Soon Your Bank Will Have to Tell You About Any Data Breaches Within 30 Days

If your financial institution suffers a security breach, they’ll have to let you know within 30 days.

The Securities and Exchange Commission adopted changes to Regulation S-P this week, which deals with the treatment of consumers' personal information, Ars Technica reports.

Based on the new amendments, financial institutions will now have to notify any individual whose personal information is compromised due to a breach of their systems “as soon as practicable, but not later than 30 days after becoming aware that an incident involving unauthorized access to or use of customer information has occurred or is reasonably likely to have occurred.”

The update impacts broker-dealers (including funding portals), investment companies, registered investment advisers, and transfer agents.

“Over the last 24 years, the nature, scale, and impact of data breaches has transformed substantially,” says SEC Chair Gary Gensler. "These amendments to Regulation S-P will make critical updates to a rule first adopted in 2000 and help protect the privacy of customers’ financial data. The basic idea for covered firms is if you’ve got a breach, then you’ve got to notify. That’s good for investors.”

Recommended by Our Editors

7 Steps to Avoid Getting Hacked (Again)

The Best Identity Theft Protection Software for 2024

Not Ready for Passkeys? Multi-Factor Authentication Is Still Better Than Nothing

When financial institutions notify customers, they’ll also need to include details about what happened, what data was compromised, and provide information about how the impacted individuals can protect themselves.

The amendments will go into effect 60 days after they’re published in the Federal Register, though larger entities have 18 months to comply and smaller ones have two years.