It should come as no surprise that the financial industry is among the most regulated in the world. Banks and other financial institutions face strong data security requirements because of the sensitive and private data they handle. While GLBA/FFIEC are specific to these industries, compliance regimes such as PCI DSS, SOX, and state privacy laws can also apply. One thing they all have in common is that encryption, along with proper key management, can mean the difference between a public breach notification and a safe harbor.
What Data Needs Encryption?
Aside from the obvious personally identifiable information (PII) such as names, addresses, and social security numbers, the financial industry also regularly handles data that includes income, credit score, collection history, and family member PII and Non-public Personal Information (NPI).
The Gramm-Leach-Bliley Act (GLBA) specifically requires that institutions doing business in the US establish appropriate standards for protecting the security and confidentiality of customers’ NPI. The objectives are to:
- Ensure the security and confidentiality of customer records and information
- Protect against any anticipated threats or hazards to the security or integrity of such records
- Protect against unauthorized access to information which could result in substantial harm or inconvenience to any customer
Additionally, the Federal Financial Institutions Examination Council (FFIEC), which is “empowered to prescribe uniform principles, standards, and report forms to promote uniformity in the supervision of financial institutions,” adds:
“Financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit.”
Between FFIEC and GLBA, banks and financial institutions should encrypt:
- Any sensitive information an individual gives you to get a financial product or service (such as name, address, income, Social Security number, or other information on an application)
- Any information you get about an individual from a transaction involving your financial products or services (for example, the fact that an individual is your customer, account numbers, payment history, loan or deposit balances, and credit or debit card purchases)
- Any information you get about an individual in connection with providing a financial product or service (for example, information from court records or from a consumer report)
Encrypting Private Data
Encryption is often considered the hardest part of securing private data. The first step that banks and financial services can take is to deploy encryption based on industry-tested and accepted algorithms, along with strong key lengths. Examples of accepted algorithms and minimum key sizes are AES (128 bits and higher), RSA (2048 bits and higher), and ECC (224 bits and higher). TDES with double-length keys, ECC at 160 bits, and ElGamal at 1024 bits used to appear on such lists, but NIST SP 800-131A now disallows two-key TDES, 160-bit ECC, and 1024-bit finite-field (ElGamal, DSA, DH) keys for protecting new data, and three-key TDES is deprecated with disallowance after 2023, so new deployments should use AES. Algorithm and key size are only part of the picture: use an authenticated mode such as AES-GCM with a fresh nonce for every message, never ECB, so that ciphertext cannot be tampered with undetected. See NIST Special Publication 800-57 (Part 1) and SP 800-131A for the current minimums and transition dates.
There are many levels within an organization's stack at which encryption can be deployed, ranging from the operating system to the application and database level. Choosing where to implement encryption has security implications: full-disk or file-system encryption at the operating-system level, for example, protects only against lost or stolen media, because once the system is running every process reads plaintext. Let's focus on the two layers that are the most secure.
Encryption at the Database Level
Almost all commercial databases now support some form of encryption in the database itself, either transparent data encryption of the data files on disk or column-level encryption of individual fields. Encryption at the database layer provides some distinct advantages:
- Encryption is optimized for database performance
- Encryption services are better integrated with other database access control services, resulting in fewer security gaps
- Encryption key management may be better integrated into the encryption implementation
The caveat is that the database decrypts transparently for any authenticated session, so this layer protects backups and stolen storage but not against a privileged DBA, a leaked database credential, or SQL injection through the application. The database's own keys also need to be managed outside the database, not stored alongside the data files they protect.
Encryption at the Application Level
Application encryption involves the use of an encryption library and a key retrieval service. Encryption at the application layer fundamentally means that you are encrypting data before inserting it into a database or other storage mechanism, and decrypting it after you retrieve the data. The database, its backups, its replicas, and its administrators only ever see ciphertext, and a SQL injection flaw yields ciphertext rather than NPI. It provides a very granular level of control of sensitive data and allows for the application of user access controls, program access controls, data masking, and other security controls. Many feel that application layer encryption is the most secure way to protect data. The trade-offs are that encrypted columns cannot be indexed, sorted, or range-searched by the database (lookups need a separate blind index or tokenization), that every application touching the data must carry the encryption logic consistently, and that the application's credentials for the key retrieval service become a high-value target in their own right.
Encryption Key Management
Encryption is only as secure as your encryption keys. The essential functions of a key management solution include storing the encryption keys separate from the data that they protect, as well as managing the encryption keys through the entire lifecycle including:
- Generating keys for different cryptographic systems and different applications
- Generating and obtaining public keys
- Distributing keys to intended users, including how keys should be activated when received
- Storing keys, including how authorized users obtain access to keys
- Changing or updating keys, including rules on when and how keys should be changed
- Addressing compromised keys
- Archiving, revoking, and specifying how keys should be withdrawn or deactivated
- Recovering keys that are lost or corrupted as part of business continuity management
- Logging and auditing of key management-related activities
- Instituting defined activation and deactivation dates, and limiting the usage period of keys
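The application-level encryption section above and the lifecycle list just given describe two halves of one mechanism, so here is a single added example in Go that serves both. It is not code from the original article or from any vendor product. A hypothetical in-process KeyService holds AES-256 keys apart from a simulated customer table, encrypts a column value under the current key with AES-GCM, binds the record and column name as associated data so a blob cannot be moved to another row or field, tags every blob with the key version that wrote it, and enforces the lifecycle states (active, deactivated, compromised) on rotation, re-encryption and decryption while logging each key event. The names KeyService, Rotate, SetState, Encrypt, Decrypt and headerLen, the blob layout, and the in-memory key store are all assumptions for the example; a real deployment keeps the key material in an HSM or KMS rather than a Go map.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/binary"
	"fmt"
)

// KeyState is the lifecycle state of one key version.
type KeyState int
const (
	Active      KeyState = iota // may encrypt and decrypt
	Deactivated                 // superseded by rotation: decrypt only
	Compromised                 // never used again; data under it must be re-encrypted
)
type Key struct {
	Material []byte // 32 bytes: AES-256, above the 128-bit floor given in the text
	State    KeyState
}
// KeyService is a hypothetical stand-in for a key retrieval service; keys live here, never with the data.
type KeyService struct {
	keys    map[uint32]*Key
	current uint32
	Audit   []string // record of key management activities
}
const headerLen = 4 + 12 // key ID || 96-bit GCM nonce, prepended to every blob

// Rotate activates a fresh key and deactivates the previous one, which stays
// usable for decryption until every record has been re-encrypted.
func (ks *KeyService) Rotate() uint32 {
	if ks.keys == nil {
		ks.keys = map[uint32]*Key{}
	}
	if old, ok := ks.keys[ks.current]; ok && old.State == Active {
		old.State = Deactivated
		ks.Audit = append(ks.Audit, fmt.Sprintf("key %d deactivated", ks.current))
	}
	material := make([]byte, 32)
	if _, err := rand.Read(material); err != nil {
		panic(err)
	}
	ks.current++
	ks.keys[ks.current] = &Key{Material: material, State: Active}
	ks.Audit = append(ks.Audit, fmt.Sprintf("key %d activated", ks.current))
	return ks.current
}

// SetState marks a key Compromised (or Deactivated ahead of schedule).
func (ks *KeyService) SetState(id uint32, s KeyState) {
	if k, ok := ks.keys[id]; ok {
		k.State = s
		ks.Audit = append(ks.Audit, fmt.Sprintf("key %d state set to %d", id, s))
	}
}

// aead enforces the lifecycle rules before handing out a cipher for key id.
func (ks *KeyService) aead(id uint32, forEncrypt bool) (cipher.AEAD, error) {
	k, ok := ks.keys[id]
	if !ok || k.State == Compromised || (forEncrypt && k.State != Active) {
		return nil, fmt.Errorf("key %d is not available for this operation", id)
	}
	block, err := aes.NewCipher(k.Material)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Encrypt protects one column value under the current key. Record and column names
// are bound as associated data, so a blob cannot be moved to another row or field.
func (ks *KeyService) Encrypt(record, column string, plaintext []byte) ([]byte, error) {
	gcm, err := ks.aead(ks.current, true)
	if err != nil {
		return nil, err
	}
	out := make([]byte, headerLen)
	binary.BigEndian.PutUint32(out, ks.current)
	nonce := out[4:] // fresh random nonce, stored in clear alongside the ciphertext
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(out, nonce, plaintext, []byte(record+"/"+column)), nil
}

// Decrypt honours the state of whichever key version wrote the blob; re-encrypting onto the current key is Decrypt then Encrypt.
func (ks *KeyService) Decrypt(record, column string, blob []byte) ([]byte, error) {
	if len(blob) < headerLen {
		return nil, fmt.Errorf("blob too short")
	}
	gcm, err := ks.aead(binary.BigEndian.Uint32(blob[:4]), false)
	if err != nil {
		return nil, err
	}
	return gcm.Open(nil, blob[4:headerLen], blob[headerLen:], []byte(record+"/"+column))
}
```

Usage follows the lifecycle list: start with `ks := &KeyService{}` and `ks.Rotate()`, store only the blob returned by `Encrypt` in the customer table, and call `Rotate()` on the schedule your policy sets. Rows written under the previous key still decrypt while it is deactivated, so a background job can run `Decrypt` then `Encrypt` over every row and, once none reference the old version, the key can be archived or destroyed. Marking a key `Compromised` makes `Decrypt` refuse it outright, which is the signal to restore affected records from a clean source and re-encrypt them. Because the record and column names are part of the authenticated data, swapping one customer's encrypted SSN into another customer's row, or into a different column, fails authentication rather than silently succeeding.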
Just as with encryption, it is paramount that your key management solution meets industry standards. Again, look to NIST and to vendors whose solution is FIPS 140-2 validated (or validated under FIPS 140-3, which has superseded it); "compliant" in a datasheet is not the same as a validation certificate. By encrypting data to these standards, the loss of encrypted data is generally not considered a breach under state notification laws and is exempt from notification requirements, provided the encryption keys were not also exposed, which is exactly why keys must be stored apart from the data they protect.
FFIEC Guidance
The FFIEC provides guidance and oversight of GLBA for banks and financial organizations. They publish the IT Examination Handbook, which provides guidance for the IT security controls that can or should be used to protect NPI under GLBA. According to the Handbook, financial institutions should employ encryption to mitigate the risk of disclosure or alteration of sensitive information in storage and transit. Encryption implementations should include:
- Encryption strength sufficient to protect the information from disclosure until such time as disclosure poses no material risk
- Effective key management practices
- Robust reliability
Fortunately, encryption and key management have become far easier to deploy and are within reach of even the most modest budgets. By protecting data with strong, standards-based encryption, organizations can meet the requirements of GLBA/FFIEC and protect their customers' private data, even in the event of a breach.