July 30, 2009

Martha A. Dean
The new Massachusetts security regulation, although well-intended for data protection, may present some challenges to many companies in and out of Massachusetts. Banks are well positioned to comply with the regulation due to the preexisting measures currently in place for data protection and privacy, such as the Gramm-Leach-Bliley Act (GLBA) and other security-related regulatory requirements. Banks currently deploy tools such as virus protection, intrusion detection systems, patch management controls, encryption and firewall rules in order to maintain effective information security controls.

Many companies have or could develop comprehensive security programs consisting of policies, procedures and monitoring efforts. However, it is the encryption standards that may pose a technical challenge faced by many companies. The encryption requirement includes laptops, BlackBerry devices, e-mails, portable devices and more. E-mail encryption solutions alone can be costly and must be well planned for customer acceptance and communication flow.

The intent of the regulation is a step in the right direction to ensure that companies are focused on data security and have an understanding of their network configurations, firewall management, vulnerability testing and remediation, as well as data storage areas. A national standard is probably not too far away based upon the potential risk of compromise on a national level. Overall awareness of information security standards, protective technology, potential threats and effective incident-response activities is good practice on both personal and corporate levels. The dangers are ever-changing, and the ability to protect and defend against such threats is an enormous challenge for everyone.

Massachusetts Privacy Regulations Are Step in the Right Direction
Mass. Privacy Rule Doesn't Translate to National Standard
New Encryption, Vendor Privacy Requirements Good for Banks
Banks Spend in Wrong Privacy Areas