US government rules financial firms now have to disclose data breaches within 30 days


Some US financial institutions are now legally required to disclose a security breach within 30 days of its discovery.

The news comes as a result of changes made by the US Securities and Exchange Commission (SEC) to Regulation S-P, a rule adopted to protect the privacy of consumers' personal financial information held by financial institutions. 

The changes require financial institutions such as broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents to let the victims know their data was accessed “as soon as practicable, but not later than 30 days” from the moment the company first learns of the breach.

Detailing the incident

"Over the last 24 years, the nature, scale, and impact of data breaches have transformed substantially," SEC Chair Gary Gensler said, as cited by Ars Technica. "These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors."

When notifying the victims, the organizations must detail what happened, which data was stolen, and what the victims can do to protect themselves. Furthermore, these financial institutions will also need to “develop, implement, and maintain written policies and procedures” that are “reasonably designed to detect, respond to, and recover from unauthorized access to or use of customer information.”

While the update does seem like a good idea, Ars Technica believes it comes with a major loophole: institutions aren’t obliged to notify victims if they deem that the information wasn’t used to cause “substantial harm or inconvenience”, or that such a scenario is unlikely.

Officially titled "Privacy of Consumer Financial Information," this regulation, last updated in 2000, implements privacy provisions of the Gramm-Leach-Bliley Act (GLBA) and is designed to ensure that financial institutions safeguard sensitive customer information and provide notice of their privacy policies and practices.

The amendments will go into effect 60 days after publication in the Federal Register. Larger organizations will have 18 months to comply after the amendments are published; smaller organizations will have 24 months.


Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.
