For organizations with customers in Massachusetts, the Jan. 1, 2010 deadline to comply with the state's data protection law is looming, but many of those in the financial industry shouldn't need to sweat too much if they already comply with other data security and privacy regulations.
However, the law's encryption requirements could require some work, and certain types of financial firms - such as mortgage brokers - may have a lot of catching up to do on the information security front, experts said. UPDATE: Massachusetts officials on Aug. 17 delayed the compliance deadline to March 1, 2010.
201 CMR 17.00 requires businesses to have a written information security program that details where personally identifiable information (PII) resides, how it's being transmitted and how it's being protected. They must also encrypt the data when it's transmitted across the Internet, over wireless networks, or when it resides on laptops and other portable devices.
Other requirements of the law include strong user authentication protocols, monitoring access to residents' personal information, and oversight of third parties with access to personal data.
Consultants who work with financial institutions said the firms have had to comply with the Gramm-Leach-Bliley Act (GLBA) for several years now, so they're well prepared for the Massachusetts data protection law.
"Banks and credit unions won't find they're affected. It's what they've been doing all these years," said Mick Kless, managing partner at Ocean, N.J.-based Regulatory Information Security Compliance (R.I.S.C.) Associates.
But non-banking financial-services firms, such as mortgage brokers and consumer credit counseling services, are scrambling, he said. While they're also required to comply with GLBA, government regulators haven't pressured them on compliance until this year, he explained. Now, they're being pushed to have information security programs and all the other requirements of GLBA, so the Massachusetts law is directly affecting them.
"They've got their hands full," he said. "They need to learn and understand what an information security program really entails and start building that program out," Kless said.
Susan Orr, a financial services consultant who spent 14 years as a banking examiner, said like 201 CMR 17.00, GLBA requires financial institutions to have a written information security program and vendor due diligence. However, an area where the laws differ is encryption, she said.
"It is explicitly pushing encryption," she said. "Regulators have always recommended encryption but this is mandating encryption."
Most financial institutions encrypt laptops and other portable devices, but some portable device platforms - like the iPhone - are more challenging to secure, said Richard Mackey, vice president of consulting at Sudbury, Mass.-based SystemExperts Corp. The Massachusetts law "will put more pressure on organizations to maintain a compliant portable device infrastructure," he said.
But 201 CMR 17.00's encryption and other security requirements could be weakened under a bill being considered by the Massachusetts Senate. And how the law will be enforced is unclear.
"There's no word on how it will be enforced at all," Mackey said. "What infrastructure is there to have any enforcement? It's hard to say right now."
He advises organizations to carefully consider how to comply with 201 CMR 17.0; rushing to meet the letter of the law by Jan. 1 may not be in a company's best interest. "It could be an expensive and likely a long-term project to get these controls in place," he said.
"I recommend looking at any operational exposure that could lead to a compromise. If you can effectively prevent a compromise of the information, then you've reduced the likelihood you'd be found non-compliant," Mackey said. "If you get the operational controls in place, then you can follow up over time, filling out all the documentation and policies."
Orr said financial institutions need to be aware of the Massachusetts law since other states are likely to follow its lead. She noted that Nevada enacted a data protection law last year; a new law signed in late May strengthened the state's data protection requirements.
Mackey agreed, suggesting that a similar law could be created at the federal level: "This is just the first in a series of laws that will be written like this. Complying with this is just the first step towards complying with, say, a federal law that will require similar types of controls.