Associations Urge SEC to Extend Deadlines on Breach Notification Requirements

"Given the overlapping regulatory frameworks, the current compliance dates do not provide sufficient time for our members to comply with the Amendments and harmonize the requirements against existing state, federal and global privacy requirements ... our members have faced significant challenges when preparing to comply with the Amendments[.]"
SIFMA et al., Letter to SEC

Financial and trade associations urged the SEC to extend the compliance dates on adopted rule amendments intended to enhance the privacy of consumer financial information and safeguard personal information.

Among the signatories, SIFMA, SIFMA AMG, the ABA, the Bank Policy Institute, the Institute of International Bankers, the Investment Adviser Association, the Investment Company Institute, the Insured Retirement Institute and the Committee of Annuity Insurers (collectively, "associations") asked the SEC to extend the compliance dates for the adopted amendments to Regulation S-P ("Privacy of Consumer Financial Information and Safeguarding Customer Information") by at least 12 months.

The SEC final rule amendments mandated that covered institutions "adopt written policies and procedures for incident response programs to address unauthorized access to or use of customer information, including procedures for providing timely notification to individuals affected by an incident involving sensitive customer information with details about the incident and information designed to help affected individuals respond appropriately. In addition, the amendments extend[ed] the application of requirements to safeguard customer records and information to transfer agents; broaden[ed] the scope of information covered by the requirements for safeguarding customer records and information and for properly disposing of consumer report information; impose[d] requirements to maintain written records documenting compliance with the amended rules;" and imposed other recordkeeping requirements. (See also, previous coverage.)

In their letter to SEC Chair Atkins, the associations said they believe their request falls within the President's Memorandum for a regulatory freeze. (See related coverage.) The associations emphasized that the current compliance deadlines—December 3, 2025 for large entities and June 3, 2026 for smaller entities—do not provide sufficient time for covered institutions to comply given the operational and contractual changes required. The associations pointed to major challenges, such as the need to renegotiate third-party vendor contracts to incorporate 72-hour breach notification requirements, overhaul internal policies and procedures to address expanded definitions of "customer information" and coordinate compliance across overlapping federal, state and global privacy frameworks.

The associations warned that without an extension, firms could face increased compliance burdens without corresponding cybersecurity benefits, and that the 30-day incident notification requirement risks leading to duplicative and premature notices to consumers. They also noted that forensic investigations typically take longer than 30 days and that over-notification could desensitize consumers.

The associations also urged the SEC to consider further amendments to better harmonize Regulation S-P with existing privacy laws.
