
Top 5 Corporate Compliance Challenges for Financial Services Firms

With data security breaches continuing to make the news, legislatures and regulators are focusing their attention on enforcing data protection. For the businesses involved, this has meant fines, lawsuits, and lost customers.

As a result, new data breach notification laws and the codification of industry-specific standards have made compliance with data protection rules a top priority for financial services firms in 2010. With political pressure continuing, it is all but certain that compliance requirements will become even more stringent.

This article examines the top 5 regulations financial services companies need to pay attention to, and what can be done to keep compliance from becoming a never-ending treadmill:

1. PCI DSS (Payment Card Industry Data Security Standard)

PCI DSS, governed since 2006 by the PCI Security Standards Council, was introduced to encourage and enhance the protection of cardholder data. Tackling cardholder data protection continues to be challenging: a 2009 Ponemon Institute study found that 71 percent of companies do not treat PCI DSS as a strategic initiative and that 79 percent have experienced a data breach.

The findings indicate that the main obstacle to PCI DSS compliance is cost. However, as high-profile breaches have shown, the cost of not protecting cardholder data is much higher.

2. GLBA (Gramm-Leach-Bliley Act)

Despite being in existence for more than a decade, GLBA continues to require the attention of the financial services industry. The Act governs the collection, disclosure, and protection of consumers' nonpublic personal information (NPI), the financial-sector equivalent of personally identifiable information. In its 2009 report, Trust Catalyst found financial services IT departments still working on GLBA compliance.

3. State Data Breach Notification Laws

More than 5 years ago, California took the lead by enacting the first data breach disclosure law, SB 1386. Since then, over 40 states have passed laws mandating that companies notify consumers if they lose the consumer's personal data. Most of these laws require companies to disclose a breach to affected customers promptly. They also provide a "safe harbor" for data that was encrypted, on the reasoning that lost ciphertext is useless to anyone who might try to use it; in practice that protection holds only if the encryption key was not also exposed in the same incident.

4. Massachusetts and Nevada Data Protection Laws

One of the most significant evolutions in compliance is the rise of mandatory data protection laws. Enacted now in Massachusetts and Nevada, these laws require businesses to take proactive steps to protect sensitive customer data. The Massachusetts data protection regulations (201 CMR 17.00) came into effect on January 1, 2010 and mandate encryption of personally identifiable information (PII) transmitted over public networks or wirelessly, and of PII stored on laptops and other portable devices.

Nevada's SB 227 went even further by mandating compliance with the payment card industry data protection standard (PCI DSS) for businesses in the state that accept payment cards.

5. HIPAA (Health Insurance Portability and Accountability Act)

According to a Trust Catalyst report (2009 Encryption and Key Management Industry Benchmark Report), 53 percent of the organizations surveyed are planning encryption projects to comply with HIPAA for the protection of patient and employee healthcare information. This renewed focus on HIPAA compliance is due to the introduction of HITECH (Health Information Technology for Economic and Clinical Health Act). HITECH requires covered entities and their business associates to notify the affected individuals and the federal government following a breach of unsecured protected health information; as with the state laws, properly encrypted data falls outside the notification duty.

Conclusion

All of these compliance requirements, new and not so new, suggest that the focus should be not on compliance for its own sake but on data protection in general. A balanced risk management and data protection strategy will yield the required compliance; otherwise, a business can spend all its energy on specific requirements instead of on the common threads. While no single technology or regulation can claim to provide complete security or compliance, end-to-end encryption can significantly reduce the risk of data breaches and provides a common path to the end goal.

Because most new data protection regulations either specify encryption as the basis for safe harbor or mandate its use outright, it has become much riskier for organizations to keep waiting while critical information such as healthcare and credit card data sits unencrypted on backup tapes and in databases. When it comes to protecting credit card and patient data, encryption is one of the most effective means available. Combining encryption with effective key management goes a long way toward helping organizations achieve both their compliance and their IT operations objectives.

**********

About the Author

Kevin Bocek is the director of product marketing at Thales (www.thales-esecurity.com), a leading international encryption and key management solutions provider. The company's technologies encrypt and protect more than 70 percent of ATM and point-of-sale transactions globally, and its customers include all of the world's 10 largest banks.

With operations in 50 countries and 68,000 employees, Thales is a global technology leader for the aerospace, space, defence, security and transportation markets. Building on proven capabilities in large-scale software systems, Thales is stepping up to the security challenges of its customers in an increasingly interconnected, technology-driven world. Civil and military systems benefit from many of the same technologies and innovations. Developing these dual technologies has been a long tradition for Thales, with its global network of 25,000 high-level researchers and engineers. Leveraging a global presence and spanning the entire value chain, from prime contracting to equipment, Thales plays a pivotal role in making the world a safer place.
