EPIC Urges SEC to Interpret Harm Broadly in Breach Notifications Rule

On June 5, EPIC filed a letter comment with the SEC supporting the agency’s proposal to amend Regulation S-P (the data “safeguards” rule) to establish a federal standard for data breach notifications for all broker-dealers, investment companies, investment advisors, and transfer agents. The Commission also proposed requiring annual cybersecurity audits by those same entities and by national securities associations, national securities exchanges, and others. EPIC supports the data breach notification and audit requirements, but called on the SEC to expand its definition of harms that would trigger breach notifications. The Commission’s proposed data breach notification rule would apply when the breach is likely to result in “substantial harm or inconvenience”, so the scope of the definition is very important to the rule. EPIC proposed a broader definition that reflects the full scope of harms that can be caused by a breach, and that corrects a circularity issue between the agency’s proposed definitions of “substantial harm or inconvenience” and “sensitive customer information.” More generally, EPIC applauded the agency’s proposals to help companies identify deficient practices and shore up vulnerabilities through annual audits, to incentivize companies to strengthen their data security practices as a way to avoid the reputational costs of sending required breach notifications, and to equip consumers via notification to protect themselves when a company entrusted with their data has failed to safeguard that data.

EPIC regularly comments on regulations and testifies on policies to promote better cybersecurity practices that protect consumer data from unauthorized access and other misuse.