Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


03:00 PM
Avivah Litan, VP, Distinguished Analyst, Gartner (Stamford, Conn.)
Avivah Litan, VP, Distinguished Analyst, Gartner (Stamford, Conn.)
Connect Directly

Mass. Privacy Rule Doesn't Translate to National Standard

To ensure privacy, banks must make someone responsible for information security, document processes and implement basic security technology.

Avivah Litan
A couple of barriers prevent the Massachusetts privacy regulation from becoming a model for a national standard.

First, the real victims here are the consumers -- not the businesses whose systems are eventually breached (unless they have to disclose the breach, in which case they suffer a loss in reputation and potential fines). Very few states are as progressive as Massachusetts and willing to advocate for consumer rights at this level.

Second, the State of Massachusetts will be unable to proactively enforce this rule -- it simply doesn't have the resources or budget to do so. It will have to prosecute violators that come to its attention because of egregious violations. That means many companies may simply strive to stay under the radar here and evade authorities' attention.

This is very different from the PCI Data Security Standard rules governing protection of credit and debit card data. In the case of cards, the banks and card issuers lose real money when there is a breach at a third-party retailer or processor -- hence they have a very clear and direct motivation to make sure card acceptors, transmitters and processors protect the card data.

To really ensure the safety of personally identifiable information (PII), the business process has to change -- many banks and others still have to make someone responsible for the security and privacy policy protecting PII data. In addition institutions need to document their policies, processes and controls. Finally they need to implement the basic security technology around this data, which includes but is not limited to:

1. Strong network segmentation so that PII data is walled off from the rest of the enterprise network and only those people and programs that absolutely must access the PII data are allowed to do so.

2. Data protection technology, including encryption of PII data and sound key management practices.

3. Access controls around PII data.

4. Audits of all access to PII data.

Massachusetts Privacy Regulations Are Step in the Right Direction
Mass. Privacy Rule Doesn't Translate to National Standard
New Encryption, Vendor Privacy Requirements Good for Banks
Banks Spend in Wrong Privacy Areas

Comment  | 
Print  | 
More Insights
Register for Bank Systems & Technology Newsletters
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.