Compliance Blog

Aug 11, 2010

Massachusetts Privacy Law; Any Authors Out There?

Posted by Anthony Demangone

OK, here's a tidbit from San Francisco: The new Massachusetts Privacy Rule.  First, here are some useful links:

The rule creates data security requirements for anyone who holds "personal information" of a Massachusetts resident.  The reach of the rule is long - Massachusetts believes it applies to all entities in the U.S. who hold such data.  It went into effect on March 1, 2010. 

But wait...don't FCUs have to comply with federal security regulations?  Yes, but those regulations were written under the Gramm-Leach Bliley Act.  That Act does not preempt state laws that offer greater protection.

The Massachusetts requirements are very similar to NCUA's security regulation, but not identical.  The one difference that caught my eye is found under section 17.04.  It deals with encryption.

*******

17.04: Computer System Security Requirements

Every person that owns or licenses personal information about a resident of the Commonwealth and electronically stores or transmits such information shall include in its written, comprehensive information security program the establishment and maintenance of a security system covering its computers, including any wireless system, that, at a minimum, and to the extent technically feasible, shall have the following elements:

(1) Secure user authentication protocols including:

(a) control of user IDs and other identifiers;

(b) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;

(c) control of data security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;

(d) restricting access to active users and active user accounts only; and

(e) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system;

(2) Secure access control measures that:

(a) restrict access to records and files containing personal information to those who need such information to perform their job duties; and

(b) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls;

(3)Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly.

(4) Reasonable monitoring of systems, for unauthorized use of or access to personal information;

(5) Encryption of all personal information stored on laptops or other portable devices;

(6) For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.

(7) Reasonably up-to-date versions of system security agent software which must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.

(8) Education and training of employees on the proper use of the computer security system and the importance of personal information security.

*******

NCUA's security regulation does not have such a clear mandate for encrypted data. (Appendix A of Part 748 indicates that credit unions should use encryption, if appropriate.)  While Massachusetts has limited resources and won't be able to enforce this rule in every corner of the U.S., I wanted to make you aware of this new expectation.

***

So, you think you can dance write? One of my friends at Sheshunoff forwarded this:

Become a Published Writer.  Sheshunoff Information Services is looking for experienced content experts with strong organizational and writing skills for quarterly updating of its publications. Sheshunoff publishes authoritative, timely, and practical guidance for financial institution professionals. Whether your expertise is in policy drafting, information technology, or compliance – this is your opportunity to share your valuable expertise with financial institutions across the country.

Interested?  Email them.