A new Massachusetts law aimed at protecting personal information went into effect on Monday, and it could ultimately require financial advisors to boost their security measures to protect client data.

The law, Massachusetts 201 CMR 17.00, establishes minimum standards for safeguarding personal information contained in both paper and electronic records. The law applies to any business or entity that owns or licenses, receives, stores, maintains, processes or otherwise has access to personal information.

And that includes any broker-dealer or RIA with one or more clients in Massachusetts.

According to the law, personal information is defined as a person's first and last names, or first initial and last name, in combination with any one or more of the following: Social Security number; driver's license or state-issued I.D. card number; financial account number; or credit or debit card number.

Among other things, the law requires entities that control personal information to designate one or more persons to oversee a comprehensive security program; identify foreseeable internal and external security risks; devise policies regarding employee access to client personal information outside the business premises; and have reasonable restrictions on physical access to records.

In addition, entities must secure user IDs and other identifiers, and have a reasonably secure method of assigning and selecting passwords or other identifier technologies such as biometrics or token devices. They must also restrict access to records and files containing personal information only to those who need that information, assign unique identifications plus passwords that aren't vendor-supplied default passwords, and encrypt all transmitted records containing personal information that travel across public networks.

And there's much more. The full requirements can be found at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.

The maximum fine per violation is $5,000.

"The law deals with issues our industry has been skirting for the past couple of years such as personal privacy, encryption and processes," said Joel Bruckenstein, who spoke during a compliance session devoted to the Massachusetts law at the Technology Tools for Today (T3) conference held two weeks ago in La Jolla, Calif. "My opinion is they'll serve as a template for the rest of the country."

In practical terms, the law means affected advisors will have to do a lot more encryption, be more creative and vigilant about passwords, and maybe even carefully vet their cleaning crews.

"Potentially there's personal information in both an email and an attachment, so both need to be encrypted," said Warren Mackensen, a certified financial planner and president of Pro Tracker Software in Hampton, N.H.

Mackensen, who was the featured speaker at the T3 session focused on the new Massachusetts law, said people need to put more thought into creating passwords because hackers can quickly crack simple password codes of fewer than eight digits by using software readily available online.

He said a potentially good password could be something like: "Amongtheclouds9000." This is an actual password (with the number changed to protect the innocent) that represents a certain mountain that's 9,000 feet high and whose peak is often shrouded in clouds. The point is that it's an easy-to-remember password that's not easy for a hacker to crack.

"Think about old sayings, or non-English by shortening the spelling of words or using symbols for letters such as '@,'" Mackensen said.

A good part of the T3 session dealt with encryption, which uses an algorithm to scramble data so that it is unreadable without the key. The minimum standard is 128-bit encryption, meaning a key space of two to the 128th power, or about 3.4 x 10 to the 38th power possible keys.
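The two numbers the session relies on, the weakness of a short all-digit password and the size of a 128-bit key space, are easy to put side by side. The following is an added example written for this page, not code from the article, from Mackensen, or from Pro Tracker; the guess rate and the dictionary size it uses are constructed assumptions, and the phrase-based estimate at the end is the caveat a practitioner would add: a password built from ordinary words has less effective strength than its character count suggests, because guessing tools try word combinations before they try random characters.

```python
import math
import string

# Character classes an attacker must cover when guessing blindly.
# (Assumption: the attacker knows which classes appear, nothing more.)
CHARSET_SIZES = {
    "lower": len(string.ascii_lowercase),   # 26
    "upper": len(string.ascii_uppercase),   # 26
    "digit": len(string.digits),            # 10
    "symbol": len(string.punctuation),      # 32
}

SECONDS_PER_YEAR = 365 * 24 * 3600


def alphabet_size(password: str) -> int:
    """Size of the alphabet formed by the character classes present in the password."""
    size = 0
    if any(c in string.ascii_lowercase for c in password):
        size += CHARSET_SIZES["lower"]
    if any(c in string.ascii_uppercase for c in password):
        size += CHARSET_SIZES["upper"]
    if any(c in string.digits for c in password):
        size += CHARSET_SIZES["digit"]
    if any(c in string.punctuation for c in password):
        size += CHARSET_SIZES["symbol"]
    return size


def keyspace(password: str) -> int:
    """Number of strings of the same length drawn from the same character classes."""
    return alphabet_size(password) ** len(password)


def entropy_bits(password: str) -> float:
    """Key space expressed in bits, comparable to a cipher key length."""
    return math.log2(keyspace(password))


def brute_force_years(password: str, guesses_per_second: float) -> float:
    """Expected years to find the password by exhaustive search (half the key space)."""
    seconds = keyspace(password) / 2 / guesses_per_second
    return seconds / SECONDS_PER_YEAR


def phrase_entropy_bits(word_count: int, dictionary_size: int, digit_count: int) -> float:
    """Strength if the attacker guesses whole words from a dictionary plus trailing digits.

    This is the realistic model for a password such as 'Amongtheclouds9000':
    three common words and a four-digit number, not 18 random characters.
    """
    return word_count * math.log2(dictionary_size) + digit_count * math.log2(10)


def aes128_keyspace() -> int:
    """Number of possible 128-bit keys, the minimum the article describes."""
    return 2 ** 128


if __name__ == "__main__":
    # Constructed assumption: one billion guesses per second, a modest rate for
    # offline cracking of an unsalted hash on commodity hardware.
    rate = 1e9
    for pw in ("1234567", "Amongtheclouds9000"):
        print(f"{pw!r}: {entropy_bits(pw):.1f} bits, "
              f"~{brute_force_years(pw, rate):.3g} years at {rate:.0e} guesses/s")
    # Constructed assumption: a 10,000-word guessing dictionary.
    print(f"as a 3-word phrase + 4 digits: {phrase_entropy_bits(3, 10_000, 4):.1f} bits")
    print(f"128-bit key space: {aes128_keyspace():.1e}")
```

Run stand-alone, the script shows the seven-digit password falling in a fraction of a second, the 18-character mixed-case password sitting above 100 bits by the blind-guessing model, and the same password dropping to roughly 53 bits once the attacker is assumed to guess dictionary words. Both estimates remain far below the 128-bit key space, which is why the regulation sets that as the floor for data in transit rather than relying on password length alone.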

At the end of the day, even if the new Massachusetts law is copied by other states and starts a trend around the country that forces advisors to invest in tools and processes to safeguard their clients' personal information, the best intentions can be undermined by human laziness and sloppiness.

"Personal information is everywhere in the office," Mackensen said. "We can have all of the technology barriers, but every one of us is the biggest [security] hole. We're the weak link."