Nagraj Seshadri, director of product marketing, Utimaco Safeware AG

Friday, December 19, 2008

Inside Financial Services Technology

Preparing for new Bay State data compliance

The 2007 data breach at Framingham-based retailer TJX Companies Inc. and the resulting possibility of identity theft for Massachusetts residents have spurred lawmakers to protect residents from considerable inconvenience and financial harm by enforcing the 201 CMR 17.00 regulations. Below are some recommendations for companies that need to demonstrate compliance ahead of the May 1, 2009 deadline.

While some of the existing regulations and standards are aimed at specific industries, 201 CMR 17.00 will affect every company whose operations are linked to residents of Massachusetts, requiring these companies to prove they are protecting the personal information of residents, including names, Social Security numbers and driver's license numbers.

The first requirement of the new legislation is that every affected company must show that it has a comprehensive written information security plan, and at least one employee must be designated to maintain it. Many smaller companies, lacking dedicated IT and security resources, may need to work with their IT consultants to create a custom plan. These companies must ensure their consultant has a security background, of course, because the regulations go well beyond the scope of standard IT processes.

Companies must also pay attention to the physical security of their paper documents. It is useful to look at how cash is protected in companies; only specific employees are allowed to handle cash. Similarly, if sensitive data is now recognized as something of value, the cash example can offer some tips on how one could approach data protection.

Most businesses already have implemented some critical requirements, such as firewalls and anti-virus software. While these existing measures help, they are not sufficient on their own. This brings us to a key technology in securing data — encryption.

The new regulations require laptops, portable media and e-mail to be encrypted, and that encryption keys be secured to ensure adequate protection against data loss. Encryption has long been recognized by security experts as being the most effective way to secure data, by making it unreadable to unauthorized users.

Even the toughest safe is useless if the attacker gains access to the key or lock combination. Businesses should carefully review their password rules and recommendations, and determine whether to invest in automated key management systems that may be coupled with encryption solutions. Smaller businesses have a choice of PC encryption software that provides strong security without the need for elaborate key management systems. While the regulation states that all personal information must be encrypted on PCs, many businesses choose to deploy full disk encryption where all the information stored on the disk is encrypted. Users do not have to pick designated files or directories to encrypt and need not worry about temporary system files that may contain sensitive data.

To encrypt data in motion, such as web traffic, transport layer encryption protocols, such as SSL, are convenient to use and do not require special user behavior. To effectively encrypt and decrypt e-mails, the encryption solution must be deployed on both the sender and receiver sides of the infrastructure. However you decide to do it, encryption is a must in order to conform to the new regulation.

Costs associated with meeting the requirements can be phased: address the highest-risk systems first, then extend protection to other portable devices such as USB thumb drives.

Even the best tools are of limited value if end users are not properly trained, and the new regulations require users to be regularly trained in the security procedures for correct handling of sensitive information. Small businesses should work with their consultants and solution providers to develop custom user training materials.

With a little bit of legwork and planning, and an understanding that regulatory compliance is a continually evolving process — and not a one-off event — every company whose business touches Massachusetts-based residents can overcome their compliance challenges in 2009.

For more information about how these new regulations will affect your business, or for help creating a plan to ensure compliance, visit the “For Business” section of the Massachusetts Office of Consumer Affairs and Business Regulation.

Nagraj Seshadri is director of product marketing and a security industry expert at Utimaco Safeware AG in Foxborough.
