US government rules financial firms now have to disclose data breaches within 30 days

Some US financial institutions are now legally required to disclose a security breach within 30 days of their discovery.

The news comes as a result of new changes the US Securities and Exchange Commission (SEC) made to Regulation S-P, a rule adopted to protect the privacy of consumers’ personal financial information held by financial institutions.

The changes, adopted this Wednesday, require financial institutions such as broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents to let the victims know their data was accessed “as soon as practicable, but not later than 30 days” from the moment the company first learns of the breach.

Detailing the incident

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” Ars Technica cited SEC Chair Gary Gensler. “These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”

When notifying the victims, the organizations must detail what happened, which data was stolen, and what the victims can do to protect themselves. Furthermore, these financial institutions will also need to “develop, implement, and maintain written policies and procedures” that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”

While the update does seem like a good idea, Ars Technica believes it comes with a major loophole: institutions aren’t obliged to notify victims if they deem the information wasn’t used to cause “substantial harm or inconvenience”; or if they deem that such a scenario is unlikely.

Officially titled “Privacy of Consumer Financial Information,” this regulation implements privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and is designed to ensure that financial institutions safeguard sensitive customer information and provide notice of their privacy policies and practices. It was last updated in 2000. The amendments will go into effect 60 days after publication in the Federal Register, and larger organizations will have 18 months to comply after modifications are published. Smaller organizations will have 24 months.