A lot has happened since December 2024. So much that you might be forgiven for forgetting that we mentioned two opinions would be coming from the US Supreme Court concerning the powers of federal agencies.
Back before advisors faced a market hopping, skipping and jumping each day on tariff news, we wrote about the Wisconsin Bell v. U.S. ex rel. Heath and San Francisco v. EPA cases. By way of refresher, we summarized those cases as potentially involving two things: 1) the scope of FINRA's authority, as an independent private agency with powers to self-regulate the investment industry, as in Wisconsin Bell, and 2) the extent to which a federal agency can impose a non-specific prohibition with a monetary bite for violation, as in San Francisco v. EPA.
We thought the issues in the latter case might implicate cybersecurity issues for advisory firms. “If the Court decided that the EPA overstepped its regulatory authority and instead was required to be more detailed, then it could be that more agencies, such as those regulating financial advisors, might need to be more specific in their overly broad regulations as well. This could, in an overly broad manner, provide another strike against an overbroad fiduciary duty rule. Additionally, it is worth noting that many of the protections around cybersecurity (on PII) are modeled after HIPAA, which has notoriously vague standards. That could mean a ruling by the Supreme Court against the EPA (and its vague regulations) could change how regulatory agencies such as the SEC and DOL approach cybersecurity regulations.”[1]
In a 5-4 decision, the Supreme Court ruled that the EPA did overreach its authority. The Court found that the EPA had the ability to create specific discharge limits on sewage but had instead remained vague. “Determining what steps a permittee must take to ensure that water quality standards are met is the EPA’s responsibility, and Congress has given it the tools needed to make that determination.”[2] The Court split on what constitutes a limitation. The majority held that a “‘limitation’ is a ‘restriction . . . imposed from without,’ not an end-result requirement leaving permittees to determine necessary steps.”[3] The dissent reasoned that a limitation “can be general as well as specific, and general limitations can call for more specific ones….”[4] For example, “an airline could impose a ‘limitation’ on the weight of checked bags, even though it does not tell passengers what items to pack.” Justice Barrett’s dissent states that there were two regulatory systems at work in the case: one with limits and a second with an outcome-based goal.
In the U.S., cybersecurity of financial institutions falls under a network of laws. Most of the regulation on this topic falls under the Gramm-Leach-Bliley Act (GLBA).[5] GLBA covers both privacy issues (when financial institutions can share information) and security (how institutions protect that information). “The two major rules for implementing this framework are known as the Privacy Rule (Regulation P) and the Safeguards Rule.”[6] Under the GLBA, the Federal Trade Commission was given the power to make rules implementing the Safeguards Rule. It did so in the Standards for Safeguarding Customer Information Rule, which covers personally identifiable information that financial institutions, such as financial advisory firms, must protect from data breaches.[7] That rule is structured in a similar manner to the EPA regulation at issue in the San Francisco v. EPA case in that it sets forth that financial institutions must have a “reasonable information security program.”[8] In other words, it is outcome focused. However, the FTC does set forth nine specific elements financial institutions must meet to be considered reasonable. In some ways, that makes the FTC rule less like the one involved in the San Francisco v. EPA case.
In contrast, the Court in the Wisconsin Bell v. U.S. case was unanimous. It did not delve into the role of the private agency acting in a quasi-governmental capacity because it found that having funds rest in a treasury account for a period of time satisfied a needed element of the case.[9]
It is unclear whether the San Francisco case will impact financial advisors in any capacity. However, out of an abundance of caution, it may be worthwhile for advisors to discuss their cybersecurity programs with compliance and legal counsel in the coming months. We will continue to monitor the courts and Congress for additional developments.
[1] https://www.bcgbenefits.com/blog/digesting-investing-2024
[2] https://www.supremecourt.gov/opinions/24pdf/23-753_f2bh.pdf
[3] https://www.supremecourt.gov/opinions/24pdf/23-753_f2bh.pdf
[4] https://www.supremecourt.gov/opinions/24pdf/23-753_f2bh.pdf
[5] https://www.congress.gov/crs-product/R47434
[6] https://www.congress.gov/crs-product/R47434
[7] https://www.ftc.gov/legal-library/browse/rules/safeguards-rule
[8] https://www.ftc.gov/legal-library/browse/rules/safeguards-rule
[9] https://www.supremecourt.gov/opinions/24pdf/23-1127_k53l.pdf