Great article [“Panels describe risks of noncompliance with Mass. data protection law”]. Numerous thought-provoking statements in this article and in the legislation itself. My first thought is that this regulation shouldn’t be so shocking, surprising and difficult to comply with. It’s all about doing the right things, as Rebecca Herold stated.
Information Security Officers, IT professionals and consulting firms have been telling the companies for whom they work to do this for years. But many firms, even those that are highly regulated, have traditionally taken a wait-and-see approach since they can’t seem to find the ROI. Locking down USB ports, encrypting hard drives and encrypting mail that contains sensitive data is just too “inconvenient” for them. I ask them, “What’s your reputational risk worth?”
This legislation goes hand in hand with the Red Flags Identity Theft Prevention rule that went into effect Nov. 1, 2008, for similar types of business. After a deeper look, it was determined that there were more than 10 million businesses throughout the country that would need to be examined. That’s nearly 10 million more than the number of examiners in the field to assess them.
While a great deal of the focus for Red Flags is certainly on the banking industry, in terms of governance and enforcement, my car dealer never heard of it. Neither has my attorney friend, who is the compliance officer at the insurance agency that wrote my general liability and errors & omissions policy and also provides my life insurance. They have no such program in place. And what about the gas station that still uses multipart forms to take my credit card information? I better ask the attendant how their efforts are going to comply with MA 201 CMR 17.00 before I fill up.
Legislation is great, if practical, but governance and enforcement are even better. I’d love to hear how the regulators plan to enforce it for those outside the banking sector, which at least makes a strong effort to comply and do the right thing. I also wonder about vendor management. Third-party providers must comply with the regulation by Jan. 1. Thus, it’s incumbent upon those who use third parties to ensure that those controls are in place at those third-party companies.
For the banking industry, the third key point of GLBA 501(b) requires oversight of service providers, meaning that even though you’ve assigned your risk by outsourcing a function or process to another company, you’re not relieved of your responsibility to ensure that controls are in place to protect sensitive data and systems. Heartland sound familiar? Hannaford sound familiar? TJX ring a bell? There are many others out there as well but just not as high profile. There’s always a box of tapes with a few hundred thousand customer names, account numbers and SSNs that’s been lost or misplaced or that fell off the truck. Or a dumpster that’s been raided for the sensitive info that employees have haphazardly discarded, despite policy for proper destruction and disposal.
A formal vendor management program is a requirement! And the banking sector has seen tighter and tighter regulatory scrutiny and examiner focus in this specific area over the past year or two, but there’s still a long way to go. There are very specific components to a sound and compliant vendor management program. These include vendor inventory, status tracking, periodic monitoring, due diligence, contract review, risk rating, reporting and policies and procedures. This is a long haul for those not in the heavily regulated banking sector. So, again, it will come to being all about governance and enforcement and the penalties for noncompliance to make this legislation effective.
And my final thought is that Massachusetts should at least be commended for taking a stand. I’ve read countless critiques of the legislation but haven’t seen anyone state in writing that MA should be commended for doing something to try to protect the consumer. Any time you stick your neck out, you’re bound to get slapped.