While the Securities and Exchange Commission’s (SEC) proposed amendments to Regulation S-P await final rule status, the Commonwealth of Massachusetts has enacted sweeping new data security and identity theft legislation. At present, approximately 45 states have enacted some form of data security laws, but before Massachusetts passed its new legislation, only California had a statute that required all businesses to adopt a written information security program. Unlike California’s rather vague rules, however, the Massachusetts information security mandate is quite detailed as to what is required and carries with it the promise of aggressive enforcement and attendant monetary penalties for violations.
Because the new Massachusetts rules are a good indication of the direction of privacy-related regulation on the federal level, their impact is not limited solely to those investment advisers with Massachusetts clients. The similarities between the new Massachusetts data security laws and the proposed amendments to Regulation S-P afford advisers an excellent preview of their future compliance obligations as well as useful guidance when constructing their current data security and protection programs.
All investment advisers would benefit from understanding the new Massachusetts regulations and should consider using them as the basis for updating their information security policies and procedures in advance of changes to Regulation S-P. This article provides an overview of both the proposed amendments to Regulation S-P and the new Massachusetts data storage and protection law and suggests ways that investment advisers can use the new Massachusetts rules to better prepare for the realities of a more exacting Regulation S-P.
The SEC’s proposed amendments to Regulation S-P set forth more specific requirements for safeguarding personal information against unauthorized disclosure and for responding to information security breaches. These amendments would bring Regulation S-P more in line with the Federal Trade Commission’s Final Rule: Standards for Safeguarding Customer Information, currently applicable to state-registered advisers (the “Safeguards Rule”) and, as will be detailed below, with the new Massachusetts regulations.
Under the current rule, investment advisers are required to adopt written policies and procedures that address administrative, technical and physical safeguards to protect customer records and information. The proposed amendments take this requirement a step further by requiring advisers to develop, implement, and maintain a comprehensive “information security program,” including written policies and procedures that provide administrative, technical, and physical safeguards for protecting personal information, and for responding to unauthorized access to or use of personal information.
The information security program must be appropriate to the adviser’s size and complexity, the nature and scope of its activities, and the sensitivity of any personal information at issue. The information security program should be reasonably designed to: (i) ensure the security and confidentiality of personal information; (ii) protect against any anticipated threats or hazards to the security or integrity of personal information; and (iii) protect against unauthorized access to or use of personal information that could result in substantial harm or inconvenience to any consumer, employee, investor or security holder who is a natural person. “Substantial harm or inconvenience” would include theft, fraud, harassment, impersonation, intimidation, damaged reputation, impaired eligibility for credit, or the unauthorized use of the information identified with an individual to obtain a financial product or service, or to access, log into, effect a transaction in, or otherwise use the individual’s account.
Knowing your enemy is vital in fighting him effectively. Security should be learned not only through network defense, but also by studying the software vulnerabilities and techniques that attackers use for malicious ends. As computer attack tools and techniques continue to advance, we will likely see major, life-impacting events in the near future. However, we can create a much more secure world, with risk managed down to an acceptable level. To get there, we have to integrate security into our systems from the start, and conduct thorough security testing throughout the software life cycle of the system. One of the most interesting ways of learning computer security is studying and analyzing systems from the perspective of the attacker. A hacker or cracker uses a variety of available applications and tools to find weaknesses in network and software security and to exploit them. Exploiting software is exactly what it sounds like: taking advantage of a bug or flaw and repurposing it to work to the attacker’s advantage.
Similarly, your personal sensitive information could be very useful to criminals. These attackers might be looking for sensitive data to use in identity theft or other fraud, a convenient way to launder money, information useful in their criminal business endeavors, or system access for other nefarious purposes. One of the most important stories of the past couple of years has been the rush of organized crime into the computer attacking business. These groups apply business processes to make money from computer attacks.
This type of crime can be highly lucrative to those who steal and sell credit card numbers, commit identity theft, or even extort money from a target under threat of a DoS flood. Further, if the attackers cover their tracks carefully, the chances of going to jail are far lower for computer crimes than for many types of physical crimes. Finally, by operating from an overseas base, in a country with little or no legal framework for prosecuting computer crime, attackers can operate with virtual impunity.
Assessing the vulnerabilities of software is the key to improving the current security of a system or application. Such a vulnerability analysis should take into consideration any holes in the software that could be used to carry out a threat. This process should highlight points of weakness and assist in the construction of a framework for subsequent analysis and countermeasures. The security measures we have in place today include firewalls, counterattack software, IP blockers, network analyzers, virus protection and scanning, encryption, user profiles and password keys. Examining how these basic defenses, and the software and computer systems that host them, are attacked is important to making software and systems stronger.