Today, the Commission is considering amendments to require covered firms to notify their customers of data breaches.[1] I support these amendments because, through making critical updates to a rule first adopted in 2000, this proposal would help protect the privacy of customers’ financial data.
In 1999, Congress passed a provision to help ensure that financial firms protect their customers’ financial data. As a member of the Treasury Department team at the time, I was proud to work with then-Congressman Ed Markey on this important legislation. The provision mandated that six federal agencies adopt rules to advance consumers’ privacy. The SEC did so through Regulation S-P, which requires covered firms to notify customers about how they use their financial information.
When this provision first passed Congress, the hit 1998 romantic comedy “You’ve Got Mail” still was in theaters, in which Meg Ryan and Tom Hanks fell for one another while exchanging emails over, you guessed it, AOL. As my daughters would remind me, that is part of ancient history. They might suggest I sign up for a service like BeReal.
Let’s be real. Over the last 24 years, the nature, scale, and impact of data breaches have transformed substantially. Complaints about identity theft have gone up threefold in just the four years from 2017 to 2021, per the FBI’s Internet Crime Complaint Center.[2]
Investors would benefit from a financial privacy rule more modern than the AOL era. Though the current rule requires covered firms to notify customers about how they use their financial information, these firms have no requirement to notify customers about breaches. I think we should close this gap.
Thus, under our proposal, covered firms would be required to notify customers of breaches that might put their personal financial data at risk. Critically, firms would need to help customers understand how to protect themselves from harm that might result from the breach.
Second, to ensure that covered firms properly identify when breaches occur, firms would need to monitor to detect whether sensitive customer data was accessed. They also would need to take appropriate action to respond to such breaches.
Third, the proposal would make explicit that covered firms are obligated to take measures to properly dispose of customer information. Recent recordkeeping charges settled by Morgan Stanley Smith Barney LLC speak to how important it is that market participants properly safeguard customer information.[3]
Fourth, the proposal would extend Reg S-P’s requirements to transfer agents. These firms maintain sensitive personal information relating to who owns a security, including when and how that security changes hands. I think it is important that transfer agents follow the same standards as the other covered firms, both when it comes to notifying about breaches and properly disposing of records.
We look forward to working with our fellow federal and state-level regulators to continue protecting customers from these breaches. In drafting this proposal, we benefitted from examining state-level laws to discern best practices.
I believe that these amendments, if adopted, would help customers maintain their privacy and protect themselves. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify… not as catchy as “You’ve Got Mail.”
But, you’ve got to agree… that’s good for investors.
I’d like to thank the members of the SEC staff who worked on this proposal, including:
- William Birdthistle, Sarah ten Siethoff, Thoreau Bartmann, Marc Mehrespand, Taylor Evenson, Aaron Ellias, Jessica Leonardo, Rachel Kuo, and Andrew Deglin in the Division of Investment Management;
- Haoxiang Zhu, David Saltiel, Andrea Orr, Emily Westerberg Russell, John Fahey, Devin Ryan, Edward Schellhorn, Susan Poklemba, Brice Prince, James Wintering, and Moshe Rothman in the Division of Trading and Markets;
- Jessica Wachter, Rebecca Orban, Lauren Moore, Alexander Schiller, Maciej Szefler, and Charles Woodworth in the Division of Economic and Risk Analysis;
- Megan Barbero, Meredith Mitchell, Malou Louise Huth, Robert Teply, Ronesha Butler, Maureen Johansen, Natalie Shioji, Alice Wang, Cathy Ahn, Kerry Dingle, Jeff Berger and Tracey Hardin in the Office of the General Counsel;
- James Maclean, Carrie O’Brien, Joseph Murphy, Alexis Hall, Colin Ray, Eric Garvey, Tina Barry, Karen Stevenson, Chris Carpenter, Sal Montemarano, and Keith Kanyan in the Division of Examinations; and
- Christine Jeon, Margaret McGuire, Gregory Smolar, Amy Flaherty Hartman, and Chris Carpenter in the Division of Enforcement.
[1] As specified in the release, covered institutions subject to Regulation S-P include registered investment advisers, investment companies, broker-dealers, and registered transfer agents.
[2] Footnote 7 in the release included the following citation: “Federal Bureau of Investigation, 2021 Internet Crime Report (Mar. 22, 2022), at 7-8, available at https://www.ic3.gov/Media/PDF/AnnualReport/2021_IC3Report.pdf (stating that the FBI’s Internet Crime Complaint Center received 847,376 complaints in 2021 (an increase of approximately 181% from 2017). The complaints included 51,629 related to identity theft and 51,829 related to personal data breaches (increases of approximately 193% and 68% from 2017, respectively)).”
[3] See Securities and Exchange Commission, “Morgan Stanley Smith Barney to Pay $35 Million for Extensive Failures to Safeguard Personal Information of Millions of Customers” (Sept. 20, 2022), available at https://www.sec.gov/news/press-release/2022-168.