SEC: Financial Orgs Have 30 Days To Send Data Breach Notifications

An anonymous reader quotes a report from BleepingComputer: The Securities and Exchange Commission (SEC) has adopted amendments to Regulation S-P that require certain financial institutions to disclose data breach incidents to impacted individuals within 30 days of discovery. Regulation S-P was introduced in 2000 and controls how some financial entities must treat nonpublic personal information belonging to consumers. These rules include developing and implementing data protection policies, confidentiality and security assurances, and protecting against anticipated threats.

The new amendments (PDF) adopted earlier this week impact financial firms, such as broker-dealers (funding portals included), investment firms, registered investment advisers, and transfer agents. The modifications were initially proposed in March of last year to modernize and improve the protection of individual financial information from data breaches and exposure to non-affiliated parties. Below is a summary of the introduced changes:

- Notify affected individuals within 30 days if their sensitive information is, or is likely to be, accessed or used without authorization, detailing the incident, breached data, and protective measures taken. Exemption applies if the information isn't expected to cause substantial harm or inconvenience to the exposed individuals.
- Develop, implement, and maintain written policies and procedures for an incident response program to detect, respond to, and recover from unauthorized access or use of customer information. This should include procedures to assess and contain security incidents, enforce policies, and oversee service providers.
- Expand safeguards and disposal rules to cover all nonpublic personal information, including that received from other financial institutions.
- Require documentation of compliance with safeguards and disposal rules, excluding funding portals.
- Align annual privacy notice delivery with the FAST Act, exempting certain conditions.
- Extend safeguards and disposal rules to transfer agents registered with the SEC or other regulatory agencies.

Alas, still no fines for breaches.

[supremebob]

Seriously, corporations aren't going to improve their security posture until the fines for NOT doing so are more than the cost of actually improving their IT security.

If they start charging something like $10,000 per person breached with a billion dollar cap... then you'll start seeing some real change. Until then, they'll just keep renewing their cyberinsurance policies and hoping for the best.

Re:

[Baron_Yam]

It's the way the entire system is set up - anything that doesn't involve jail time for the decision makers is just a cost, and the company seeks the path of least costs to highest profits.

They'd be crazy not to pay fines or insurance premiums if that is the least costly path for the company.

So if the lawmakers are serious, we need to start jailing executives.

Re:

[Njovich]

If they start charging something like $10,000 per person breached with a billion dollar cap... then you'll start seeing some real change. Until then, they'll just keep renewing their cyberinsurance policies and hoping for the best.

Yeah nobody would be making software anymore. Nice change. Every single person you and I know has had their data leaked. Nobody I know has had any tangible downsides from it. Maybe we should just stop with the drama about having your address on the internet being a life ending experience.

Oh but stalkers! They already have your address from following you home or a million other ways. Identity theft! They got plenty of profiles already and you have to be really stupid or inlucky to get really affected. Robo c

Proposed way forward

[will4]

Objective:
- Prevent future data breaches and limit the damage possible from future data breaches both in measured economic terms, loss of privacy damage and public image damages
- Not require proof of actual economic damages in order to be compensated for a data breach

Proposal:
- In case of a data breach, the company must make a payment to each and everyone who had data stolen. Payment in the form of a lifelong insurance policy and future date start annuity. Each company with a data breach will add to this

Needs anti-trust like penalty

[will4]

It will take 2 to 3 major companies to be dismantled before corporate leaders will change.

Right now, data breaches are like a $50 speeding ticket given a billionaire.

Is âoeDiscovery âoe well defined?

[WimBo]

Iâ(TM)m sure thereâ(TM)s legalese that will delay when a breach is actually discovered.

Accountability is Un-American

[Required Snark]

Business should only be accountable to the executive suite, and that accountability has only one goal: executive compensation. The Board of Directors is a close second, the shareholders are third, and the workers and customers are useless burdens that only get in the way. That is the natural God given order of the universe, and any other consideration is a woke godless communist sin. Any bureaucrat or lawmaker who defies this natural law is a tool of Satan, and they and their families, friends, acquaintance

Easy Workaround

[StormReaver]

"The breach happened 15 years ago, but we won't discover it for another ten years."

Complete BS, loopholes everywhere.

[Canberra1]

Who decides what is 'serious'. It should be codified. Who defines 30 days .. when it takes years to find 'how serious' bit. Can we add destruction of emails concerning the breach and outside communication channels, like carpark chats and unlogged signal conversations. Yep, full of weasel words. And if notified, I want to know why - and who lost performance bonuses and or lost their job. I also want to see gag orders pertaining to breaches - made illegal, so the fired security guy can tell all.