A new Massachusetts law aimed at protecting personal information went into effect on Monday, and it could ultimately require financial advisors to boost their security measures to protect client data.
The law, Massachusetts regulation 201 CMR 17.00, establishes minimum standards for safeguarding personal information about Massachusetts residents contained in both paper and electronic records. It applies to any business or entity that owns or licenses, receives, stores, maintains, processes or otherwise has access to such personal information.
And that includes any broker-dealer or RIA with one or more clients in Massachusetts.
According to the law, personal information is defined as a person's first and last names, or first initial and last name, in combination with any one or more of the following: Social Security number; driver's license or state-issued ID card number; financial account number; or credit or debit card number.
Among other things, the law requires entities that control personal information to designate one or more persons to oversee a comprehensive written security program; identify reasonably foreseeable internal and external security risks; devise policies governing employee access to, storage of and transport of client personal information outside the business premises; and impose reasonable restrictions on physical access to records.
In addition, and to the extent technically feasible, entities must control user IDs and other identifiers and have a reasonably secure method of assigning and selecting passwords, or use unique identifier technologies such as biometrics or token devices. They must also restrict access to records and files containing personal information to those who need it to perform their job duties, assign each person with computer access a unique identification plus a password that is not a vendor-supplied default, and encrypt all transmitted records containing personal information that travel across public networks or are sent wirelessly.
And there's much more. The full requirements can be found at: http://www.mass.gov/Eoca/docs/idtheft/201CMR1700reg.pdf.
The maximum fine per violation is $5,000.
"The law deals with issues our industry has been skirting for the past couple of years such as personal privacy, encryption and processes," said Joel Bruckenstein, who spoke during a compliance session devoted to the Massachusetts law at the Technology Tools for Today (T3) conference held two weeks ago in La Jolla, Calif. "My opinion is they'll serve as a template for the rest of the country."
In practical terms, the law means affected advisors will have to do a lot more encryption, be more creative and vigilant about passwords, and maybe even carefully vet their cleaning crews.