New Massachusetts Data Security Law Could Affect Many Banks, Credit Unions and Other Online Business
The state of Massachusetts' new data security law, 201 CMR 17.00, will impact many web based applications that collect and store personal financial information about users. The new law reaches beyond the state's borders and affects organizations that are collecting and storing personally identifiable information (PII) about Massachusetts residents. The law requires that PII be encrypted during transport (from client to browser) and while at rest. The law imposes stiff monetary penalties for organizations that fail to provide these two types of data protection for PII that they collect and store about Massachusetts residents.
PII is defined in the bill as a person's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account.
Even Businesses with Physical Presence in Massachusetts Must Comply
Financial institutions doing business in Massachusetts are obviously directly affected, but so are banks, credit unions, lenders, e-commerce operators and other businesses who provide wire transfer, lending or other transactional services to residents of those MA, or who sell products to customers who reside in MA. In other words, if you're a bank allowing your customers to perform wire transfers to or from residents of Massachusetts, we recommend that you familiarize yourself with this law and make sure your applications and I.T. security policies comply.
How MemberProtect Helps You Comply
MemberProtect's data encryption functionality will satisfy the data storage encryption requirements, and standard SSL will meet the transport security requirements. MemberProtect encryption is not automatic, however, so it is important that you've properly configured MemberProtect and your application to properly encrypt PII data. Also, as introduced in the most recent MemberProtect release, we recommend that all customers periodically change their MemberProtect encryption key for the same reasons that it is wise to periodically change passwords.
We recommend that you read the law here and take steps to ensure that you're in compliance.