July 30, 2009

Catherine A. Allen
Financial institutions have been regulated for years under the GLBA Safeguards Rule, which imposes data security requirements similar (but not identical) to those in the Massachusetts Data Security Regulation. The key benefit of the new regulation to the financial services industry is that it now holds third-party vendors directly accountable for protecting personal information. The concern, naturally, will be over the additional impact (and costs) to the industry as each state follows suit with similar (but not identical) legislative initiatives.

The significant new requirement is mandatory encryption. If an entity electronically stores or transmits information on Massachusetts residents, personal information (defined as a name combined with a Social Security, driver's license or financial account number) must be encrypted when it is transmitted over a wireless network or stored on laptops or other portable devices. While many financial institutions already have comprehensive encryption programs, this requirement extends that protection from customer information to employee information as well.

In addition, the regulation reinforces the requirement to take all reasonable steps to verify and monitor third-party vendors and ensure they comply. [The Santa Fe Group, through the multi-industry-based Shared Assessments Program, offers an industry-standard control-assessment approach for use by financial institutions and third-party providers that is being updated to meet these new requirements. The materials are available at shareassessments.org.]


Massachusetts Privacy Regulations Are Step in the Right Direction
Mass. Privacy Rule Doesn't Translate to National Standard
New Encryption, Vendor Privacy Requirements Good for Banks
Banks Spend in Wrong Privacy Areas