Privata Vox® Blog

The SEC’s Proposed New Data Security Rules

U.S. Securities and Exchange Commission Logo with data and legal icons

A March 15 proposal by the Security and Exchange Commission (SEC) to amend the Gramm-Leach-Bliley Act Safeguard’s Rule will require financial institutions and their data processors (i.e., secure shredders, ITADs, managed service providers, etc.) to seriously rethink and retool their data protection contracts, recordkeeping, and policies and procedures.

Here’s What it Looks Like

The proposal specifies increasing safeguards related to customer information, including requiring that service provider contracts have language related to notifying the financial institution in the event of a potential data security incident.

In addition, the SEC proposal requires both the financial institutions and service providers to augment their written incident response procedures, requiring them to 1) define and identify what constitutes an incident, 2) include procedures for containing and controlling such incidents when the definition is met, and 3) describe the procedures for executing the required incident investigation and, if warranted, the notification.

For a managed services provider, for instance, one possible incident could be allowing unauthorized access to the credentials for a client network. For an ITAD service provider, on the other hand, it would be a discrepancy in an asset inventory transferred to their custody.

What Happens Next?

After the SEC proposal hits the Federal Register (any day now), there will be a public comment period. As for the compliance date, a year is a reasonable guess. (Remember, this is not a new law. It is “rulemaking” of an existing law, which is much easier lift and has a much shorter runway.)

In the meantime, financial institutions and their service providers can get ahead of this by appropriately revising their:

1) Incident Response Procedures

2) Contract language re service providers (in the case of financial institutions)

3) Contract language re subcontractors (in the case of service providers)

4) Written procedures for safeguarding and disposing of customer information

5) Checks and balances for validating & demonstrating compliance

In light of the above, and in the face of the growing tide of new regulatory proposals and new data protection regulations, financial institutions and their service providers would be doing themselves “a solid” by being proactive, not only on what is described above, but in all matters related to information security and operational resiliency.

You don’t need me or anyone else to tell you that ESG is a big deal. Let’s not forget that the “G” stands for “Governance” and, in the scheme of things, privacy compliance, and personal and proprietary information protection make up a pretty big slice of the Governance pie.

Note: While there is overlap, the SEC proposal discussed above should not be confused with the SEC’s concurrent rulemaking proposal on cybersecurity.  More on that soon.

© 2024 Privata Vox, LLC - All Rights Reserved

About Author

Bob Johnson, CSDS, CIPP/US, CIPP/E, is the Principal Advocate at Privata Vox, LLC. Read more about his long career in privacy and data protection policy development.

Bob Johnson Official Portrait

Scan OR Click QR Code below to automatically add to contacts

Related Articles



Subscribe to stay up to date with new blog posts, speaking appearances, and more.

Subscribe To Updates