related to notice issuance are 
discussed above. See supra footnote 833 and accompanying text.
    \844\ See final rule 248.30(a)(4)(ii).
---------------------------------------------------------------------------

    On the other hand, adopting these presumptions of notification will 
allow potentially affected customers to take appropriate mitigating 
actions. In support of the proposed presumption of notification, 
another commenter stated that any risk that a presumption to notify 
individuals could lead to a volume of notices that would inure affected 
individuals to the notices and result in their not taking proactive 
action would be outweighed by the risk that individuals would not be 
notified at all and would not have the opportunity to decide for 
themselves whether to take action.\845\ To support this statement, this 
commenter referenced a study stating that requiring a determination of 
misuse to trigger disclosure permits additional discretion to the 
breached entity which, coupled with the existence of a disclosure 
disincentive,\846\ might bias an institution's investigation of a data 
leak and might lead to a conclusion that consumer notification was not 
required.\847\ We agree with this commenter. In addition, as discussed 
above, allowing covered institutions to conduct a full investigation 
before determining whether customers need to be notified could 
significantly reduce the benefits of such notification, and thus of the 
final amendments, by delaying the notice.\848\
---------------------------------------------------------------------------

    \845\ See Better Markets Comment Letter.
    \846\ See supra section IV.B.
    \847\ See Better Markets Comment Letter, citing Paul M. Schwartz 
and Edward J. Janger, Notification of Data Security Breaches, 105 
Mich. L. Rev. 913, 939 (2007). In addition, a report cited by the 
same commenter discusses the frequency of notification and how it 
relates to specific notification trigger. The report links higher 
frequency of notification to a requirement that a government 
official participate in the determination that a data breach creates 
risk for the affected parties, and therefore that notification is 
required. See IRTC Data Breach Annual Report; see also supra 
footnote 518 and accompanying text.
    \848\ See supra section II.A.3.a; see also supra section 
IV.D.1.b(2) for a discussion of the benefits of timely notification.
---------------------------------------------------------------------------

(5) Content and Method of Notice
    The proposed amendments included a list of information that would 
have had to be included in a customer notice.\849\ Many of these 
content requirements remain in the final amendments.\850\ While some 
commenters agreed generally with the proposed notice content 
requirements,\851\ other commenters disagreed with the proposed 
inclusion of some elements and stated that our analysis of these 
requirements in the Proposing Release was insufficient.\852\ In 
response to these commenters, we conducted supplemental analysis of the 
frequency at which different items are required in existing State laws, 
and are including a supplemental analysis of the costs and benefits of 
each of the required elements vis-[agrave]-vis this baseline.\853\
---------------------------------------------------------------------------

    \849\ See proposed rule 248.30(b)(4)(iv).
    \850\ See final rule 248.30(a)(4)(iv).
    \851\ See, e.g., Better Markets Comment Letter.
    \852\ See, e.g., CAI Comment Letter.
    \853\ See supra section IV.C.2.a(2).
---------------------------------------------------------------------------

    The main benefit of requiring specific content to be included in 
the notice is to help ensure that customers residing in different 
States receive similar information when their information is 
compromised in the same breach. Because State law requirements differ 
in terms of required content, covered institutions may send different 
notices to different individuals.\854\ The final amendments will help 
ensure that all customers receive a minimum of information regarding a 
given breach affecting their information and are therefore equally able 
to take appropriate mitigating actions.
---------------------------------------------------------------------------

    \854\ See ICI Comment Letter 1 (``In discussing breach notices 
with our members, we understand it is not uncommon for their current 
breach response programs to include separate notification letters 
depending upon the state the individual resides in.'').
---------------------------------------------------------------------------

    The final amendments provide that the notice must include a 
description of the incident, including the information that was 
breached and the approximate date at which it occurred, as well as 
contact information where customers can inquire about the incident. In 
addition, the notice must include information on recommended actions 
affected customers can take. We expect that these required items will 
help customers take appropriate mitigating action to protect themselves 
from further effect of the breach. Including these elements might 
require some covered institutions to modify their existing processes 
for notification, which will incur some costs.\855\ We expect that 
these costs will be passed on to customers.
---------------------------------------------------------------------------

    \855\ These costs are included in the policies and procedures 
costs discussed in section IV.D.1 above. As discussed below, we 
estimate that certain costs associated with developing and 
implementing policies and procedures to comply with the final 
amendments will be, on average, $15,445 per year per covered 
institution. This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $5,425 per year per covered 
institution. See infra section V.
---------------------------------------------------------------------------

    The first required item is a general description of the incident 
and the type of sensitive customer information that was or is 
reasonably believed to have been accessed or used without 
authorization.\856\ We received no comment on this specific 
requirement. Obtaining this information is crucial for customers as it 
will allow them to assess the level of risk and to take appropriate 
mitigating actions. This will also allow them to avoid spending time 
and resources on mitigating actions related to information that was not 
affected by the breach. We expect that most covered institutions who 
already have notification processes already include this information, 
since 22 States require that the notice describe the type of 
information affected by the breach and 13 States require a description 
of the incident to be included.\857\ As a result, we expect that the 
benefits will be the greatest for customers of institutions who do not 
operate nationally and operate only in States without such 
requirements. We estimate that there are approximately 51 million 
potential customers residing in the 38 States that do not require a 
description of the incident, and 35 million potential customers 
residing in the 29 States that do not require the type of customer 
information compromised to be included in the notice.\858\ We expect 
the costs to be the highest for the covered institutions operating only 
in those States.
---------------------------------------------------------------------------

    \856\ See final rule 248.30(a)(4)(iv)(A).
    \857\ See supra section IV.C.2.a(2).
    \858\ See supra footnote 767.
---------------------------------------------------------------------------

    The second item required by the final amendments is the date of the 
incident, the estimated date of the incident, or the date range within 
which the incident occurred, if the information is reasonably possible 
to determine at the time the notice is provided.\859\ One commenter 
disagreed with this proposed requirement, stating that it would imply 
that covered institutions subject to both Regulation S-P and the 
Banking Agencies' Incident Response Guidance would have to revise their 
long-standing breach notices to add the information.\860\ This 
commenter also stated that the Proposing Release did not detail a basis 
for this inclusion. Including the date of the breach, even if it is the 
approximate date, will provide useful information to the affected 
customers and help them make better decisions about the mitigating 
actions to take. In particular, customers could review their account 
statements back to the date where the breach happened.\861\ An 
additional benefit of this inclusion will be to provide information to 
customers about how effectively a

[[Page 47762]]

covered institution was able to detect and assess a breach. This will 
help reduce the information asymmetry about a covered institution's 
customer information safeguards and help customers be better informed 
when deciding which covered institutions to retain for their financial 
services needs.
---------------------------------------------------------------------------

    \859\ See final rule 248.30(a)(4)(iv)(B).
    \860\ See ICI Comment Letter 1.
    \861\ See supra footnote 210 and accompanying text.
---------------------------------------------------------------------------

    There are 13 States requiring the notice to include an approximate 
date (or date range) for the breach, and 38 States without such a 
requirement.\862\ These 38 States account for 70 percent of the U.S. 
population and 49 million estimated potential customers.\863\ For these 
customers, the final amendments might result in their receiving 
information they would not have otherwise received. Because 13 States 
already require that the notice include an approximate date, we expect 
that the costs will be minimal for the covered institutions that 
operate nationally. For the covered institutions that do not operate 
nationally, the final amendments might require them to adapt their 
procedures to include additional information in the notices to 
customers.
---------------------------------------------------------------------------

    \862\ See supra section IV.C.2.a(2).
    \863\ See supra footnote 767.
---------------------------------------------------------------------------

    The third item required by the final amendments is ``contact 
information sufficient to permit an affected individual to contact the 
covered institution to inquire about the incident, including the 
following: a telephone number (which should be a toll-free number if 
available), an email address or equivalent method or means, a postal 
address, and the name of a specific office to contact for further 
information and assistance.'' \864\ One commenter disagreed with this 
proposed requirement, stating that it was unclear what purpose or 
benefit this requirement would have for the affected individuals and 
adding that it would place significant burdens on the internal 
operations of the covered institution.\865\ Another commenter also 
disagreed with this proposed requirement, stating that covered 
institutions should have flexibility in determining the contact 
information to provide, based on how they normally interact with their 
customers, and suggesting that the final amendments only require one of 
the listed contact methods.\866\ The requirement to include multiple 
contact methods provides valuable options for affected customers, who 
may have differing preferences and aptitudes in their use of contact 
methods.\867\ We do not expect that this requirement will overly burden 
covered institutions, even for those institutions that will need to 
adapt their processes to the new requirements.\868\ In addition, 
nothing in this requirement prevents a covered institution from 
providing additional contact methods.
---------------------------------------------------------------------------

    \864\ Final rule 248.30(a)(4)(iv)(C).
    \865\ See CAI Comment Letter.
    \866\ See SIFMA Comment Letter 2.
    \867\ In addition, the final amendments will not preclude a 
covered institution from providing the contact information of a 
third-party service provider. See supra footnote 211.
    \868\ Ten States require the notice to include a phone number as 
contact information while two States require the notice to include a 
physical address. See supra section IV.C.2.a(2).
---------------------------------------------------------------------------

    The final amendments also require the notice to include a 
recommendation that the customer review account statements and 
immediately report suspicious activity to the covered institution (if 
the individual has an account with the covered institution); an 
explanation of what a fraud alert is and how an individual may place 
one; a recommendation that the individual periodically obtain credit 
reports; an explanation of how the individual may obtain a credit 
report free of charge; and information about the availability of online 
guidance from the FTC and usa.gov regarding steps an individual can 
take to protect against identity theft, a statement encouraging the 
individual to report any incidents of identity theft to the FTC, and 
the FTC's website address.\869\ One commenter supported these proposed 
requirements, stating that the proposed notice requirements avoided 
common problems with the content of many data breach notifications, 
such as confusing language, a lack of details, and insufficient 
attention to the practical steps customers should take in 
response.\870\ We expect that these additional elements will provide 
useful information to affected customers regarding potential mitigating 
actions to take and help ensure that these customers are able to react 
appropriately to the notice. We expect that while these requirements 
will impose costs on covered institutions whose notification process 
does not already include these elements,\871\ these costs will be 
limited and passed on to the customers.\872\ We received no comments 
opposing these requirements.
---------------------------------------------------------------------------

    \869\ See final rule 248.30(a)(4)(iv)(D) through (H).
    \870\ See Better Markets Comment Letter.
    \871\ Because some States require some of these elements to be 
included in the notification to affected individuals, we expect that 
many covered institutions already have procedures similar to those 
required by the final amendments. See supra section IV.C.2.a(2).
    \872\ As discussed above, these costs will represent only a 
fraction of the policies and procedures costs discussed in section 
IV.D.1 above. See supra footnote 856 and accompanying text.
---------------------------------------------------------------------------

    The proposed amendments included a provision that would have 
required the notice to include a description of what has been done by 
the covered institution to protect the sensitive customer information 
from further unauthorized access or use. One commenter disagreed with 
this proposed requirement, stating that it ``would be extremely useful 
to threat actors and not particularly useful to clients.'' \873\ After 
considering this comment, we have decided to exclude this provision 
from the final amendments.\874\ In addition to reducing the perceived 
risk of providing a roadmap for threat actors, we expect that this 
change will accelerate the process of preparing the notice, thereby 
reducing the associated costs.
---------------------------------------------------------------------------

    \873\ See IAA Comment Letter 1.
    \874\ See supra section II.A.3.e.
---------------------------------------------------------------------------

    The final amendments require that notice must be transmitted by a 
means designed to ensure that each affected individual can reasonably 
be expected to receive actual notice in writing.\875\ Some commenters 
discussed the alignment between the requirements of the final 
amendments and those of existing regulation affecting covered 
institutions. In particular, one commenter stated that a Federal 
notification requirement would complicate compliance efforts for 
covered institutions already complying with similar State laws.\876\ On 
the other hand, another commenter stated that the proposed amendments' 
alignment with existing requirements would allow covered institutions 
to leverage existing programs.\877\ We analyze here the expected 
benefits and costs of this provision of the final amendments vis-
[agrave]-vis the baseline.\878\
---------------------------------------------------------------------------

    \875\ See final rule 248.30(a)(4)(i). Under the final 
amendments, the notice can be sent electronically. See supra 
footnote 200 and accompanying text.
    \876\ See CAI Comment Letter.
    \877\ See FSI Comment Letter.
    \878\ See supra section IV.C.2.a(2).
---------------------------------------------------------------------------

    We expect that the main benefit of this provision will be to help 
ensure that customers whose sensitive personal information has been 
breached receive the required information. We expect that the costs of 
this provision will be limited for most covered institutions since most 
States require similar methods of notification.\879\ Hence, we expect 
that most covered institutions will not have to significantly modify 
their procedures and processes for notice issuance in order to satisfy 
this provision of the final amendments.
---------------------------------------------------------------------------

    \879\ See id.
---------------------------------------------------------------------------

    However, we do expect some benefits in some instances. First, 26 
States allow

[[Page 47763]]

a notice to be made over the telephone.\880\ While 7 of these States 
require direct contact with the affected individuals when the notice is 
given using this method, 19 do not have such requirements.\881\ We 
expect that for the 21 million potential customers residing in the 19 
States allowing for telephonic notices but without such 
requirements,\882\ receiving a written notice may result in clearer 
information and in a higher likelihood of taking appropriate mitigating 
actions.
---------------------------------------------------------------------------

    \880\ See id.
    \881\ See supra footnote 568 and accompanying text.
    \882\ See supra footnote 767.
---------------------------------------------------------------------------

    Second, many States allow for electronic notifications. While most 
of these States require that this be done only under certain conditions 
that are similar to the final amendments' conditions, some States have 
conditions that are significantly looser. The final amendments provide 
that the notice can be provided through electronic means to customers 
who have agreed to receive information electronically.\883\ In 
contrast, five States allow electronic notification without 
restriction, and two States require only that the institution has an 
email address for the affected individuals.\884\ We expect that for the 
11 million potential customers residing in these seven States \885\--
that allow electronic notification even to customers who have not 
explicitly agreed to receiving electronic notification--the final 
amendments will help ensure that they receive a notice in a format that 
they are expecting.\886\
---------------------------------------------------------------------------

    \883\ See supra footnote 200 and accompanying text.
    \884\ See supra footnotes 565 and 566 and accompanying text.
    \885\ See supra footnote 767.
    \886\ We acknowledge that the final amendments may result in 
some customers receiving a notice in a format that they do not 
prefer. For example, customers could agree to an electronic notice 
but still receive a notice by mail, which they may be less likely to 
see or respond to.
---------------------------------------------------------------------------

    Third, all States allow for a substitute notice under certain 
conditions.\887\ Substitute notification requirements vary across 
States but must generally include an email notification to affected 
individuals, a notice on the entity's website, and notification to 
major statewide media.\888\ The final amendments do not provide for 
such substitute notice and instead have the same notice requirements in 
all cases. We expect that the final amendments will strengthen the 
benefits of notification by helping ensure that affected individuals 
are made aware of the relevant information regarding a breach of their 
sensitive information. Examples of customers who would benefit include 
customers who: interact infrequently with the covered institution, 
thereby not visiting the institution's website regularly; who do not 
consume local or State news sources; or who may be wary or skeptical of 
receiving such information by email if they have not given their prior 
informed consent (for example, customers who are used to receiving 
communications from the covered institution by mail only or who 
interact with the covered institution very rarely). In other States, 
the requirements for substitute notice include fewer elements.\889\ We 
expect that for the customers residing in these States, the final 
amendments will help ensure that they are made aware of the breach and 
provided an appropriate notice.
---------------------------------------------------------------------------

    \887\ These conditions often include a certain minimum number of 
affected individuals to notify and a minimum dollar cost to notify 
these individuals. See supra footnote 569 and accompanying text.
    \888\ See supra section IV.C.2.a(2).
    \889\ See supra footnote 571 and accompanying text.
---------------------------------------------------------------------------

    The final amendments require written notification, which may be 
provided electronically if certain conditions are met, such as if the 
customer has agreed to receive information electronically.\890\ Not all 
State notification provisions include similar consent conditions for 
electronic communication.\891\ Therefore, the final amendments may 
result in additional compliance costs in the instances where, prior to 
the final amendments, the covered institutions would have sent email 
notices or used substitute notification, but will instead have to 
obtain customer consent for electronic notification or else send 
individual notices by mail because their methods of electronic delivery 
are not consistent with existing Commission guidance on electronic 
delivery, for example if they have not obtained customer consent to 
receive electronic communications.\892\ However, given the variety of 
State law conditions and requirements, we expect that most notices 
being sent already satisfy many of these provisions and we therefore 
expect that these provisions will result in limited additional 
costs.\893\
---------------------------------------------------------------------------

    \890\ See supra section II.A.3.e. and footnote 200.
    \891\ See supra footnote 885 and accompanying text.
    \892\ Id. Because some States have conditions for sending an 
electronic notice that are different from those under the final 
amendments, we expect that there might be some cases where a covered 
institution will be required to send a notice by mail when it could 
have sent an electronic notice under State law. See supra footnotes 
884 through 888 and accompanying text.
    \893\ An analysis of the notices sent to residents of California 
and Washington suggests that notices are frequently sent by postal 
mail. Both States allow for electronic notification if the notice is 
consistent with the Electronic Signatures in Global and National 
Commerce Act (15 U.S.C. 7001). Nevertheless, we have found that in 
California, at least 90% of the notices appear to be sent by mail. 
The equivalent number is 89% for Washington. We identified the 
notices sent by mail (as opposed to those sent by email or 
satisfying other substitute notice requirements) as those including 
a redacted or mock recipient address, an address for a return mail 
processing center, or an explicit mention such as ``Via First-Class 
Mail.'' It is possible that notices containing none of these 
elements are sent by mail, and therefore we expect that the true 
percentages are likely to be higher than those reported here. See 
supra footnotes 777 and 782 and accompanying text for details on the 
notice data used for this analysis.
---------------------------------------------------------------------------

c. Service Provider Provisions
    The final amendments require that a covered institution's incident 
response program include the establishment, maintenance, and 
enforcement of written policies and procedures reasonably designed to 
require oversight, including through due diligence and monitoring, of 
service providers. Specifically, these written policies and procedures 
must be reasonably designed to ensure the service providers take 
appropriate measures to protect against unauthorized access to or use 
of customer information and provide notification to the covered 
institution as soon as possible, but no later than 72 hours after 
becoming aware that a breach in security has occurred resulting in 
unauthorized access to a customer information system. Upon receipt of 
such notification, a covered institution must initiate its incident 
response program.\894\ In the final amendments, ``service provider'' is 
defined as ``any person or entity that receives, maintains, processes, 
or otherwise is permitted access to customer information through its 
provision of services directly to a covered institution.'' \895\ Thus, 
the requirements might affect arrangements with a broad range of 
entities, including potentially email providers, customer relationship 
management systems, cloud applications, and other technology vendors.
---------------------------------------------------------------------------

    \894\ See final rule 248.30(a)(5)(i).
    \895\ Final rule 248.30(d)(10).
---------------------------------------------------------------------------

    As modern business processes increasingly rely on service 
providers,\896\ ensuring consistency in regulatory requirements 
increasingly requires consideration of the functions performed by 
service providers and how these functions interact with the regulatory 
regime.\897\ Ignoring such aspects could incentivize covered 
institutions to attempt to outsource functions to service providers to 
avoid the requirements that would apply if the

[[Page 47764]]

functions were performed in-house. Thus, the service provider 
requirements will strengthen the benefits of the final amendments by 
helping ensure that they have similar effects regardless of how a 
covered institution chooses to implement its business processes (i.e., 
whether those processes are implemented in-house or outsourced).
---------------------------------------------------------------------------

    \896\ See supra section IV.C.3.f
    \897\ See supra section IV.C.2.a(3).
---------------------------------------------------------------------------

    Commenters supported the proposal's objective to safeguard customer 
information in the case where this information rests with service 
providers.\898\ One commenter stated that third-party service providers 
were specifically a favored attack vector, adding that the Commission's 
attention to this risk was well-directed.\899\ Another commenter stated 
that it did not disagree that service providers should protect 
sensitive customer information and be required to provide timely 
notification of a breach to the covered institution.\900\ Another 
commenter stated that service providers that have access to customer 
information should be contractually required to take appropriate risk-
based measures and diligence designed to protect against unauthorized 
access to or use of customer information, including notification of a 
covered institution in the event of certain types of breaches in 
security.\901\ Another commenter recognized and supported the 
importance of covered institutions having appropriate policies and 
procedures to manage the cybersecurity and privacy risks posed by 
service providers that process their customer information.\902\
---------------------------------------------------------------------------

    \898\ See, e.g., EPIC Comment Letter; SIFMA Comment Letter 2.
    \899\ See EPIC Comment Letter.
    \900\ See IAA Comment Letter 1.
    \901\ See SIFMA Comment Letter 2.
    \902\ See CAI Comment Letter.
---------------------------------------------------------------------------

    Some commenters criticized the analysis of the proposed service 
provider provisions.\903\ One commenter stated, referring to the 
proposed service provider written agreement obligation, that the 
Commission had failed to address the costs in any meaningful way and 
was thus dismissive of them.\904\ Another commenter stated that the 
Proposing Release included no discussion or estimate of the costs that 
renegotiating contracts with service providers or hiring new service 
providers would impose on brokers.\905\ In addition, some commenters 
disagreed with our analysis of specific parts of the requirements, 
stating that the analysis in the Proposing Release did not identify why 
a 48-hour reporting period was optimal,\906\ or stating that the 
breadth of the definition of service providers was disproportionate to 
the benefits and risks presented.\907\ In response to these commenters, 
we have modified this aspect of the amendments, as discussed in greater 
detail above.\908\ These modifications mitigate, but may not eliminate 
entirely, commenters' concerns regarding the costs associated with the 
service provider provisions of the proposed amendments. We also have 
supplemented the economic analysis of the service provider provisions 
in response to comments as follows. First, we have supplemented the 
analysis of the potential costs to covered institutions. This includes 
an analysis of the indirect effects of the final amendments on covered 
institutions' service providers, and how these effects may affect 
covered institutions and their customers,\909\ for example where costs 
to service providers are passed on to covered institutions, and 
ultimately to covered institutions' customers,\910\ or have negative 
competitive effects that impact covered institutions.\911\ Second, we 
are providing supplemental analysis specifically on the timeline 
requirement and the definition of service providers.\912\
---------------------------------------------------------------------------

    \903\ See, e.g., IAA Comment Letter 1; ASA Comment Letter.
    \904\ See IAA Comment Letter 1.
    \905\ See ASA Comment Letter. In the Proposing Release, we 
requested data that could help us quantify the costs and benefits 
that we were unable to quantify. We did not receive data or 
estimates from commenters that could help us quantify the costs of 
renegotiating contracts or hiring new service providers. See 
Proposing Release at section III.G, question 110.
    \906\ See Microsoft Comment Letter.
    \907\ See IAA Comment Letter 1 (``We believe the proposed 
definition of Service Provider is unrealistically and unnecessarily 
broad, reaching service providers where there are little or no 
marginal benefits to their inclusion and the costs (time, money, 
personnel, etc.) to advisers would be substantial.'').
    \908\ See supra section II.A.4.
    \909\ See infra footnotes 928-936 and accompanying text.
    \910\ See infra text accompanying footnote 933.
    \911\ See infra section IV.E.
    \912\ Additional context for this analysis is provided in 
section IV.C.3.f.
---------------------------------------------------------------------------

    The costs to covered institutions of implementing the final 
amendments will be influenced by the potential burdens on service 
providers that may result from the amendments. If implementing 
procedures that satisfy covered institutions' requirements were 
costless for them, service providers would be likely to agree to 
implement the requirements without much negotiation and the costs to 
covered institutions would be minimal. If, instead, such procedures 
were costly to implement for service providers, more negotiation would 
be required, which would be costlier for all parties involved. In 
addition, in this case, the service providers might increase the price 
of their services, further increasing the costs for covered 
institutions.\913\ We discuss further below the expected indirect 
effects of the final amendments on service providers and how these 
effects may affect covered institutions.\914\
---------------------------------------------------------------------------

    \913\ Because we are not aware of any data, and no commenter 
suggested any data, that could be used to estimate how much service 
providers will pass through increased costs to covered institutions, 
we are unable to quantify the magnitude of the potential increased 
costs for covered institutions.
    \914\ See infra text accompanying footnote 927.
---------------------------------------------------------------------------

    However, even if, as in the scenario described above, the cost per 
service provider turns out to be minimal for covered institutions, the 
total cost might still become significant for covered institutions that 
have a large number of service providers. Even in this case, covered 
institutions will need to devote time and resources to verify that they 
satisfy the final requirements with respect to each of their service 
providers. In addition, covered institutions will need to devote time 
and resources to oversee their service providers throughout their 
relationship with these service providers.\915\ We are unable to 
quantify these costs, as the range would be too wide to be informative 
and commenters did not provide any data that would yield an estimation 
of such a range. The range of costs for covered institutions is likely 
to be wide given the varied nature of the uses of service providers by 
financial institutions. For instance, the cost for covered institutions 
that do not rely on service providers is likely to be minimal. However, 
for those covered institutions that have more complex arrangements with 
service providers, the cost would be significantly higher. The cost 
depends on a large number of factors that vary across covered 
institutions.\916\ For example, the cost

[[Page 47765]]

would depend on the number of service providers used, the extent to 
which service providers are used for multiple functions, each service 
provider's access to relevant customer information, as well as the 
staffing needs of the covered institutions.
---------------------------------------------------------------------------

    \915\ See supra section II.A.4. For PRA purposes, we have 
identified certain types of staff who we anticipate would be 
involved in implementing the rules. See infra section V.B. It is 
possible that those staff members may also be involved in oversight 
of service providers.
    \916\ In a proposing release pertaining to service providers, 
the Commission anticipated a range of compliance costs associated 
with required oversight of service providers by registered 
investment advisers. For example, in the proposing release, the 
Commission estimated a range of $44,106.67-$132,320 in ongoing 
annual costs per adviser associated with the proposed due diligence 
requirements (and further costs associated with proposed monitoring 
requirements and other aspects of the proposed rule). We do not 
believe those ranges of cost estimates are determinative in the 
context of the final amendments here. In particular, the scope of 
the final amendments differs substantially from the scope of that 
proposal. Those cost estimates pertained to a service provider's 
performance of outsourced functions that meet two elements: (1) 
those necessary for the adviser to provide its investment advisory 
services in compliance with the Federal securities laws; and (2) 
those that, if not performed or performed negligently, would be 
reasonably likely to cause a material negative impact on the 
adviser's ability to provide investment advisory services. By 
contrast, the final amendments here pertain to the protection of 
customer information in the case of all outsourced functions to all 
service providers. See Outsourcing by Investment Advisers, Release 
No. 6176 (Oct. 26, 2022) [87 FR 68816, 68821 (Nov. 16, 2022)].
---------------------------------------------------------------------------

    The definition of service provider in the final amendments will 
affect the costs to covered institutions by determining the number of 
service providers for which covered institutions will have to perform 
these tasks. The final amendments adopt a definition of service 
provider to mean ``any person or entity that receives, maintains, 
processes, or otherwise is permitted access to customer information 
through its provision of services directly to a covered institution.'' 
\917\ Many commenters opposed the proposed definition of service 
provider.\918\ These commenters suggested narrower definitions which 
would exclude a covered institution's affiliates.\919\ In addition, one 
commenter stated that the proposed definition was unrealistically and 
unnecessarily broad, reaching service providers where there would be 
few or no marginal benefits to their inclusion and the costs (time, 
money, personnel, etc.) to covered institutions would be 
substantial.\920\ This commenter suggested that the definition of 
service provider be limited to persons or entities with permitted 
access to sensitive customer information only.\921\
---------------------------------------------------------------------------

    \917\ Final rule 248.30(d)(10).
    \918\ See, e.g., IAA Comment Letter 1; Schulte Comment Letter. 
The definition of service provider in the final amendments is 
identical to the definition that was in the proposal. See supra 
section II.A.4.
    \919\ See IAA Comment Letter 1 (stating that ``the IAA believes 
that it is neither appropriate nor necessary to treat affiliates 
that provide services to an affiliated firm through a shared 
services or similar model as Service Providers''); Schulte Comment 
Letter (``We believe that the proposed definition of `service 
provider' should exclude a Covered Institution's affiliates.''); 
SIFMA Comment Letter 2 (``The associations also recommend that the 
Commission exclude affiliates of covered institutions from the 
definition of service providers, as affiliates are part of the same 
enterprise information/cybersecurity oversight as the covered 
institutions.''); CAI Comment Letter (``The Committee requests that 
proposed Rule 30(e)(10) be revised to specifically exclude 
affiliates and other entities under common control with the covered 
institution.'').
    \920\ See IAA Comment Letter 1.
    \921\ See IAA Comment Letter 1. This commenter also requested, 
if the proposed written contract requirement were to be kept in the 
final amendments, that it apply only to those service providers that 
have physical or virtual access to a covered institution's customer 
information system.
---------------------------------------------------------------------------

    We acknowledge that fulfilling the requirements for each of their 
service providers will impose costs on the covered institutions. 
However, the potential benefits are also large given the increasing 
reliance of covered institutions on service providers.\922\ Individual 
customers have no control over a covered institution's decisions to 
perform activities in-house or to outsource them. As such, these 
customers have little control over who has access to their information. 
A broad definition of service providers will contribute to safeguard 
customers' information and will help ensure that customers are notified 
in the event their sensitive information is compromised, no matter 
where this information resides. Furthermore, the modifications in the 
final amendments to require covered institutions to establish, 
maintain, and enforce written policies and procedures reasonably 
designed to require oversight, including through due diligence and 
monitoring, of service providers, instead of requiring written 
contracts as was proposed,\923\ will alleviate the commenters' concerns 
over the potential inclusion of affiliates. Since affiliates are likely 
to have policies and procedures similar to those of covered 
institutions,\924\ we expect that both the benefits and the costs of 
implementing this provision of the requirements will be minimal.
---------------------------------------------------------------------------

    \922\ See supra section IV.C.3.f.
    \923\ See proposed rule 248.30(b)(5)(i).
    \924\ See IAA Comment Letter 1 (``Many advisers are structured 
in a manner that makes it administratively beneficial for them to 
obtain services from affiliates. These services often are provided 
by affiliates in a manner established by the organization's policies 
without the need for formal contracts because the affiliates are 
typically subject to company-wide policies and standards relating to 
safeguarding PII. Moreover, the information security policies of 
affiliates are typically subject to oversight by an organizational 
component that monitors compliance.'') and Schulte Comment Letter 
(``We note that affiliates are typically included within the scope 
of a Covered Institution's cybersecurity policies and procedures and 
would also be covered by an applicable incident response plan.'').
---------------------------------------------------------------------------

    The indirect effects of the final amendments on service providers 
might also affect the costs borne by covered institutions and, 
ultimately, their customers. In particular, these indirect effects may 
generate costs to service providers, which may be passed on (at least 
partly) to covered institutions and ultimately to covered institutions' 
customers,\925\ or may result in negative competitive effects on 
service provider industries that then impact the services offered to 
covered institutions and their customers.\926\ The potential indirect 
effects on service providers that will result from the final amendments 
can be divided into three parts.\927\ First, entities that meet the 
definition of service providers will likely take appropriate measures 
to protect against unauthorized access to or use of customer 
information to facilitate covered institutions' compliance with the 
final amendments. We expect that many service providers already take 
such measures.\928\ Hence, we expect that the number of service 
providers who will modify their business processes for this specific 
requirement is limited. Such modifications will benefit not only the 
customers whose information is being better protected and the covered 
institutions relying on the service providers, but also the service 
providers themselves, to the extent that the modifications decrease the 
likelihood of unauthorized access to their customer information systems 
which could affect their operations or reputation.
---------------------------------------------------------------------------

    \925\ See infra text accompanying footnote 933.
    \926\ See infra section IV.E.
    \927\ We are unable to quantify the indirect costs associated 
with these indirect effects that would be incurred by service 
providers as a result of the final amendments, as the cost range 
would be too wide to be informative. The uncertainty around these 
costs is due to a number of factors, including variation in 
complexity of service provider functions provided to covered 
institutions, the degree of market concentration across service 
provider markets (and hence the number of covered institutions a 
service provider may need to work with to comply with the rule), and 
variation in current service provider practices. The costs to any 
single service provider of meeting the burden for any single 
function for any single covered institution may therefore have 
substantial variance. For example, in certain cases a few service 
providers may perform the same function for many covered 
institutions and hence benefit from economies of scale. By contrast, 
service providers in less concentrated industries would potentially 
face higher costs.
    \928\ For example, many States impose some form of requirements 
regarding the safeguard and the disposal of customer information. 
See supra footnote 603. In addition, the FTC Safeguards Rule 
requires financial institutions to take reasonable steps to select 
and retain service providers capable of maintaining appropriate 
safeguards for customer information and to require those service 
providers by contract to implement and maintain such safeguards. See 
supra footnote 618 and accompanying text. Hence, we expect that the 
service providers of private funds subject to the FTC Safeguards 
Rule already have customer information safeguards in place. This 
could lower the costs of the service provider provisions of the 
final amendments for the private funds advisers that are registered 
with the Commission and that are therefore covered institutions. See 
supra footnote 614 and accompanying text. Furthermore, service 
providers that are subject to other regimes such as the GDPR or DORA 
may already have appropriate safeguards in place.

---------------------------------------------------------------------------

[[Page 47766]]

    Second, covered institutions' policies and procedures will need to 
be reasonably designed to ensure that service providers take 
appropriate measures to provide notification of unauthorized access to 
a customer information system to the covered institutions as soon as 
possible, but no later than 72 hours after becoming aware that the 
breach has occurred. This provision might also result in a number of 
service providers adapting their businesses processes. However, 
considering that 24 States require entities that maintain but do not 
own or license customer information data to notify the entity that owns 
or licenses such data ``immediately'' in case of a breach of security, 
we expect that many service providers already have processes in place 
to ensure that such notification is made.\929\ For the service 
providers who do not already have such processes in place, this 
approach will create benefits for the customers who will be informed in 
a timely manner in the event their sensitive information is 
compromised.
---------------------------------------------------------------------------

    \929\ In addition, other existing regulations have 72-hour 
reporting or notification deadlines. See supra footnote 257 and 
accompanying text; see also supra footnote 245.
---------------------------------------------------------------------------

    Third, because the final amendments require covered institutions to 
establish, maintain, and enforce written policies and procedures 
reasonably designed to require oversight, including through due 
diligence and monitoring, of service providers who have access to their 
customers' information, these service providers will face requests for 
information from covered institutions or otherwise participate in the 
covered institutions' oversight activities. This will impose costs on 
service providers, but it will also strengthen the benefits of the 
amendments by helping ensure that customer information is appropriately 
protected even when it is residing in service providers' systems.
    For service providers that provide specialized services aimed at 
covered institutions, the final amendments may create market pressure 
to enhance service offerings that facilitate covered institutions' 
compliance with the requirements.\930\ Such enhancement will entail 
costs for specialized service providers, including the actual cost of 
adapting business processes, as discussed above, to accommodate the 
requirements.\931\ That said, we do not expect that these costs will 
represent an undue burden as both the specialized service providers and 
the covered institutions are operating in a highly regulated industry 
and might be accustomed to adapting their business processes to meet 
regulatory requirements. Moreover, more specialized service providers 
may be likely to have particularly sensitive or valuable information 
about the customers of covered institutions, and therefore the investor 
protection benefits in those cases may be substantial. With respect to 
service providers providing services aimed at a broad range of 
institutions, such as those providing email or customer-relationship 
management services, covered institutions are likely to represent a 
small fraction of their customer base. These service providers may be 
unwilling to adapt their business processes to the regulatory 
requirements of a small subset of their customers if they do not 
already have such processes in place.
---------------------------------------------------------------------------

    \930\ A service provider involved in any business-critical 
function likely ``receives, maintains, processes, or otherwise is 
permitted access to customer information.'' See final rule 
248.30(d)(10).
    \931\ We have no data on the number of specialized service 
providers used by covered institutions and on the frequency with 
which these service providers already adapt their business processes 
to regulatory changes, and no commenter suggested such data.
---------------------------------------------------------------------------

    For the service providers that already have in place processes 
satisfying the covered institutions' requirements, we expect that the 
costs to both the service providers and the covered institutions will 
be minimal and will mostly result from covered institutions' oversight 
duties. If service providers modify their business processes to 
facilitate covered institutions' compliance with the final amendments' 
requirements, we anticipate they likely will pass costs on to covered 
institutions, and ultimately covered institutions may pass these costs 
on to customers.\932\ We also expect that there might be a fraction of 
service providers who will be unwilling to take the steps necessary to 
facilitate covered institutions' compliance with the final amendments. 
In such cases, the covered institutions will need to either switch 
service providers and bear the associated switching costs or perform 
the functions in-house and establish the appropriate processes as a 
result.\933\ We expect that these costs will be particularly acute for 
smaller covered institutions which lack bargaining power with large 
service providers, and that these costs might be passed on to 
customers.\934\ However, the amendments will create benefits arising 
from enhanced efficacy of the regulation.\935\
---------------------------------------------------------------------------

    \932\ See supra footnote 718.
    \933\ Such switching costs could include the time and other 
resources necessary to find an alternative service provider, conduct 
appropriate due diligence, and negotiate prices and services 
provided. Performing the functions in-house may also be more costly 
than outsourcing them for covered institutions. A recent report 
finds that 73% of surveyed asset managers cite cost considerations 
when deploying outsourcing solutions. See Cerulli Report. The 
competitive effects associated with the cases where service 
providers choose to stop providing services to covered institutions 
as a result of the final amendments are discussed below. See infra 
section IV.E.
    \934\ We expect that smaller covered institutions may be less 
able to pass these costs to customers. See supra footnote 718.
    \935\ From the perspective of current or potential customers, 
the implications of customer information safeguard failures are 
similar whether the failure occurs at a covered institution or at 
one of its service providers.
---------------------------------------------------------------------------

    The proposal included a requirement that a covered institution's 
response program must include written policies and procedures requiring 
the institution, pursuant to a written contract between the covered 
institution and its service providers, to require that service 
providers take appropriate measures that are designed to protect 
against unauthorized access to or use of customer information.\936\ 
While one commenter supported this proposed requirement,\937\ other 
commenters suggested that the final amendments not require written 
contracts with service providers,\938\ stating that doing so would 
impose significant costs on covered institutions.\939\ After 
considering these comments, we are requiring that covered institutions 
establish, maintain, and enforce written policies and procedures to 
require oversight of service providers instead of requiring written 
contracts.\940\ This change, while enhancing the policies and 
procedures obligations, will provide covered institutions with greater 
flexibility in achieving compliance with the requirements, which could 
reduce compliance costs without significantly reducing the benefits of 
the final

[[Page 47767]]

amendments.\941\ Providing this flexibility will also help address 
commenters' concerns that requiring a written contractual agreement 
could harm covered institutions, particularly those that are relatively 
small and may not have sufficient negotiating power or leverage to 
demand specific contractual provisions from a larger third-party 
service provider.\942\ However, in a scenario where a covered 
institution has an existing contract with a service provider that is 
renegotiated as a result of the final amendments, the covered 
institution may incur additional costs.\943\ In addition, in a scenario 
where a service provider would have agreed to a written contract under 
the proposed amendments but will not under the final amendments, a 
covered institution may have to exert greater efforts to oversee this 
service provider than would have been necessary had it signed a written 
contract with this service provider.\944\
---------------------------------------------------------------------------

    \936\ See proposed rule 248.30(b)(5)(i).
    \937\ See ICI Comment Letter 1.
    \938\ See, e.g., SIFMA Comment Letter 2; IAA Comment Letter 1.
    \939\ See, e.g., SIFMA Comment Letter 2 (``Requiring each 
service provider to revise its contract with a covered institution 
within 12 months of the Proposal's finalization would add an 
unnecessary burden to both covered institutions and service 
providers, as well as a potential significant cost.''); IAA Comment 
Letter 1 (``Even if Service Providers agreed to enter into written 
agreements with advisers as proposed, advisers and Service Providers 
would both likely incur significant negotiation and implementation 
costs, which we do not believe are justified, especially when an 
alternative and less burdensome approach is available.''); STA 
Comment Letter 2 (stating that ``transfer agents, because of their 
relatively small size, simply do not have the negotiating power to 
demand contractual terms requiring third party service providers to 
maintain certain policies and procedures, or to demand permission to 
perform due diligence on a service provider's systems, policies, and 
procedures.'').
    \940\ See supra section II.A.4 and final rule 248.30(a)(5).
    \941\ See supra section II.A.4; see also, e.g., AWS Comment 
Letter.
    \942\ See, e.g., IAA Comment Letter 1.
    \943\ It is difficult for us to quantify these costs, as we have 
no data on the provisions of existing contracts between covered 
institutions and their service providers relating to customer 
information safeguards, and no commenter suggested such data. Such 
costs are likely to be contract specific, as they will depend on the 
degree to which each existing contract may be revised as a result of 
the final amendments. Many such contracts may not be revised at all, 
while others may undergo more revisions. Moreover, in many cases, 
even where a contract could be revised as a means of complying with 
the final requirements, the covered institution may pursue 
compliance by other means.
    \944\ There are a variety of ways in which covered institutions 
will be able to satisfy the oversight requirement. See supra section 
II.A.4.
---------------------------------------------------------------------------

    We also proposed that the measures taken by service providers 
include notification to the covered institution as soon as possible, 
but no later than 48 hours after becoming aware of a breach in security 
resulting in unauthorized access to a customer information system 
maintained by the service provider.\945\ While one commenter supported 
this proposed requirement,\946\ other commenters stated that a longer 
deadline would be preferable.\947\ One commenter also suggested a 
change from ``becoming aware'' to ``determining'' that a breach has 
occurred in order to minimize pressure to report on service providers 
while an investigation is being conducted.\948\
---------------------------------------------------------------------------

    \945\ See proposed rule 248.30(b)(5)(i).
    \946\ See ICI Comment Letter 1 (``We concur with the Commission 
requiring service providers to notify a covered institution notice 
within 48 hours of a breach impacting the covered institution or its 
affected individuals.'').
    \947\ See, e.g., Microsoft Comment Letter (``Specifically, where 
the SEC determines that a cybersecurity incident reporting 
requirement is appropriate, the applicable rule should provide that 
the entity with the notification responsibility shall provide the 
required notice to the recipient as soon as possible but no later 
than 72 hours. The reporting deadline should begin to run once the 
entity with notification responsibilities has a reasonable basis to 
conclude that a notifiable incident has occurred or is 
occurring.''); ACLI Comment Letter (``In the early days of 
containment and remediation it is often difficult to determine 
exactly what data has been compromised, making the 48-hour timeframe 
overly short and burdensome.'').
    \948\ See Google Comment Letter.
---------------------------------------------------------------------------

    After considering these comments, we have changed this provision. 
The final amendments require covered institutions to ensure that their 
service providers notify them of a breach as soon as possible, but no 
later than 72 hours after becoming aware that an applicable breach has 
occurred.\949\ We expect that the change to 72 hours will reduce the 
cost to service providers not only because it will give them more time 
to assess an incident before notifying the covered institution, but 
also because it aligns with existing regulation.\950\ Hence, we expect 
that this change will decrease compliance costs for covered 
institutions by making service providers more likely to agree to the 
requirements, which will decrease negotiation and switching costs for 
covered institutions.\951\ We also expect that this will alleviate some 
of the commenters' concerns about having insufficient negotiating power 
to negotiate specific with service providers.\952\ While this change 
may result in a longer period of time before customers receive 
notification of a breach, thereby decreasing the benefits of such 
notification,\953\ it might also reduce the number of unnecessary 
notifications to covered institutions and, in turn, to customers.\954\
---------------------------------------------------------------------------

    \949\ See final rule 248.30(a)(5)(i).
    \950\ See supra footnote 257 and accompanying text.
    \951\ Alignment with existing regulation makes it more likely 
that service providers already have policies and procedures in place 
to comply with this requirement.
    \952\ See, e.g., STA Comment Letter 2.
    \953\ See supra section IV.D.1.b(2) for a discussion of the 
benefits of a timely notice to customers.
    \954\ See Microsoft Comment Letter (``Premature reporting 
according to a 48-hour or shorter deadline, in our experience, 
increases the likelihood of reporting inaccurate or incomplete 
information, which is of little-to-no value and tends to create 
confusion and uncertainty.''). See also supra section IV.D.1.b(4) 
for a discussion of the effects of unnecessary notification. We 
expect that the change made to the notification timing requirements 
for service providers will mitigate these effects.
---------------------------------------------------------------------------

    The final amendments provide, as proposed, that a covered 
institution may enter into a written agreement with a service provider 
to notify individuals affected by a breach on the covered institution's 
behalf.\955\ Some commenters supported this proposed requirement.\956\ 
We expect that this provision could reduce the compliance costs of the 
amendments, especially in the case where the breach happens at the 
service provider. In this case, the service provider may be in a better 
position to collect the relevant information and provide the required 
notice to customers.\957\
---------------------------------------------------------------------------

    \955\ See final rule 248.30(a)(5)(ii).
    \956\ See Schulte Comment Letter (``Covered Institutions should 
be permitted to reach commercial agreements that delegate notice 
obligations to service providers, as long as the notice actually 
provided to customers with potentially impacted data satisfies the 
Covered Institution's notice obligations.''); ICI Comment Letter 1 
(``We also concur with the Commission that covered institutions 
should be permitted to have their service providers send breach 
notices to affected individuals on behalf of the covered 
institution.'').
    \957\ One commenter stated that ``if the service provider was 
the victim of a cyber attack that included unauthorized access to 
Covered Institution sensitive customer information, then the service 
provider would be better situated to notify the affected 
customers.'' See Schulte Comment Letter. Even when the service 
provider notifies customers directly, the obligation to ensure that 
the affected individuals are notified rests with the covered 
institution. See supra section II.A.4 and final rule 
248.30(a)(5)(iii).
---------------------------------------------------------------------------

    It is possible that a breach that will trigger a notification 
obligation might occur at a covered institution that will also be a 
service provider to another covered institution.\958\ The final 
amendments provide that the obligation to ensure that affected 
individuals are notified rests with the covered institution where the 
breach occurred.\959\ If this covered institution is also a service 
provider to another covered institution, it retains the obligation, as 
a service provider, to notify this other covered institution of the 
breach.\960\ This will allow the other covered institution to initiate 
its own incident response program and to perform its oversight duties 
on its service providers, and contribute to enhance the protection of 
customer information. We modified the final amendments such that only 
one covered institution needs to notify the affected customers.\961\ By 
requiring only one

[[Page 47768]]

notice to be sent for a given incident, this modification will reduce 
compliance costs--since only one covered institution will have to 
devote resources to preparing and sending the notice--and reduce 
potential confusion for the affected customers.\962\ We do not expect 
this modification to reduce the benefit for such customers, who will 
still receive a timely notice.
---------------------------------------------------------------------------

    \958\ For additional discussions of the cases where multiple 
covered institutions are involved in the same incident, see supra 
section II.A.3.a and infra section IV.D.2.a.
    \959\ The amendments allow the two covered institutions to 
coordinate with each other as to which institution will send the 
notice to the affected individuals. See supra section II.A.3.a.
    \960\ Because this service provider is itself a covered 
institution, it will have appropriate policies and procedures in 
place. Hence, we do not expect that notifying the other covered 
institution will imply significant costs.
    \961\ See supra section II.A.3.a. Some commenters stated that 
the proposed amendments could be interpreted to lead to duplicative 
notices. See, e.g., CAI Comment Letter (``This dynamic could also 
create duplicative notification obligations where there is 
unauthorized access to sensitive customer information that is held 
or maintained by one financial institution on behalf of another, 
since proposed Rule 30 [sic--rule 248.30] notification obligations 
would appear to apply to both financial institutions simultaneously 
even though only one set of customer information was accessed.''). 
The revisions specify that only one notification is required in that 
circumstance.
    \962\ Duplicative notices may nevertheless happen as a result of 
different requirements from other existing regulations. See supra 
section IV.C.2.a(3).
---------------------------------------------------------------------------

2. Extending the Scope of the Safeguards Rule and the Disposal Rule
a. Definition of Customer Information
    The final amendments more closely align the scope of the safeguards 
rule with the scope of the disposal rule. They also broaden the scope 
of information covered by the rules to all customer information, 
regardless of whether the customers are a covered institution's own, or 
those of another financial institution whose customer information has 
been provided to the covered institution.\963\ The final amendments 
define customer information, for any covered institution other than a 
transfer agent, as ``any record containing nonpublic personal 
information'' about a customer of a financial institution, whether in 
paper, electronic or other form, that is in the possession of a covered 
institution or that is handled or maintained by the covered institution 
or on its behalf. Such information is customer information regardless 
of whether it pertains to (a) individuals with whom the covered 
institution has a customer relationship or (b) the customers of other 
financial institutions where such information has been provided to the 
covered institution.\964\ For transfer agents, customer information is 
defined as any record containing nonpublic personal information 
``identified with any natural person, who is a securityholder of an 
issuer for which the transfer agent acts or has acted as transfer 
agent, that is handled or maintained by the transfer agent or on its 
behalf.'' \965\
---------------------------------------------------------------------------

    \963\ See supra section II.A.3.a.
    \964\ Final rule 248.30(d)(5)(i).
    \965\ Final rule 248.30(d)(5)(ii).
---------------------------------------------------------------------------

    While some commenters supported the proposed scope of the rules 
regarding the definition of customer information,\966\ one commenter 
stated that the rule should focus on sensitive customer information, 
and that the breadth of the proposed amendments was disproportionate to 
the risks of disclosure.\967\ This commenter also stated that applying 
the service provider requirements to all service providers that have 
access to any customer information would be disproportionate to the 
benefits and risk presented and suggested that it apply only to service 
providers with access to sensitive customer information.\968\
---------------------------------------------------------------------------

    \966\ See, e.g., EPIC Comment Letter; Better Markets Comment 
Letter.
    \967\ See IAA Comment Letter 1.
    \968\ See IAA Comment Letter 1.
---------------------------------------------------------------------------

    We acknowledge that applying the policies and procedures 
requirements to all customer information will impose costs that would 
not be incurred if the amendments covered only sensitive customer 
information. However, this approach creates important benefits. For 
example, the disclosure of customer information could be used for 
phishing attacks or similar efforts to access sensitive customer 
information. Moreover, with respect to policies and procedures 
specifically, the costs of creating policies and procedures for all 
information should not be much larger than the cost of creating them 
for only sensitive customer information, because the cost is in the 
creation of the policies and procedures rather than in their 
application. We acknowledge, however, that in some organizations the 
sensitive customer information could be located in different systems or 
accessible to different employees, such that policies and procedures 
for non-sensitive information would be different. In addition, covered 
institutions' existing policies and procedures may be less likely to 
meet the new requirements as a result of the breadth of the definition 
and would thus require modifications.
    Because the final amendments extend the scope of customer 
information subject to protection to information possessed by a covered 
institution regardless of whether the customers are a covered 
institution's own, or those of another financial institution whose 
customer information has been provided to the covered institution, the 
benefits of the final amendments will extend to a wide range of 
individuals such as prospective customers, account beneficiaries, 
recipients of wire transfers, or any other individual whose customer 
information a covered institution comes to possess, so long as the 
individuals are customers of a financial institution.\969\ We 
anticipate that, in many instances, the preventative measures taken by 
covered institutions to safeguard customer information in response to 
the final amendments will generally also protect these additional 
individuals.\970\ Hence, while we expect that these measures could have 
potential significant benefits for these additional individuals, we do 
not expect them to result in significant additional costs for the 
covered institutions. However, we acknowledge that, in certain 
instances, this may not be the case. For example, information about 
prospective customers used for sales or marketing purposes may be 
housed in separate systems from the covered institution's ``core'' 
customer account management systems and require additional efforts to 
secure. Regarding the measures taken by covered institutions to comply 
with the final amendments' incident response program requirements, 
following a data breach, we do not anticipate that extending the scope 
of information covered by the final amendments to include these 
additional individuals will have a significant effect. These costs will 
include additional reputational harm and litigation as well as 
increased notice delivery costs. However, given that the distinction 
between customers and other individuals is generally not relevant under 
existing State notification laws--which apply to information pertaining 
to residents of a given State--we expect that most covered institutions 
will have already undertaken to protect and provide notification of 
data breaches to these additional individuals.
---------------------------------------------------------------------------

    \969\ See final rule 248.30(d)(5).
    \970\ For example, measures aimed at strengthening information 
safeguards such as improved user access control or staff training 
will likely protect a covered institution's customer information 
systems regardless of whether they house the information of the 
covered institution's own customers or those of another financial 
institution.
---------------------------------------------------------------------------

    Some commenters agreed that covered institutions should safeguard 
the customer information they receive from other financial 
institutions.\971\ Other commenters disagreed with the proposed 
requirement that a covered institution would have to notify individuals 
whose sensitive customer information was compromised even when these 
individuals were not the covered institution's customers.\972\ Some 
commenters stated that it would be impractical for covered institutions 
to identify and contact such individuals, or that it could confuse 
these

[[Page 47769]]

individuals.\973\ However, such individuals will benefit from their 
information being included in the scope of the amendments' 
requirements. Another commenter stated that this provision of the 
requirement could lead to duplicative notification obligations if the 
two financial institutions involved--that is, the institution that 
received the information and the institution that provided the 
information--were both covered institutions.\974\ After considering 
comments, we have modified the amendments to avoid requiring that 
multiple covered institutions notify the same affected individuals for 
a given incident.\975\ The final amendments require that when an 
incident occurs at a covered institution or at one of its service 
providers that is not itself a covered institution, the covered 
institution has the obligation to ensure that a notice is provided to 
affected individuals, regardless of whether this covered institution 
has a customer relationship with the individuals. If this covered 
institution received the customer information from another covered 
institution, the two covered institutions can coordinate with each 
other to decide who will send the notice. As discussed above,\976\ we 
expect that this modification will reduce compliance costs without 
reducing the benefits of the final amendments.
---------------------------------------------------------------------------

    \971\ See, e.g., ICI Comment Letter 1; Better Markets Comment 
Letter.
    \972\ See, e.g., SIFMA Comment Letter 2; CAI Comment Letter.
    \973\ See ACLI Comment Letter; SIFMA Comment Letter 2; Federated 
Comment Letter.
    \974\ See CAI Comment Letter.
    \975\ See final rule 248.30(a)(4); see also supra sections 
II.A.3.a and IV.D.1.c.
    \976\ See supra section IV.D.1.c.
---------------------------------------------------------------------------

b. Extension To Cover All Transfer Agents
    The final amendments extend both the safeguards rule and the 
disposal rule to apply to any transfer agent registered with the 
Commission or another appropriate regulatory agency. Before this 
adoption, the safeguards rule did not apply to any transfer agents, and 
the disposal rule only applied to transfer agents registered with the 
Commission.\977\ In addition to requiring transfer agents to design an 
incident response program, the benefits and costs of which are 
discussed separately above,\978\ the amendments create an additional 
obligation on transfer agents to develop, implement, and maintain 
written policies and procedures that address administrative, technical, 
and physical safeguards for the protection of customer 
information.\979\ Moreover, the final amendments create an obligation 
on transfer agents registered with a regulatory agency other than the 
Commission to develop, implement, and maintain written policies and 
procedures that address the proper disposal of customer 
information.\980\
---------------------------------------------------------------------------

    \977\ See supra section II.B.2.
    \978\ See supra section IV.D.
    \979\ See final rule 248.30(a).
    \980\ See 17 CFR 248.30(a).
---------------------------------------------------------------------------

    As discussed in sections II.B.2 and IV.C.3.e, in the U.S., transfer 
agents provide the infrastructure for tracking ownership of securities. 
Maintaining such ownership records necessarily entails holding or 
accessing non-public information about a large swath of the U.S. 
investing public.\981\ Given the highly concentrated nature of the 
transfer agent market,\982\ a general failure of customer information 
safeguards at a transfer agent could negatively impact large numbers of 
customers.\983\
---------------------------------------------------------------------------

    \981\ One commenter disagreed with this notion, stating that 
many transfer agents do not have the type or scope of personal 
information which could lead to further complications for 
shareholders. See STA Comment Letter 2. Transfer agents that do not 
possess customer information as defined in final rule 248.30(d)(5) 
will not be covered by the amendments and as such will not be 
subject to its associated costs.
    \982\ See supra section IV.C.3.e.
    \983\ More than 40% of registered transfer agents maintain 
records for more than 10,000 individual accounts. See supra Figure 
8.
---------------------------------------------------------------------------

    One commenter stated that because transfer agents' customers are 
not the individuals whose information they hold but the issuers of 
securities, the proposed amendments were ill-fitting, which decreased 
their efficacy and increased their complications.\984\ This commenter 
also stated that the proposed amendments were not well-suited for 
transfer agents, and that this highlighted the need for a more in-depth 
analysis of how the final amendments may impact transfer agents, their 
customers (the issuers of securities), and securityholders.\985\ In 
response to this commenter, we have supplemented below the analysis of 
the benefits and costs of extending the scope of Regulation S-P to 
transfer agents.\986\
---------------------------------------------------------------------------

    \984\ See STA Comment Letter 2.
    \985\ See STA Comment Letter 2.
    \986\ Additional context is provided in section IV.C.3.f. See 
also supra section II.B.2 for a discussion of why the amendments are 
appropriate for transfer agents.
---------------------------------------------------------------------------

    The final amendments extend the scope of the safeguards rule to 
cover any transfer agent registered with the Commission or another 
appropriate regulatory agency. As discussed above,\987\ the safeguards 
rule requires covered institutions to develop written policies and 
procedures, including a response program reasonably designed to detect, 
respond to, and recover from unauthorized access to or use of customer 
information, including customer notification procedures. The benefits 
and costs of the response program, as detailed above,\988\ will also 
apply to transfer agents. Additionally, because transfer agents may be 
considered service providers under State law, or may maintain but not 
own or license customer information data, they are likely to be 
required by State law to notify the entity that owns or licenses the 
data (the issuer of the securities), which in turn could be required to 
notify the affected individuals (the holders of the securities).\989\ 
Hence, it is possible that the final amendments will result in two 
notices being sent for the same incident--one by the issuer of the 
securities, as required by State law, and one by the issuer's transfer 
agent, as required by the final amendments.
---------------------------------------------------------------------------

    \987\ See supra section IV.D.1.
    \988\ See supra section IV.D.1.a; see also infra footnote 1003 
and accompanying text for a discussion on additional costs for 
transfer agents.
    \989\ See supra section IV.C.2.a(3).
---------------------------------------------------------------------------

    Some commenters stated that a second notification would have 
negative consequences for customers without providing any 
benefits.\990\ One commenter stated that the proposed requirements 
would not provide shareholders with helpful, new information but rather 
that two different notices, from two different entities, concerning the 
same breach would likely result in shareholder confusion.\991\ Another 
commenter added that this second notice could potentially result in 
confusion, questions, and unnecessary costs to the transfer agent and 
the issuer.\992\
---------------------------------------------------------------------------

    \990\ See, e.g., STA Comment Letter 2.
    \991\ See STA Comment Letter 2.
    \992\ See Computershare Comment Letter.
---------------------------------------------------------------------------

    We disagree that no helpful, new information will be provided to 
the affected customers. In the situation where State law requires a 
notification from the issuer and the final amendments require a 
notification from the transfer agent as a covered institution, the 
final amendments will help ensure that the individuals whose 
information has been breached receive an informative and timely notice, 
with the benefits over the baseline described above.\993\ 
Securityholders will benefit by potentially receiving additional and 
more timely information on a given breach.\994\ In addition, in 
response to

[[Page 47770]]

commenters' concerns, we have modified the final amendments such that, 
for the cases where multiple notifying entities are covered 
institutions, only one notice needs to be sent to satisfy the 
amendments' requirements.\995\ Furthermore, some States allow for the 
entity that is the victim of a breach, but does not own or license the 
data, to notify individuals directly.\996\ Hence, we expect that in 
some instances, the notice required by the final amendments will 
satisfy the State law requirements and only one notice will be sent. In 
these instances, additional costs related to the second notice will be 
avoided. For the instances where two notices will nevertheless be sent, 
we acknowledge that a second notification will impose costs on the 
transfer agent or its customer the issuer. As discussed below, we 
estimate that certain costs associated with the preparation and 
distribution of notices will be, on average, $5,178 per year per 
covered institution.\997\ We understand it is possible that, in some 
cases, customers may be confused when receiving a notice from an entity 
they do not recognize and may read the notification as a phishing 
attempt or another nefarious scheme. However, we do not expect that a 
second notice will impose significant costs on the affected customers, 
and we expect that this confusion will be mitigated by the content of 
the notice. As discussed in section IV.D.1.b(5), the notice is required 
to include a description of the incident in general terms. We expect 
that this description will help explain the situation in the case where 
customers do not have a direct relationship with the transfer agent 
sending the notice and, therefore, that it will reduce potential 
customer confusion from duplicative notification, as discussed 
above.\998\
---------------------------------------------------------------------------

    \993\ See supra section IV.D.1.b.
    \994\ See supra section IV.D.1.b. Commenters stated that issuers 
may already have adopted policies and procedures to adhere to the 
strictest standards thereby already notifying securityholders 
consistent with the proposed amendments. See Computershare Comment 
Letter; STA Comment Letter 2. We acknowledge that this may be the 
case.
    \995\ See supra sections IV.D.1.c and IV.D.2.a for additional 
discussions of the case where two covered institutions are involved 
in the same incident.
    \996\ See, e.g., Wyo. Stat. section 40-12-502(g) (``The person 
who maintains the data on behalf of another business entity and the 
business entity on whose behalf the data is maintained may agree 
which person or entity will provide any required notice as provided 
in subsection (a) of this section, provided only a single notice for 
each breach of the security of the system shall be required.''). See 
also supra section IV.C.2.a(3).
    \997\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $3,862 per year per covered 
institution. See infra section V.
    \998\ See supra section II.B.2.
---------------------------------------------------------------------------

    Before this adoption, transfer agents that are registered with the 
Commission were not required to notify customers directly in case of a 
breach under Federal law.\999\ As discussed above, we also expect that, 
under State law, transfer agents are likely to be considered service 
providers (or entities that use or maintain but do not own or license 
data) and as such are typically only required to notify the issuer of 
securities in case of breach.\1000\ Hence, we expect that to satisfy 
the amendments' requirements, these transfer agents might need to 
design and implement a response program and notification procedures, 
which will require some resources.\1001\ As discussed below, we 
estimate that certain costs associated with developing and implementing 
policies and procedures, which include the response program and 
notification procedures, to comply with the final amendments will be, 
on average, $17,950 per year per transfer agent.\1002\ In addition, as 
for other types of covered institutions, if transfer agents respond to 
this requirement by improving their customer information safeguards 
beyond what is required by the final amendments, they will incur 
additional costs.\1003\ We expect that the different costs resulting 
from the written policies and procedures requirement will be passed on 
to the transfer agents' customers (the issuers of securities) and 
ultimately to the holders of these securities.
---------------------------------------------------------------------------

    \999\ In 2023, there were 251 such transfer agents. See supra 
section IV.C.3.e.
    \1000\ However, there are some States where transfer agents may 
be required by State law to notify the affected individuals 
directly. See supra footnote 574 and accompanying text.
    \1001\ Transfer agents registered with the Commission may 
already have such procedures in place and may already be notifying 
customers. See ICI Comment Letter 1 (``We understand that this is a 
common practice today for investment companies wherein their 
transfer agents assume responsibility for sending affected customers 
breach notices.''). However, we do not have data on how common such 
arrangements are and commenters did not provide such data.
    \1002\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $5,425 per year per transfer 
agent. See infra section V. These estimated costs are higher than 
for other types of covered institutions because transfer agents were 
not, before this adoption, covered by the safeguards rule. In 
addition, transfer agents registered with a regulatory agency other 
than the Commission were not, before this adoption, covered by the 
disposal rule. The final amendments extend both the safeguards rule 
and the disposal rule to apply to any transfer agent registered with 
the Commission or another appropriate regulatory agency. The 
additional costs that could be incurred by transfer agents as a 
result are discussed below. See infra text accompanying footnote 
1021.
    \1003\ We are unable to quantify expected costs resulting from 
such enhancements. See supra footnote 717 and accompanying text.
---------------------------------------------------------------------------

    Transfer agents that are registered with an appropriate regulatory 
agency other than the Commission may already be required to notify 
affected individuals in case of a breach under the Banking Agencies' 
Incident Response Guidance.\1004\ As discussed above, although the 
notification requirement under the final amendments is largely aligned 
with the Banking Agencies' Incident Response Guidance, there are some 
differences.\1005\ Hence, for these institutions, we expect that the 
costs of the requirements will primarily be to review and, if needed, 
update their notification procedures to ensure consistency with the 
amendments, though there may be some costs associated with updating 
procedures to achieve consistency with the final amendments.\1006\ As 
discussed below, we estimate that certain costs associated with 
developing and implementing policies and procedures to comply with the 
final amendments will be, on average, $17,950 per year per transfer 
agent.\1007\
---------------------------------------------------------------------------

    \1004\ In 2023, there were 64 such transfer agents; see supra 
section IV.C.3.e; see also supra section IV.C.2.b.
    \1005\ For example, the Banking Agencies' Incident Response 
Guidance requires entities to notify customers ``as soon as 
possible,'' but does not specify a precise deadline, whereas the 
final amendments require that the notice be sent as soon as 
practicable, but not later than 30 days, after becoming aware that 
unauthorized access to or use of sensitive customer information has 
occurred or is reasonably likely to have occurred. In addition, the 
Banking Agencies' Incident Response Guidance has a different 
definition of ``sensitive customer information'' and has different 
requirements regarding an entity's service providers. See supra 
section IV.C.2.b for a description of the Banking Agencies' Incident 
Response Guidance's requirements.
    \1006\ We expect these reviews and updates will result in the 
entities incurring costs generally smaller than the costs of 
adopting and implementing new policies and procedures, as discussed 
in Section V.
    \1007\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $5,425 per year per transfer 
agent. See infra section V.
---------------------------------------------------------------------------

    One commenter supported the proposed inclusion of transfer agents 
in the safeguards rule, stating that it would eliminate the asymmetry 
between the transfer agents registered with the Commission and those 
registered with another regulatory agency and that it would promote 
investor protection, regulatory parity, and fair competition among 
firms.\1008\ We agree with this commenter. Another commenter stated 
that expanding the regulation's scope to include transfer agents was 
long overdue.\1009\
---------------------------------------------------------------------------

    \1008\ See Better Markets Comment Letter.
    \1009\ See ICI Comment Letter 1.
---------------------------------------------------------------------------

    Other commenters opposed the proposed inclusion.\1010\ One 
commenter

[[Page 47771]]

stated that requiring transfer agents to notify customers directly 
would create undue costs for transfer agents, that the proposed 
amendments included a potential for conflicting regulations where there 
are overlapping State and Federal regulations, and that this would lead 
to unnecessary expenses as transfer agents attempt to develop policies 
and procedures capable of addressing these potentially conflicting 
regulations.\1011\ This commenter suggested that the Commission either 
preempt State law or prepare and produce a cost-benefit analysis 
identifying the specific ways in which the amendments would be an 
improvement over existing regulations.\1012\ Another commenter--a 
transfer agent--stated that it already had policies and procedures to 
notify issuers of securities in accordance with State law and that 
notifying the securityholders directly could violate some of its 
existing contracts with issuers.\1013\
---------------------------------------------------------------------------

    \1010\ See STA Comment Letter 2; Computershare Comment Letter.
    \1011\ See STA Comment Letter 2. The commenter did not describe 
such conflicts.
    \1012\ See STA Comment Letter 2.
    \1013\ See Computershare Comment Letter (``However, as state 
breach notification laws have been in effect for nearly two decades, 
Computershare has long-standing policies and procedures for 
notification, and contractual obligations to clients that are 
designed to track state law requirements. Such contract provisions 
may specifically prohibit Computershare as the transfer agent from 
notifying securityholders as the issuers have the requirement to 
notify their securityholders under state law.'').
---------------------------------------------------------------------------

    In response to commenters and as discussed above,\1014\ we have 
modified the final amendments to minimize the likelihood of multiple 
notices being sent for the same incident, which will decrease 
compliance costs.\1015\ The final amendments do not necessarily require 
covered institutions to notify affected customers directly in case of 
breach, but instead provide that a covered institution must ensure that 
the required notice is sent.\1016\ Hence, if a transfer agent has a 
contract with an issuer that prevents it from notifying securityholders 
directly, the transfer agent will be able to, under the final 
amendments, enter into an agreement with the issuer so that the issuer 
sends the notice on its behalf.\1017\ In consideration of the 
commenter's request for an analysis that considers the incremental 
effects of the rule over existing regulations, we have (i) conducted 
supplemental analyses of the baseline regarding State law 
requirements,\1018\ and (ii) supplemented the analysis of the benefits 
and costs of the final amendments over this baseline, highlighting the 
different areas where the final amendments will improve over existing 
regulations.\1019\
---------------------------------------------------------------------------

    \1014\ See supra section IV.D.
    \1015\ See also supra section II.B.2 for a discussion of how the 
final amendments permit transfer agents and issuers to develop 
arrangements to address potentially conflicting regulations.
    \1016\ See final rule 248.30(a)(4).
    \1017\ Such contract renegotiation will involve some costs for 
the transfer agents. It is difficult for us to quantify these costs, 
as we have no data on the provisions of existing contracts between 
transfer agents and security issuers relating to customer 
notification of data breaches, and no commenter suggested such data. 
Such costs are likely to be contract specific, as they will depend 
on the degree to which each existing contract may be revised as a 
result of the final amendments. Many such contracts may not be 
revised at all, while others may undergo more revisions. Moreover, 
in many cases, even where a contract could be revised as a means of 
complying with the final requirements, the covered institution may 
pursue compliance by other means.
    \1018\ See supra section IV.C.2.
    \1019\ See supra section IV.D.1.b.
---------------------------------------------------------------------------

    The final amendments to the safeguards rule also require transfer 
agents to develop, implement, and maintain written policies and 
procedures that address administrative, technical, and physical 
safeguards for the protection of customer information.\1020\ In 
general, transfer agents with written policies and procedures to 
safeguard customer information would be at reduced risk of experiencing 
such safeguard failures.\1021\ Because some State laws require written 
policies and procedures to protect customer information,\1022\ and 
because transfer agents, by the nature of their business models, are 
likely to hold information about individuals residing in a large number 
of States, we expect that most transfer agents already have policies 
and procedures in place.\1023\ In addition, transfer agents registered 
with a regulatory agency other than the Commission may also be subject 
to the Banking Agencies' Safeguards Guidance or other Federal 
regulation.\1024\ Hence, we expect the costs of this requirement to be 
limited and to consist mostly of reviewing and updating existing 
policies and procedures to ensure consistency with the safeguards 
rule.\1025\ As discussed below, we estimate that certain costs 
associated with developing and implementing policies and procedures to 
comply with the final amendments will be, on average, $17,950 per year 
per transfer agent.\1026\
---------------------------------------------------------------------------

    \1020\ See final rule 248.30(a)(1).
    \1021\ See supra section IV.D.1 for a discussion of the benefits 
of written policies and procedures generally.
    \1022\ See supra section IV.C.2.b.
    \1023\ In addition, some transfer agents may also be subject to 
other regulations, such as the GDPR, and already have customer 
information safeguards in place as a result. See supra section 
IV.C.2.b.
    \1024\ See supra footnote 604 and accompanying text.
    \1025\ We expect these reviews and updates will result in the 
entities incurring costs generally smaller than the costs of 
adopting and implementing new policies and procedures, as discussed 
in section V.
    \1026\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $5,425 per year per transfer 
agent. See infra section V. As discussed above, these estimates 
reflect all of the policies and procedures required by the final 
amendments, including those regarding the incident response program. 
See supra footnote 1003 and accompanying text.
---------------------------------------------------------------------------

    The final amendments extend the disposal rule to transfer agents 
registered with a regulatory agency other than the Commission.\1027\ 
The amendments require these transfer agents to properly dispose of 
customer information by taking reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal.\1028\ Because these transfer agents are subject to regulatory 
requirements and to State laws which require proper disposal of 
customer information,\1029\ we expect that they are likely to already 
have procedures in place for the disposal of customer information. 
Therefore, to the extent that transfer agents already have in place 
procedures that are consistent with these provisions of the final 
amendments, the benefits and costs relating to this requirement will be 
reduced for these institutions and for the customers whose information 
is covered by this requirement. Hence, we expect the costs of this 
requirement to be limited and to consist mostly of reviewing and 
updating existing policies and procedures to ensure consistency with 
the safeguards rule.\1030\ As discussed below, we estimate that certain 
costs associated with developing and implementing policies and 
procedures to comply with the final amendments will be, on average, 
$17,950 per year per transfer agent.\1031\
---------------------------------------------------------------------------

    \1027\ Transfer agents registered with the Commission were 
already subject to the disposal rule before this adoption. See 17 
CFR 248.30(b).
    \1028\ See 17 CFR 248.30(b).
    \1029\ The Banking Agencies' Safeguards Guidance requires that a 
covered entity's information security program be designed to ensure 
the proper disposal of customer information and consumer 
information. See supra footnote 612 and accompanying text; see also 
supra section IV.C.2.b for a discussion of State law disposal 
requirements.
    \1030\ We expect these reviews and updates will result in the 
entities incurring costs generally smaller than the costs of 
adopting and implementing new policies and procedures, as discussed 
in section V.
    \1031\ This estimate is an annual average for the first three 
years. The corresponding ongoing annual costs beyond the first three 
years are estimated to be on average $5,425 per year per transfer 
agent. See infra section V. As discussed above, these estimates 
reflect all of the policies and procedures required by the final 
amendments, including those regarding the incident response program. 
See supra footnote 1003 and accompanying text.

---------------------------------------------------------------------------

[[Page 47772]]

3. Recordkeeping
    The recordkeeping provisions of the final amendments require 
covered institutions (other than funding portals) to make and maintain 
written records documenting compliance with the requirements of the 
safeguards rule and of the disposal rule.\1032\ Each covered 
institution (other than funding portals) is required to make and 
maintain written records documenting its compliance with, among other 
things: its written policies and procedures required under the final 
amendments, including those relating to its service providers and its 
consumer information and customer information disposal practices; its 
assessments of the nature and scope of any incidents involving 
unauthorized access to or use of customer information; any 
notifications of such incidents received from service providers; steps 
taken to contain and control such incidents; and, where applicable, any 
investigations into the facts and circumstances of an incident 
involving sensitive customer information, and the basis for determining 
that sensitive customer information has not been, and is not reasonably 
likely to be, used in a manner that would result in substantial harm or 
inconvenience.\1033\
---------------------------------------------------------------------------

    \1032\ See final rule 248.30(c). As discussed above, funding 
portals have recordkeeping requirements that are different from 
those of other covered institutions under the final amendments. See 
supra footnote 385.
    \1033\ See the various provisions of final rule 248.30(a) and 
248.30(b)(2).
---------------------------------------------------------------------------

    These recordkeeping requirements will help facilitate the 
Commission's inspection and enforcement capabilities. Covered 
institutions may react to this enhanced ability of the Commission staff 
to detect deficiencies and impose sanctions against non-compliance due 
to the recordkeeping requirements by taking more care to comply with 
the substance of the amendments, which may result in material 
improvement in the response capabilities of covered institutions and 
mitigate potential harm resulting from the lack of an adequate response 
program. As such, the amendments' recordkeeping requirements might 
benefit customers through channels described in section IV.D.1.
    One commenter supported the proposed recordkeeping 
requirements.\1034\ Another commenter requested a clarification of the 
proposed requirements, suggesting that the text in the final amendments 
include more detail.\1035\ In response to this commenter, we have 
provided a more detailed description of the requirements in the rule 
text of the final amendments.\1036\ We expect that this change will 
mitigate compliance costs for covered institutions.
---------------------------------------------------------------------------

    \1034\ See ICI Comment Letter 1.
    \1035\ See IAA Comment Letter 1.
    \1036\ See supra section II.C and final rule 240.30(d)(1).
---------------------------------------------------------------------------

    We do not expect the final recordkeeping requirements to impose 
substantial compliance costs. As covered institutions are currently 
subject to similar recordkeeping requirements applicable to other 
required policies and procedures, we do not anticipate that covered 
institutions will need to invest in new recordkeeping staff, systems, 
or procedures to satisfy the new recordkeeping requirements.\1037\ The 
incremental administrative costs arising from maintaining additional 
records related to these provisions using existing systems are covered 
in the Paperwork Reduction Act analysis in section V and are estimated 
to be $420 per year per covered institution other than funding portals, 
and $630 per year per funding portal.\1038\
---------------------------------------------------------------------------

    \1037\ See, e.g., 17 CFR 240.17a-3; 17 CFR 275.204-2; 17 CFR 
270.31a-1; and 17 CFR 240.17Ad-7. Where permitted, entities may 
choose to use third-party providers in meeting their recordkeeping 
obligations. See, e.g., 17 CFR 275.204-2(e)(2).
    \1038\ See infra section V. As discussed above, funding portals 
have recordkeeping requirements that are different from those of 
other types of covered institutions. See supra footnote 385.
---------------------------------------------------------------------------

4. Exception From Annual Notice Delivery Requirement
    The final amendments incorporate into the regulation an existing 
statutory exception to the requirement that a broker-dealer, investment 
company, or registered investment adviser deliver an annual privacy 
notice to its customers.\1039\ An institution may rely on the exception 
to forgo notice if it has not changed its policies and practices with 
regard to disclosing nonpublic personal information from those it most 
recently provided to the customer via privacy notice.\1040\ The effect 
of the exception is to eliminate the requirement to send the same 
privacy policy notice to customers on multiple occasions. As such 
notices would provide no new information, receiving multiple copies of 
such notices is unlikely to provide any significant benefit to 
customers. Moreover, we expect that widespread reliance on the proposed 
exception is more likely to benefit customers, by providing clearer 
signals of when privacy policies have changed.\1041\ At the same time, 
reliance on the exception will reduce costs for covered institutions. 
However, we expect these cost savings to be limited to the 
administrative burdens discussed in section V.\1042\ We received one 
comment supporting the proposed exception.\1043\ We did not receive any 
comments suggesting alternatives to the proposed exception or 
suggesting that we not proceed with it.
---------------------------------------------------------------------------

    \1039\ See supra section II.D; see also 15 U.S.C. 6803(f). 
Additionally, under existing statutory exceptions notice is not 
required when the institution provides certain information to a 
third party to perform services for or functions on behalf of the 
institution, such as information sharing necessary to perform 
transactions on behalf of the customer, information sharing directed 
by the customer, or reporting to credit reporting agencies. See 15 
U.S.C. 6802(e).
    \1040\ See final rule 248.5(e)(1)(ii).
    \1041\ In other words, reducing the number of privacy notices 
with no new content allows customers to devote more attention to 
parsing notices that do contain new content.
    \1042\ See infra footnote 1119.
    \1043\ See ICI Comment Letter 1.
---------------------------------------------------------------------------

    Because the exception became effective when the statute was 
enacted, the aforementioned benefits are likely to have already been 
realized. Consequently, we do not expect that its inclusion will have 
any economic effects relative to the current status quo.

E. Effects on Efficiency, Competition, and Capital Formation

    As discussed above, market imperfections might lead to 
underinvestment in customer information safeguards, and to information 
asymmetry about incidents resulting in unauthorized access to or use of 
customer information.\1044\ This information asymmetry might prevent 
customers whose sensitive information was compromised from taking 
timely mitigating actions. The final amendments aim to mitigate the 
inefficiency resulting from these imperfections by imposing mandates 
for policies and procedures. Specifically, the amendments require 
covered institutions to include a response program for incidents 
involving unauthorized access to or use of customer information. This 
response program must address assessment and containment of such 
incidents, and might thereby reduce potential underinvestment in these 
areas, improving customer information safeguards as a result.\1045\ In 
addition, by requiring notification to customers about certain 
safeguard failures, the amendments could reduce the aforementioned 
information asymmetry and help customers choose a covered

[[Page 47773]]

institution that meets their needs or preferences. The notification 
requirement, by imposing reputational costs on institutions whose 
safeguards of customer information fail, might also provide covered 
institutions with greater incentives to improve their safeguards, 
contributing to lowering the probability of a breach even further.
---------------------------------------------------------------------------

    \1044\ See supra section IV.B.
    \1045\ See supra section IV.D (discussing the benefits and costs 
of the response program requirements).
---------------------------------------------------------------------------

    While the amendments have the potential to mitigate these 
inefficiencies, the scale of the overall effect is difficult to 
estimate. Due to the presence of existing regulations, including State 
notification laws, and existing security practices,\1046\ these 
inefficiencies are likely to be of limited magnitude. However, to the 
extent that they remain, the amendments might contribute to reduce 
them.\1047\ Insofar as the proposed amendments alter covered 
institutions' practices, the improvement--in terms of the effectiveness 
of covered institutions' response to incidents, customers' ability to 
respond to breaches of their sensitive customer information, and in 
reduced information asymmetry about covered institutions' efforts to 
safeguard this information--is impracticable to quantify due to data 
limitations discussed previously.\1048\
---------------------------------------------------------------------------

    \1046\ See supra sections IV.C.1 and IV.C.2.
    \1047\ Section IV.D.1.b discusses in detail how the amendments' 
requirements differ from existing State notification laws.
    \1048\ See, e.g., supra sections IV.A. and IV.D.1.
---------------------------------------------------------------------------

    The final provisions will not have first order effects on channels 
typically associated with capital formation (e.g., taxation policy, 
financial innovation, capital controls, investor disclosure, market 
integrity, intellectual property, rule-of-law, and diversification). 
Thus, the final amendments are unlikely to lead to significant effects 
on capital formation.\1049\
---------------------------------------------------------------------------

    \1049\ While we do not expect first-order effects on capital 
formation, we agree with one commenter who stated that the 
amendments would contribute to promote transparency and consistency 
on capital markets, which would benefit investors, issuers, and 
other market participants. See Nasdaq Comment Letter. In addition, 
as discussed below, there might be incremental effects on the 
capital formation associated with issuers relying on funding 
portals. See infra text accompanying footnote 1053.
---------------------------------------------------------------------------

    Because the amendments are likely to impose proportionately larger 
direct and indirect costs on smaller and more geographically limited 
covered institutions, these institutions' competitiveness vis-[agrave]-
vis their larger peers might be affected. Such covered institutions--
which may be less likely to have written policies and procedures for 
incident response programs already in place--will face 
disproportionately higher costs resulting from the proposed 
amendments.\1050\ Thus, the amendments might have negative effects on 
competition, to the extent these higher costs represent a barrier to 
entry or limit smaller institutions' viability as a competitive 
alternative to larger institutions. However, given the considerable 
competitive challenges arising from economies of scale and scope 
already faced by smaller firms, we do not anticipate that the costs 
associated with this adoption will significantly alter these challenges 
and therefore expect the incremental effects of these amendments on 
competition to be limited.
---------------------------------------------------------------------------

    \1050\ The development of policies and procedures entails a 
fixed cost component that imposes a proportionately larger burden on 
smaller firms. We expect smaller broker-dealers and investment 
advisers will be most affected. See supra sections IV.C.3.a and 
IV.C.3.c.
---------------------------------------------------------------------------

    On the other hand, the amendments may have positive competitive 
effects also. Because safeguarding customer information, including 
through cybersecurity, is disproportionately more expensive for smaller 
institutions,\1051\ customers today may already suspect that smaller 
institutions have more severe under-investments in cybersecurity than 
larger institutions and may therefore avoid smaller institutions. If 
disproportionately large costs faced by smaller institutions cause 
existing and potential customers to suspect that these institutions are 
more likely to avoid such costs, the existing information asymmetry may 
be greater for these institutions. Smaller institutions may be unable 
to overcome these suspicions on their own absent regulatory policy, and 
so asymmetries of information may represent a barrier to entry for 
smaller institutions. In this case, if the amendments result in 
customers having better information on the covered institutions' 
efforts towards protecting customer information, there will be a 
positive effect on competition. Hence, the overall effect on smaller 
and more geographically limited covered institutions' competitiveness 
remains difficult to predict.
---------------------------------------------------------------------------

    \1051\ See, e.g., Anna Cartwright et al., Cascading Information 
On Best Practice: Cyber Security Risk Management in UK Micro and 
Small Businesses and the Role of IT Companies, Computers & Security 
131 (2023) for a list of articles discussing the cybersecurity 
challenges faced by small businesses.
---------------------------------------------------------------------------

    With respect to funding portals, the situation could be different. 
As discussed above, the final amendments are likely to impose 
proportionately larger costs on smaller covered institutions,\1052\ 
including smaller funding portals. At the margin, it is possible that 
the final amendments will result in a smaller number of funding 
portals, which could result in a smaller number of crowdfunding 
intermediaries available to potential issuers. Crowdfunding 
intermediaries facilitate capital raising by smaller issuers relying 
upon Regulation Crowdfunding to offer or sell securities. To the extent 
that the final amendments result in a decrease in the availability of 
funding portals or in an increase in the costs of utilizing 
crowdfunding intermediaries for issuers or investors, they may have 
incremental negative effects on capital formation associated with 
issuers relying on such intermediaries. However, we expect the 
incremental negative effect on competition that could result from this 
to be mitigated by the already significant degree of concentration 
among crowdfunding intermediaries observed today.\1053\ We further 
expect these effects to be mitigated to the extent that issuers may be 
able to switch to using other intermediaries for their Regulation 
Crowdfunding offerings, such as larger funding portals. Lastly, the 
amendments may have a positive effect on capital formation in offerings 
under Regulation Crowdfunding to the extent that the additional 
procedural requirements in the final amendments increase protection of 
customer information and thereby attract additional potential 
investors. Hence, the overall effect remains difficult to predict.
---------------------------------------------------------------------------

    \1052\ See supra footnote 1051.
    \1053\ See supra section IV.C.3.b.
---------------------------------------------------------------------------

    Two commenters raised concerns about barriers to entry 
disproportionately affecting smaller covered institutions. One 
commenter stated that smaller advisers had been significantly affected 
by ``one-size-fits-all'' regulations that effectively require 
substantial fixed investments in infrastructure, personnel, technology, 
and operations, adding that they were concerned that these stressors 
and barriers would negatively affect smaller advisers' ability to 
continue to serve their clients.\1054\ Another commenter stated that we 
had done ``little analysis'' about the impact of recent proposals on 
small broker-dealers, competition within the brokerage industry, and 
whether the proposals could contribute to barriers for new entrants 
into the markets.\1055\ We acknowledge these

[[Page 47774]]

commenters' concerns about smaller covered institutions and, as 
discussed above, understand that smaller covered institutions might be 
disproportionately affected by the final amendments.\1056\ In response 
to these concerns, we have changed the final amendments from the 
proposal. We expect that some of these changes may mitigate costs and 
may reduce, but not eliminate, the degree to which the final amendments 
act as a barrier to entry.\1057\ We have also responded to commenters' 
concerns by adopting longer compliance periods for all covered 
institutions relative to the proposal and an even longer compliance 
period for smaller covered institutions.\1058\ The final amendments 
provide 24 months for smaller covered institutions to comply with the 
final amendments after the date of publication in the Federal Register, 
compared to 18 months for larger covered institutions.\1059\ Since 
smaller covered institutions are those most likely to exit the market 
in response to high compliance costs, this longer compliance period 
will mitigate the negative effect of the final amendments on 
competition, for example by giving smaller covered institutions 
opportunities to learn about compliance with the final requirements 
from larger covered institutions' earlier compliance.\1060\
---------------------------------------------------------------------------

    \1054\ See IAA Comment Letter 1.
    \1055\ See ASA Comment Letter. In the Proposing Release, we 
discussed that the compliance costs of the proposed amendments could 
be higher for smaller covered institutions such as small broker-
dealers who do not have a national presence. See Proposing Release 
at section III.D.1.a. We also discussed the potential negative 
competitive effects of the proposed amendments on smaller covered 
institutions and requested comments on the way we characterized the 
effects on competition. See Proposing Release at sections III.F. and 
III.G. We received no comment letter discussing specifically how the 
proposed amendments would affect the level of competition in the 
different markets in which covered institutions operate.
    \1056\ See supra footnote 1051 and accompanying text.
    \1057\ These changes include (1) requiring that a service 
provider notify the affected covered institution of a breach in a 
period of 72 hours instead of 48 hours; and (2) requiring that 
covered institutions oversee, monitor, and conduct due diligence on 
their service providers to ensure that they take appropriate 
measures to protect customer information and notify the covered 
institution in case of breach instead of requiring written 
contracts. See supra section IV.D.1.c on the expected effects of 
these changes. Because smaller covered institutions are more likely 
to have limited bargaining power when negotiating with their service 
providers, we expect that these changes may particularly reduce the 
burdens on those entities and may reduce, but will not eliminate, 
the extent to which these requirements act as a barrier to entry.
    \1058\ The proposed compliance period was 12 months from 
effective date for all covered institutions. See Proposing Release 
at section II.I.
    \1059\ See supra Table 3 for a description of small covered 
institutions for the purposes of the final amendments' tiered 
compliance period.
    \1060\ See FSI Comment Letter (``We propose a longer 
implementation period for smaller broker-dealers and investments 
advisers to allow these firms to benefit from implementation for 
larger industry participants.'').
---------------------------------------------------------------------------

    With respect to competition among transfer agents, the situation 
could be different. Because transfer agents registered with a 
regulatory agency other than the Commission may already have been 
required to notify customers in case of breach,\1061\ whereas the 
transfer agents registered with the Commission may, before this 
adoption, have only been required, by State law, to notify the security 
issuer, the latter group may face disproportionately high compliance 
costs compared to the former group since they might have to design and 
implement new policies and procedures, including the required incident 
response program and notification procedures.\1062\ This might affect 
their competitiveness vis-[agrave]-vis the transfer agents registered 
with a regulatory agency other than the Commission.\1063\ Because 
transfer agents registered with the Commission may already have 
procedures in place to notify individuals affected by a data 
breach,\1064\ the magnitude of this effect is difficult to estimate.
---------------------------------------------------------------------------

    \1061\ See supra section IV.C.2.b.
    \1062\ In 2023, there were 251 transfer agents registered with 
the Commission and 64 transfer agents registered with another 
appropriate regulatory agency. See supra section IV.C.3.e.
    \1063\ In addition, because designing and implementing new 
policies and procedures entails fixed costs, competition among 
transfer agents registered with the Commission may be affected. See 
supra discussion of potential competition effects on covered 
institutions of different sizes.
    \1064\ See supra footnote 1002. In addition, we expect that many 
transfer agents already have some processes in place to contact 
customers since communicating information from the issuer to its 
security-holders is one of the core functions of transfer agents.
---------------------------------------------------------------------------

    One commenter supported the proposed extension of the scope of the 
safeguard and disposal rules to all transfer agents and stated that it 
would promote fair competition among these firms by reducing asymmetry 
in the requirements with which different types of transfer agents must 
comply.\1065\ We agree with this commenter that including all transfer 
agents in the scope of both the safeguards rule and the disposal rule 
will contribute to enhanced competition in the market for transfer 
agents.\1066\
---------------------------------------------------------------------------

    \1065\ See Better Markets Comment Letter.
    \1066\ In particular, applying the final amendments to all 
transfer agents may be beneficial for competition, to the extent 
that applying different regulations to different entities could 
exacerbate existing differences in the competitive landscape. See 
supra section IV.C.3.e (discussing that transfer agents registered 
with the Banking Agencies are on average smaller than transfer 
agents registered with the Commission).
---------------------------------------------------------------------------

    With respect to efficiency and competition among covered 
institutions' service providers, the overall effects of the final 
amendments are difficult to predict. The final amendments require 
covered institutions to ensure that their service providers protect 
against unauthorized access to or use of customer information and 
notify the covered institution in case of a breach. The final 
amendments also require covered institutions to oversee their service 
providers to ensure that these measures are enforced.\1067\ As 
discussed above,\1068\ we expect that most service providers will 
continue their relationships with covered institutions, but some 
service providers might not. We expect that four possible scenarios may 
happen:
---------------------------------------------------------------------------

    \1067\ See final rule 248.30(a)(5).
    \1068\ See supra section IV.D.1.c.
---------------------------------------------------------------------------

     Scenario 1: The service provider already has the processes 
and procedures in place to satisfy the covered institution's 
obligations under the final amendments and is willing to cooperate with 
the oversight activities of the covered institution.
     Scenario 2: The service provider does not have the 
necessary processes and procedures in place but is willing to adapt 
them to satisfy the covered institution's obligations under the final 
amendments and to cooperate with the oversight activities of the 
covered institution.
     Scenario 3: The service provider does not have the 
necessary processes and procedures in place and is not willing to adapt 
to satisfy the covered institution's obligation under the final 
amendments.\1069\
---------------------------------------------------------------------------

    \1069\ See supra section IV.C.3.f. Because taking the 
appropriate measures to satisfy the amendments' requirements entails 
fixed costs, we expect that smaller service providers are more 
likely to exit (or not enter) this market than larger service 
providers.
---------------------------------------------------------------------------

     Scenario 4: The service provider already has the processes 
and procedures in place to satisfy the covered institution's 
obligations under the final amendments but is not willing to cooperate 
with the oversight activities of the covered institution.
    Under scenarios 1 and 2, the relationship between the covered 
institution and its service provider is maintained. Hence, we do not 
expect significant effects on efficiency and competition in these 
cases.\1070\ On the other hand, scenarios 3 and 4 imply that the 
covered institution will have to either switch to a new service 
provider or perform the former service provider's functions in-house. 
If the covered institution is unable to find a new service provider 
that is equivalent in its ability to provide the services, this is 
likely to result in a second-best outcome for the covered institution 
and therefore to result in a loss of efficiency.\1071\

[[Page 47775]]

Scenario 4 could also lead to covered institutions being forced to 
switch away from large, established service providers and instead to 
rely on smaller, less established providers that may be less capable of 
addressing the vulnerabilities within its control. This situation could 
result in a reduced ability to protect customer information.
---------------------------------------------------------------------------

    \1070\ The other benefits and costs of these scenarios are 
discussed in section IV.D.1.c.
    \1071\ Under scenario 3, we expect this effect on efficiency to 
be limited since the service providers who are the most efficient at 
the outsourced function are likely to also be more effective at 
protecting customer information. We expect this effect to be more 
significant under scenario 4.
---------------------------------------------------------------------------

    Commenters identified service providers exiting the market as a 
significant potential cost of the proposed requirements.\1072\ We 
expect that the changes that we have made to the final amendments, 
including the change from a written contract requirement to a 
requirement to oversee service providers and the change to an extended 
notification deadline of 72 hours, will reduce the likelihood of 
scenario 4 by giving covered institutions more flexibility in how they 
choose to satisfy the service provider requirements of the final 
amendments.\1073\ This will reduce the likelihood of this potential 
negative outcome. However, such an outcome is still possible and to the 
extent that it occurs, it will represent a cost of the final 
amendments.
---------------------------------------------------------------------------

    \1072\ See ACLI Comment Letter (``If service providers are 
unable or unwilling to change their practices, this requirement 
could cause regulated entities to end essential service provider 
arrangements with inadequate alternatives''); SIFMA Comment Letter 2 
(``Indeed, some service providers may not agree to the contemplated 
new terms, which could limit the number of service providers that 
agree to such requirements, causing an undue reliance on a small 
group of service providers in the industry. Another possible result 
is that the least commercially savvy service providers would agree 
to these terms, which could increase unqualified providers working 
in the industry.''); CAI Comment Letter (``In practice, this will 
often force covered institutions to choose between either using the 
best and most dependable service providers or complying with these 
regulatory requirements, since many leading service providers (such 
as cloud service providers) do not negotiate the standard terms of 
their services with customers and those standard terms generally 
would not meet the proposed contractual requirements.'').
    \1073\ See supra section II.A.4. In addition, some commenters 
mentioned costs associated specifically with written contracts. See, 
e.g., ASA Comment Letter; IAA Comment Letter 1. These contracting 
costs could also apply to service providers and potentially result 
in these service providers terminating their relationship with 
covered institutions.
---------------------------------------------------------------------------

    Because scenarios 3 and 4 result in service providers exiting the 
market, they also have effects on competition. While scenario 3 would 
result in an overall decrease in the number of service providers 
available to covered institutions, it would not necessarily reduce 
competition among service providers who are able and willing to satisfy 
covered institutions' requirements. In fact, the final amendments will 
prevent service providers that are not willing to satisfy the minimum 
requirements from operating in that market and from potentially 
undercutting service providers who do satisfy the requirements. This 
will improve the competitiveness of the service providers who are able 
and willing to satisfy the requirements. The situation is different for 
scenario 4, which would result in a decrease in the number of service 
providers with adequate customer information safeguards and 
notification procedures. This would result in a decrease in 
competition, and this is a potential cost of the regulation.
    One commenter stated that the proposed amendments could lead to 
service providers not agreeing with the new requirements, adding that 
it could result in covered institutions relying on a small group of 
service providers in the industry.\1074\ This commenter also stated 
that some service providers may choose not to enter into agreements 
with covered institutions as a result of the proposed amendments.\1075\ 
We acknowledge that this is a risk of the final amendments. However, we 
expect that the modifications that we have made to the service provider 
provisions of the final amendments will reduce the costs to service 
providers of satisfying covered institutions' requirements,\1076\ and 
might therefore reduce the likelihood of this potential negative 
outcome.
---------------------------------------------------------------------------

    \1074\ See SIFMA Comment Letter 2.
    \1075\ See id.
    \1076\ See supra section IV.D.1.c.
---------------------------------------------------------------------------

    Because of the reasons described above,\1077\ we are unable to 
estimate the likelihood of the different scenarios and, therefore, we 
are unable to quantify the efficiency and competition effects of the 
service provider provisions of the final amendments.
---------------------------------------------------------------------------

    \1077\ See id.
---------------------------------------------------------------------------

    Some commenters requested that the Commission consider interactions 
between the effects of the proposed rule and other recent Commission 
rules, as well as practical realities such as implementation 
timelines.\1078\ As discussed above, the Commission acknowledges that 
overlapping compliance periods may in some cases increase costs, 
particularly for smaller entities with more limited compliance 
resources.\1079\ This effect can negatively impact competition because 
these entities may be less able to absorb or pass on these additional 
costs, making it difficult for them to remain in business or compete. 
We acknowledge that to the extent overlap occurs, there could be costs 
that could affect competition. However, we do not expect these costs to 
be significant, for two reasons. First, the final amendments mitigate 
overall costs relative to the proposal,\1080\ including by adopting 
longer compliance periods for all covered institutions, and an even 
longer compliance period for smaller covered institutions because they 
may have more limited compliance resources. The final amendments also 
reduce costs for both larger and smaller entities, relative to the 
proposal, notably by removing the proposed requirement to have a 
written contract with service providers. Thus, any higher costs or 
potential negative effects on competition due to overlapping compliance 
periods raised in the context of the proposal may be mitigated under 
the final amendments. Second, as explained in section IV.D, many of the 
rules commenters named affect limited sets of covered institutions, and 
the compliance dates are generally spread out over a more than three-
year period, including several that precede the compliance dates of the 
final amendments. These factors will limit the incidence of covered 
institutions affected by overlapping compliance dates.
---------------------------------------------------------------------------

    \1078\ See supra section IV.C.
    \1079\ See supra section IV.D.
    \1080\ See supra section IV.B.
---------------------------------------------------------------------------

    Additionally, we anticipate that neither the recordkeeping 
provisions nor the exception from annual privacy notice delivery 
requirements will have a notable impact on efficiency, competition, or 
capital formation due to their limited economic effects.\1081\ As 
discussed elsewhere, we do not expect the recordkeeping requirements to 
impose material compliance costs, and we therefore expect the economic 
effects of the exception to be limited. And, as the economic effects of 
the recordkeeping provisions are limited, any overlapping compliance 
dates involving recordkeeping will likewise have limited effect on 
competition.
---------------------------------------------------------------------------

    \1081\ See final rule 248.30(c) and final rule 248.5; see also 
supra sections IV.D.3 and IV.D.4.
---------------------------------------------------------------------------

F. Reasonable Alternatives Considered

    In formulating the final amendments, we have considered various 
reasonable alternatives. These alternatives are discussed below.
1. Reasonable Assurances From Service Providers
    Rather than requiring the establishment, maintenance, and 
enforcement of written policies and procedures reasonably designed to

[[Page 47776]]

require oversight, including through due diligence and monitoring, of 
service providers to ensure service providers take appropriate measures 
to protect against unauthorized access to or use of customer 
information and provide notification to the covered institution if a 
breach of security occurs,\1082\ the Commission considered requiring 
covered institutions to obtain ``reasonable assurances'' from service 
providers instead. One commenter supported this alternative for some 
service providers.\1083\ This alternative requirement would be a lower 
threshold than the final provisions requiring the establishment, 
maintenance, and enforcement of written policies and procedures 
designed to require oversight, and as such would be less costly to 
reach but also less protective for customers.
---------------------------------------------------------------------------

    \1082\ See final rule 248.30(a)(5)(i).
    \1083\ See SIFMA Comment letter 2. Other commenters also 
suggested alternative thresholds that would be lower than the final 
amendments' provisions. See, e.g., IAA Comment Letter 1; AWS Comment 
Letter.
---------------------------------------------------------------------------

    Under this alternative we would have used the final amendments' 
definition of ``service provider,'' which is ``any person or entity 
that receives, maintains, processes, or otherwise is permitted access 
to customer information through its provision of services directly to a 
covered institution.'' \1084\ Thus, similar to the final amendments, 
this alternative could affect a broad range of service providers 
including, potentially: email providers, customer relationship 
management systems, cloud applications, and other technology vendors. 
Depending on the States where they operate, these service providers may 
already be subject to State laws applicable to businesses that 
``maintain'' computerized data containing private information.\1085\ 
Additionally, it is likely that any service provider that offers a 
service involving the maintenance of customer information to U.S. 
financial firms generally, or to any specific financial firm with a 
national presence, has processes in place to ensure compliance with 
these State laws.
---------------------------------------------------------------------------

    \1084\ Final rule 248.30(d)(10).
    \1085\ See, e.g., Cal. Civil Code section 1798.81.5(b) and 
1798.82(b); N.Y. Gen. Bus. Law section 899-AA(3).
---------------------------------------------------------------------------

    For those service providers that provide specialized services aimed 
at covered institutions, this alternative would, like the final 
amendments, create market pressure to enhance service offerings so as 
to provide the requisite assurances and facilitate covered 
institutions' compliance with the requirements.\1086\ These service 
providers might have little choice other than to adapt their services 
to provide the required assurances, which would result in additional 
costs for the service providers related to adapting business processes 
to accommodate the requirements. In general, we expect these costs 
would be limited in scale in the same ways the costs of the final 
amendments are limited in scale: specialized service providers are 
adapted to operating in a highly regulated industry and are likely to 
have policies and procedures in place to facilitate compliance with 
State data breach laws. And, as with the final amendments, we generally 
anticipate that such costs would largely be passed on to covered 
institutions and ultimately their customers. As compared to the final 
amendments' requirements, we expect that ``reasonable assurances'' 
would in many cases require fewer changes to business processes and, 
accordingly, lower costs.\1087\ However, this alternative--without 
more--could also be less protective than the final amendments.
---------------------------------------------------------------------------

    \1086\ A service provider involved in any business-critical 
function likely ``receives, maintains, processes, or otherwise is 
permitted access to customer information.'' See final rule 
248.30(d)(10).
    \1087\ See supra section II.A.4 for a discussion of sufficient 
safeguards for ensuring compliance with covered institution's 
obligations under the final amendments.
---------------------------------------------------------------------------

    With respect to service providers providing services aimed at a 
broad range of institutions (e.g., email, or customer-relationship 
management), the situation could be different. For these providers, 
covered institutions are likely to represent a small fraction of their 
customer base. As under the final service provider provisions, these 
service providers may again be unwilling to adapt their business 
processes to the regulatory requirements of a small subset of their 
customers under this alternative.\1088\ Some may be unwilling to make 
the assurances needed, although we anticipate that they would be 
generally more willing to make assurances than to participate in the 
covered institutions' oversight activities.\1089\ If the covered 
institution could not obtain the reasonable assurances required under 
this alternative, the covered institution would need to switch service 
providers and bear the associated switching costs, while the service 
providers would suffer loss of customers. Although the costs of 
obtaining reasonable assurances would likely be lower than under the 
final service provider provisions, and the need to switch providers 
less frequent, these costs could nonetheless be particularly acute for 
smaller covered institutions who lack bargaining power with some 
service providers. And, as outlined above, this alternative would be 
less protective than the final amendments' requirements.
---------------------------------------------------------------------------

    \1088\ See supra section IV.D.1.c (discussing the final 
requirement for covered institutions to require policies and 
procedures reasonably designed to oversee, monitor, and conduct due 
diligence on service providers).
    \1089\ See id. Additionally, the service provider's standard 
terms and conditions might in some situations provide reasonable 
assurances adequate to meet the requirement.
---------------------------------------------------------------------------

2. Lower Threshold for Customer Notice
    The Commission considered lowering the threshold for customer 
notice, such as one based on the ``possible misuse'' of sensitive 
customer information (rather than the adopted threshold requiring 
notice when sensitive customer information was, or is reasonably likely 
to have been, accessed or used without authorization), or even 
requiring notification of any breach without exception. One commenter 
suggested that the final amendments require notification when the 
unauthorized access to or use of sensitive customer information was 
``reasonably possible'' instead of ``reasonably likely.'' \1090\ A 
lower threshold would increase the number of notices customers receive. 
Although more frequent notices could potentially reveal incidents that 
warrant customers' attention and thereby potentially increase the 
benefits accruing to customers from the notice requirement discussed in 
section IV.D.1.b, they would also increase the number of false alarms. 
Such false alarms could be problematic if they reduce customers' 
ability to discern which notices require action.
---------------------------------------------------------------------------

    \1090\ See NASAA Comment Letter. In addition, another commenter 
suggested requiring customer notification for any incident of 
unauthorized access to or use of sensitive customer information 
regardless of the risk of use in a manner that would result in 
substantial harm or inconvenience. See Better Markets Comment 
Letter.
---------------------------------------------------------------------------

    Although a lower threshold could impose some additional compliance 
costs on covered institutions (due to additional notices being sent), 
we would not anticipate the additional direct compliance costs to be 
significant.\1091\ Of more economic significance to covered 
institutions would be the resulting reputational effects.\1092\ 
However, the direction of these effects is difficult to predict. On the 
one hand, increased notices resulting from a lower threshold can be 
expected to lead to additional reputational costs for firms

[[Page 47777]]

required to issue more of such notices. On the other hand, lower 
thresholds could result in customers receiving a large number of 
notices. In this case, notices could become no longer notable, likely 
leading to the negative reputation effects associated with such notices 
being reduced.
---------------------------------------------------------------------------

    \1091\ The direct compliance costs of notices are discussed in 
section V.
    \1092\ See supra section IV.B.
---------------------------------------------------------------------------

3. Encryption Safe Harbor
    The Commission considered including a safe harbor to the 
notification requirement for breaches in which only encrypted 
information was compromised. Several commenters supported an encryption 
safe harbor.\1093\ An encryption safe harbor would also align with many 
existing State laws.\1094\ Assuming that such an alternative safe 
harbor would be sufficiently circumscribed to prevent its application 
to insecure encryption algorithms, or to secure algorithms used in a 
manner as to render them insecure, the economic effects of its 
inclusion would be largely indistinguishable from the final amendments. 
This is because under the final amendments, notification is triggered 
by the ``reasonable likelihood'' that sensitive customer information 
was accessed or used without authorization.\1095\ Given the 
computational complexity involved in deciphering information encrypted 
using modern encryption algorithms and secure procedures,\1096\ the 
compromise of such encrypted information would generally not give rise 
to ``a reasonably likely risk of substantial harm or inconvenience to 
an individual identified with the information.'' \1097\ It would thus 
not constitute ``sensitive customer information,'' meaning that the 
threshold for providing notice would not be met. In addition, when 
determining that the compromised sensitive customer information has not 
been, and is not reasonably likely to be, used in a manner that would 
result in substantial harm or inconvenience, a covered institution may 
consider encryption as a factor.\1098\ Hence, in some cases, an 
explicit encryption safe harbor would be superfluous. In certain other 
cases, however, an explicit encryption safe harbor may not be as 
protective as the final amendments' Federal minimum standard for 
determining whether the compromise of customer information could create 
``a reasonably likely risk of substantial harm or inconvenience to an 
individual identified with the information.'' \1099\ It may also become 
outdated as technologies and security practices evolve. Thus, while an 
explicit (and appropriately circumscribed) safe harbor could provide 
some procedural efficiencies from streamlined application, it could 
also be misapplied.
---------------------------------------------------------------------------

    \1093\ See, e.g., SIFMA Comment Letter 2; AWS Comment Letter 1. 
See also supra section II.A.3.b for a discussion of the comments 
received on this matter.
    \1094\ See supra section IV.C.2.a(1).
    \1095\ See final rule 248.30(a)(3)(iii).
    \1096\ Here, ``secure procedures'' refers to the secure 
implementation of encryption algorithms and encompasses proper key 
generation and management, timely patching, user access controls, 
etc.
    \1097\ See final rule 248.30(d)(9); see also supra footnotes 139 
and 141 and accompanying text.
    \1098\ See final rule 248.30(a)(4); see also supra footnote 138 
and accompanying text.
    \1099\ See final rule 248.30(d)(9). The Aug. 2022 breach of the 
LastPass cloud-based password manager provides an illustrative 
example. In this data breach a large database of website credentials 
belonging to LastPass customers was exfiltrated. The customer 
credentials in this database were encrypted using a secure algorithm 
and the encryption keys could not have been exfiltrated in the 
breach, so an encryption safe harbor could be expected to apply in 
such a case. Nonetheless, customers whose encrypted passwords were 
divulged in the breach became potential targets for brute force 
attacks (i.e., attempts to decrypt the passwords by guessing a 
customer's master password) and to phishing attacks (i.e., attempts 
to induce an affected customer to divulge the master password). See 
Karim Toubba, Notice of Recent Security Incident, LastPass (Dec. 22, 
2022), available at https://blog.lastpass.com/2022/12/notice-of-recent-security-incident/; see also Craig Clough, LastPass Security 
Breach Drained Bitcoin Wallet, User Says, Portfolio Media (Jan. 4, 
2023), available at https://www.law360.com/articles/1562534/lastpass-security-breach-drained-bitcoin-wallet-user-says.
---------------------------------------------------------------------------

4. Longer Customer Notification Deadlines
    The Commission considered incorporating longer customer 
notification deadlines, such as 60 or 90 days instead of the adopted 30 
days, as well as providing no fixed customer notification deadline. 
Several commenters suggested longer customer notification 
deadlines.\1100\ Although longer notification deadlines would provide 
more time for covered institutions to rebut the presumption of 
notification discussed in section II.A.3.a, we expect that longer 
investigations would, in general, correlate with more serious or 
complicated incidents and would therefore be unlikely to end in a 
determination that sensitive customer information has not been and is 
not reasonably likely to be used in a manner that would result in 
substantial harm or inconvenience. We therefore do not expect that 
longer notification deadlines would ultimately lead to significantly 
fewer required notifications. Compliance costs conditional on notices 
being required (i.e., the actual furnishing of notices to customers) 
would be largely unchanged under alternative notice deadlines. That 
said, costs related to incident assessment would likely be somewhat 
lower due to the reduced urgency of determining the scope of an 
incident and a reduced likelihood that notifications would need to be 
made before an incident has been contained.\1101\ Arguably, longer 
notification deadlines may increase reputational costs borne by covered 
institutions that choose to take advantage of the longer deadlines. 
Overall, however, we do not expect that longer notification deadlines 
would lead to costs for covered institutions that differ significantly 
from the costs of the adopted 30-day outside timeframe.
---------------------------------------------------------------------------

    \1100\ See, e.g., FSI Comment Letter; IAA Comment Letter 1. See 
also supra footnote 796 and accompanying text and supra section 
II.A.3.d(1) for a discussion of the comments received on this 
matter.
    \1101\ See supra section IV.D.1.b(2).
---------------------------------------------------------------------------

    Providing for longer notifications deadlines would likely reduce 
the promptness with which some covered institutions issue notifications 
to customers, potentially reducing their customers' ability to take 
effective mitigating actions. In particular, as discussed in section 
IV.D.1.b(2), some breaches are discovered very quickly. For customers 
whose sensitive customer information is compromised in such breaches, a 
longer notification deadline could significantly reduce the 
timeliness--and value--of the notice.\1102\ On the other hand, where a 
public announcement could hinder containment efforts, a longer 
notification timeframe could yield benefits to the broader public (and/
or to the affected investors).\1103\
---------------------------------------------------------------------------

    \1102\ See supra footnote 784 and accompanying text.
    \1103\ See supra footnote 803 and accompanying text.
---------------------------------------------------------------------------

5. Broader National Security and Public Safety Delay in Customer 
Notification
    The Commission considered providing for a broader delay to the 30-
day notification outside timeframe by extending its applicability to 
cases where any appropriate law enforcement agency requests the 
delay.\1104\ This alternative delay would more closely align with the 
delays adopted by other regulators, such as the Banking

[[Page 47778]]

Agencies,\1105\ and by many States.\1106\ Several commenters suggested 
broader delays.\1107\ On the other hand, another commenter stated that 
the Commission should not allow for any law enforcement delay.\1108\
---------------------------------------------------------------------------

    \1104\ The final amendments differ from the proposal in that 
they allow for a longer national security and public safety delay 
under certain circumstances and allow for a delay if the notice 
poses a substantial risk to either public safety or national 
security (the proposal referred to national security risk only). 
However, the final amendments allow for such a delay only if the 
Attorney General informs the Commission, in writing, of such risk. 
See supra section II.A.3.d(2).
    \1105\ See Banking Agencies' Incident Response Guidance.
    \1106\ See, e.g., RCW 19.255.010(8); Fla. Stat. section 
501.171(4)(b).
    \1107\ See, e.g., Nasdaq Comment Letter; ICI Comment Letter 1.
    \1108\ See Better Markets Comment Letter.
---------------------------------------------------------------------------

    The principal function of a law enforcement delay is to allow a law 
enforcement or national security agency to prevent cybercriminals from 
becoming aware of their detection. Observing a cyberattack that is in 
progress can allow investigators to take actions that can assist in 
revealing the attacker's location, identity, or methods.\1109\ 
Notifying affected customers has the potential to alert attackers that 
their intrusion has been detected, hindering these efforts.\1110\ Thus, 
a broader delay could generally be expected to enhance law 
enforcement's efficacy in cybercrime investigations, which would 
potentially benefit affected customers through damage mitigation and 
benefit the general public through improved deterrence and increased 
recoveries, and by enhancing law enforcement's knowledge of attackers' 
methods. It would also potentially reduce compliance costs for covered 
institutions by aligning more closely with the existing regulations 
discussed above.\1111\
---------------------------------------------------------------------------

    \1109\ Cybersecurity Advisory: Technical Approaches to 
Uncovering and Remediating Malicious Activity, Cybersecurity & 
Infrastructure Sec. Agency (Sept. 24, 2020), available at https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-245a 
(explaining how and why investigators may ``avoid tipping off the 
adversary that their presence in the network has been discovered'').
    \1110\ Id.
    \1111\ See supra section IV.C.2.
---------------------------------------------------------------------------

    That said, use of the delay provisions would necessarily result in 
customers affected by a cyberattack being notified later, reducing the 
value to customers of such notices.\1112\ Incidents where law 
enforcement would like to delay customer notifications are likely to 
involve numerous customers, who--without timely notice--may be unable 
to take timely mitigating actions that could prevent additional 
harm.\1113\ Law enforcement investigations can also take time to 
resolve and, even when successful, their benefits to affected customers 
(e.g., recovery of criminals' ill-gotten gains) may be limited.
---------------------------------------------------------------------------

    \1112\ See supra footnote 784 and accompanying text.
    \1113\ See supra section IV.D.1.b(2).
---------------------------------------------------------------------------

    Information about cybercrime investigations is often confidential. 
The Commission does not have data on the prevalence of covert 
cybercrime investigations, their success or lack of success, their 
deterrent effect if any, or the impact of customer notification on 
investigations.\1114\ No commenter suggested such data. Thus, we are 
unable to quantify the costs and benefits of this alternative.\1115\
---------------------------------------------------------------------------

    \1114\ We do, however, have evidence that requests by law 
enforcement to delay customer notification are relatively rare 
events. See supra footnote 806.
    \1115\ We requested public comment on these topics in the 
Proposing Release but did not receive any.
---------------------------------------------------------------------------

V. Paperwork Reduction Act

A. Introduction

    Certain provisions of the final amendments contain ``collection of 
information'' requirements within the meaning of the Paperwork 
Reduction Act of 1995 (``PRA'').\1116\ We are submitting the final 
collection of information to the Office of Management and Budget 
(``OMB'') for review in accordance with the PRA.\1117\ The safeguards 
rule and the disposal rule we are amending will have an effect on the 
currently approved existing collection of information under OMB Control 
No. 3235-0610, the title of which is, ``Rule 248.30, Procedures to 
safeguard customer records and information; disposal of consumer report 
information.'' \1118\ An agency may not conduct or sponsor, and a 
person is not required to respond to, a collection of information 
unless it displays a currently valid OMB control number. The amended 
requirement to adopt policies and procedures constitutes a collection 
of information requirement under the PRA. The collection of information 
associated with the final amendments will be mandatory, and responses 
provided to the Commission in the context of its examination and 
oversight program concerning the final amendments will be kept 
confidential subject to the provisions of applicable law. A description 
of the final amendments, including the need for the information and its 
use, as well as a description of the types of respondents, can be found 
in section II above, and a discussion of the expected economic effects 
of the final amendments can be found in section III above. The 
Commission published notice soliciting comments on the collection of 
information requirements in the Proposing Release and submitted the 
proposed collections of information to OMB for review in accordance 
with 44 U.S.C. 3507(d) and 5 CFR 1320.11.
---------------------------------------------------------------------------

    \1116\ 44 U.S.C. 3501 through 3521.
    \1117\ 44 U.S.C. 3507(d); 5 CFR 1320.11.
    \1118\ The paperwork burden imposed by Regulation S-P's notice 
and opt-out requirements, 17 CFR 248.1 to 248.18, is currently 
approved under a separate OMB control number, OMB Control No. 3235-
0537. The final amendments will implement a statutory exception that 
has been in effect since late 2015. We do not believe that the 
amendment to implement the statutory exception makes any substantive 
modifications to this existing collection of information requirement 
or imposes any new substantive recordkeeping or information 
collection requirements within the meaning of the PRA. Similarly, we 
do not believe that the final amendments to: (i) Investment Company 
Act rules 31a-1(b) (OMB control number 3235-0178) and 31a-2(a) (OMB 
control number 3235-0179) for investment companies that are 
registered under the Investment Company Act, (ii) Investment 
Advisers Act rule 204-2 (OMB control number 3235-0278) for 
investment advisers, (iii) Exchange Act rule 17a-4 (OMB control 
number 3235-0279) for broker-dealers, and (iv) Exchange Act rule 
17Ad-7 (OMB control number 3235-0291) for transfer agents, makes any 
modifications to this existing collection of information requirement 
or imposes any new recordkeeping or information collection 
requirements. Accordingly, we believe that the current burden and 
cost estimates for the existing collection of information 
requirements remain appropriate, and we believe that the final 
amendments should not impose substantive new burdens on the overall 
population of respondents or affect the current overall burden 
estimates for this collection of information. We are, therefore, not 
revising any burden and cost estimates in connection with these 
amendments.
---------------------------------------------------------------------------

    The Commission did not receive any comments that specifically 
addressed the estimated PRA analysis in the Proposing Release but did 
receive comments regarding the costs and burdens of the proposed rules 
generally. Those comments are discussed in more detail in section IV 
above. In particular, several commentators raised concerns regarding 
the costs associated with negotiating and renegotiating written 
contracts with service providers.\1119\ One commenter did support the 
proposed written contract provision due to its very narrow scope.\1120\ 
In response to commenters' concerns about the costs of negotiating 
contracts, we have replaced the proposed requirement for a covered 
institution to have a written contract with a service provider with a 
requirement to implement written policies and procedures to oversee, 
monitor, and conduct due diligence on the service provider. In a 
modification from the proposal, rather than requiring written policies 
and procedures requiring the covered institution to

[[Page 47779]]

enter into a written contract with its service providers to take 
certain appropriate measures, the policies and procedures required by 
the final amendments must be reasonably designed to ensure service 
providers take appropriate measures to: (A) protect against 
unauthorized access to or use of customer information; and (B) provide 
notification to the covered institution regarding an incident affecting 
customer information in the timeframes and circumstances discussed 
above. The modifications to the proposal are designed to address many 
of commenters' concerns regarding the costs associated with the service 
provider provisions of the proposed amendments. We have not reduced the 
Proposing Release's PRA estimates, however, because the final 
amendments still require policies and procedures regarding service 
providers that we estimate will involve PRA burdens consistent with 
those we estimated for the proposed requirement. As discussed above, 
some commenters urged for more time to investigate incidents, 
suggesting that failing to do so would result in an increase in the 
amount of notices being provided.\1121\ We are increasing the estimates 
associated with the final rule with regards to the preparation and 
distribution of notices because these comments seem to suggest a view 
that the proposed estimates related to these burdens were too low. We 
have also adjusted the proposal's estimated annual burden hours and 
total time costs to reflect updated wage rates.
---------------------------------------------------------------------------

    \1119\ See STA and ComputerShares Comment Letters (transfer 
agents don't have the leverage to negotiate contracts with service 
providers); ASA Comment Letter (no discussion or estimate of the 
costs the written contract requirement would impose on brokers); IAA 
Comment Letter (individual advisers, particularly smaller advisers, 
lack leverage to engage in contractual negotiations with many 
service providers); ACLI Comment Letter; Cambridge Comment Letter; 
CAI Comment Letter; AWS Comment Letter; Google Comment Letter. Other 
commenters raised this issue but suggested extending the 
implementation period as a remedy. See NASDAQ Comment Letter; FIF 
Comment Letter; SIFMA Comment Letter 2.
    \1120\ See ICI Comment Letter.
    \1121\ See, e.g., supra footnote 165 and accompanying text.
---------------------------------------------------------------------------

B. Amendments to the Safeguards Rule and Disposal Rule

    As discussed above, the final amendments to the safeguards rule 
will require covered institutions to develop, implement, and maintain 
written policies and procedures that include incident response programs 
reasonably designed to detect, respond to, and recover from 
unauthorized access to or use of customer information, including 
customer notification procedures. The response program must include 
procedures to assess the nature and scope of any incident involving 
unauthorized access to or use of customer information; take appropriate 
steps to contain and control the incident; and provide notice to each 
affected individual whose sensitive customer information was, or is 
reasonably likely to have been, accessed or used without authorization 
(unless the covered institution makes certain determinations as 
specified in the final amendments).
    The final amendments to the disposal rule will require covered 
institutions that maintain or otherwise possess customer information, 
or consumer information to adopt and implement written policies and 
procedures that address proper disposal of such information, which will 
include taking reasonable measures to protect against unauthorized 
access to or use of the information in connection with its disposal.
    Finally, the final amendments will require covered institutions 
other than funding portals to make and maintain written records 
documenting compliance with the requirements of the safeguards rule and 
the disposal rule. Under the final amendments, the time periods for 
preserving records will vary by covered institution to be consistent 
with existing recordkeeping rules.\1122\
---------------------------------------------------------------------------

    \1122\ The final amendments will also broaden the scope of 
information covered by the safeguards rule and the disposal rule (to 
include all customer information in the possession of a covered 
institution or is handled or maintained on its behalf, and all 
consumer information that a covered institution maintains or 
otherwise possesses for a business purpose) and extend the 
application of the safeguards provisions to transfer agents 
registered with the Commission or another appropriate regulatory 
agency. These amendments do not contain collections of information 
beyond those related to the incident response program analyzed 
above.
---------------------------------------------------------------------------

    Based on FOCUS Filing, Form BD Filing, and Form BD-N data, as of 
the third quarter of 2023, there were 3,476 brokers or dealers, other 
than notice-registered brokers or dealers or funding portals. Based on 
Investment Adviser Registration Depository data, as of Oct. 5, 2023, 
there were 15,565 investment advisers registered with the Commission. 
As of Sept. 30, 2023, there were 13,766 investment companies.\1123\ 
Based on Form TA-1, as of Sept. 30, 2023, there were 251 transfer 
agents registered with the Commission and 64 transfer agents registered 
with the Banking Agencies. Based on staff analysis and publicly 
available filings, as of Dec. 31, 2023, there were 92 funding portals.
---------------------------------------------------------------------------

    \1123\ Data on investment companies registered with the 
Commission comes from Form N-CEN filings; data on BDCs comes from 
LSEG BDC Collateral; and data on employees' securities companies 
comes from Form 40-APP. See supra Table 4.
---------------------------------------------------------------------------

    Table 5 below summarizes our PRA initial and ongoing annual burden 
estimates associated with the final amendments to the safeguards rule 
and the disposal rule.

                                              Table 5--Amendments to Safeguards Rule and Disposal Rule--PRA
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                        Internal initial     Internal annual burden                                                 Annual external cost
                                          burden hours              hours \1\            Wage rate \2\        Internal time cost           burden
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                   PROPOSED ESTIMATES
--------------------------------------------------------------------------------------------------------------------------------------------------------
Adopting and implementing policies   60 hours..............  25 hours \3\..........  $455 (blended rate     $11,375 (equal to the  $2,655.\4\
 and procedures.                                                                      for compliance         internal annual
                                                                                      attorney and           burden x the wage
                                                                                      assistant general      rate).
                                                                                      counsel).
Preparation and distribution of      9 hours...............  8 hours \5\...........  $300 (blended rate     $2,400 (equal to the   $2,018.\6\
 notices.                                                                             for senior             internal annual
                                                                                      compliance examiner    burden x the wage
                                                                                      and compliance         rate).
                                                                                      manager).
Recordkeeping......................  1 hour................  1 hour................  $381 (blended rate     $381.................  $0.
                                                                                      for compliance
                                                                                      attorney and senior
                                                                                      programmer).
Total new annual burden per covered  ......................  34 hours (equal to the  .....................  $14,156 (equal to the  $4,673 (equal to the
 institution.                                                 sum of the above                               sum of the above       sum of the above two
                                                              three boxes).                                  three boxes).          boxes).
Number of covered institutions.....  ......................  x 32,897 covered        .....................  x 32,897 covered       16,449.\8\
                                                              institutions \7\.                              institutions.
Total new annual aggregate burden..  ......................  1,118,498 hours.......  .....................  $465,689,932.........  $76,866,177.
--------------------------------------------------------------------------------------------------------------------------------------------------------

[[Page 47780]]

 
                                                                     FINAL ESTIMATES
         Broker-dealers other than notice registered broker-dealers, investment advisers registered with the Commission and investment companies
--------------------------------------------------------------------------------------------------------------------------------------------------------
Adopting and implementing policies   60 hours..............  25 hours \3\..........  $501 (blended rate     $12,525 (equal to the  $2,920.\9\
 and procedures.                                                                      for compliance         internal annual
                                                                                      attorney and           burden x the wage
                                                                                      assistant general      rate).
                                                                                      counsel).
Preparation and distribution of      12 hours..............  9 hours \5\...........  $329 (blended rate     $2,961 (equal to the   $2,217.\10\
 notices.                                                                             for senior             internal annual
                                                                                      compliance examiner    burden x the wage
                                                                                      and compliance         rate).
                                                                                      manager).
Recordkeeping......................  1 hour................  1 hour................  $420 (blended rate     $420.................  $0.
                                                                                      for compliance
                                                                                      attorney and senior
                                                                                      programmer).
Total new annual burden per          ......................  35 hours (equal to the  .....................  $15,906 (equal to the  $5,137 (equal to the
 applicable covered institution.                              sum of the above                               sum of the above       sum of the above two
                                                              three boxes).                                  three boxes).          boxes).
Number of applicable covered         ......................  x 32,807 covered        .....................  x 32,807 covered       16,404.\8\
 institutions.                                                institutions \11\.                             institutions.
New annual applicable covered        ......................  1,148,245 hours.......  .....................  $521,828,142.........  $84,267,348.
 institutions aggregate burden.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                     Transfer Agents
--------------------------------------------------------------------------------------------------------------------------------------------------------
Adopting and implementing policies   75 hours..............  30 hours \12\.........  $501 (blended rate     $15,030 (equal to the  $2,920.\9\
 and procedures.                                                                      for compliance         internal annual
                                                                                      attorney and           burden x the wage
                                                                                      assistant general      rate).
                                                                                      counsel).
Preparation and distribution of      12 hours..............  9 hours \5\...........  $329 (blended rate     $2,961 (equal to the   $2,217.\10\
 notices.                                                                             for senior             internal annual
                                                                                      compliance examiner    burden x the wage
                                                                                      and compliance         rate).
                                                                                      manager).
Recordkeeping......................  1 hour................  1 hour................  $420 (blended rate     $420.................  $0.
                                                                                      for compliance
                                                                                      attorney and senior
                                                                                      programmer).
Total new annual burden per          ......................  40 hours (equal to the  .....................  $18,411 (equal to the  $5,137 (equal to the
 transfer agent.                                              sum of the above                               sum of the above       sum of the above two
                                                              three boxes).                                  three boxes).          boxes).
Number of transfer agents..........  ......................  x 315 \13\............  .....................  x 315................  158.\8\
New annual transfer agent aggregate  ......................  12,600................  .....................  $5,799,465...........  $811,646.
 burden.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                                     Funding Portals
--------------------------------------------------------------------------------------------------------------------------------------------------------
Adopting and implementing policies   60 hours..............  25 hours \3\..........  $501 (blended rate     $12,525 (equal to the  $2,920.\9\
 and procedures.                                                                      for compliance         internal annual
                                                                                      attorney and           burden x the wage
                                                                                      assistant general      rate).
                                                                                      counsel).
Preparation and distribution of      12 hours..............  9 hours \5\...........  $329 (blended rate     $2,961 (equal to the   $2,217.\10\
 notices.                                                                             for senior             internal annual
                                                                                      compliance examiner    burden x the wage
                                                                                      and compliance         rate).
                                                                                      manager).
Recordkeeping......................  1.5 hours \14\........  1.5 hours.............  $420 (blended rate     $630.................  $0.
                                                                                      for compliance
                                                                                      attorney and senior
                                                                                      programmer).
Total new annual burden per funding  ......................  35.5 hours (equal to    .....................  $16,116 (equal to the  $5,137 (equal to the
 portal.                                                      the sum of the above                           sum of the above       sum of the above two
                                                              three boxes).                                  three boxes).          boxes).
Number of funding portals..........  ......................  x 92..................  .....................  x 92.................  46.\8\
New annual funding portal aggregate  ......................  3,266.................  .....................  $1,482,672...........  $236,302.
 burden.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                     Total Estimated Burdens of the Final Amendments
--------------------------------------------------------------------------------------------------------------------------------------------------------
Total new annual aggregate burden..  ......................  1,164,111 hours.......  .....................  $529,110,279.........  $85,315,296.
--------------------------------------------------------------------------------------------------------------------------------------------------------
                                                      TOTAL ESTIMATED BURDENS INCLUDING AMENDMENTS
--------------------------------------------------------------------------------------------------------------------------------------------------------
Current aggregate annual burden      ......................  +65,760 hours.........  .....................  .....................  +$0.
 estimates.
Revised aggregate annual burden      ......................  1,229,871 hours.......  .....................  $529,110,279.........  $85,315,296.
 estimates.
--------------------------------------------------------------------------------------------------------------------------------------------------------
Notes:
\1\ Includes initial burden estimates annualized over a 3-year period.
\2\ The Commission's estimates of the relevant wage rates are based on the SIFMA Wage Report. The estimated figures are modified by firm size, employee
  benefits, overhead, and adjusted to account for the effects of inflation.
\3\ Includes initial burden estimates annualized over a three-year period, plus 5 hours of ongoing annual burden hours. The estimate of 25 hours is
  based on the following calculation: ((60 initial hours/3) + 5 hours of additional ongoing burden hours) = 25 hours.

[[Page 47781]]

 
\4\ This estimated burden is based on the estimated wage rate of $531/hour, for 5 hours, for outside legal services. The Commission's estimates of the
  relevant wage rates for external time costs, such as outside legal services, takes into account staff experience, a variety of sources including
  general information websites, and adjustments for inflation.
\5\ Includes initial burden estimate annualized over a three-year period, plus 5 hours of ongoing annual burden hours. The estimate of 9 hours is based
  on the following calculation: ((12 initial hours/3 years) + 5 hours of additional ongoing burden hours) = 9 hours.
\6\ This estimated burden is based on the estimated wage rate of $531/hour, for 3 hours, for outside legal services and $85/hour, for 5 hours, for a
  senior general clerk.
\7\ Total number of covered institutions is calculated as follows: 3,401 broker-dealers other than notice registered broker-dealers + 15,129 investment
  advisers registered with the Commission + 13,965 investment companies + 335 transfer agents registered with the Commission + 67 transfer agents
  registered with the Banking Agencies = 32,897 covered institutions.
\8\ We estimate that 50% of covered institutions will use outside legal services for these collections of information. This estimate takes into account
  that covered institutions may elect to use outside legal services (along with in-house counsel), based on factors such as budget and the covered
  institution's standard practices for using outside legal services, as well as personnel availability and expertise.
\9\ This estimated burden is based on the estimated wage rate of $584/hour, for 5 hours, for outside legal services. The Commission's estimates of the
  relevant wage rates for external time costs, such as outside legal services, takes into account staff experience, a variety of sources including
  general information websites, and adjustments for inflation.
\10\ This estimated burden is based on the estimated wage rate of $584/hour, for 3 hours, for outside legal services and $93/hour, for 5 hours, for a
  senior general clerk.
\11\ Total number of applicable covered institutions is calculated as follows: 3,476 broker-dealers other than notice-registered broker-dealers or
  funding portals + 15,565 investment advisers registered with the Commission + 13,766 investment companies = 32,807 covered institutions. The burdens
  for funding portals and transfer agents are calculated separately.
\12\ Includes initial burden estimates annualized over a three-year period, plus 5 hours of ongoing annual burden hours. The estimate of 30 hours is
  based on the following calculation: ((75 initial hours/3) + 5 hours of additional ongoing burden hours) = 30 hours.
\13\ The number of transfer agents includes 251 transfer agents registered with the Commission + 64 transfer agents registered with the Banking Agencies
  = 315 transfer agents.
\14\ Funding portals are not subject to the recordkeeping obligations for brokers found under Rule 17a-4. Instead, they are obligated, pursuant to Rule
  404 of Regulation Crowdfunding, to make and preserve all records required to demonstrate their compliance with, among other things, Regulation S-P.
  While the final amendments do not modify funding portals' recordkeeping requirements to include the same enumerated list of obligations as those
  applied to brokers under the amendments to Rule 17a-4, funding portals generally should look to make and preserve the same scope of records in
  connection with demonstrating their compliance with this portion of Regulation S-P. Further, Rule 404 requires funding portals to preserve these
  records for a longer period of time than brokers are required to preserve records under Rule 17a-4. Due to this longer required period for records
  preservation, the estimated burden for funding portals is higher than for brokers.

VI. Final Regulatory Flexibility Act Analysis

    The Regulatory Flexibility Act (``RFA'') requires the Commission, 
in promulgating rules under Section 553 of the Administrative Procedure 
Act,\1124\ to consider the impact of those rules on small entities. We 
have prepared this Final Regulatory Flexibility Analysis (``FRFA'') in 
accordance with Section 604 of the RFA.\1125\ An Initial Regulatory 
Flexibility Analysis (``IRFA'') was prepared in accordance with the RFA 
and was included in the Proposing Release.\1126\
---------------------------------------------------------------------------

    \1124\ 5 U.S.C. 553.
    \1125\ 5 U.S.C. 604.6.
    \1126\ Proposing Release at section V.
---------------------------------------------------------------------------

A. Need for, and Objectives of, the Final Amendments

    The purpose of the final amendments is to limit potential harmful 
impacts to customers by enhancing and modernizing the protection of 
customer information. Among other things, the amendments update the 
rule's requirements to address the expanded use of technology and 
corresponding risks.
    The need for, and objectives of, the final amendments are described 
in Sections I and II above. We discuss the economic impact and 
potential alternatives to the amendments in Section IV, and the 
estimated compliance costs and burdens of the amendments under the PRA 
in Section V.

B. Significant Issues Raised by Public Comments

    In the Proposing Release, the Commission requested comment on any 
aspect of the IRFA, and particularly on the number of small entities 
that would be affected by the proposed amendments, the existence or 
nature of the potential impact of the proposed amendments on small 
entities discussed in the analysis, how the proposed amendments could 
further lower the burden on small entities, and how to quantify the 
impact of the proposed amendments.
    One commenter urged the Commission to conduct a more holistic cost-
benefit analysis, and in particular consider the disproportionate costs 
on smaller advisers.\1127\ The commenter noted that smaller advisers 
have been significantly burdened by one-size-fits-all regulations--both 
in isolation and cumulatively--that effectively require substantial 
fixed investments in infrastructure, personnel, technology, and 
operations.\1128\ Another commenter stated that the Commission did 
little analysis about the impact of these proposals on small broker-
dealers, competition within the brokerage industry, and whether they 
could contribute to barriers for new entrants into the markets.\1129\ 
We discuss the cost-benefit analysis and challenges small entities may 
face above.\1130\
---------------------------------------------------------------------------

    \1127\ See IAA Comment Letter 2.
    \1128\ See IAA Comment Letter 1.
    \1129\ See ASA Comment Letter.
    \1130\ See supra section IV.
---------------------------------------------------------------------------

    Additionally, multiple commenters discussed the burden small 
entities would face. For instance, several commenters stated that an 
increased compliance cost for implementing new systems, training 
employees, and conducting audits, may disproportionately affect smaller 
firms, inhibiting their ability to compete and grow.\1131\ Multiple 
commenters asserted small covered institutions, who may not have the 
negotiating power or leverage to demand specific contract provisions 
from large third-party service providers, would potentially be harmed 
by the written contract requirement for service providers.\1132\ 
Another commenter noted the outsized impact small broker-dealers 
face.\1133\ However, another commenter noted while small firms may be 
impacted by increased costs, this should not come at the expense of 
customer protection, and stated that driving competition towards better 
protections will ultimately benefit customers and promote a healthier 
market.\1134\
---------------------------------------------------------------------------

    \1131\ See Grey Comment Letter, Robinson Comment Letter, and 
Scouten Comment Letter; see also ASA Comment Letter.
    \1132\ See IAA Comment Letter 2; see also STA Comment Letter 2 
and Computershare Comment Letter.
    \1133\ See FSI Comment Letter.
    \1134\ See Wohlfahrt Comment Letter.
---------------------------------------------------------------------------

    Commenters proposed multiple alternatives to lower the burden on 
small entities. One commenter urged the Commission to provide a longer 
time to transition for smaller advisers.\1135\ Additionally, the 
commenter stated that it has frequently called on the Commission to 
take steps to tailor its rules to minimize impacts the proposed 
amendments would have on smaller advisers, for example through 
preserving a flexible, risk- and principles-based approach, excluding 
or exempting smaller advisers from specific requirements where the 
burdens on those advisers outweigh the benefits, and tiering and 
staggering

[[Page 47782]]

compliance timetables.\1136\ Likewise, another commenter proposed a 
longer implementation period for smaller broker-dealers and investments 
advisers to allow these firms to benefit from implementation for larger 
industry participants.\1137\
---------------------------------------------------------------------------

    \1135\ See IAA Comment Letter 1.
    \1136\ See IAA Comment Letter 2; see also STA Comment Letter 
suggesting exempting transfer agents that do not maintain a 
threshold number of shareholder accounts. See supra section IV.E for 
further discussion of exemption based upon size.
    \1137\ See FSI Comment Letter.
---------------------------------------------------------------------------

    We expect the benefits and the costs of the final amendments to 
vary across covered institutions.\1138\ For example, because smaller 
covered institutions are less likely to have an existing incident 
response program than larger covered institutions, some small entities 
may be more likely to face greater costs but also expect greater 
benefits complying with the final amendments, because they must adopt 
and implement new procedures. Creating new programs will likely cost 
more, but the new programs would result in improved efficacy in 
notifying customers and improve the manner incidents are handled. 
Smaller entities may have less negotiating power than larger entities, 
so requiring contracts with service providers could potentially be more 
detrimental to them than other entities. Additionally, smaller covered 
institutions are less likely to have a national presence, so small 
entities whose customers are concentrated in States with less 
informative customer notification laws are likely to face higher costs 
to comply with the final amendments. These costs and benefits may have 
an effect on competition for smaller entities.\1139\
---------------------------------------------------------------------------

    \1138\ See supra section IV.
    \1139\ See supra section IV.E.
---------------------------------------------------------------------------

    We have revised the final amendments in several ways to mitigate 
potential compliance costs that small entities may face, as raised by 
commenters. As previously discussed, the changes made to the service 
provider provisions of the amendments requiring that the covered 
institution's policies and procedures are reasonably designed to 
oversee, monitor, and conduct due diligence on service providers 
instead of requiring written contracts between covered institutions and 
their service providers, and requiring that the covered institution's 
policies and procedures be reasonably designed to ensure service 
providers take appropriate measures to notify covered institutions of 
an applicable breach in security within 72 hours instead of 48 hours) 
may reduce some costs relative to the proposal and facilitate their 
implementation, especially for smaller covered institutions.\1140\ For 
example, it could potentially reduce compliance costs by reducing the 
number of notices being sent (e.g., if the covered institution is able 
to determine that a notice is not needed or if it is able to determine 
with more precision which individuals must be notified).\1141\ 
Additionally, we are now adopting a longer compliance period of 24 
months for smaller covered institutions, who are less likely to already 
have policies and procedures broadly consistent with the final 
amendments.
---------------------------------------------------------------------------

    \1140\ See supra section IV.
    \1141\ See supra section IV.
---------------------------------------------------------------------------

    Moreover, the final amendments still maintain that the incident 
response program must include policies and procedures containing 
certain general elements but will not prescribe specific steps a 
covered institution must undertake when carrying out incident response 
activities, thereby enabling covered institutions to create policies 
and procedures best suited to their particular circumstances, including 
size. This design balances the necessity of maintaining general 
elements to achieve the investor protection objectives the amendments 
are designed to achieve, while still providing covered institutions the 
ability to tailor policies to their individual needs. We will not 
exempt small entities from any specific requirements, because entities 
of all sizes are vulnerable to the types of data security breach 
incidents we are trying to address, and therefore, no entity should be 
exempted from requirements, regardless of size.\1142\
---------------------------------------------------------------------------

    \1142\ See infra section VI.E for further discussion of 
exemption based upon size.
---------------------------------------------------------------------------

    Additionally, one commenter argued that the Commission does not 
accurately analyze the impact of its regulations on small advisers as 
required under the RFA because according to the commenter, virtually no 
SEC-registered advisers fall under the ``asset-based'' definition of 
small adviser adopted by the Commission.\1143\ However, the commenter 
believes that the vast majority of advisers are small businesses.\1144\ 
The commenter stated that the Commission adopted Rule 0-7 under the 
Advisers Act defining ``small business'' or ``small organization'' for 
purposes of treatment as a ``small entity'' under the RFA as including 
an investment adviser that has less than $25 million in assets under 
management, but with few exceptions, advisers are not permitted to 
register with the Commission unless they have at least $100 million in 
assets under management.\1145\ The commenter argued that this makes any 
analysis the Commission does regarding the impact on smaller advisers 
virtually meaningless.\1146\ As discussed below, we estimate that 
approximately 872 broker-dealers,\1147\ 132 transfer agents, 81 
investment companies, and 579 registered investment advisers may be 
considered small entities under the Regulatory Flexibility Act.\1148\ 
The Commission takes seriously the potential impact of any new rule on 
these advisers who meet this definition and on other smaller advisers 
that do not meet the definition of small entity under the Regulatory 
Flexibility Act, as considered and discussed throughout this release.
---------------------------------------------------------------------------

    \1143\ See IAA Comment Letter 2.
    \1144\ See IAA Comment Letter 2.
    \1145\ See IAA Comment Letter 2.
    \1146\ See IAA Comment Letter 2.
    \1147\ This 872 broker-dealers includes 89 funding portals.
    \1148\ See infra section VI.C.
---------------------------------------------------------------------------

C. Small Entities Subject to Final Amendments

    The final amendments to Regulation S-P will affect brokers, 
dealers, registered investment advisers, investment companies, and 
transfer agents, including entities that are considered to be a small 
business or small organization (collectively, ``small entity'') for 
purposes of the RFA. For purposes of the RFA, under the Exchange Act a 
broker or dealer is a small entity if it: (i) had total capital of less 
than $500,000 on the date in its prior fiscal year as of which its 
audited financial statements were prepared or, if not required to file 
audited financial statements, on the last business day of its prior 
fiscal year; and (ii) is not affiliated with any person that is not a 
small entity.\1149\ A transfer agent is a small entity if it: (i) 
received less than 500 items for transfer and less than 500 items for 
processing during the preceding six months; (ii) transferred items only 
of issuers that are small entities; (iii) maintained master shareholder 
files that in the aggregate contained less than 1,000 shareholder 
accounts or was the named transfer agent for less than 1,000 
shareholder accounts at all times during the preceding fiscal year; and 
(iv) is not affiliated with any person that is not a small 
entity.\1150\ Under the Investment Company Act, investment companies 
are considered small entities if they, together with other funds in the 
same

[[Page 47783]]

group of related funds, have net assets of $50 million or less as of 
the end of its most recent fiscal year.\1151\ Under the Investment 
Advisers Act, a small entity is an investment adviser that: (i) manages 
less than $25 million in assets; (ii) has total assets of less than $5 
million on the last day of its most recent fiscal year; and (iii) does 
not control, is not controlled by, and is not under common control with 
another investment adviser that manages $25 million or more in assets, 
or any person that has had total assets of $5 million or more on the 
last day of the most recent fiscal year.\1152\
---------------------------------------------------------------------------

    \1149\ 17 CFR 240.0-10. Funding portals, who are considered 
``brokers'' for purposes of this release unless otherwise noted, are 
also included in this definition. See 17 CFR 227.403(b); See also 
supra footnote 5.
    \1150\ Id.
    \1151\ 17 CFR 270.0-10.
    \1152\ 17 CFR 275.0-7.
---------------------------------------------------------------------------

    Based on Commission filings, we estimate that approximately 872 
broker-dealers,\1153\ 132 transfer agents,\1154\ 81 investment 
companies,\1155\ and 579 registered investment advisers \1156\ may be 
considered small entities.
---------------------------------------------------------------------------

    \1153\ Estimate based on Q3 2023 FOCUS Report data, staff 
analysis and public filings. This 872 broker-dealers includes 89 
funding portals.
    \1154\ Estimate based on the number of transfer agents that 
reported a value of fewer than 1,000 for items 4(a) and 5(a) on Form 
TA-2 collected by the Commission as of September 30, 2023.
    \1155\ Based on Commission staff approximation that 
approximately 41 open-end funds (including 10 exchange-traded 
funds), 23 closed-end funds, 3 UITs and 14 business development 
companies are small entities. This estimate is derived from an 
analysis of data obtained from Morningstar Direct and data reported 
to the Commission (e.g., N-PORT, N-CSR, 10-Q and 10-K) for the 
second quarter of 2023.
    \1156\ Based on SEC-registered adviser responses to Items 5.F. 
and 12 of Form ADV as of October 5, 2023.
---------------------------------------------------------------------------

D. Projected Reporting, Recordkeeping, and Other Compliance 
Requirements

    The final amendments to Regulation S-P will require covered 
institutions to develop incident response programs for unauthorized 
access to or use of customer information, as well as imposing a 
customer notification obligation in instances where sensitive customer 
information was, or is reasonably likely to have been, accessed or used 
without authorization. The final amendments also would include new 
mandatory recordkeeping requirements and language conforming Regulation 
S-P's annual privacy notice delivery provisions to the terms of a 
statutory exception.
    Under the final amendments, covered institutions would have to 
develop, implement, and maintain, within their written policies and 
procedures designed to comply with Regulation S-P, a program that is 
reasonably designed to detect, respond to, and recover from 
unauthorized access to or use of customer information, including 
customer notification procedures. Such policies and procedures will 
also need to require that covered institutions oversee, monitor, and 
conduct due diligence on service providers and ensure that service 
providers take appropriate measures to notify covered institutions of 
an applicable breach in security within 72 hours. Upon receipt of such 
notification, the covered institution must initiate its incident 
response program. As part of its incident response program, a covered 
institution may also enter into a written agreement with its service 
provider to have the service provider notify affected individuals on 
its behalf. However, the covered institution's obligation to ensure 
that affected individuals are notified in accordance with paragraph 
(a)(4) of the final amendments rests with the covered institution.
    In addition, covered institutions will be required to make and 
maintain specified written records designed to evidence compliance with 
these requirements.\1157\ Such records will be required to be 
maintained starting from when the record was made, or from when the 
covered institution terminated the use of the written policy or 
procedure, for the time periods stated in the amended recordkeeping 
regulations for each type of covered institution.
---------------------------------------------------------------------------

    \1157\ With regard to funding portals, please see discussion as 
to their applicable recordkeeping obligations supra footnote 385 and 
accompanying discussion.
---------------------------------------------------------------------------

    Some covered institutions, including covered institutions that are 
small entities, will incur increased costs involved in reviewing and 
revising their current safeguarding policies and procedures to comply 
with these obligations, including their cybersecurity policies and 
procedures. Initially, this will require covered institutions to 
develop as part of their written policies and procedures under the 
safeguards rule, a program reasonably designed to detect, respond to, 
and recover from any unauthorized access to or use of customer 
information, including customer notification procedures, in a manner 
that provides clarity for firm personnel. Further, in developing these 
policies and procedures, covered institutions will need to include 
policies and procedures requiring the covered institution to ensure its 
service providers take appropriate measures to protect against 
unauthorized access to or use of customer information, and notify the 
covered institution as soon as possible, but no later than 72 hours 
after becoming aware that a breach in security has occurred resulting 
in unauthorized access to a customer information system maintained by 
the service provider, and upon receipt of such notification, the 
covered institution must initiate its response program. However, as the 
Commission recognizes the number and varying characteristics (e.g., 
size, business, and sophistication) of covered institutions, these 
final amendments would help covered institutions to tailor these 
policies and procedures and related incident response program based on 
the individual facts and circumstances of the firm, and provide 
flexibility in addressing the general elements of the response program 
requirements based on the size and complexity of the covered 
institution and the nature and scope of its activities.
    In addition, the Commission acknowledges that the final amendments 
will impose greater costs on those transfer agents that are registered 
with another appropriate regulatory agency, if they are not currently 
subject to Regulation S-P, as well as those transfer agents registered 
with the Commission who are not currently subject to the safeguards 
rule. Such costs will include the development and implementation of 
necessary policies and procedures, the ongoing costs of required 
recordkeeping and maintenance requirements, and, where necessary, the 
costs to comply with the customer notification requirements of the 
final amendments. Such costs will also include the same minimal costs 
for employee training or establishing clear procedures for consumer 
report information disposal that are imposed on all covered 
institutions. To the extent that such costs are being applied to a 
transfer agent for the first time as a result of new obligations being 
imposed, the final amendments would incur higher present costs on those 
transfer agents than those covered institutions that are already 
subject to the safeguards rule and the disposal rule.
    To comply with these amendments on an ongoing basis, covered 
institutions will need to respond appropriately to incidents that 
entail the unauthorized access to or use of customer information. This 
will entail carrying out the established response program procedures to 
(i) assess the nature and scope of any incident involving unauthorized 
access to or use of customer information and identify the customer 
information systems and types of customer information that may have 
been accessed or used without authorization; (ii) take appropriate 
steps to contain and control the incident to prevent further 
unauthorized access to

[[Page 47784]]

or use of customer information; and (iii) notify each affected 
individual whose sensitive customer information was, or is reasonably 
likely to have been, accessed or used without authorization, unless the 
covered institution determines, after a reasonable investigation of the 
facts and circumstances of the incident of unauthorized access to or 
use of sensitive customer information, that the sensitive customer 
information has not been, and is not reasonably likely to be, used in a 
manner that would result in substantial harm or inconvenience.
    Where the covered institution determines notice is required, the 
covered institution will need to provide a clear and conspicuous 
notice, or ensure that such notice is provided, to each affected 
individual whose sensitive customer information was, or is reasonably 
likely to have been, accessed or used without authorization. This 
notice must be provided as soon as reasonably practicable, but not 
later than 30 days, after the covered institution becomes aware that 
unauthorized access to or use of sensitive customer information has, or 
is reasonably likely to have, occurred, absent an applicable request 
from the Attorney General. This notice will need to be transmitted by a 
means designed to ensure that each affected individual can reasonably 
be expected to receive actual notice in writing. Further, the covered 
institution will need to satisfy the specified content requirements of 
that notice,\1158\ the preparation of which will incur some incremental 
additional costs on covered institutions.
---------------------------------------------------------------------------

    \1158\ See final rule 248.30(a)(4)(iv). In particular, the 
covered institution would need to: (i) describe in general terms the 
incident and the type of sensitive customer information that was or 
is reasonably believed to have been accessed or used without 
authorization; (ii) include, if the information is reasonably 
possible to determine at the time the notice is provided, any of the 
following: the date of the incident, the estimated date of the 
incident, or the date range within which the incident occurred; 
(iii) include contact information sufficient to permit an affected 
individual to contact the covered institution to inquire about the 
incident, including the following: a telephone number (which should 
be a toll-free number if available), an email address or equivalent 
method or means, a postal address, and the name of a specific office 
to contact for further information and assistance; (iv) if the 
individual has an account with the covered institution, recommend 
that the customer review account statements and immediately report 
any suspicious activity to the covered institution; (v) explain what 
a fraud alert is and how an individual may place a fraud alert in 
the individual's credit reports to put the individual's creditors on 
notice that the individual may be a victim of fraud, including 
identity theft; (vi) recommend that the individual periodically 
obtain credit reports from each nationwide credit reporting company 
and that the individual have information relating to fraudulent 
transactions deleted; (vii) explain how the individual may obtain a 
credit report free of charge; and (viii) include information about 
the availability of online guidance from the FTC and usa.gov 
regarding steps an individual can take to protect against identity 
theft, a statement encouraging the individual to report any 
incidents of identity theft to the FTC, and include the FTC's 
website address where individuals may obtain government information 
about identity theft and report suspected incidents of identity 
theft.
---------------------------------------------------------------------------

    Finally, covered institutions will also face costs in complying 
with the new recordkeeping requirements imposed by these amendments 
that are incrementally more than those costs covered institutions 
already incur from their existing regulatory recordkeeping obligations, 
in light of their already existing record retention systems. However, 
the record maintenance provisions align with those most frequently 
employed as to each covered institution subject to this rulemaking, 
partially in an effort to minimize these costs to firms.
    Overall, incremental costs will be associated with the final 
amendments to Regulation S-P.\1159\ Some proportion of large or small 
institutions would be likely to experience some increase in costs to 
comply with the amendments.
---------------------------------------------------------------------------

    \1159\ Covered institutions are currently subject to similar 
recordkeeping requirements applicable to other required policies and 
procedures. Therefore, covered institutions will generally not need 
to invest in new recordkeeping staff, systems, or procedures to 
satisfy the new recordkeeping requirements.
---------------------------------------------------------------------------

    More specifically, we estimate that many covered institutions will 
incur one-time costs related to reviewing and revising their current 
safeguarding policies and procedures to comply with these obligations, 
including their cybersecurity policies and procedures. Additionally, 
some covered institutions, including transfer agents, may incur costs 
associated with establishing such policies and procedures as these 
amendments require if those covered institutions do not already have 
such policies and procedures. We also estimate that the ongoing, long-
term costs associated with the final amendments could include costs of 
responding appropriately to incidents that entail the unauthorized 
access to or use of customer information.

E. Agency Action To Minimize Effect on Small Entities

    The RFA directs us to consider alternatives that would accomplish 
our stated objectives, while minimizing any significant adverse impact 
on small entities. Accordingly, we considered the following 
alternatives:
    1. Establishing different compliance or reporting standards that 
take into account the resources available to small entities;
    2. The clarification, consolidation, or simplification of the 
reporting and compliance requirements under the rule for small 
entities;
    3. Use of performance rather than design standards; and
    4. Exempting small entities from coverage of the rule, or any part 
of the rule.
    With regard to the first alternative, the final amendments to 
Regulation S-P that will continue to permit institutions substantial 
flexibility to design safeguarding policies and procedures appropriate 
for their size and complexity, the nature and scope of their 
activities, and the sensitivity of the personal information at issue. 
However, it is necessary to require that covered institutions, 
regardless of their size, adopt a response program for incidents of 
unauthorized access to or use of customer information, which will 
include customer notification procedures.\1160\ The amendments to 
Regulation S-P arise from our concern with the increasing number of 
information security breaches that have come to light in recent years, 
particularly those involving institutions regulated by the Commission. 
Establishing different compliance or reporting requirements for small 
entities could lead to less favorable protections for these entities' 
customers and compromise the effectiveness of the amendments. However, 
we are providing smaller covered institutions a longer compliance 
period to establish and implement processes to comply with the final 
amendments.
---------------------------------------------------------------------------

    \1160\ See final rule 248.30(a)(3).
---------------------------------------------------------------------------

    With regard to the second alternative, the final amendments will, 
by their operation, simplify reporting and compliance requirements for 
small entities. Small covered institutions are likely to maintain 
personal information on fewer individuals than large covered 
institutions, and they are likely to have relatively simple personal 
information systems. The amendments will not prescribe specific steps a 
covered institution must take in response to a data breach, but instead 
would give the institution flexibility to tailor its policies and 
procedures to its individual facts and circumstances. The amendments 
therefore are intended to give covered institutions the flexibility to 
address the general elements in the response program based on the size 
and complexity of the institution and the nature and scope of its 
activities. Accordingly, the requirements of the amendments already 
will be simplified for small entities. In addition, the requirements of 
the amendments could

[[Page 47785]]

not be further simplified, or clarified or consolidated, without 
compromising the investor protection objectives the amendments are 
designed to achieve.
    With regard to the third alternative, the final amendments are 
design based. Rather than specifying the types of policies and 
procedures that an institution would be required to include in its 
response program, the amendments will require a response program that 
is reasonably designed to detect, respond to, and recover from both 
unauthorized access to and unauthorized use of customer information. 
With respect to the specific requirements regarding notifications in 
the event of a data breach, institutions provide only the information 
that seems most relevant for an affected customer to know in order to 
assess adequately the potential damage that could result from the 
breach and to develop an appropriate response.
    Finally, with regard to alternative four, an exemption for small 
entities would not be appropriate. Small entities are as vulnerable as 
large ones to the types of data security breach incidents we are trying 
to address. In this regard, the specific elements the final amendments 
must be considered and incorporated into the policies and procedures of 
all covered institutions, regardless of their size, to mitigate the 
potential for fraud or other substantial harm or inconvenience to 
investors. Exempting small entities from coverage of the amendments or 
any part of the amendments could compromise the effectiveness of the 
amendments and harm investors by lowering standards for safeguarding 
investor information maintained by small covered institutions. 
Excluding small entities from requirements that would be applicable to 
larger covered institutions also could create competitive disparities 
between large and small entities, for example by undermining investor 
confidence in the security of information maintained by small covered 
institutions.

Statutory Authority

    The Commission is amending Regulation S-P pursuant to authority set 
forth in sections 17, 17A, 23, and 36 of the Exchange Act [15 U.S.C. 
78q, 78q-1, 78w, and 78mm], sections 31 and 38 of the Investment 
Company Act [15 U.S.C. 80a-30 and 80a-37], sections 204, 204A, and 211 
of the Investment Advisers Act [15 U.S.C. 80b-4, 80b-4a, and 80b-11], 
section 628(a) of the FCRA [15 U.S.C. 1681w(a)], and sections 501, 504, 
505, and 525 of the GLBA [15 U.S.C. 6801, 6804, 6805, and 6825].

List of Subjects

17 CFR Part 240

    Reporting and recordkeeping requirements; Securities.

17 CFR Part 248

    Brokers, Consumer protection, Dealers, Investment advisers, 
Investment companies, Privacy, Reporting and recordkeeping 
requirements, Securities, Transfer agents.

17 CFR Parts 270 and 275

    Reporting and recordkeeping requirements; Securities.

Text of Rule Amendments

    For the reasons set out in the preamble, title 17, chapter II of 
the Code of Federal Regulations is amended as follows:

PART 240--GENERAL RULES AND REGULATIONS, SECURITIES EXCHANGE ACT OF 
1934

0
1. The authority citation for part 240 and the sectional authorities 
for Sec. Sec.  240.17a-14 and 240.17Ad-7 are revised to read, as 
follows:

    Authority: 15 U.S.C. 77c, 77d, 77g, 77j, 77s, 77z-2, 77z-3, 
77eee, 77ggg, 77nnn, 77sss, 77ttt, 78c, 78c-3, 78c-5, 78d, 78e, 78f, 
78g, 78i, 78j, 78j-1, 78j-4, 78k, 78k-1, 78l, 78m, 78n, 78n-1, 78o, 
78o-4, 78o-10, 78p, 78q, 78q-1, 78s, 78u-5, 78w, 78x, 78dd, 78ll, 
78mm, 80a-20, 80a-23, 80a-29, 80a-37, 80b-3, 80b-4, 80b-11, 
1681w(a)(1), 6801-6809, 6825, 7201 et seq., and 8302; 7 U.S.C. 
2(c)(2)(E); 12 U.S.C. 5221(e)(3); 18 U.S.C. 1350; Pub. L. 111-203, 
939A, 124 Stat. 1376 (2010); and Pub. L. 112-106, sec. 503 and 602, 
126 Stat. 326 (2012), unless otherwise noted.
* * * * *
    Section 240.17a-14 is also issued under Public Law 111-203, sec. 
913, 124 Stat. 1376 (2010).
* * * * *
    Section 240.17ad-7 is also issued under 15 U.S.C. 78b, 78q, and 
78q-1.
* * * * *

0
2. Amend Sec.  240.17a-4 by adding a reserved paragraph (e)(13) and 
adding paragraph (e)(14) to read as follows:


Sec.  240.17a-4  Records to be preserved by certain exchange members, 
brokers and dealers.

* * * * *
    (e) * * *
    (13) [Reserved]
    (14)(i) The written policies and procedures required to be adopted 
and implemented pursuant to Sec.  248.30(a)(1) of this chapter until 
three years after the termination of the use of the policies and 
procedures;
    (ii) The written documentation of any detected unauthorized access 
to or use of customer information, as well as any response to, and 
recovery from such unauthorized access to or use of customer 
information required by Sec.  248.30(a)(3) of this chapter for three 
years from the date when the records were made;
    (iii) The written documentation of any investigation and 
determination made regarding whether notification is required pursuant 
to Sec.  248.30(a)(4) of this chapter, including the basis for any 
determination made, any written documentation from the United States 
Attorney General related to a delay in notice, as well as a copy of any 
notice transmitted following such determination, for three years from 
the date when the records were made;
    (iv) The written policies and procedures required to be adopted and 
implemented pursuant to Sec.  248.30(a)(5)(i) of this chapter until 
three years after the termination of the use of the policies and 
procedures;
    (v) The written documentation of any contract or agreement entered 
into pursuant to Sec.  248.30(a)(5) of this chapter until three years 
after the termination of such contract or agreement; and
    (vi) The written policies and procedures required to be adopted and 
implemented pursuant to Sec.  248.30(b)(2) of this chapter until three 
years after the termination of the use of the policies and procedures;
* * * * *


Sec.  240.17Ad-7  [Redesignated as Sec.  240.17ad-7].

0
3. Redesignate Sec.  240.17Ad-7 as Sec.  240.17ad-7.

0
4. Amend newly redesignated Sec.  240.17ad-7 by:
0
a. Revising the section heading;
0
b. Adding a reserved paragraph (j); and
0
c. Adding paragraph (k).
    The revision and additions read as follows:


Sec.  240.17ad-7  (Rule 17Ad-7) Record retention.

* * * * *
    (j) [Reserved]
    (k) Every registered transfer agent shall maintain in an easily 
accessible place:
    (1) The written policies and procedures required to be adopted and 
implemented pursuant to Sec.  248.30(a)(1) of this chapter for no less 
than three years after the termination of the use of the policies and 
procedures;
    (2) The written documentation of any detected unauthorized access 
to or use of customer information, as well as any

[[Page 47786]]

response to, and recovery from such unauthorized access to or use of 
customer information required by Sec.  248.30(a)(3) of this chapter for 
no less than three years from the date when the records were made;
    (3) The written documentation of any investigation and 
determination made regarding whether notification is required pursuant 
to Sec.  248.30(a)(4) of this chapter, including the basis for any 
determination made, any written documentation from the United States 
Attorney General related to a delay in notice, as well as a copy of any 
notice transmitted following such determination, for no less than three 
years from the date when the records were made;
    (4) The written policies and procedures required to be adopted and 
implemented pursuant to Sec.  248.30(a)(5)(i) of this chapter until 
three years after the termination of the use of the policies and 
procedures;
    (5) The written documentation of any contract or agreement entered 
into pursuant to Sec.  248.30(a)(5) of this chapter until three years 
after the termination of such contract or agreement; and
    (6) The written policies and procedures required to be adopted and 
implemented pursuant to Sec.  248.30(b)(2) of this chapter for no less 
than three years after the termination of the use of the policies and 
procedures.

PART 248--REGULATIONS S-P, S-AM, and S-ID

0
5. The authority citation for part 248 continues to read as follows:

    Authority: 15 U.S.C. 78q, 78q-1, 78o-4, 78o-5, 78w, 78mm, 80a-
30, 80a-37, 80b-4, 80b-11, 1681m(e), 1681s(b), 1681s-3 and note, 
1681w(a)(1), 6801-6809, and 6825; Pub. L. 111-203, secs. 1088(a)(8), 
(a)(10), and sec. 1088(b), 124 Stat. 1376 (2010).
* * * * *

0
6. Amend Sec.  248.5 by revising paragraph (a)(1) and adding paragraph 
(e) to read as follows:


Sec.  248.5  Annual privacy notice to customers required.

    (a)(1) General rule. Except as provided by paragraph (e) of this 
section, you must provide a clear and conspicuous notice to customers 
that accurately reflects your privacy policies and practices not less 
than annually during the continuation of the customer relationship. 
Annually means at least once in any period of 12 consecutive months 
during which that relationship exists. You may define the 12-
consecutive-month period, but you must apply it to the customer on a 
consistent basis.
* * * * *
    (e) Exception to annual privacy notice requirement--(1) When 
exception available. You are not required to deliver an annual privacy 
notice if you:
    (i) Provide nonpublic personal information to nonaffiliated third 
parties only in accordance with Sec.  248.13, Sec.  248.14, or Sec.  
248.15; and
    (ii) Have not changed your policies and practices with regard to 
disclosing nonpublic personal information from the policies and 
practices that were disclosed to the customer under Sec.  248.6(a)(2) 
through (5) and (9) in the most recent privacy notice provided pursuant 
to this part.
    (2) Delivery of annual privacy notice after financial institution 
no longer meets the requirements for exception. If you have been 
excepted from delivering an annual privacy notice pursuant to paragraph 
(e)(1) of this section and change your policies or practices in such a 
way that you no longer meet the requirements for that exception, you 
must comply with paragraph (e)(2)(i) or (ii) of this section, as 
applicable.
    (i) Changes preceded by a revised privacy notice. If you no longer 
meet the requirements of paragraph (e)(1) of this section because you 
change your policies or practices in such a way that Sec.  248.8 
requires you to provide a revised privacy notice, you must provide an 
annual privacy notice in accordance with the timing requirement in 
paragraph (a) of this section, treating the revised privacy notice as 
an initial privacy notice.
    (ii) Changes not preceded by a revised privacy notice. If you no 
longer meet the requirements of paragraph (e)(1) of this section 
because you change your policies or practices in such a way that Sec.  
248.8 does not require you to provide a revised privacy notice, you 
must provide an annual privacy notice within 100 days of the change in 
your policies or practices that causes you to no longer meet the 
requirement of paragraph (e)(1) of this section.
    (iii) Examples. (A) You change your policies and practices in such 
a way that you no longer meet the requirements of paragraph (e)(1) of 
this section effective April 1 of year 1. Assuming you define the 12-
consecutive-month period pursuant to paragraph (a) of this section as a 
calendar year, if you were required to provide a revised privacy notice 
under Sec.  248.8 and you provided that notice on March 1 of year 1, 
you must provide an annual privacy notice by December 31 of year 2. If 
you were not required to provide a revised privacy notice under Sec.  
248.8, you must provide an annual privacy notice by July 9 of year 1.
    (B) You change your policies and practices in such a way that you 
no longer meet the requirements of paragraph (e)(1) of this section, 
and so provide an annual notice to your customers. After providing the 
annual notice to your customers, you once again meet the requirements 
of paragraph (e)(1) of this section for an exception to the annual 
notice requirement. You do not need to provide additional annual notice 
to your customers until such time as you no longer meet the 
requirements of paragraph (e)(1) of this section.


Sec.  248.17  [Amended]

0
7. Amend Sec.  248.17 in paragraph (b) by removing the words ``Federal 
Trade Commission'' and adding in their place ``Consumer Financial 
Protection Bureau'' and removing the words ``Federal Trade 
Commission's'' and adding in their place ``Consumer Financial 
Protection Bureau's''.

0
8. Revise Sec.  248.30 to read as follows:


Sec.  248.30  Procedures to safeguard customer information, including 
response programs for unauthorized access to customer information and 
customer notice; disposal of customer information and consumer 
information.

    (a) Policies and procedures to safeguard customer information--(1) 
General requirements. Every covered institution must develop, 
implement, and maintain written policies and procedures that address 
administrative, technical, and physical safeguards for the protection 
of customer information.
    (2) Objectives. These written policies and procedures must be 
reasonably designed to:
    (i) Ensure the security and confidentiality of customer 
information;
    (ii) Protect against any anticipated threats or hazards to the 
security or integrity of customer information; and
    (iii) Protect against unauthorized access to or use of customer 
information that could result in substantial harm or inconvenience to 
any customer.
    (3) Response programs for unauthorized access to or use of customer 
information. Written policies and procedures in paragraph (a)(1) of 
this section must include a program reasonably designed to detect, 
respond to, and recover from unauthorized access to or use of customer 
information, including customer notification procedures. This response 
program must include procedures for the covered institution to:
    (i) Assess the nature and scope of any incident involving 
unauthorized access

[[Page 47787]]

to or use of customer information and identify the customer information 
systems and types of customer information that may have been accessed 
or used without authorization;
    (ii) Take appropriate steps to contain and control the incident to 
prevent further unauthorized access to or use of customer information; 
and
    (iii) Notify each affected individual whose sensitive customer 
information was, or is reasonably likely to have been, accessed or used 
without authorization in accordance with paragraph (a)(4) of this 
section unless the covered institution determines, after a reasonable 
investigation of the facts and circumstances of the incident of 
unauthorized access to or use of sensitive customer information, that 
the sensitive customer information has not been, and is not reasonably 
likely to be, used in a manner that would result in substantial harm or 
inconvenience.
    (4) Notifying affected individuals of unauthorized access or use--
(i) Notification obligation. Unless a covered institution has 
determined, after a reasonable investigation of the facts and 
circumstances of the incident of unauthorized access to or use of 
sensitive customer information that occurred at the covered institution 
or one of its service providers that is not itself a covered 
institution, that sensitive customer information has not been, and is 
not reasonably likely to be, used in a manner that would result in 
substantial harm or inconvenience, the covered institution must provide 
a clear and conspicuous notice, or ensure that such notice is provided, 
to each affected individual whose sensitive customer information was, 
or is reasonably likely to have been, accessed or used without 
authorization. The notice must be transmitted by a means designed to 
ensure that each affected individual can reasonably be expected to 
receive actual notice in writing.
    (ii) Affected individuals. If an incident of unauthorized access to 
or use of customer information has occurred or is reasonably likely to 
have occurred, but the covered institution is unable to identify which 
specific individuals' sensitive customer information has been accessed 
or used without authorization, the covered institution must provide 
notice to all individuals whose sensitive customer information resides 
in the customer information system that was, or was reasonably likely 
to have been, accessed or used without authorization. Notwithstanding 
the foregoing, if the covered institution reasonably determines that a 
specific individual's sensitive customer information that resides in 
the customer information system was not accessed or used without 
authorization, the covered institution is not required to provide 
notice to that individual under this paragraph.
    (iii) Timing. A covered institution must provide the notice as soon 
as practicable, but not later than 30 days, after becoming aware that 
unauthorized access to or use of customer information has occurred or 
is reasonably likely to have occurred unless the United States Attorney 
General determines that the notice required under this rule poses a 
substantial risk to national security or public safety, and notifies 
the Commission of such determination in writing, in which case the 
covered institution may delay providing such notice for a time period 
specified by the Attorney General, up to 30 days following the date 
when such notice was otherwise required to be provided. The notice may 
be delayed for an additional period of up to 30 days if the Attorney 
General determines that the notice continues to pose a substantial risk 
to national security or public safety and notifies the Commission of 
such determination in writing. In extraordinary circumstances, notice 
required under this section may be delayed for a final additional 
period of up to 60 days if the Attorney General determines that such 
notice continues to pose a substantial risk to national security and 
notifies the Commission of such determination in writing. Beyond the 
final 60-day delay under this paragraph (a)(4)(iii), if the Attorney 
General indicates that further delay is necessary, the Commission will 
consider additional requests for delay and may grant such delay through 
Commission exemptive order or other action.
    (iv) Notice contents. The notice must:
    (A) Describe in general terms the incident and the type of 
sensitive customer information that was or is reasonably believed to 
have been accessed or used without authorization;
    (B) Include, if the information is reasonably possible to determine 
at the time the notice is provided, any of the following: the date of 
the incident, the estimated date of the incident, or the date range 
within which the incident occurred;
    (C) Include contact information sufficient to permit an affected 
individual to contact the covered institution to inquire about the 
incident, including the following: a telephone number (which should be 
a toll-free number if available), an email address or equivalent method 
or means, a postal address, and the name of a specific office to 
contact for further information and assistance;
    (D) If the individual has an account with the covered institution, 
recommend that the customer review account statements and immediately 
report any suspicious activity to the covered institution;
    (E) Explain what a fraud alert is and how an individual may place a 
fraud alert in the individual's credit reports to put the individual's 
creditors on notice that the individual may be a victim of fraud, 
including identity theft;
    (F) Recommend that the individual periodically obtain credit 
reports from each nationwide credit reporting company and that the 
individual have information relating to fraudulent transactions 
deleted;
    (G) Explain how the individual may obtain a credit report free of 
charge; and
    (H) Include information about the availability of online guidance 
from the Federal Trade Commission and usa.gov regarding steps an 
individual can take to protect against identity theft, a statement 
encouraging the individual to report any incidents of identity theft to 
the Federal Trade Commission, and include the Federal Trade 
Commission's website address where individuals may obtain government 
information about identity theft and report suspected incidents of 
identity theft.
    (5) Service providers. (i) A covered institution's response program 
prepared in accordance with paragraph (a)(3) of this section must 
include the establishment, maintenance, and enforcement of written 
policies and procedures reasonably designed to require oversight, 
including through due diligence and monitoring, of service providers, 
including to ensure that the covered institution notifies affected 
individuals as set forth in paragraph (a)(4) of this section. The 
policies and procedures must be reasonably designed to ensure service 
providers take appropriate measures to:
    (A) Protect against unauthorized access to or use of customer 
information; and
    (B) Provide notification to the covered institution as soon as 
possible, but no later than 72 hours after becoming aware that a breach 
in security has occurred resulting in unauthorized access to a customer 
information system maintained by the service provider. Upon receipt of 
such notification, the covered institution must initiate its incident 
response program adopted pursuant to paragraph (a)(3) of this section.
    (ii) As part of its incident response program, a covered 
institution may enter into a written agreement with its

[[Page 47788]]

service provider to notify affected individuals on the covered 
institution's behalf in accordance with paragraph (a)(4) of this 
section.
    (iii) Notwithstanding a covered institution's use of a service 
provider in accordance with paragraphs (a)(5)(i) and (ii) of this 
section, the obligation to ensure that affected individuals are 
notified in accordance with paragraph (a)(4) of this section rests with 
the covered institution.
    (b) Disposal of consumer information and customer information--(1) 
Standard. Every covered institution, other than notice-registered 
broker-dealers, must properly dispose of consumer information and 
customer information by taking reasonable measures to protect against 
unauthorized access to or use of the information in connection with its 
disposal.
    (2) Written policies, procedures, and records. Every covered 
institution, other than notice-registered broker-dealers, must adopt 
and implement written policies and procedures that address the proper 
disposal of consumer information and customer information according to 
the standard identified in paragraph (b)(1) of this section.
    (3) Relation to other laws. Nothing in this paragraph (b) shall be 
construed:
    (i) To require any covered institution to maintain or destroy any 
record pertaining to an individual that is not imposed under other law; 
or
    (ii) To alter or affect any requirement imposed under any other 
provision of law to maintain or destroy records.
    (c) Recordkeeping. (1) Every covered institution that is an 
investment company under the Investment Company Act of 1940 (15 U.S.C. 
80a), but is not registered under section 8 thereof (15 U.S.C. 80a-8), 
must make and maintain:
    (i) The written policies and procedures required to be adopted and 
implemented pursuant to paragraph (a)(1) of this section;
    (ii) The written documentation of any detected unauthorized access 
to or use of customer information, as well as any response to, and 
recovery from such unauthorized access to or use of customer 
information required by paragraph (a)(3) of this section;
    (iii) The written documentation of any investigation and 
determination made regarding whether notification is required pursuant 
to paragraph (a)(4) of this section, including the basis for any 
determination made, any written documentation from the United States 
Attorney General related to a delay in notice, as well as a copy of any 
notice transmitted following such determination;
    (iv) The written policies and procedures required to be adopted and 
implemented pursuant to paragraph (a)(5)(i) of this section;
    (v) The written documentation of any contract or agreement entered 
into pursuant to paragraph (a)(5) of this section; and
    (vi) The written policies and procedures required to be adopted and 
implemented pursuant to paragraph (b)(2) of this section.
    (2) In the case of covered institutions described in paragraph 
(c)(1) of this section, such records, apart from any policies and 
procedures, must be preserved for a time period not less than six 
years, the first two years in an easily accessible place. In the case 
of policies and procedures required under paragraphs (a) and (b)(2) of 
this section, covered institutions described in paragraph (c)(1) of 
this section must maintain a copy of such policies and procedures in 
effect, or that at any time within the past six years were in effect, 
in an easily accessible place.
    (d) Definitions. As used in this section, unless the context 
otherwise requires:
    (1) Consumer information means:
    (i) Any record about an individual, whether in paper, electronic or 
other form, that is a consumer report or is derived from a consumer 
report, or a compilation of such records, that a covered institution 
maintains or otherwise possesses for a business purpose regardless of 
whether such information pertains to:
    (A) Individuals with whom the covered institution has a customer 
relationship; or
    (B) To the customers of other financial institutions where such 
information has been provided to the covered institution.
    (ii) Consumer information does not include information that does 
not identify individuals, such as aggregate information or blind data.
    (2) Consumer report has the same meaning as in section 603(d) of 
the Fair Credit Reporting Act (15 U.S.C. 1681a(d)).
    (3) Covered institution means any broker or dealer, any investment 
company, and any investment adviser or transfer agent registered with 
the Commission or another appropriate regulatory agency (``ARA'') as 
defined in section 3(a)(34)(B) of the Securities Exchange Act of 1934.
    (4) Customer. (i) Customer has the same meaning as in Sec.  
248.3(j) unless the covered institution is a transfer agent registered 
with the Commission or another ARA.
    (ii) With respect to a transfer agent registered with the 
Commission or another ARA, for purposes of this section, customer means 
any natural person who is a securityholder of an issuer for which the 
transfer agent acts or has acted as a transfer agent.
    (5) Customer information. (i) Customer information for any covered 
institution other than a transfer agent registered with the Commission 
or another ARA means any record containing nonpublic personal 
information as defined in Sec.  248.3(t) about a customer of a 
financial institution, whether in paper, electronic or other form, that 
is in the possession of a covered institution or that is handled or 
maintained by the covered institution or on its behalf regardless of 
whether such information pertains to:
    (A) Individuals with whom the covered institution has a customer 
relationship; or
    (B) To the customers of other financial institutions where such 
information has been provided to the covered institution.
    (ii) With respect to a transfer agent registered with the 
Commission or another ARA, customer information means any record 
containing nonpublic personal information as defined in Sec.  248.3(t) 
identified with any natural person, who is a securityholder of an 
issuer for which the transfer agent acts or has acted as transfer 
agent, that is in the possession of a transfer agent or that is handled 
or maintained by the transfer agent or on its behalf, regardless of 
whether such information pertains to individuals with whom the transfer 
agent has a customer relationship, or pertains to the customers of 
other financial institutions and has been provided to the transfer 
agent.
    (6) Customer information systems means the information resources 
owned or used by a covered institution, including physical or virtual 
infrastructure controlled by such information resources, or components 
thereof, organized for the collection, processing, maintenance, use, 
sharing, dissemination, or disposition of customer information to 
maintain or support the covered institution's operations.
    (7) Disposal means:
    (i) The discarding or abandonment of consumer information or 
customer information; or
    (ii) The sale, donation, or transfer of any medium, including 
computer equipment, on which consumer information or customer 
information is stored.

[[Page 47789]]

    (8) Notice-registered broker-dealer means a broker or dealer 
registered by notice with the Commission under section 15(b)(11) of the 
Securities Exchange Act of 1934 (15 U.S.C. 78o(b)(11)).
    (9) Sensitive customer information. (i) Sensitive customer 
information means any component of customer information alone or in 
conjunction with any other information, the compromise of which could 
create a reasonably likely risk of substantial harm or inconvenience to 
an individual identified with the information.
    (ii) Examples of sensitive customer information include:
    (A) Customer information uniquely identified with an individual 
that has a reasonably likely use as a means of authenticating the 
individual's identity, including
    (1) A Social Security number, official State- or government-issued 
driver's license or identification number, alien registration number, 
government passport number, employer or taxpayer identification number;
    (2) A biometric record;
    (3) A unique electronic identification number, address, or routing 
code;
    (4) Telecommunication identifying information or access device (as 
defined in 18 U.S.C. 1029(e)); or
    (B) Customer information identifying an individual or the 
individual's account, including the individual's account number, name 
or online user name, in combination with authenticating information 
such as information described in paragraph (d)(9)(ii)(A) of this 
section, or in combination with similar information that could be used 
to gain access to the customer's account such as an access code, a 
credit card expiration date, a partial Social Security number, a 
security code, a security question and answer identified with the 
individual or the individual's account, or the individual's date of 
birth, place of birth, or mother's maiden name.
    (10) Service provider means any person or entity that receives, 
maintains, processes, or otherwise is permitted access to customer 
information through its provision of services directly to a covered 
institution.
    (11) Transfer agent has the same meaning as in section 3(a)(25) of 
the Securities Exchange Act of 1934 (15 U.S.C. 78c(a)(25)).

PART 270--RULES AND REGULATIONS, INVESTMENT COMPANY ACT OF 1940

0
9. The authority citation for part 270 is revised to read as follows:

    Authority:  15 U.S.C. 80a-1 et seq., 80a-34(d), 80a-37, 80a-39, 
1681w(a)(1), 6801-6809, 6825, and Pub. L. 111-203, sec. 939A, 124 
Stat. 1376 (2010), unless otherwise noted.
* * * * *
    Section 270.31a-2 is also issued under 15 U.S.C. 80a-30.

0
10. Amend Sec.  270.31a-1 by adding paragraph (b)(13) to read as 
follows:


Sec.  270.31a-1  Records to be maintained by registered investment 
companies, certain majority-owned subsidiaries thereof, and other 
persons having transactions with registered investment companies.

* * * * *
    (b) * * *
    (13)(i) The written policies and procedures required to be adopted 
and implemented pursuant to Sec.  248.30(a)(1);
    (ii) The written documentation of any detected unauthorized access 
to or use of customer information, as well as any response to, and 
recovery from such unauthorized access to or use of customer 
information required by Sec.  248.30(a)(3);
    (iii) The written documentation of any investigation and 
determination made regarding whether notification is required pursuant 
to Sec.  248.30(a)(4), including the basis for any determination made, 
any written documentation from the United States Attorney General 
related to a delay in notice, as well as a copy of any notice 
transmitted following such determination;
    (iv) The written policies and procedures required to be adopted and 
implemented pursuant to Sec.  248.30(a)(5)(i);
    (v) The written documentation of any contract or agreement entered 
into pursuant to Sec.  248.30(a)(5); and
    (vi) The written policies and procedures required to be adopted and 
implemented pursuant to Sec.  248.30(b)(2).
* * * * *

0
11. Amend Sec.  270.31a-2 by:
0
a. In paragraph (a)(7), removing the period at the end of the paragraph 
and adding ``; and'' in its place; and
0
b. Adding paragraph (a)(8).
    The addition reads as follows:


Sec.  270.31a-2  Records to be preserved by registered investment 
companies, certain majority-owned subsidiaries thereof, and other 
persons having transactions with registered investment companies.

    (a) * * *
    (8) Preserve for a period not less than six years, the first two 
years in an easily accessible place, the records required by Sec.  
270.31a-1(b)(13) apart from any policies and procedures thereunder and, 
in the case of policies and procedures required under Sec.  270.31a-
1(b)(13), preserve a copy of such policies and procedures in effect, or 
that at any time within the past six years were in effect, in an easily 
accessible place.
* * * * *

PART 275--RULES AND REGULATIONS, INVESTMENT ADVISERS ACT OF 1940

0
12. The authority citation for part 275 is revised to read as follows:

    Authority:  15 U.S.C. 80b-2(a)(11)(G), 80b-2(a)(11)(H), 80b-
2(a)(17), 80b-3, 80b-4, 80b-4a, 80b-6(4), 80b-6a, 80b-11, 
1681w(a)(1), 6801-6809, and 6825, unless otherwise noted.
* * * * *
    Section 275.204-2 is also issued under 15 U.S.C. 80b-6.
* * * * *

0
13. Amend Sec.  275.204-2 by adding paragraph (a)(25) to read as 
follows:


Sec.  275.204-2  Books and records to be maintained by investment 
advisers.

    (a) * * *
    (25)(i) The written policies and procedures required to be adopted 
and implemented pursuant to Sec.  248.30(a)(1);
    (ii) The written documentation of any detected unauthorized access 
to or use of customer information, as well as any response to, and 
recovery from such unauthorized access to or use of customer 
information required by Sec.  248.30(a)(3) of this chapter;
    (iii) The written documentation of any investigation and 
determination made regarding whether notification is required pursuant 
to Sec.  248.30(a)(4) of this chapter, including the basis for any 
determination made, any written documentation from the United States 
Attorney General related to a delay in notice, as well as a copy of any 
notice transmitted following such determination;
    (iv) The written policies and procedures required to be adopted and 
implemented pursuant to Sec.  248.30(a)(5)(i) of this chapter;
    (v) The written documentation of any contract or agreement entered 
into pursuant to Sec.  248.30(a)(5) of this chapter; and
    (vi) The written policies and procedures required to be adopted and 
implemented pursuant to Sec.  248.30(b)(2) of this chapter.
* * * * *

    By the Commission.

    Dated: May 16, 2024.
Vanessa A. Countryman,
Secretary.
[FR Doc. 2024-11116 Filed 5-31-24; 8:45 am]
 BILLING CODE 8011-01-P