Part 248-Regulation S-P: Privacy of Consumer Financial Information and Safeguarding Personal Information, 13692-13719 [E8-4612]

Agencies

• SECURITIES AND EXCHANGE COMMISSION

[Federal Register Volume 73, Number 50 (Thursday, March 13, 2008)]
[Proposed Rules]
[Pages 13692-13719]
From the Federal Register Online via the Government Printing Office [www.gpo.gov]
[FR Doc No: E8-4612]



[[Page 13691]]

-----------------------------------------------------------------------

Part III





Securities and Exchange Commission





-----------------------------------------------------------------------



17 CFR Part 248



Part 248--Regulation S-P: Privacy of Consumer Financial Information and 
Safeguarding Personal Information; Proposed Rule

Federal Register / Vol. 73, No. 50 / Thursday, March 13, 2008 / 
Proposed Rules

[[Page 13692]]


-----------------------------------------------------------------------

SECURITIES AND EXCHANGE COMMISSION

17 CFR Part 248

[Release Nos. 34-57427; IC-28178; IA-2712; File No. S7-06-08]
RIN 3235-AK08


Part 248--Regulation S-P: Privacy of Consumer Financial 
Information and Safeguarding Personal Information

AGENCY: Securities and Exchange Commission.

ACTION: Proposed rule.

-----------------------------------------------------------------------

SUMMARY: The Securities and Exchange Commission (``Commission'') is 
proposing amendments to Regulation S-P, which implements certain 
provisions of the Gramm-Leach-Bliley Act (``GLBA'') and the Fair Credit 
Reporting Act (``FCRA'') for entities regulated by the Commission. The 
proposed amendments would set forth more specific requirements for 
safeguarding information and responding to information security 
breaches, and broaden the scope of the information covered by 
Regulation S-P's safeguarding and disposal provisions. They also would 
extend the application of the disposal provisions to natural persons 
associated with brokers, dealers, investment advisers registered with 
the Commission (``registered investment advisers'') and transfer agents 
registered with the Commission (``registered transfer agents''), and 
would extend the application of the safeguarding provisions to 
registered transfer agents. Finally, the proposed amendments would 
permit a limited transfer of information to a nonaffiliated third party 
without the required notice and opt out when personnel move from one 
broker-dealer or registered investment adviser to another.

DATES: Comments must be received on or before May 12, 2008.

ADDRESSES: Comments may be submitted by any of the following methods:

Electronic Comments

     Use the Commission's Internet comment form (https://
www.sec.gov/rules/proposed.shtml); or
     Send an e-mail to rule-comments@sec.gov. Please include 
File Number S7-06-08 on the subject line; or
     Use the Federal eRulemaking Portal (https://
www.regulations.gov). Follow the instructions for submitting comments.

Paper Comments

     Send paper comments in triplicate to Nancy M. Morris, 
Secretary, Securities and Exchange Commission, 100 F Street, NE., 
Washington, DC 20549-1090.

All submissions should refer to File Number S7-06-08. This file number 
should be included on the subject line if e-mail is used. To help us 
process and review your comments more efficiently, please use only one 
method. The Commission will post all comments on the Commission's 
Internet Web site (https://www.sec.gov/rules/proposed.shtml). Comments 
are also available for public inspection and copying in the 
Commission's Public Reference Room, 100 F Street, NE., Washington, DC 
20549, on official business days between the hours of 10 a.m. and 3 
p.m. All comments received will be posted without change; we do not 
edit personal identifying information from submissions. You should 
submit only information that you wish to make available publicly.

FOR FURTHER INFORMATION CONTACT: Catherine McGuire, Chief Counsel, or 
Brice Prince, Special Counsel, Office of the Chief Counsel, Division of 
Trading and Markets, (202) 551-5550; or Penelope Saltzman, Acting 
Assistant Director, or Vincent Meehan, Senior Counsel, Office of 
Regulatory Policy, Division of Investment Management, (202) 551-6792, 
Securities and Exchange Commission, 100 F Street, NE., Washington, DC 
20549.

SUPPLEMENTARY INFORMATION: The Commission today is proposing amendments 
to Regulation S-P \1\ under Title V of the GLBA,\2\ the FCRA,\3\ the 
Securities Exchange Act of 1934 (the ``Exchange Act''),\4\ the 
Investment Company Act of 1940 (the ``Investment Company Act''),\5\ and 
the Investment Advisers Act of 1940 (the ``Investment Advisers 
Act'').\6\
---------------------------------------------------------------------------

    \1\ 17 CFR part 248. Unless otherwise noted, all references to 
rules under Regulation S-P will be to Part 248 of the Code of 
Federal Regulations (17 CFR 248).
    \2\ 15 U.S.C. 6801-6827.
    \3\ 15 U.S.C. 1681w.
    \4\ 15 U.S.C. 78a.
    \5\ 15 U.S.C. 80a.
    \6\ 15 U.S.C. 80b.
---------------------------------------------------------------------------

Table of Contents

I. Background
    A. Statutory Requirements and Current Regulation S-P Mandates
    B. Challenges Posed by Information Security Breaches
II. Discussion
    A. Information Security and Security Breach Response 
Requirements
    B. Scope of the Safeguards and Disposal Rules
    C. Records of Compliance
    D. Exception for Limited Information Disclosure When Personnel 
Leave Their Firms
III. General Request for Comments
IV. Paperwork Reduction Act
V. Cost-Benefit Analysis
VI. Initial Regulatory Flexibility Analysis
VII. Consideration of Burden on Competition and Promotion of 
Efficiency, Competition and Capital Formation
VIII. Small Business Regulatory Enforcement Fairness Act
IX. Statutory Authority
X. Text of Proposed Rules and Rule Amendments

I. Background

A. Statutory Requirements and Current Regulation S-P Mandates

    Subtitle A of Title V of the GLBA requires every financial 
institution to inform its customers about its privacy policies and 
practices, and limits the circumstances in which a financial 
institution may disclose nonpublic personal information about a 
consumer to a nonaffiliated third party without first giving the 
consumer an opportunity to opt out of the disclosure.\7\ In enacting 
the legislation, Congress also specifically directed the Commission and 
other federal financial regulators to establish and implement 
information safeguarding standards requiring financial institutions 
subject to their jurisdiction to adopt administrative, technical and 
physical information safeguards.\8\ The GLBA specified that these 
standards were to ``insure the

[[Page 13693]]

security and confidentiality of customer records and information,'' 
``protect against any anticipated threats or hazards to the security or 
integrity'' of those records, and protect against unauthorized access 
to or use of those records or information, which ``could result in 
substantial harm or inconvenience to any customer.'' \9\
---------------------------------------------------------------------------

    \7\ See 15 U.S.C. 6802(a) and (b). The GLBA and Regulation S-P 
draw a distinction between ``consumers'' and ``customers.'' A 
``consumer'' is defined in Section 3(g)(1) of Regulation S-P to mean 
an individual who obtains a financial product or service that is to 
be used primarily for personal, family, or household purposes. See 
17 CFR 248.3(g)(1). A ``customer'' is defined in Section 3(j) of 
Regulation S-P as a consumer who has a continuing relationship with 
the financial institution. See 17 CFR 248.3(j). The distinction 
between customer and consumer determines the notices that a 
financial institution must provide. Pursuant to Sections 4 and 5 of 
Regulation S-P, a financial institution must provide customers with 
an initial notice describing the institution's privacy policies when 
a customer relationship is formed and at least annually throughout 
the customer relationship. In contrast, if a consumer is not a 
customer, a financial institution must only provide a notice if it 
intends to share nonpublic personal information about the consumer 
with a nonaffiliated third party (outside of certain exceptions). 
See 17 CFR 248.4 and 248.5.
    \8\ The GLBA directed the Commission, the Federal Trade 
Commission (``FTC'') and state insurance authorities to implement 
the safeguarding standards by rule. See 15 U.S.C. 6805(b)(2). The 
GLBA directed the Office of the Comptroller of the Currency, the 
Board of Governors of the Federal Reserve System, the Federal 
Deposit Insurance Corporation (``FDIC'') and the Office of Thrift 
Supervision (collectively, the ``Banking Agencies'') and the 
National Credit Union Administration (``NCUA'') to implement the 
safeguarding standards by regulation or by guidelines. See 15 U.S.C. 
6805(b)(1).
    \9\ 15 U.S.C. 6801(b).
---------------------------------------------------------------------------

    In response to these directives, we adopted Regulation S-P in 
2000.\10\ Section 30(a) of Regulation S-P (the ``safeguards rule'') 
requires institutions to safeguard customer records and 
information,\11\ while other sections of the regulation implement the 
notice and opt out provisions of the GLBA.\12\ The safeguards rule 
currently requires institutions to adopt written policies and 
procedures for administrative, technical, and physical safeguards to 
protect customer records and information. The safeguards must be 
reasonably designed to meet the GLBA's objectives.\13\ This approach 
provides flexibility for institutions to safeguard customer records and 
information in accordance with their own privacy policies and practices 
and business models. The safeguards rule and the notice and opt out 
provisions currently apply to brokers, dealers, registered investment 
advisers, and investment companies.\14\
---------------------------------------------------------------------------

    \10\ See Privacy of Consumer Financial Information (Regulation 
S-P), Exchange Act Release No. 42974, Investment Company Act 
(``ICA'') Release No. 24543, Investment Advisers Act (``IAA'') 
Release No. 1883 (June 22, 2000), 65 FR 40334 (June 29, 2000). 
Pursuant to the GLBA directive, Regulation S-P is consistent with 
and comparable to the financial privacy rules adopted by other 
federal financial regulators in 2000. See FTC, Privacy of Consumer 
Financial Information, 65 FR 33646 (May 24, 2000); Banking Agencies, 
Privacy of Consumer Financial Information, 65 FR 35162 (June 1, 
2000); and NCUA, Privacy of Consumer Financial Information; 
Requirements for Insurance, 65 FR 31722 (May 18, 2000). See also 15 
U.S.C. 6804(a)(2) (directing federal financial regulators to consult 
and coordinate to assure, to the extent possible, that each agency's 
regulations are consistent and comparable with the regulations 
prescribed by the other agencies).
    In 2001, we amended Regulation S-P to permit futures commission 
merchants and introducing brokers that are registered by notice as 
broker-dealers in order to conduct business in security futures 
products under Section 15(b)(11)(A) of the Exchange Act (``notice-
registered broker-dealers'') to comply with Regulation S-P by 
complying with financial privacy rules that the Commodity Futures 
Trading Commission (``CFTC'') adopted that year. See 17 CFR 
248.2(b); Registration of Broker-Dealers Pursuant to Section 
15(b)(11) of the Securities Exchange Act of 1934, Exchange Act 
Release No. 44730 (Aug. 21, 2001), 66 FR 45138 (Aug. 27, 2001); see 
also CFTC, Privacy of Consumer Financial Information, 66 FR 21236 
(Apr. 27, 2001).
    \11\ 17 CFR 248.30(a).
    \12\ See 17 CFR 248.1-248.18. As described above, the GLBA and 
Regulation S-P require brokers, dealers, investment advisers 
registered with the Commission, and investment companies to provide 
an annual notice of their privacy policies and practices to their 
customers (and notice to consumers before sharing their nonpublic 
personal information with nonaffiliated third parties outside 
certain exceptions). See supra note 7; 15 U.S.C. 6803(a); 17 CFR 
248.4; 17 CFR 248.5. In general, the privacy notices must describe 
the institutions' policies and practices with respect to disclosing 
nonpublic personal information about a consumer to both affiliated 
and nonaffiliated third parties. 15 U.S.C. 6803; 17 CFR 248.6. The 
notices also must provide a consumer a reasonable opportunity to 
direct the institution generally not to share nonpublic personal 
information about the consumer (that is, to ``opt out'') with 
nonaffiliated third parties. 15 U.S.C. 6802(b); 17 CFR 248.7. (The 
privacy notice also must provide, where applicable under the FCRA, a 
notice and an opportunity for a consumer to opt out of certain 
information sharing among affiliates.) Sections 13, 14, and 15 of 
Regulation S-P (17 CFR 248.13, 17 CFR 248.14, and 17 CFR 248.15) set 
out exceptions from these general notice and opt out requirements 
under the GLBA. Section 13 includes exceptions for sharing 
information with other financial institutions under joint marketing 
agreements and with certain service providers. Section 14 includes 
exceptions for sharing information for everyday business purposes, 
such as maintaining or servicing accounts. Section 15 includes 
exceptions for disclosures made with the consent or at the direction 
of a consumer, disclosures for particular purposes such as 
protecting against fraud, disclosures to consumer reporting 
agencies, and disclosures to law enforcement agencies. In March 
2007, the Commission, together with the Banking Agencies, the CFTC, 
the FTC, and the NCUA, published for public comment in the Federal 
Register a proposed model privacy form that financial institutions 
could use for their privacy notices to consumers required by the 
GLBA. See Interagency Proposal for Model Privacy Form Under the 
Gramm-Leach-Bliley Act, Exchange Act Release No. 55497, IAA Release 
No. 2598, ICA Release No. 27755 (Mar. 20, 2007), 72 FR 14940 (Mar. 
29, 2007) (``Interagency Model Privacy Form Proposal'').
    \13\ Specifically, the safeguards must be reasonably designed to 
insure the security and confidentiality of customer records and 
information, protect against anticipated threats to the security or 
integrity of those records and information, and protect against 
unauthorized access to or use of such records or information that 
could result in substantial harm or inconvenience to any customer. 
See supra note 9 and accompanying text.
    \14\ Regulation S-P applies to investment companies as the term 
is defined in Section 3 of the Investment Company Act (15 U.S.C. 
80a-3), whether or not the investment company is registered with the 
Commission. See 17 CFR 248.3(r). Thus, a business development 
company, which is an investment company but is not required to 
register as such with the Commission, is subject to Regulation S-P. 
In this release, institutions to which Regulation S-P currently 
applies, or to which the proposed amendments would apply, are 
sometimes referred to as ``covered institutions.''
---------------------------------------------------------------------------

    Pursuant to the Fair and Accurate Credit Transactions Act of 2003 
(``FACT Act''), the Commission amended Regulation S-P in 2004 to 
protect against the improper disposal of consumer report 
information.\15\ Section 30(b) of Regulation S-P (the ``disposal 
rule'') currently applies to the institutions subject to the other 
provisions of Regulation S-P, except that it excludes notice-registered 
broker-dealers and includes registered transfer agents.
---------------------------------------------------------------------------

    \15\ 17 CFR 248.30(b). Section 216 of the FACT Act amended the 
FCRA by adding Section 628 (codified at 15 U.S.C. 1681w), which 
directed the Commission and other federal financial regulators to 
adopt regulations for the proper disposal of consumer information, 
and provides that any person who maintains or possesses consumer 
information or any compilation of consumer information derived from 
a consumer report for a business purpose must properly dispose of 
the information. See Disposal of Consumer Report Information, 
Exchange Act Release No. 50781, IAA Release No. 2332, ICA Release 
No. 26685 (Dec. 2, 2004), 69 FR 71322 (Dec. 8, 2004) (``Disposal 
Rule Adopting Release''). When we adopted the disposal rule, we also 
amended Regulation S-P to require that the policies and procedures 
institutions must adopt under the safeguards rule be in writing.
    The disposal rule requires transfer agents registered with the 
Commission, as well as brokers and dealers other than notice-
registered broker-dealers, investment advisers registered with the 
Commission, and investment companies that maintain or possess 
``consumer report information'' for a business purpose, to take 
``reasonable measures to protect against unauthorized access to or 
use of the information in connection with its disposal.''
    In order to provide clarity, the Disposal Rule Adopting Release 
included five examples intended to provide guidance on disposal 
measures that would be deemed reasonable under the disposal rule. 
See Disposal Rule Adopting Release at section II.A.2.
---------------------------------------------------------------------------

B. Challenges Posed by Information Security Breaches

    In recent years, we have become concerned with the increasing 
number of information security breaches that have come to light and the 
potential for identity theft and other misuse of personal financial 
information. Once seemingly confined mainly to commercial banks and 
retailers, this problem has spread throughout the business community, 
including the securities industry.\16\
---------------------------------------------------------------------------

    \16\ See Press Release, NASD, NASD Warns Investors to Protect 
Online Account Information, Brokerages Also Reminded of Obligation 
to Protect Customer Information from New Threats (July 28, 2005), 
https://www.finra.org/PressRoom/NewsReleases/2005NewsReleases/P014775 
(last visited Nov. 6, 2007). See also In re NEXT Financial Group, 
Inc., Exchange Act Release No. 56316 (Aug. 24, 2007), https://
www.sec.gov/litigation/admin/2007/34-56316.pdf, and Order 
Instituting Administrative and Cease-and-Desist Proceedings Pursuant 
to Sections 15(b) and 21C of the Securities Exchange Act of 1934 
(Aug. 24, 2007) (alleging violations of the notice and opt out 
provisions of Regulation S-P and the safeguards rule in connection 
with recruiting registered representatives), https://www.sec.gov/
litigation/admin/2007/34-56316-o.pdf.
---------------------------------------------------------------------------

    In the last two years, we have seen a significant increase in 
information security breaches involving institutions we regulate. 
Perhaps most disturbing is the increase in incidents involving the 
takeover of online brokerage accounts, including the use of the 
accounts by foreign nationals as part of ``pump-and-dump'' schemes.\17\ 
The financial

[[Page 13694]]

services sector also is a popular target for online targeted attacks, 
and ``phishing'' attacks in which fraudsters set up an Internet site 
designed to mimic a legitimate site and induce random Internet users to 
disclose personal information.\18\ In other recent incidents, 
registered representatives of broker-dealers disposed of information 
and records about clients or prospective clients in accessible areas, 
from which journalists were able to remove them. Sensitive securities-
related data also has been lost or stolen as a result of other 
incidents.\19\
---------------------------------------------------------------------------

    \17\ While some account takeovers may have been facilitated by 
investors failing to take adequate precautions against security 
threats such as ``keylogger'' programs and ``phishing'' attacks, 
many online brokerage firms have successfully reduced their exposure 
to account takeovers by improving their authentication and 
monitoring procedures. The Commission has been active in this area, 
and has brought several enforcement cases involving defendants in 
foreign jurisdictions. See, e.g., Litigation Release No. 20037 (Mar. 
12, 2007), available at https://www.sec.gov/litigation/litreleases/
2007/lr20037.htm (three Indian nationals charged with participating 
in an alleged fraudulent scheme to manipulate the prices of at least 
fourteen securities through the unauthorized use of other people's 
online brokerage accounts); and Litigation Release No. 19949 (Dec. 
19, 2006), available at https://www.sec.gov/litigation/litreleases/
2006/lr19949.htm (emergency asset freeze obtained; complaint alleged 
an alleged Estonia-based account intrusion scheme that targeted 
online brokerage accounts in the U.S. to manipulate the markets).
    \18\ In 2006, Symantec Corporation, a seller of information 
security and information management software, reported that in the 
first half of 2006, 84 percent of tracked phishing sites targeted 
the financial sector and 9 of the top 10 brands phished this period 
were from the financial sector. Because the financial services 
sector is a logical target for attackers increasingly motivated by 
financial gain, that sector was also the second most frequent target 
of Internet-based attacks (after home users). See Symantec, Symantec 
Internet Security Threat Report, Trends for January 06-June 06, at 
9, 23 (Sept. 2006), https://www.symantec.com/specprog/threatreport/
ent-whitepaper_symantec_internet_security_threat_report_x_
09_2006.en-us.pdf (last visited Nov. 6, 2007) (``Symantec September 
2006 Internet Security Threat Report''). Reportedly, employees of 
financial services firms ``are increasingly being invited to visit 
Web sites or download programs by people pretending to be colleagues 
or peers,'' followed by attack programs on the sites or in downloads 
that ``then open tunnels into the corporate network.'' More 
recently, although financial services-related spam reportedly ``made 
up 21 percent of all spam in the first six months of 2007, making it 
the second most common type of spam during this period,'' there was 
a 30-percent decline in stock market ``pump and dump'' spam ``due to 
a decline in spam touting penny stocks that was triggered by actions 
taken by the United States Securities and Exchange Commission, which 
limited the profitability of this type of spam by suspending trading 
of the stocks that are touted.'' See Symantec, Symantec Internet 
Security Threat Report, Trends for January-June 07, Volume XII, at 
107 (Sept. 2007), https://eval.symantec.com/mktginfo/enterprise/
white_papers/ent-whitepaper_internet_security_threat_report_
xii_09_2007.en-us.pdf (last visited Nov. 6, 2007) (citing 
Commission Press Release 2007-34, SEC Suspends Trading Of 35 
Companies Touted In Spam E-mail Campaigns (Mar. 8, 2007), available 
at https://www.sec.gov/news/press/2007/2007-34.htm).
    \19\ For example, in April 2005, a shipping company lost a 
computer backup tape containing account information for more than 
200,000 broker-dealer customers. The broker-dealer voluntarily 
notified its affected customers, although the data was compressed 
and the tape was thought to have been destroyed. In December 2005, a 
laptop computer containing unencrypted information that included 
names and account numbers of 158,000 customers and the names and 
Social Security numbers of 68,000 adviser personnel was stolen from 
a registered investment adviser, and in March 2006, a laptop 
computer containing the names, addresses, Social Security numbers, 
dates of birth, and other employment-related information of as many 
as 196,000 retirement plan participants was stolen from a benefits 
plan administration subsidiary of a registered investment adviser. 
In both cases, the laptops were taken from vehicles by thieves who 
appear to have stolen them for their value as computer hardware 
rather than for the information contained on them. The registered 
investment adviser voluntarily notified the more than 200,000 
clients and financial advisers whose information was compromised, 
while the benefits plan administrator voluntarily notified the 
nearly 200,000 retirement plan participants whose information was 
compromised, and offered to pay for a year of credit monitoring for 
each of them.
---------------------------------------------------------------------------

    Many firms in the securities industry are aware of these problems 
and have appropriate safeguards in place to address them.\20\ We are 
concerned, however, that some firms do not regularly reevaluate and 
update their safeguarding programs to deal with these increasingly 
sophisticated methods of attack.\21\ For this reason, and in light of 
the increase in reported security breaches and the potential for 
identity theft among the institutions we regulate, we believe that our 
previous approach, requiring safeguards that must be reasonably 
designed to meet the GLBA's objectives, merits revisiting.\22\
---------------------------------------------------------------------------

    \20\ Some institutions regulated by the Commission have already 
taken steps to strengthen their policies and procedures for 
safeguarding investors' information, such as by offering investors 
the use of password-generating tokens for online brokerage accounts. 
We also note that some firms have been sharing information about 
suspicious activity with one another for the purpose of combating 
identity theft. To the extent it might involve sharing nonpublic 
personal information about consumers of the firms, Regulation S-P 
does not prohibit such information sharing because Section 
15(a)(2)(ii) of Regulation S-P permits firms to disclose nonpublic 
personal information to a nonaffiliated third party for the purpose 
of protecting against fraud without first giving consumers notice of 
and an opportunity to opt out of the disclosures.
    \21\ According to a September 2007 report from Deloitte Touche 
Tohmatsu, for example, 37 percent of 169 surveyed financial 
institutions do not have an information security strategy in place, 
and 33 percent of these institutions do not conduct vulnerability 
testing, or only do so on an ad hoc basis. See Deloitte Touche 
Tohmatsu, 2007 Global Security Survey, at 12, 36 (Sept. 2007), 
https://www.deloitte.com/dtt/cda/doc/content/dtt_gfsi_
GlobalSecuritySurvey_20070901%281%29.pdf (last visited Nov. 6, 
2007).
    \22\ In 2004 we sought comment on whether to revise our 
safeguards rule to require institutions to address certain elements 
in designating their safeguarding policies and procedures. See 
Disposal of Consumer Report Information, Exchange Act Release No. 
50361, IAA Release No. 2293, ICA Release No. 20596 (Sept. 14, 2004), 
69 FR 56304 (Sept. 20, 2004) (``Disposal Rule Proposing Release''), 
at section II.B. At that time we decided not to revise the 
safeguards rule, but noted we would consider the comments we 
received in the event we proposed any amendment to the rule. See 
Disposal Rule Adopting Release, supra note 15, at section II.B. See 
also infra note 31.
---------------------------------------------------------------------------

    We also are concerned that while the information protected under 
the safeguards rule and the disposal rule includes certain personal 
information, it does not include other information that could be used 
to access investors' financial information if obtained by an 
unauthorized user. Finally we want to address other issues under 
Regulation S-P that have come to our attention, including the 
application of the regulation to situations in which a representative 
of one broker-dealer or registered investment adviser moves to another 
firm. Accordingly, today we are proposing amendments to the safeguards 
and disposal rules that are designed to address these concerns.

II. Discussion

    To help prevent and address security breaches in the securities 
industry and thereby better protect investor information, we propose to 
amend Regulation S-P in four principal ways. First, we propose to 
require more specific standards under the safeguards rule, including 
standards that would apply to data security breach incidents. Second, 
we propose to amend the scope of the information covered by the 
safeguards and disposal rules and to broaden the types of institutions 
and persons covered by the rules. Third, we propose to require 
institutions subject to the safeguards and disposal rules to maintain 
written records of their policies and procedures and their compliance 
with those policies and procedures. Finally, we are taking this 
opportunity to propose a new exception from Regulation S-P's notice and 
opt-out requirements to allow investors more easily to follow a 
representative who moves from one brokerage or advisory firm to 
another.

A. Information Security and Security Breach Response Requirements

    To help prevent and address security breaches at the institutions 
we regulate, we propose to require more specific standards for 
safeguarding personal information, including standards for responding 
to data security breaches. When we adopted Regulation S-P in 2001, the 
safeguards rule simply required institutions to adopt policies and 
procedures to address the safeguarding objectives stated in the GLBA. 
Following our adoption of the rule, the FTC and the Banking Agencies 
issued regulations with more detailed standards for safeguarding 
customer

[[Page 13695]]

records and information applicable to the institutions they 
regulate.\23\ We believe these standards include necessary elements 
that institutions should address when adopting and implementing 
safeguarding policies and procedures. We have therefore looked to the 
other agencies' standards in developing our proposal and tailored them, 
where appropriate, to develop proposed standards for the institutions 
we regulate.
---------------------------------------------------------------------------

    \23\ The Banking Agencies issued their guidelines for 
safeguarding customer records and information in 2001. See 
Interagency Guidelines Establishing Standards for Safeguarding 
Customer Information and Rescission of Year 2000 Standards for 
Safety and Soundness, 66 FR 8616 (Feb. 1, 2001) (``Banking 
Agencies'' Security Guidelines''). The FTC adopted its safeguards 
rule in 2002. See Standards for Safeguarding Customer Information, 
67 FR 36484 (May 23, 2002) (``FTC Safeguards Rule''). The Banking 
Agencies also have jointly issued guidance on responding to 
incidents of unauthorized access or use of customer information. See 
Interagency Guidance on Response Programs for Unauthorized Access to 
Customer Information and Customer Notice, 70 FR 15736 (Mar. 29, 
2005) (``Banking Agencies'' Incident Response Guidance''). More 
recently, through the Federal Financial Institutions Examination 
Council (``FFIEC''), the Banking Agencies jointly issued guidance on 
the authentication of customers in an Internet banking environment, 
and the Banking Agencies and the FTC jointly issued final rules and 
guidelines for identity theft ``red flags'' programs to detect, 
prevent, and mitigate identity theft in connection with the opening 
of certain accounts or certain existing accounts. See FFIEC, 
Authentication in an Internet Banking Environment (July 27, 2006), 
available at www.ffiec.gov/pdf/authentication_guidance.pdf 
(``Authentication Guidance''); Banking Agencies and FTC, Identity 
Theft Red Flags and Address Discrepancies under the Fair and 
Accurate Credit Transactions Act of 2003, 72 FR 63718 (Nov. 9, 2007) 
(``Final Red Flag Rules''). See also Banking Agencies and FTC, 
Identity Theft Red Flags and Address Discrepancies Under the Fair 
and Accurate Credit Transactions Act of 2003, 71 FR 40785 (July 18, 
2006) (``Proposed Red Flag Guidelines''). In March of this year, the 
FTC also published a brochure on data security, Protecting Personal 
Information: A Guide for Business (available at https://www.ftc.gov/
infosecurity/), and the FDIC issued a Supervisory Policy on Identity 
Theft, FIL-32-2007 (Apr. 11, 2007), available at https://
www.fdic.gov/news/news/financial/2007/fil07032a.html.
---------------------------------------------------------------------------

1. Revised Safeguarding Policies and Procedures
    As noted above, the safeguards rule requires institutions to adopt 
written policies and procedures that address administrative, technical 
and physical safeguards to protect customer records and information. 
The proposed amendments would further develop this requirement by 
requiring each institution subject to the safeguards rule to develop, 
implement, and maintain a comprehensive ``information security 
program,'' including written policies and procedures that provide 
administrative, technical, and physical safeguards for protecting 
personal information, and for responding to unauthorized access to or 
use of personal information.\24\ This program would have to be 
appropriate to the institution's size and complexity, the nature and 
scope of its activities, and the sensitivity of any personal 
information at issue.\25\ Consistent with current requirements for 
safeguarding policies and procedures, the information security program 
also would have to be reasonably designed to: (i) Ensure the security 
and confidentiality of personal information; (ii) protect against any 
anticipated threats or hazards to the security or integrity of personal 
information; and (iii) protect against unauthorized access to or use of 
personal information that could result in substantial harm or 
inconvenience to any consumer, employee, investor or securityholder who 
is a natural person.\26\ Although the term ``substantial harm or 
inconvenience'' is currently used in the safeguards rule, it is not 
defined. We propose to define the term to mean ``personal injury, or 
more than trivial financial loss, expenditure of effort or loss of 
time.'' \27\ This definition is intended to include harms other than 
identity theft that may result from failure to safeguard sensitive 
information about an individual. For example, a hacker could use 
confidential information about an individual for extortion by 
threatening to make the information public unless the individual agrees 
to the hacker's demands. ``Substantial harm or inconvenience'' would 
not include ``unintentional access to personal information by an 
unauthorized person that results only in trivial financial loss, 
expenditure of effort or loss of time,'' such as if use of the 
information results in an institution deciding to change the 
individual's account number or password.\28\ The rule would provide an 
example of what would not constitute harm or inconvenience that rises 
to the level of ``substantial,'' which should help clarify the scope of 
what would constitute ``substantial harm or inconvenience.''
---------------------------------------------------------------------------

    \24\ As amended, Section 30 would be titled, ``Information 
security programs for personal information; records of compliance.''
    \25\ See proposed paragraph (a)(1) of Section 30. The term 
``information security program'' would mean the administrative, 
technical, or physical safeguards used to access, collect, 
distribute, process, protect, store, use, transmit, dispose of, or 
otherwise handle personal information. See proposed paragraph (d)(6) 
of Section 30.
    \26\ See proposed paragraph (a)(2) of Section 30. Compare 17 CFR 
248.30(a)(1)-(3).
    \27\ See proposed paragraph (d)(12) of Section 30. ``Substantial 
harm or inconvenience'' would include theft, fraud, harassment, 
impersonation, intimidation, damaged reputation, impaired 
eligibility for credit, or the unauthorized use of the information 
identified with an individual to obtain a financial product or 
service, or to access, log into, effect a transaction in, or 
otherwise use the individual's account.
    \28\ See proposed paragraph (d)(12)(ii) of Section 30. Thus, for 
example the proposed definition would not encompass a firm's 
occasional, unintentional delivery of an individual's account 
statement to an incorrect address if the institution determined that 
the information was highly unlikely to be misused. This 
determination would have to be made promptly after the institution 
becomes aware of an incident of unauthorized access to sensitive 
personal information, and documented in writing. See proposed 
paragraph (a)(4)(iii) of Section 30.
---------------------------------------------------------------------------

    The proposed amendments also would specify particular elements that 
a program meeting the requirements of Regulation S-P must include.\29\ 
These elements are intended to provide firms in the securities industry 
with detailed standards for the policies and procedures that a well-
designed information security program should include to address recent 
identity theft-related incidents such as firms in the securities 
industry losing data tapes and laptop computers and failing to dispose 
properly of sensitive personal information, and hackers hijacking 
online brokerage accounts.\30\ These elements also are intended to 
maintain consistency with information safeguarding guidelines and rules 
adopted by the Banking Agencies and

[[Page 13696]]

FTC.\31\ In addition, these elements are consistent with policies and 
procedures we understand many institutions in the securities industry 
have already adopted. We understand that large and complex 
organizations generally have written policies that address information 
safeguarding procedures at several layers, from an organization-wide 
policy statement to detailed procedures that address particular 
controls.\32\
---------------------------------------------------------------------------

    \29\ Many of these elements are addressed by widely accepted 
information security standards. See, e.g., National Institute of 
Standards and Technology (``NIST''), Special Publication 800 series 
(Computer Security), for example Generally Accepted Principals and 
Practices for Securing Information Technology Systems (SP 800-14) 
(Sept. 1996), Guide to Intrusion Detection and Prevention Systems 
(IDPS) (SP 800-94) (Feb. 2007), and Guide to Secure Web Services (SP 
800-95) (Aug. 2007) (all available at https://csrc.nist.gov/
publications/PubsSPs.html), and bulletins dealing with computer 
security published by the NIST's Information Technology Laboratory 
(ITL), for example Secure Web Servers: Protecting Web Sites That Are 
Accessed By The Public (ITL January 2008) (available at https://
csrc.nist.gov/publications/PubsITLSB.html); Federal Information 
System Controls Audit Manual, General Accounting Office, Accounting 
and Information Management Division, Federal Information System 
Controls Audit Manual, GAO/AIMD-12.19.6 (known as ``FISCAM'') (Jan. 
1999) (available at https://www.gao.gov/special.pubs/ai12.19.6.pdf); 
International Organization for Standardization, Code of Practice for 
Information Security Management (ISO/IEC 27002:2005) (known among 
information security professionals as the ``British Standard,'' and 
formerly designated BS ISO/IEC 17799:2005 and BS 7799-1:2005) 
(available for purchase at https://www.standardsdirect.org/
iso17799.htm and at https://www.bsi-global.com/en/Shop/Publication-
Detail/?pid=000000000030166440); and Information Systems Audit and 
Control Association/IT Governance Institute, Control Objectives for 
Information and Related Technology (known as ``COBIT'') (last 
updated, and published as version 4.1, May 2007) (available at 
https://www.isaca.org).
    \30\ See supra notes 16-19 and accompanying text.
    \31\ See Banking Agencies' Security Guidelines and FTC 
Safeguards Rule, supra note 23. As noted above, we sought comment on 
whether to revise our safeguards rule in 2004. See supra note 22. At 
that time, several commenters noted that Rule 206(4)-7 under the 
Investment Advisers Act (17 CFR 275.206(4)-7) and Rule 38a-1 under 
the Investment Company Act (17 CFR 270.38a-1) require registered 
investment advisers and registered investment companies to have 
written policies and procedures reasonably designed to prevent 
violation of the federal securities laws, including safeguards for 
the protection of customer records and information under Regulation 
S-P. These rules also require registered investment advisers and 
funds to review, no less frequently than annually, the adequacy of 
these policies and procedures. See Comment Letter of the Investment 
Counsel Association of America (Oct. 20, 2004), at p. 3; Comment 
Letter of the Investment Company Institute (Oct. 20, 2004) at p. 2. 
Each of these letters is available at https://www.sec.gov/comments/
s73304.shtml. We do not intend for the proposed amendments to alter 
or conflict with these requirements.
    \32\ See Disposal Rule Proposing Release, supra note 22, at 69 
FR 56308 & n.29.
---------------------------------------------------------------------------

    Institutions subject to the rule would be required to:
    (i) Designate in writing an employee or employees to coordinate the 
information security program; \33\
---------------------------------------------------------------------------

    \33\ See proposed paragraph (a)(3)(i) of Section 30. Of course, 
the employee or employees designated to coordinate an institution's 
information security program would need to have sufficient authority 
and access to the institution's managers, officers and directors to 
effectively implement the program and modify it as necessary.
---------------------------------------------------------------------------

    (ii) Identify in writing reasonably foreseeable security risks that 
could result in the unauthorized disclosure, misuse, alteration, 
destruction or other compromise of personal information or personal 
information systems; \34\
---------------------------------------------------------------------------

    \34\ See proposed paragraph (a)(3)(ii) of Section 30. The term 
``personal information system'' would mean any method used to 
access, collect, store, use, transmit, protect or dispose of 
personal information. See proposed paragraph (d)(9) of Section 30.
---------------------------------------------------------------------------

    (iii) Design and document in writing and implement information 
safeguards to control the identified risks; \35\
---------------------------------------------------------------------------

    \35\ See proposed paragraph (a)(3)(iii) of Section 30.
---------------------------------------------------------------------------

    (iv) Regularly test or otherwise monitor and document in writing 
the effectiveness of the safeguards' key controls, systems, and 
procedures, including the effectiveness of access controls on personal 
information systems, controls to detect, prevent and respond to 
attacks, or intrusions by unauthorized persons, and employee training 
and supervision; \36\
---------------------------------------------------------------------------

    \36\ See proposed paragraph (a)(3)(iv) of Section 30.
---------------------------------------------------------------------------

    (v) Train staff to implement the information security program; \37\
---------------------------------------------------------------------------

    \37\ See proposed paragraph (a)(3)(v) of Section 30.
---------------------------------------------------------------------------

    (vi) Oversee service providers by taking reasonable steps to select 
and retain service providers capable of maintaining appropriate 
safeguards for the personal information at issue, and require service 
providers by contract to implement and maintain appropriate safeguards 
(and document such oversight in writing); \38\ and
---------------------------------------------------------------------------

    \38\ See proposed paragraph (a)(3)(vi) of Section 30.
---------------------------------------------------------------------------

    (vii) Evaluate and adjust their information security programs to 
reflect the results of the testing and monitoring, relevant technology 
changes, material changes to operations or business arrangements, and 
any other circumstances that the institution knows or reasonably 
believes may have a material impact on the program.\39\
---------------------------------------------------------------------------

    \39\ See proposed paragraph (a)(3)(vii) of Section 30. This 
requirement is similar to the requirement in the Banking Agencies' 
Security Guidelines that institutions covered by those guidelines 
monitor, evaluate, and adjust, as appropriate, their information 
security program in light of any relevant changes in technology, the 
sensitivity of their customer information, internal or external 
threats to information, and their own changing business 
arrangements, such as mergers and acquisitions, alliances and joint 
ventures, outsourcing arrangements, and changes to customer 
information systems. See supra note 23, Banking Agencies' Security 
Guidelines, 66 FR at 8634, 8635-36, 8637, 8639, 8641. The ``material 
impact'' standard in proposed paragraph (a)(3)(iii) is intended to 
require adjustment of a covered institution's information security 
program only when a reasonable coordinator of the program would 
consider adjusting the program important in light of changing 
circumstances.
---------------------------------------------------------------------------

    The term ``service provider'' would mean any person or entity that 
receives, maintains, processes, or otherwise is permitted access to 
personal information through its provision of services directly to a 
person subject to the rule.\40\ We understand that in large financial 
complexes, a particular affiliate may be responsible for providing a 
particular service for all affiliates in the complex. In that 
circumstance, each financial institution subject to Regulation S-P 
would be responsible for taking reasonable steps to ensure that the 
service provider is capable of maintaining appropriate safeguards and 
of overseeing the service provider's implementation, maintenance, 
evaluation, and modifications of appropriate safeguards for the 
institution's personal information. Under the proposed amendments, we 
anticipate that a covered institution's reasonable steps to evaluate 
the information safeguards of service providers could include the use 
of a third-party review of those safeguards such as a Statement of 
Auditing Standards No. 70 (``SAS 70'') report, a SysTrust report, or a 
WebTrust report.\41\
---------------------------------------------------------------------------

    \40\ See proposed paragraph (d)(11) of Section 30.
    \41\ See Codification of Accounting Standards and Procedures, 
Statement on Auditing Standards No. 70, Reports on Processing of 
Transactions by Service Organizations (American Inst. of Certified 
Public Accountants). See also description and comparison of these 
reports at https://infotech.aicpa.org/Resources/
System+Security+and+Reliability/System+Reliability/
Principles+of+a+Reliable+System/
SAS+No+70+SysTrust+and+WebTrust+A+Comparison.htm.
---------------------------------------------------------------------------

    We request comment on the proposed specific standards for 
safeguarding personal information.
     Would these standards provide sufficient direction to 
institutions? Are there particular standards that should be more or 
less prescriptive? For example, should institutions be required to 
designate an employee or employees to coordinate the information 
security program by name, or should institutions be permitted to make 
these designations by position or office?
     Would additional standards be appropriate or are certain 
standards unnecessary? Should the proposed standards be modified to 
more closely or less closely resemble standards prescribed by the 
Banking Agencies or the FTC? For the securities industry, are there any 
other standards that a well-designed information security program 
should address? Are there any other standards that would provide more 
flexibility to covered institutions?
     We also invite comment on the proposed requirement that 
entities assess the sufficiency of safeguards in place, to control 
reasonably foreseeable risks. Should the rules include more detailed 
standards and specifications for access controls? Should the 
requirement specify factors such as those identified in the Banking 
Agencies' guidance regarding authentication in an Internet banking 
environment or include policies and procedures such as those in the 
Banking Agencies and the FTC's proposed or final ``red flag'' 
requirements? \42\ For example, should we require that covered 
institutions implement multifactor authentication, layered security, or 
other controls for high-risk transactions involving access to customer 
information or the movement of funds to third parties? Should we 
require that covered institutions include in their information security 
programs ``red flag'' elements

[[Page 13697]]

that would be relevant to detecting, preventing and mitigating identity 
theft in connection with the opening of accounts or existing accounts, 
or in connection with particular types of accounts associated with a 
reasonably foreseeable risk of identity theft? Should we require that 
covered institutions adopt policies and procedures for evaluating 
changes of address followed closely by an account change or 
transaction, or for processing address discrepancy notices from 
consumer reporting agencies? If the rule were to include more detailed 
standards and specifications for access controls, how should these 
apply to business conducted by telephone?
---------------------------------------------------------------------------

    \42\ See Authentication Guidance, Proposed Red Flag Guidance, 
and Final Red Flag Rules, supra note 23. The Authentication Guidance 
has been credited with helping to curtail online banking fraud, but 
has been characterized as not adequately addressing authentication 
in the context of telephone banking. See Daniel Wolfe, How New 
Authentication Systems are Altering Fraud Picture, Amer. Banker 
(Dec. 26, 2007).
---------------------------------------------------------------------------

     Commenters are invited to discuss the proposed definition 
of ``substantial harm or inconvenience.'' Are there circumstances that 
commenters believe would create substantial harm or inconvenience to 
individuals that would not meet the proposed definition? If so, how 
should the definition be revised to address these circumstances?
     Commenters are invited to discuss the proposed 
requirements for written documentation of compliance with the proposed 
safeguarding provisions.
     Commenters are invited to discuss the proposed definition 
of ``service provider.'' They also are invited to discuss whether, if 
the proposed amendments are adopted, they should include or be 
accompanied by guidance on the use of outside evaluations of third-
party service providers. For example, should the Commission provide 
guidance similar to that provided by the FFIEC on the appropriate use 
of SAS 70 reports in evaluating the information safeguards of service 
providers? \43\
---------------------------------------------------------------------------

    \43\ The FFIEC provided the following guidance on the use of SAS 
70 reports in the oversight of third-party service providers 
(``TSPs'') by financial institutions regulated by FFIEC member 
agencies:
    Financial institutions should ensure TSPs implement and maintain 
controls sufficient to appropriately mitigate risk. In higher-risk 
relationships the institution by contract may prescribe minimum 
control and reporting standards, obtain the right to require changes 
to standards as external and internal environments change, and 
obtain access to the TSP for institution or independent third-party 
evaluations of the TSP's performance against the standard. In lower 
risk relationships the institution may prescribe the use of 
standardized reports, such as trust services reports or a Statement 
of Auditing Standards 70 (SAS 70) report.
    * * * * *
    Financial institutions should carefully and critically evaluate 
whether a SAS 70 report adequately supports their oversight 
responsibilities. The report may not provide a thorough test of 
security controls and security monitoring unless requested by the 
TSP. It may not address the effectiveness of the security process in 
continually mitigating changing risks. Additionally, the SAS 70 
report may not address whether the TSP is meeting the institution's 
specific risk mitigation requirements. Therefore, the contracting 
oversight exercised by financial institutions may require additional 
tests, evaluations, and reports to appropriately oversee the 
security program of the service provider.
    FFIEC, FFIEC IT Examination Handbook, Information Security 
Booklet--July 2006, at 77, 78 (available at https://www.ffiec.gov/
ffiecinfobase/booklets/information_security/information_
security.pdf).
---------------------------------------------------------------------------

2. Data Security Breach Response
    Because of the potential for harm or inconvenience to individuals 
when a data security breach occurs, we are proposing that information 
security programs include procedures for responding to incidents of 
unauthorized access to or use of personal information. These procedures 
would include notice to affected individuals if misuse of sensitive 
personal information has occurred or is reasonably possible. The 
procedures would also include notice to the Commission (or for certain 
broker-dealers, their designated examining authority \44\) under 
circumstances in which an individual identified with the information 
has suffered substantial harm or inconvenience or an unauthorized 
person has intentionally obtained access to or used sensitive personal 
information. The proposed rules that would require prompt notice of 
information security breach incidents to individuals, as well as the 
Commission or designated examining authorities, are intended to 
facilitate swift and appropriate action to minimize the impact of the 
security breach.
---------------------------------------------------------------------------

    \44\ A broker-dealer's designated examining authority is the 
self-regulatory organization (``SRO'') of which the broker-dealer is 
a member, or, if the broker-dealer is a member of more than one SRO, 
the SRO designated by the Commission pursuant to 17 CFR 240.17d-1 as 
responsible for examination of the member for compliance with 
applicable financial responsibility rules (including the 
Commission's customer account protection rules at 17 CFR 240.15c3-
3).
---------------------------------------------------------------------------

    The data security breach response provisions of the proposed 
amendments include elements intended to provide firms in the securities 
industry with detailed standards for responding to a breach so as to 
protect against unauthorized use of compromised data. The proposed 
standards would specify procedures a covered institution's information 
security program would need to include. These procedures would be 
required to be written to provide clarity for firm personnel and to 
facilitate Commission and SRO examination and inspection. The proposed 
standards are intended to ensure that covered institutions adopt plans 
for responding to an information security breach incident so as to 
minimize the risk of identity theft or other significant investor harm 
or inconvenience from the incident. These proposed procedures also are 
intended to be consistent with security breach notification guidelines 
adopted by the Banking Agencies.\45\
---------------------------------------------------------------------------

    \45\ See Banking Agencies' Incident Response Guidance, supra 
note 23.
---------------------------------------------------------------------------

    Under the proposed amendments, institutions subject to the rule 
would be required to have written procedures to:
    (i) Assess any incident involving unauthorized access or use, and 
identify in writing what personal information systems and what types of 
personal information may have been compromised; \46\
---------------------------------------------------------------------------

    \46\ See proposed paragraph (a)(4)(i) of Section 30.
---------------------------------------------------------------------------

    (ii) Take steps to contain and control the incident to prevent 
further unauthorized access or use and document all such steps taken in 
writing; \47\
---------------------------------------------------------------------------

    \47\ See proposed paragraph (a)(4)(ii) of Section 30.
---------------------------------------------------------------------------

    (iii) Promptly conduct a reasonable investigation and determine in 
writing the likelihood that the information has been or will be misused 
after the institution becomes aware of any unauthorized access to 
sensitive personal information; \48\ and
---------------------------------------------------------------------------

    \48\ See proposed paragraph (a)(4)(iii) of Section 30.
---------------------------------------------------------------------------

    (iv) Notify individuals with whom the information is identified as 
soon as possible (and document the provision of such notification in 
writing) if the institution determines that misuse of the information 
has occurred or is reasonably possible.\49\
---------------------------------------------------------------------------

    \49\ See proposed paragraph (a)(4)(iv) of Section 30. 
Notification could be delayed, however, if an appropriate law 
enforcement agency determines that notification will interfere with 
a criminal investigation and requests in writing a delay in 
notification. We propose to require notification of individuals only 
if misuse of the compromised information has occurred or is 
reasonably possible to avoid requiring notification in circumstances 
in which there is no significant risk of substantial harm or 
inconvenience. If covered institutions were required to notify 
individuals of every instance of unauthorized access or use, such as 
if an employee accidentally opened and quickly closed an electronic 
account record, individuals could receive an excessive number of 
data breach notifications and become desensitized to incidents that 
pose a real risk of identity theft.
---------------------------------------------------------------------------

    We propose to define the term, ``sensitive personal information,'' 
to mean ``any personal information, or any combination of components of 
personal information, that would allow an unauthorized person to use, 
log into, or access an individual's account, or to establish a new 
account using the individual's identifying information,'' including the 
individual's Social Security number, or any one of the individual's 
name, telephone number, street address, e-mail address, or online user 
name, in combination with any one

[[Page 13698]]

of the individual's account number, credit or debit card number, 
driver's license number, credit card expiration date or security code, 
mother's maiden name, password, personal identification number, 
biometric authentication record, or other authenticating 
information.\50\ This definition is intended to cover the types of 
information that would be most useful to an identity thief, and to 
which unauthorized access would create a reasonable possibility of 
substantial harm or inconvenience to an affected individual.
---------------------------------------------------------------------------

    \50\ See proposed paragraph (d)(10) of Section 30.
---------------------------------------------------------------------------

    The amendments also would require an institution to provide notice 
to the Commission as soon as possible after the institution becomes 
aware of any incident of unauthorized access to or use of personal 
information in which there is a significant risk that an individual 
identified with the information might suffer substantial harm or 
inconvenience, or in which an unauthorized person has intentionally 
obtained access to or used sensitive personal information.\51\ This 
requirement would allow Commission and SRO investigators or examiners 
to review the notices to determine if an immediate investigative or 
examination response would be appropriate. In this regard, it is 
crucial that institutions respond promptly to any follow-up requests 
for records or information from our staff or the staff of the 
designated examining authority.\52\ Under the proposed amendments, a 
prompt response in accordance with existing Commission guidance on the 
timely production of records would be particularly important in 
circumstances involving ongoing misuse of sensitive personal 
information.
---------------------------------------------------------------------------

    \51\ See proposed paragraph (a)(4)(v) of Section 30.
    \52\ See generally 15 U.S.C. 21(a) (investigative requests); 17 
CFR 240.17a 4(j) (examinations of broker-dealers); 17 CFR 275.204-
2(g) (examinations of investment advisers).
---------------------------------------------------------------------------

    The regulatory notification requirement in the Banking Agencies' 
guidance requires a report to the appropriate regulator as soon as 
possible after the institution becomes aware of an incident involving 
unauthorized access to or use of sensitive customer information.\53\ 
Our proposed notice requirement differs from the Banking Agencies' 
approach in that it would require notice to the Commission (or a 
designated examining authority) when an incident of unauthorized access 
to or use of personal information poses a significant risk that an 
individual identified with the information might suffer substantial 
harm or inconvenience, or in which an unauthorized person has 
intentionally obtained access to or used sensitive personal 
information. The proposed notice requirement is intended to avoid 
notice to the Commission in every case of unauthorized access, and to 
focus scrutiny on information security breaches that present a greater 
potential likelihood for harm. We believe that this approach would help 
conserve institutions', as well as the Commission's, administrative 
resources by allowing minor incidents to be addressed in a way that is 
commensurate with the risk they present. The information to be included 
in the notice would allow the Commission or a broker-dealer's 
designated examining authority to evaluate whether any legal action 
against a would-be identity thief or other action is warranted in light 
of the circumstances. A broker-dealer, other than a notice-registered 
broker dealer, w