BreachExchange mailing list archives

Financial Firms Take Note: HIPAA-esque IT Encryption Regulations (And Big Fines) Are Coming


From: Audrey McNeil <audrey () riskbasedsecurity com>
Date: Fri, 13 Nov 2015 15:37:06 -0700

http://www.valuewalk.com/2015/11/hipaa-finance/

Authorities enforcing the laws that govern industries dealing with
sensitive personal data – such as patients’ HIPAA protections in the
healthcare industry – aren’t skittish about levying substantial fines and
criminal punishments as a means of enforcement. Financial firms might
increasingly start finding this out the hard way, with signals indicating
that the sector would be wise to begin taking the same precautions as
medical practices when it comes to properly encrypting private client data.
A case in point: the Financial Industry Regulatory Authority (FINRA)
recently reached a settlement (that included a public censure and $225,000
fine) with Sterne Agee stemming from the loss of a company laptop
containing the unencrypted confidential financial and personal information
of more than 350,000 customers.

The Securities and Exchange Commission (SEC) and FINRA have each issued
reports recommending cybersecurity best practices this year, with the
latter organization stating that it “expects firms to consider the
principles and effective practices presented in the report as they develop
or enhance cybersecurity programs.” The guidance in these reports should be
taken as indicative of SEC and FINRA criteria for judging the effectiveness
of a firm’s cybersecurity program in the case of an enforcement action. The
FINRA report lays it out in no uncertain terms that the organization
is and will be active in carrying out enforcement actions against firms.
(And executives themselves aren’t immune from being found personally
responsible in cases where customer data is poorly handled or breached.) As
it appears that FINRA is looking to take a harder line in response to the
fact that breaches of this nature continue to occur, it would follow that
prudent financial firms ought to take a harder look at their data security
strategy and ensure their houses are in order when it comes to acting in
line with FINRA’s recommendations.

FINRA’s report does offer principles and practices for firms to follow, the
result of a year-long study of cybersecurity programs across a
cross-section of financial firms – including large investment banks,
clearing firms, online brokerages, high-frequency traders, and independent
dealers. FINRA demonstrates an accurate understanding that data security is
not one-size-fits-all, and that every firm requires a program custom-fit
for their functions and internal structure. In an example case study, the
report details an enforcement action against a firm involved with a data
breach and theft of around 200,000 customer profiles, including names, bank
account numbers, Social Security information, dates of birth, etc. The firm
had done penetration testing of its systems, but FINRA determined that the
scope of their tests did not adequately detect vulnerabilities in their
password management and encryption procedures, which allowed for a database
of customer data to remain unencrypted and contributed to the breach.
Making a good-faith effort isn’t good enough; the firm was fined $375,000.

In other case studies, FINRA cited these factors as reasons for enforcement
actions: “failure to safeguard confidential customer information,”
“inadequate user access restriction,” and “failure to rapidly remediate a
device the firm knew was exposing customer information to unauthorized
users.” For firms looking to remedy deficiencies in these areas and avoid
similar enforcement actions, FINRA recommends implementing powerful
technical controls over data, as well as putting in place policies and
procedures that support these data security efforts. Financial entities
need the ability to remotely monitor sensitive electronic data across all
employee and partner devices that have access, and to promptly terminate
access when a device is compromised – as was the case with Sterne Agee and
the missing, data-laden laptop.

FINRA notes the central importance of encryption in protecting data, and
recommends encrypting both data at rest and data in transit. Properly
training staff is noted as a key feature for a successful cybersecurity
program as well, as employees are indeed walking security risks if not made
to understand proper procedures for handling sensitive customer data (and
information such as passwords). In today’s bring-your-own-device world,
employees may be working with the firm’s sensitive customer data on their
own laptops, phones or tablets, and it’s critical that they know how to
handle that access responsibly. Just as importantly, the firm must also
have data controls with the ability to revoke access and protect that data
remotely if the potential for a data breach arises.

Much like with HIPAA protections and rigid enforcement in the healthcare
field – where medical practices are required to diligently defend patient
data and protect their customers’ legal privacy rights – FINRA and the SEC
are moving to require effective data security programs in the financial
sector. Avoiding enforcement actions and securing customer data must now be
a top concern of financial firms, not only to avoid steep fines but also to
avoid the reputational damage that comes with a public declaration that a
firm cannot protect their customers’ private data.
_______________________________________________
Dataloss Mailing List (dataloss () datalossdb org)
Archived at http://seclists.org/dataloss/
Unsubscribe at http://lists.osvdb.org/mailman/listinfo/dataloss
For inquiries regarding use or licensing of data, e-mail
        sales () riskbasedsecurity com 