privacy-data-security


Privacy and Data Security

Regulatory status current as of June 2026 — verify effective dates, dollar thresholds, and pending rulemakings against current SEC/FINRA/FinCEN sources before advising.

Core Concepts

Regulation S-P (Privacy of Consumer Financial Information)

Regulation S-P (17 CFR Part 248, Subpart A) implements Title V of the Gramm-Leach-Bliley Act (GLBA) for entities regulated by the SEC. It applies to SEC-registered investment advisers, broker-dealers, investment companies, and transfer agents. The regulation has four core components:

Privacy Notice Requirements. Firms must provide an initial privacy notice to each customer no later than the time the customer relationship is established (17 CFR 248.4). The notice must describe: (a) the categories of nonpublic personal information (NPI) collected, (b) the categories of NPI disclosed to third parties, (c) the categories of affiliates and nonaffiliated third parties to whom NPI is disclosed, (d) the customer's right to opt out of certain disclosures, (e) the firm's policies and practices for protecting the confidentiality and security of NPI, and (f) any disclosures required under the Fair Credit Reporting Act (17 CFR 248.6). An annual privacy notice must be delivered at least once in any period of 12 consecutive months for as long as the customer relationship continues (17 CFR 248.5). The FAST Act of 2015 (Pub. L. 114-94, Section 75001) created an exception to the annual notice requirement: a firm that (i) shares NPI only under the exceptions in 17 CFR 248.13, 248.14, and 248.15 (so no opt-out right arises), and (ii) has not changed its privacy policies and practices since the most recent notice it delivered, is not required to send an annual notice. The exception lasts only as long as both conditions hold; once the firm changes its policies or begins sharing outside those exceptions, it must again provide notice before the new sharing begins.

Opt-Out Requirements. Before sharing NPI with nonaffiliated third parties, firms must provide customers with a reasonable opportunity to opt out (17 CFR 248.7 and 248.10). The opt-out notice must be clear and conspicuous and may be delivered with, or as part of, the privacy notice. Exceptions to the opt-out requirement include: (a) disclosures necessary to effect, administer, or enforce a transaction requested or authorized by the customer, (b) disclosures to service providers and joint marketing partners under written contracts that restrict the third party's use of the NPI, (c) disclosures with the customer's consent, (d) disclosures to protect against or prevent fraud, and (e) disclosures required by law (17 CFR 248.13, 248.14, and 248.15). The service provider and joint marketing exception in 248.13 requires a written contract under which the third party agrees to keep the NPI confidential and to use it only for the purposes for which it was disclosed; a firm relying on that exception must also have disclosed the sharing in its privacy notice.

Safeguards Rule. Section 248.30(a) requires every covered institution to adopt written policies and procedures that address administrative, technical, and physical safeguards for the protection of customer records and information. Administrative safeguards typically include designating a responsible employee or officer, conducting risk assessments, training employees, and overseeing service providers. Technical safeguards typically include access controls, encryption, intrusion detection, and monitoring of information systems. Physical safeguards typically include secure storage of records, controlled access to facilities, and proper disposal of documents. The policies must be reasonably designed to: (a) ensure the security and confidentiality of customer records and information, (b) protect against anticipated threats or hazards to the security or integrity of those records, and (c) protect against unauthorized access to or use of those records that could result in substantial harm or inconvenience to any customer. The 2024 amendments to Regulation S-P also require the policies to include a written incident response program for unauthorized access to or use of customer information, including notice to affected individuals as soon as practicable and no later than 30 days after the firm becomes aware of the incident; the compliance dates for those amendments are staggered by firm size, so check them against the currency note above.

Disposal Rule. Section 248.30(b) requires covered institutions that maintain or possess consumer report information, or customer information, to take reasonable measures to protect it against unauthorized access or use in connection with its disposal. Reasonable measures include shredding or burning paper records, erasing or physically destroying electronic media so that the information cannot practicably be read or reconstructed, and contracting with a third-party disposal service only after due diligence and under terms that require proper destruction.

Regulation S-ID (Red Flags Rule)

Regulation S-ID (17 CFR 248.201-202) implements Sections 114 and 315 of the Fair and Accurate Credit Transactions Act (FACTA) for SEC-regulated entities. It requires financial institutions and creditors that hold "covered accounts" to develop and implement a written Identity Theft Prevention Program (ITPP) designed to detect, prevent, and mitigate identity theft.

First Seen
Feb 19, 2026
privacy-data-security — joellewis/finance_skills