Bank Systems & Technology is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them. Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:15 PM
Catherine A. Allen, Chairman and CEO, The Santa Fe Group (Santa Fe, N.M.)
Catherine A. Allen, Chairman and CEO, The Santa Fe Group (Santa Fe, N.M.)
Connect Directly

New Encryption, Vendor Privacy Requirements Good for Banks

New Massachusetts Data Security Regulation adds encryption, vendor responsibility to the privacy mix.

Catherine A. Allen
Financial institutions have been regulated for years under the GLBA Safeguards Rule, which includes data security regulations that are similar (but not identical) to those found in the Massachusetts Data Security Regulation. The key benefit of the new regulation to the financial services industry is that it now holds third-party vendors directly accountable to protect personal information. The concern, naturally, will be over the additional impact (and costs) to the industry as each state follows suit with similar (but not identical) legislative initiatives.

The significant new requirement is mandatory encryption. If an entity electronically stores or transmits information on Massachusetts residents, encryption of personal information (defined as name combined with either Social Security, driver's license or financial account number) is required when transferred in a wireless environment or when stored on laptops or other portable devices. While many financial institutions have comprehensive encryption programs, this requirement will extend the protection not only to customer information but to employee information as well.

In addition the regulation reinforces the requirement to take all reasonable steps to ensure third-party vendors are verified and monitored to ensure they comply. [The Santa Fe Group, through the multi-industry-based Shared Assessments Program, offers an industry-standard control-assessment approach for use by financial institutions and third-party providers that is being updated to meet these new requirements. The materials are available at]

Massachusetts Privacy Regulations Are Step in the Right Direction
Mass. Privacy Rule Doesn't Translate to National Standard
New Encryption, Vendor Privacy Requirements Good for Banks
Banks Spend in Wrong Privacy Areas

Register for Bank Systems & Technology Newsletters
Bank Systems & Technology Radio
Archived Audio Interviews
Join Bank Systems & Technology Associate Editor Bryan Yurcan, and guests Karen Massey and Jerry Silva from IDC Financial Insights, for a conversation about the firm's 11th annual FinTech rankings.