On May 16, the U.S. Securities and Exchange Commission (“SEC”) adopted amendments to Regulation S-P, which implements the Gramm-Leach-Bliley Act (“GLBA”) for SEC-regulated entities such as broker-dealers, investment companies, registered investment advisers, and transfer agents.

Among other requirements, the amendments require SEC-regulated entities to adopt written policies and procedures for an incident response program that is “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”  Under the required incident response program, SEC-regulated entities must provide timely notification to individuals whose sensitive customer information was, or is reasonably likely to have been, accessed or used without authorization.  Other provisions address record keeping, annual privacy notices, and oversight of service providers, as well as expanding the scope of financial institutions and “customer information” covered by the rule.

The SEC had previously issued a proposed rule for comment in the Federal Register in April 2023.  Industry representatives raised a number of concerns with the rule, including conflicts between the proposed rule and state data breach laws and a lack of consistency with the safeguarding standards promulgated by other federal prudential regulators.  Despite these concerns, the final rule is substantially as proposed and reflects only minor revisions.  For example, the following changes have been made to the notification provisions of the final rule:

  • Clarification that the requirement does not apply in cases where an SEC-regulated entity reasonably determines that a specific individual’s sensitive customer information was not accessed or used without authorization.
  • Broadening the scope and timing requirements of the so-called “law enforcement exception” to allow delays in providing notifications where the Attorney General determines that notice would pose a substantial risk to public safety, in addition to national security.
  • No longer requiring that notifications include “what has been done to protect the sensitive customer information from further unauthorized access or use” given the risk that this information could advantage threat actors.

The final rule will become effective 60 days after publication in the Federal Register.

Sarah Parker

Sarah Parker is an associate in the firm’s Washington Office. Her practice focuses on privacy, advertising, and consumer protection regulatory matters and government investigations.

Sarah also maintains an active pro bono practice, with a focus on criminal justice and civil rights litigation.

Libbie Canter

Libbie Canter represents a wide variety of multinational companies on privacy, cyber security, and technology transaction issues, including helping clients with their most complex privacy challenges and the development of governance frameworks and processes to comply with global privacy laws. She routinely supports clients on their efforts to launch new products and services involving emerging technologies, and she has assisted dozens of clients with their efforts to prepare for and comply with federal and state privacy laws, including the California Consumer Privacy Act and California Privacy Rights Act.

Libbie represents clients across industries, but she also has deep expertise in advising clients in highly regulated sectors, including financial services and digital health companies. She counsels these companies, and their technology and advertising partners, on how to address legacy regulatory issues and the cutting-edge issues that have emerged with industry innovations and data collaborations.

As part of her practice, she also regularly represents clients in strategic transactions involving personal data and cybersecurity risk. She advises companies from all sectors on compliance with laws governing the handling of health-related data. Libbie is recognized as an Up and Coming lawyer in Chambers USA, Privacy & Data Security: Healthcare. Chambers USA notes that Libbie is “incredibly sharp and really thorough. She can do the nitty-gritty, in-the-weeds legal work incredibly well but she also can think of a bigger-picture business context and help to think through practical solutions.”

Mike Nonaka

Michael Nonaka is co-chair of the Financial Services Group and advises banks, financial services providers, fintech companies, and commercial companies on a broad range of compliance, enforcement, transactional, and legislative matters.

He specializes in providing advice relating to federal and state licensing and applications matters for banks and other financial institutions, the development of partnerships and platforms to provide innovative financial products and services, and a broad range of compliance areas such as anti-money laundering, financial privacy, cybersecurity, and consumer protection. He also works closely with banks and their directors and senior leadership teams on sensitive supervisory and strategic matters.

Mike plays an active role in the firm’s Fintech Initiative and works with a number of banks, lending companies, money transmitters, payments firms, technology companies, and service providers on innovative technologies such as bitcoin and other cryptocurrencies, blockchain, big data, cloud computing, same day payments, and online lending. He has assisted numerous banks and fintech companies with the launch of innovative deposit and loan products, technology services, and cryptocurrency-related products and services.

Mike has advised a number of clients on compliance with TILA, ECOA, TISA, HMDA, FCRA, EFTA, GLBA, FDCPA, CRA, BSA, USA PATRIOT Act, FTC Act, Reg. K, Reg. O, Reg. W, Reg. Y, state money transmitter laws, state licensed lender laws, state unclaimed property laws, state prepaid access laws, and other federal and state laws and regulations.

David Stein

David Stein advises clients on credit reporting, financial privacy, financial technology, payments, retail financial services, and fair lending issues. He assists a broad range of financial services firms, consumer reporting agencies, financial technology companies, and their vendors with regulatory, compliance, supervision, enforcement, and transactional matters.

David has significant experience advising clients on compliance with the FCRA, GLBA, ECOA, EFTA, E-Sign Act, TILA, TISA, FDCPA, Dodd-Frank Wall Street Reform and Consumer Protection Act, and FTC Act, as well as state financial privacy laws. David is a member of the firm’s fintech and artificial intelligence initiatives and works with clients on issues related to cutting-edge technologies, such as blockchain, virtual currencies, big data and data analytics, artificial intelligence, online lending, and payments technology.

David previously served in senior regulatory, policy-making, and management positions at the Consumer Financial Protection Bureau (CFPB) and the Federal Reserve Board (FRB). He played a significant role in developing regulations and policy on credit reporting, financial privacy, retail payments systems, consumer credit, fair lending, overdraft services, debit interchange, unfair or deceptive acts or practices, and mortgage origination and servicing. David draws upon his government experience in representing clients before the CFPB, the FRB, and other regulatory agencies and leverages his insights into the regulatory process to provide clients with practical, actionable advice.

Kerry Burke

Kerry Shannon Burke has been helping public and private companies structure and execute capital markets and finance transactions and navigate the pitfalls of public company reporting and governance for over 25 years. Kerry regularly represents issuers, ranging from development stage ventures to large public companies, as well as underwriters and other institutional investors, with private and public debt and equity financings. She also has assisted public and private companies in structuring and negotiating financing transactions, including term loan and revolving credit facilities and acquisition financing.

Kerry is a “go-to” advisor for large public companies and their boards on corporate governance, SEC reporting, ESG, cybersecurity disclosure, succession planning and compliance program design. Kerry also assists private companies on governance and IPO readiness matters, including with respect to board and committee independence, internal and disclosure controls and similar matters.

Kerry has particular expertise counseling clients on the Investment Advisers Act and assists investment advisers, including private equity funds, hedge funds and venture capital funds, on various status questions and ongoing compliance matters.