US government rules financial firms now have to disclose data breaches within 30 days


Some US financial institutions are now legally required to disclose a security breach within 30 days of its discovery.

The news comes as a result of changes made by the US Securities and Exchange Commission (SEC) to Regulation S-P, a rule adopted to protect the privacy of consumers' personal financial information held by financial institutions. 

The changes require financial institutions such as broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents to let the victims know their data was accessed “as soon as practicable, but not later than 30 days” from the moment the company first learns of the breach.

Detailing the incident

"Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially," Ars Technica quoted SEC Chair Gary Gensler as saying. "These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors."

When notifying the victims, the organizations must detail what happened, which data was stolen, and what the victims can do to protect themselves. Furthermore, these financial institutions will also need to “develop, implement, and maintain written policies and procedures” that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”

While the update does seem like a good idea, Ars Technica believes it comes with a major loophole: institutions aren’t obliged to notify victims if they deem that the information wasn’t used to cause “substantial harm or inconvenience,” or if they deem such a scenario unlikely.

Officially titled "Privacy of Consumer Financial Information," this regulation, last updated in 2000, implements privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and is designed to ensure that financial institutions safeguard sensitive customer information and provide notice of their privacy policies and practices.

The amendments will go into effect 60 days after publication in the Federal Register, and larger organizations will have 18 months to comply after modifications are published. Smaller organizations will have 24 months.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.