Privacy Compliance Standards, Remedies and Safeguards: What you need to know
In response to the implementation of MA 201 CMR 17 on March 1, 2010, Eze Castle Integration recently held a webinar to help investment firms develop and maintain a thorough Privacy Compliance program. Covering the essential practices for preventing and properly addressing security breaches, our speakers addressed:
The Privacy Compliance Life Cycle; and
Security Requirements and Solutions.
Before getting into the technology safeguards, let’s take a look at the legal requirements of 201 CMR 17.
Legislative History & Requirements
Beth Boland, Partner at Bingham McCutchen’s Securities Litigation and Privacy & Security Group, opened by highlighting Chapter 82 of The Acts of 2007. Chapters 93H and 93I direct OCABR to promulgate regulations, require notification of breaches, and require the destruction of documents containing personal information (PI).
According to OCABR, the vast majority of reported breaches involve data in transit or data on PDAs, and in 97% of those breaches the data was not encrypted.
MA Data Security & Privacy Regulations
Your firm may not be located in the Commonwealth of Massachusetts, but you may well have investors who reside there; a vacation home in Nantucket may count as a residence if documents are sent to that address. It is therefore essential to fully understand the requirements in order to protect your investors and your fund’s reputation.
The Basic Scope:
Any business, no matter its location, that “owns, licenses, receives, stores, maintains, processes, or otherwise has access to” “personal information” about a resident of Massachusetts must comply. “Personal information” is the combination of a first name (or initial) and last name with a Social Security number, a driver’s license or state-issued ID number, or a financial account or credit/debit card number; exposing that combination unencrypted in the transfer of data is a breach under the regulation.
Identify where PI is stored in your organization, both on paper and electronically.
Develop, instill and maintain a “comprehensive information security program”
Encrypt data in transit and on PDAs “to the extent technically feasible.” Encryption is not synonymous with password protection: the data itself must be transformed so that it is unreadable without the key and must be decrypted to become readable again, rather than simply sitting in the clear behind a login prompt.
Oversee your third-party service providers handling PI. Furthermore, there is a duty to select capable vendors.
Ensure the security program is “consistent with” industry, federal and state standards.
To build a “Comprehensive Information Security Program,” a business is expected to:
Designate person(s) responsible for maintaining the program;
Work to identify and assess “reasonably foreseeable” risks of leaking PI;
Develop security policies for employees handling PI;
Impose disciplinary actions for breaches; and
Prevent terminated employees from accessing PI.
It is also essential to regularly monitor practices involving the transport of and access to PI. If there is a breach, conduct a comprehensive, multidisciplinary investigation. By thoroughly addressing the issue, you better protect your fund by demonstrating that you are taking the appropriate steps to remedy the leak.
Standard For Compliance and Remedies
MA 201 CMR 17 works on a sliding scale in terms of remedies: the smaller the business, the less sophisticated a program it is expected to have. Fines range from a minimum of $25 to a maximum of $5,000 per violation. Beyond the size of the firm, the other factors in determining repercussions are the amount of data stored, the resources available, and the need for security and confidentiality.
According to OCABR, financial services firms account for the largest share of breaches affecting Massachusetts residents, at 56%. This means you are high on the radar, and it is imperative to thoroughly address PI leaks.
10 Steps to Take in Properly Addressing a Security Breach
1. Assemble a response team, including IT, Legal, PR and Operations.
2. Close gaps.
4. Notify Regulators (required in almost all states).
5. Notify banks, third-party vendors, and credit card companies/processors.
6. Notify customers impacted.
7. Ensure you are in compliance with Applicable Notification Law.
8. Where appropriate, be sure to draft a press release (potential litigation).
9. Establish a hotline for affected/potentially-affected customers.
10. Document everything.
Protecting Your Investors
Paul DiBlasi, VP of Alternative Investments at IntraLinks, further detailed the damage that can occur if firms do not take appropriate steps to comply with the Massachusetts privacy law. In particular, violations can damage a firm’s reputation, and with the loss of investor confidence, the ability to win allocations and retain investors is compromised.
DiBlasi highlighted that a Written Information Security Program (WISP) should be implemented to properly address risks. Steps for protecting data include:
Using encryption technology that meets industry standards;
Restricting employee access to those who need the data to perform their duties;
Implementing user authentication;
Regularly monitoring for unauthorized use; and
Holding service providers to the same standards.
Solutions for data in storage and “in transit” are available in the form of SSL (Secure Sockets Layer) and Digital Rights Management (DRM) technology. You may already use these in practice without knowing the terminology.
SSL (today’s TLS) is a transport-layer protocol that encrypts the communication channel, not the document: once a file arrives, it sits in the clear on the recipient’s machine. Browsers indicate an SSL connection with a small lock icon.
DRM goes further in that it encrypts the documents themselves and authenticates users. The real value in DRM is that it lets you control what recipients do with the information (access, forwarding, printing and print screen). These controls can prevent your investors from sharing investor letters and risk reports with unauthorized parties such as Bloomberg, Dealbreaker.com or The Wall Street Journal. Bear in mind that the controls apply only inside the DRM viewer; a recipient can still photograph a screen, so treat DRM as a strong deterrent rather than an absolute guarantee.
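The distinction between channel encryption and document encryption, and the earlier point that password protection is not encryption, is easiest to see in code. The following Go program is an added example and is not code from the webinar, Eze Castle Integration or IntraLinks. The “PasswordGated” type is a hypothetical model of a login gate in front of plaintext; “EncryptDoc” shows what the regulation means by transforming the data itself, using AES-256-GCM from Go’s standard library so the document stays protected regardless of how the channel carries it. The investor record is constructed test data.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"io"
)

// Constructed sample investor record; the numbers are well-known test values, not real PI.
var sampleRecord = []byte("John Sample | SSN 078-05-1120 | Acct 4111111111111111")

// PasswordGated models "password protection" as the page describes it: a check that
// stands in front of the data while the stored bytes remain plaintext. Hypothetical type.
type PasswordGated struct {
	passwordHash [32]byte
	Stored       []byte
}

func NewPasswordGated(password string, doc []byte) PasswordGated {
	return PasswordGated{passwordHash: sha256.Sum256([]byte(password)), Stored: doc}
}

// Open enforces the gate; anyone who reads the backing store directly bypasses it.
func (p PasswordGated) Open(password string) ([]byte, error) {
	if sha256.Sum256([]byte(password)) != p.passwordHash {
		return nil, errors.New("wrong password")
	}
	return p.Stored, nil
}

// ContainsPlaintext reports whether the stored bytes still contain the original document.
func ContainsPlaintext(stored, doc []byte) bool {
	return bytes.Contains(stored, doc)
}

// NewKey draws a random 256-bit key. In production the key lives in a KMS or HSM,
// never beside the ciphertext.
func NewKey() ([32]byte, error) {
	var k [32]byte
	_, err := io.ReadFull(rand.Reader, k[:])
	return k, err
}

// EncryptDoc transforms the document with AES-256-GCM. Output is nonce || ciphertext || tag;
// nothing of the plaintext survives in it.
func EncryptDoc(key [32]byte, doc []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, doc, nil), nil
}

// DecryptDoc reverses EncryptDoc; a wrong key or a modified ciphertext fails
// authentication instead of yielding silently corrupted output.
func DecryptDoc(key [32]byte, sealed []byte) ([]byte, error) {
	block, err := aes.NewCipher(key[:])
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	if len(sealed) < gcm.NonceSize() {
		return nil, errors.New("ciphertext too short")
	}
	nonce, ct := sealed[:gcm.NonceSize()], sealed[gcm.NonceSize():]
	return gcm.Open(nil, nonce, ct, nil)
}

func main() {
	gated := NewPasswordGated("hunter2", sampleRecord)
	fmt.Println("password-gated copy still holds plaintext:", ContainsPlaintext(gated.Stored, sampleRecord))

	key, _ := NewKey()
	sealed, _ := EncryptDoc(key, sampleRecord)
	fmt.Println("encrypted copy holds plaintext:", ContainsPlaintext(sealed, sampleRecord))
	plain, err := DecryptDoc(key, sealed)
	fmt.Println("right key recovers record:", err == nil && bytes.Equal(plain, sampleRecord))
	wrong, _ := NewKey()
	_, err = DecryptDoc(wrong, sealed)
	fmt.Println("wrong key rejected:", err != nil)
}
```

The gated copy is exactly what an attacker finds on a lost laptop or a misconfigured share: the password check lives in the application, not in the bytes. The encrypted copy is useless without the key, which is why the regulation treats only the transformation as encryption.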
Data Mapping & the Privacy Compliance Lifecycle
Matt Bretan, Director of Strategic Consulting at Eze Castle Integration, closed our live web event by detailing the process of data mapping. Funds must understand where PI originates, where it sits within the infrastructure (paper and electronic) and exactly who has access to it. Perhaps most importantly, firms should know whether that PI is ever sent outside the protected network.
Another topic covered was the Privacy Compliance Lifecycle, which is a continuous loop.
The first step is identifying operational and technical risks. This means fingerprinting where and how you are storing your PI.
Once you have gathered the specifics, you can recommend policies and procedures to put in place to mitigate those risks.
The final step in a full rotation is training and maintenance. By educating staff and planning maintenance, you keep pace with technology changes that may pose new risks and are better equipped to contain breaches.
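The “fingerprinting” step of the lifecycle, and the PI definition given earlier under The Basic Scope, can be turned into a scanner that walks data sources and reports which regulated elements each one holds. The Go program below is an added example, not a tool from Eze Castle Integration or the webinar. It detects Social Security numbers (with the SSA structural rules for area, group and serial) and payment card numbers (with a Luhn check) so that phone numbers, ticket IDs and random digit runs do not pollute the map, masks every hit so the report is not itself a copy of PI, and returns a per-source data map. The file names and their contents are constructed sample data; the numbers are published test values.

```go
package main

import (
	"fmt"
	"regexp"
	"sort"
	"strings"
)

// Finding is one PI element located in a data source. The value is masked so the
// scanner's output does not become another copy of the PI.
type Finding struct {
	Source string
	Kind   string
	Masked string
}

var (
	ssnRe  = regexp.MustCompile(`\b(\d{3})-(\d{2})-(\d{4})\b`)
	cardRe = regexp.MustCompile(`\b(?:\d[ -]?){13,18}\d\b`)
)

// ValidSSN applies the SSA structural rules: area not 000/666/900-999, group not 00,
// serial not 0000. This removes most false positives on dashed numbers.
func ValidSSN(area, group, serial string) bool {
	if area == "000" || area == "666" || area[0] == '9' {
		return false
	}
	return group != "00" && serial != "0000"
}

// Luhn reports whether a digit string passes the Luhn check used by payment card
// numbers; it rejects most random digit runs and typos.
func Luhn(digits string) bool {
	sum, double := 0, false
	for i := len(digits) - 1; i >= 0; i-- {
		d := int(digits[i] - '0')
		if double {
			d *= 2
			if d > 9 {
				d -= 9
			}
		}
		sum += d
		double = !double
	}
	return sum%10 == 0
}

// mask keeps only the last four digits of a value.
func mask(s string) string {
	digits := strings.Map(func(r rune) rune {
		if r >= '0' && r <= '9' {
			return r
		}
		return -1
	}, s)
	if len(digits) <= 4 {
		return "****"
	}
	return strings.Repeat("*", len(digits)-4) + digits[len(digits)-4:]
}

// Scan fingerprints the text of one source and returns the validated PI elements found.
func Scan(source, text string) []Finding {
	var out []Finding
	for _, m := range ssnRe.FindAllStringSubmatch(text, -1) {
		if ValidSSN(m[1], m[2], m[3]) {
			out = append(out, Finding{source, "SSN", mask(m[0])})
		}
	}
	for _, m := range cardRe.FindAllString(text, -1) {
		digits := strings.NewReplacer(" ", "", "-", "").Replace(m)
		if Luhn(digits) {
			out = append(out, Finding{source, "card", mask(digits)})
		}
	}
	return out
}

// DataMap runs Scan over every source and returns, per source, the sorted set of PI
// element kinds present: the map the lifecycle's first step asks for.
func DataMap(sources map[string]string) map[string][]string {
	result := map[string][]string{}
	for name, text := range sources {
		kinds := map[string]bool{}
		for _, f := range Scan(name, text) {
			kinds[f.Kind] = true
		}
		var list []string
		for k := range kinds {
			list = append(list, k)
		}
		sort.Strings(list)
		result[name] = list
	}
	return result
}

// Constructed sample sources; every number below is a published test value, not real PI.
var sampleSources = map[string]string{
	"shared/investors/subscription_agreements.txt": "Jane Sample, SSN 078-05-1120, wire from acct ending 2201",
	"mail/ir-outbox/2010-03-letter.txt":            "Card on file 4111 1111 1111 1111 for J. Sample",
	"shared/marketing/deck.txt":                    "Fund returned 12.5% in Q4; call 617-555-0100",
	"shared/ops/ticket-000-00-0000.txt":            "Ticket 000-00-0000 opened; invoice 1234567812345678",
}

func main() {
	for src, kinds := range DataMap(sampleSources) {
		fmt.Printf("%-48s %v\n", src, kinds)
	}
}
```

In practice the sources would be walked from file shares, mailboxes and document stores, and the resulting map is what tells you which locations need encryption, tighter access or outright deletion, and which paths carry PI outside the protected network.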
Solutions such as fingerprinting your data, preventing unauthorized movement of PI and securing mobile devices will greatly reduce the risk of a damaging breach, which could otherwise lead to aggressive fines, erosion of the fund’s reputation and, ultimately, the loss of investors.