I am pleased to support the adoption of reforms to Regulation S-P, an existing Commission rule requiring firms to adopt policies and procedures that include safeguards to protect customer records and information.

These reforms will strengthen privacy protections for hundreds of millions of retail investors in our country.

More than two decades ago, Congress enacted legislation, the Gramm-Leach-Bliley Act, that made it possible for financial firms to offer a range of financial services under one roof. One of the main public interest dimensions of the congressional debate centered on the protection of customer privacy, a matter of direct relevance to millions of retail investors.   

As a staffer on the House Financial Services Committee in the late-1990s, I had a front-row seat during the extensive deliberations that shaped the Act’s privacy provisions. Mindful of the implications for millions of consumers, and the opportunities and risks of technological change for our financial system and for the future of our country, privacy proponents in Congress made a compelling case for meaningful customer privacy protections.

The strong public support for these protections was reflected in the overwhelming, bipartisan 427-1 vote in the U.S. House of Representatives in favor of a stand-alone privacy amendment, sponsored by Chairman Mike Oxley (R-OH). The Conference Committee adopted a modified version of this amendment, which was then enacted into law – the source of the Commission’s authority for the reforms being advanced today.

Sec. 501(a) of the Act reads: “It is the policy of the Congress that each financial institution has an affirmative and continuing obligation to respect the privacy of its customers and to protect the security and confidentiality of those customers’ non-public personal information.”

Congress directed the Commission, and other financial regulators, to establish comprehensive standards to ensure the security and confidentiality of customer records and information.

The enhanced protections in the Commission’s reforms will have broad reach: 233 million customer accounts at carrying broker dealers; 51 million clients of registered investment advisers; and 250 million individual accounts at transfer agents.

Rapid technological change is now the norm and more frequent cybersecurity incidents and data breaches add additional risks that warrant Commission action to ensure that the hundreds of millions of affected customers benefit from robust customer privacy protections.

The consequences of cyberattacks and other data breaches, especially when customer personal information is compromised, are real and can result in significant harms.

These risks and consequences make it all the more essential for investors to receive timely notice of breaches. The more time that elapses between a breach and customer notice, the greater the potential damage to affected investors. 

Today’s reforms create a federal minimum standard requiring firms to provide notice to customers as soon as practicable, but no later than 30 days, after firms become aware that unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred. Though not perfect, preserving the standard in the Commission’s original proposal for firms to notify customers when they become aware of a qualifying breach helps protect customers victimized by a breach.

In modernizing the Commission’s rules to adapt to modern realities, and to fulfill Congress’ mandate in a way that serves the public most effectively, we must also ensure that our actions do no harm to applicable state laws that are stronger and more protective of customers. To that end, customers in states with greater protections than those provided for under the federal minimum standard the Commission is advancing today will continue to benefit from those greater protections.

My thanks to Chair Gary Gensler for advancing these important and balanced reforms that will benefit millions of investors in our country.