Financial Firms Take Note: HIPAA-esque IT Encryption Regulations (And Big Fines) Are Coming by Cam Roberson, Director of the Reseller Channel for Beachhead Solutions
Authorities enforcing the laws that govern industries dealing with sensitive personal data – such as patients’ HIPAA protections in the healthcare industry – aren’t skittish about levying substantial fines and criminal punishments as a means of enforcement. Financial firms might increasingly start finding this out the hard way, with signals indicating that the sector would be wise to begin taking the same precautions as medical practices when it comes to properly encrypting private client data. A case in point: the Financial Industry Regulatory Authority (FINRA) recently reached a settlement (that included a public censure and $225,000 fine) with Sterne Agee stemming from the loss of a company laptop containing the unencrypted confidential financial and personal information of more than 350,000 customers.
The Securities and Exchange Commission (SEC) and FINRA have each issued reports recommending cybersecurity best practices this year, with the latter organization stating that it “expects firms to consider the principles and effective practices presented in the report as they develop or enhance cybersecurity programs.” The guidance in these reports should be taken as indicative of the SEC and FINRA criteria for judging the effectiveness of a firm’s cybersecurity program in the case of an enforcement action. The FINRA report lays it out in no uncertain terms that the organization is, and will remain, active in carrying out enforcement actions against firms. (And executives themselves aren’t immune from being found personally responsible in cases where customer data is poorly handled or breached.) Since FINRA appears to be taking a harder line in response to breaches of this nature continuing to occur, prudent financial firms ought to take a harder look at their data security strategy and ensure their houses are in order with respect to FINRA’s recommendations.
FINRA’s report does offer principles and practices for firms to follow, the result of a year-long study of cybersecurity programs across a cross-section of financial firms – including large investment banks, clearing firms, online brokerages, high-frequency traders, and independent dealers. FINRA demonstrates an accurate understanding that data security is not one-size-fits-all, and that every firm requires a program custom-fit to its functions and internal structure. In an example case study, the report details an enforcement action against a firm involved in a data breach and theft of around 200,000 customer profiles, including names, bank account numbers, Social Security information, dates of birth, etc. The firm had done penetration testing of its systems, but FINRA determined that the scope of the tests did not adequately detect vulnerabilities in its password management and encryption procedures, which allowed a database of customer data to remain unencrypted and contributed to the breach. Making a good-faith effort isn’t good enough; the firm was fined $375,000.
In other case studies, FINRA cited these factors as reasons for enforcement actions: “failure to safeguard confidential customer information,” “inadequate user access restriction,” and “failure to rapidly remediate a device the firm knew was exposing customer information to unauthorized users.” For firms looking to remedy deficiencies in these areas and avoid similar enforcement actions, FINRA recommends implementing powerful technical controls over data, as well as putting in place policies and procedures that support these data security efforts. Financial entities need the ability to remotely monitor sensitive electronic data across all employee and partner devices that have access, and to promptly terminate access when a device is compromised – as was the case with Sterne Agee and the missing, data-laden laptop.
FINRA notes the central importance of encryption in protecting data, and recommends encrypting both data at rest and data in transit. Properly training staff is noted as a key feature for a successful cybersecurity program as well, as employees are indeed walking security risks if not made to understand proper procedures for handling sensitive customer data (and information such as passwords). In today’s bring-your-own-device world, employees may be working with the firm’s sensitive customer data on their own laptops, phones or tablets, and it’s critical that they know how to handle that access responsibly. Just as importantly, the firm must also have data controls with the ability to revoke access and protect that data remotely if the potential for a data breach arises.
Much like with HIPAA protections and rigid enforcement in the healthcare field – where medical practices are required to diligently defend patient data and protect their customers’ legal privacy rights – FINRA and the SEC are moving to require effective data security programs in the financial sector. Avoiding enforcement actions and securing customer data must now be a top concern of financial firms, not only to avoid steep fines but also to avoid the reputational damage that comes with a public declaration that a firm cannot protect its customers’ private data.
Cam Roberson is the Director of the Reseller Channel for Beachhead Solutions, a company that designs cloud-managed mobile device security tools.