Financial-services firms, along with other businesses holding sensitive customer data in digital form, have to be more diligent as new state regulations to enhance data security take effect.
A financial industry expert says that while financial-services firms will comply as needed, they already follow their own best practices and the new laws are simply an additional costly burden.
Increasingly, states are taking on a greater role in regulating data security that goes beyond simply notifying customers of a breach. Now some states are requiring encryption of data at rest, in transit and even on portable devices like laptops.
Massachusetts is slated to enact new rules Jan. 1, 2010 requiring encryption of data, including data on mobile devices, such as laptops, PDAs and USB drives. It is one of the first states to extend security regulations this far.
Although the law applies to all businesses that hold sensitive customer data, financial institutions already abide by federal and industry regulations and are confident they can secure data without new state regulations, said Doug Johnson, vice president of risk management policy for the American Bankers Association.
"We are accustomed in financial services to looking at this stuff on a risk-based basis… and making a lot of those individual determinations about levels of encryption and the like ourselves," Johnson said.
The Massachusetts regulations will add to overhead, Johnson said, because of a provision requiring third-party security system audits to ensure compliance. Consulting firms already charge financial companies for PCI compliance audits and charge an additional amount for federal compliance audits. He said that if an institution also has to comply with various state laws, audit costs will rise further.
"You see where you get to death by a thousand cuts," Johnson said.
The rules were scheduled to take effect Jan. 1, 2009, but as the economy worsened last November, the state postponed the effective date five months to give businesses a break, a delay the ABA actively sought, Johnson said. Then in February the Massachusetts Office of Consumer Affairs and Business Regulation (OCABR) announced the extension to Jan. 1, 2010 in order to give businesses time to implement the necessary protections.
Nevada, meanwhile, took a step toward better data protection when its new law took effect Oct. 1, 2008, requiring encryption of personal information "outside the secure system of the business," meaning beyond the firewall. It defines personal information as a consumer's name along with either their Social Security number, driver's license number or credit card number, and any pass codes that could provide access to account information.
California, which enacted one of the first data breach notification laws in the nation in 2003, expanded that law in 2008 -- beyond its original focus on personal financial information such as credit card numbers -- to also cover breaches of health care information.
With growing state regulation, some federal regulation and industry-specific requirements, such as the Payment Card Industry Data Security Standard (PCI DSS), businesses have a lot of regulatory trap doors to avoid falling through. Various law firms are hosting client seminars or webinars, or advising clients one-on-one, on what the new laws mean.
"We are hearing clients ask about compliance mechanisms," said Marc Zwillinger, a partner and expert on data security legal issues, with the Sonnenschein law firm in Washington, D.C.
Compliance gets complicated as regulations cover not just data at rest, but data in transit and data stored on portable devices. Massachusetts solicited information about breaches for a year after Gov. Deval Patrick signed legislation creating the enhanced security in August 2007. The OCABR received reports of 320 data breaches affecting the records of more than 625,000 Massachusetts residents. Sixty percent of those cases were criminal acts in which laptops or hard drives were stolen; the rest were instances of employee error or otherwise sloppy handling of data. In 75% of cases, the data at risk was not encrypted.
And that's just one state. Attorney Zwillinger points to PrivacyRights.org, which chronicles data breaches that have exposed or potentially exposed 253 million data records in the U.S. since it started tracking them in 2005.
This volume of breaches explains why states are requiring encryption of data, not just notification of breaches, and why the toughest state regulation may be a de facto national law for companies that operate in several states. For example, if a business is based in Wisconsin and conducts most of its business there, but has even just one customer in Massachusetts where the data protection laws are stricter, the cheaper and easier solution is to conduct all business in accordance with the stricter Massachusetts laws.
"Yes, as a practical matter you have to comply with the regs in the most highly-regulated state," said information technology security lawyer Robert Brownstone. This is especially the case for businesses that engage in interstate commerce, he added.
Brownstone offers an unusual analogy to describe a company's obligation to protect its data: Think of your data as a duck.
The duck, full of customer records, credit card and Social Security numbers, etc., is paddling across a pond. Think of the security, encryption and policies to protect that data as though they are riding on the duck's back. Wherever that duck paddles around the pond, flies to another pond, or flies from North to South for the winter, the rules fly with him.
"You need to think of the information itself as mobile," said Brownstone, director of the law and technology practice at Fenwick & West, a law firm in Palo Alto, Calif.
In advising his clients about regulatory compliance, he finds some still unaware of the overall risk. While generally conscientious, some remark that they don't hold a lot of personal information about their customers. Brownstone reminds them, though, that information about their employees, partners or trade secrets is sensitive, too, and needs to be protected.
"It's not that companies aren't concerned about customer data but they don't think about the universe of what needs to be kept confidential as broadly as they should," Brownstone said.
His advice to clients breaks down into two main areas: proactive, a set of protections in place to prevent a breach; and incident response, the procedures in place to notify customers of a breach and rectify the situation. Given that there are as many as 40 state regulations governing data breaches, plus those various federal and industry standards, Brownstone advises clients to look at a range of security measures and decide which ones are appropriate for their security risks.
Companies should first look at their security situation from a high level: assess the overall risk and the variety of tools and approaches available, and develop a sense of the minimum level of security required, what further steps could secure their data even better, and what it would take to lock down their data completely, on the level of Fort Knox. Then companies can home in on the level of security necessary for their situation and their budget, Brownstone said.
Although the law firm is not a network security consultant, Brownstone fields questions from clients about what kind of technology they should buy.
"We try to give them ideas and multiple choices of vendors," he said.
The State of Nevada, meanwhile, provides a list of suggested vendors on its Office of Information Security website.
Further complicating the choices faced by companies is the vagueness of the regulations as to exactly how to secure the data, argued Brownstone. "The more vague the directives are, the more they are in a quandary as to what to do."
But that vagueness is deliberate, explains Daniel Crane, undersecretary of the Massachusetts OCABR. Given that network security is ever changing, the state would be wrong to lock businesses into a particular technology or vendor now.
"What we are saying in our definition [of encryption] is a result, but we have not dictated what the technology is. That is an effort to try to be flexible and to encourage innovation," Crane said.
About the author: Robert Mullins is a reporter covering the technology industry from Silicon Valley. He writes about servers, storage, security, open source software and other topics.