EPCOR staff has spent a great deal of time this year talking to institutions and businesses about their obligations under the ACH Data Security Framework Rule that goes into effect September 20, 2013. Personally, I’ve heard a lot of concern from businesses that they don’t feel they have the resources or know-how to meet the Rule’s requirements. The ACH Network is not the first entity to apply data security requirements to protect consumer information or to better secure a payment system, and in fact, most businesses are probably already under strict requirements to protect consumer information from other sources.

The card networks introduced the Payment Card Industry Data Security Standard (PCI DSS) in 2004 to protect consumer information related to card transactions. Fines can exceed $100,000 a month for non-compliance. Prior to PCI DSS, each card brand had its own security requirements. Also, 46 states have data breach notification laws covering most businesses, and many of these laws prescribe a minimum standard of security. Congress is reviewing an array of federal laws that experts anticipate will forever change what is expected of businesses to protect consumer information.

Those are just a few obligations; some organizations also fall under Sarbanes-Oxley, others under the FTC Act. Data security is not really new. In fact, the Federal Trade Commission (FTC) states “all businesses have a legal responsibility to take steps to properly secure and dispose of sensitive consumer information, including financial data and consumer non-public information. Failure to do so could lead to expensive lawsuits resulting from victims, legal repercussions, and more.” When a company tells consumers that it will protect their personal information, the FTC can take enforcement action to make sure the company lives up to that promise. The FTC reports that in just two years it has brought 32 legal actions against organizations that violated consumers’ privacy rights or failed to maintain security for sensitive consumer information.

Organizations gearing up to meet the new Rule should start with the basics. Identify the state and federal laws or regulations that already mandate certain actions to secure consumer information. From there, begin reviewing resources such as the Better Business Bureau’s Data Security Made Simpler guide and the FCC’s 10 Cyber Security Strategies for Small Businesses. The FCC also has an interactive CyberPlanner that walks a business through developing a custom cyber planning guide.

There are a number of resources available to any organization developing or reviewing a data security program. EPCOR will provide many of these reliable, free resources in EPCOR’s Knowledge Community Fraud Library within the next few days. Take a look and check back often, as we will update resources frequently. Also, be sure to post your data security questions and share how you and your business are gearing up to comply with the new ACH Rule.