Nevada is getting serious about mandating the use of encryption to secure personal information. On May 29, Gov. Jim Gibbons signed into law Senate Bill No. 227, which repealed data protection law NRS 597.970, which had been in effect for less than a year. Among other things, the new law requires data collectors to use cryptographic key technology that meets established industry standards and, if they accept credit or debit cards, to comply with the Payment Card Industry Data Security Standard (PCI DSS) with respect to those transactions.
In late 2007 Nevada became one of two states in the country (the other being Massachusetts) to depart from a technology-neutral regulatory standard and specifically require the use of encryption to protect certain data transfers. The original Nevada data protection law, which became effective Oct. 1, 2008, provided that businesses could not electronically transmit "any personal information of a customer" (other than by fax) "outside of the secure system of the business" unless encryption was used to ensure the security of the transmission.
Personal information means unencrypted information consisting of an individual's last name and first name (or first initial), combined with his or her Social Security number, driver's license or identification card number, or financial account number plus password or access code.
However, encryption was very loosely defined as "the use of any protective or disruptive measure [including cryptography] to: 1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound; 2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or 3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network."
By this standard, simply requiring a user to input a password to open a file would have been sufficient for compliance. The statute prescribed no specific penalties or remedies for violators.
Senate Bill 227, set to go into effect Jan. 1, applies more rigorous technical standards to "data collectors" who do business in the state. A data collector is any organization (including a nonprofit or agency) that "handles, collects, disseminates or otherwise deals with nonpublic personal information." The "doing business" requirement should not be read to limit the new law's reach to organizations incorporated or formed in Nevada. On the contrary, any organization with customers, employees or operations in Nevada (which would include most medium-sized and large financial institutions) must comply.
The centerpiece of the new law is its requirement that data collectors must comply with the most current applicable PCI DSS with respect to their payment card transactions and, with respect to all other matters, must encrypt personal information transmitted "through an electronic, nonvoice transmission other than a facsimile" outside of the data collector's secure system. Personal information covered by the statute includes employee and other noncustomer data. Encryption is now explicitly defined as the protection of data by means of a technology that renders the data indecipherable without the use of cryptographic keys.
The encryption technology must have been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology. It must also incorporate "[a]ppropriate management and safeguards of cryptographic keys to protect the integrity of the encryption," using guidelines issued by an established standards setting body.
Data collectors must also encrypt personal information stored on any device or medium (including any portable device or medium such as a laptop, thumb drive, mobile phone, CD or magnetic tape) that is moved "beyond the logical or physical controls" of the data collector or its data storage vendor. This requirement imposes a clear obligation to monitor and enforce compliance by vendors.
If a vendor is to be entrusted with personal information, the data collector should review the vendor's information security program beforehand to verify compliance with the encryption requirement and should include this requirement in its contract with the vendor. It should also reserve the right to audit the vendor's information security practices for ongoing compliance.
The new law contains exemptions for telecommunications providers and certain payment processing and account activities conducted through a secure, private channel, as well as for fax transmissions. As might be expected, telecommunications providers are not required to encrypt communications when they are acting solely in the role of conveying the communications for third parties. Also exempt are data transmissions over a secure, private communication channel for approval or processing of negotiable instruments, electronic fund transfers or similar payment methods, or for issuance of account closure reports.
The Nevada law will rankle many IT and information security professionals because of its rather heavy-handed insistence on the use of a particular technology, encryption.
A fax transmission excluded from the encryption requirement is defined as a transmission between two dedicated fax machines using Group 3 or Group 4 digital formats that conform to the International Telecommunication Union T.4 or T.38 standards, or computer modems that conform to the T.31 or T.32 standards. However, the term does not include an "onward transmission to a third device after protocol conversion, including, but not limited to, any data storage device."
Thus, a fax containing personal information that is received by a fax service and re-transmitted to a laptop or mobile phone as an email needs to be encrypted upon re-transmission. In addition, it is unclear how the statute applies to the use of third-party Internet fax services like eFax; businesses that rely on such services may need to encrypt personal information sent through them, since, literally speaking, transmission and reception of data by means of such services requires the data to pass outside of the business' secure system.
Like its predecessor, Senate Bill 227 does not spell out the consequences of violation, but any noncompliance that is linked to a data breach or incidents of identity theft will be a boon to plaintiffs and class action lawyers. The law effectively creates what is known as a statutory standard of care, meaning that a failure to utilize the required encryption resulting in unauthorized access or interception of unencrypted data may render the data collector liable for negligence.
The statute provides a safe harbor where compliance will insulate a data collector from liability for damages for a data breach, unless the data breach is caused by the gross negligence or intentional misconduct of the data collector or its officers, employees or agents. (Since "agents" would include vendors performing internal functions or other activities at the request and direction of the data collector, this clause provides yet another reason for businesses to conduct a thorough review of the information security practices of their vendors and ensure ongoing compliance through contractual covenants and periodic audits.)
As a practical matter, gross negligence is extremely difficult for a plaintiff to prove, although the use of this standard of culpability in the safe harbor clause makes it likely that every data breach lawsuit from now on will include allegations of gross negligence.
The Nevada law will rankle many IT and information security professionals because of its rather heavy-handed insistence on the use of a particular technology, encryption. Like Massachusetts' regulation 201 CMR 17.00, which requires encryption as part of a comprehensive written information security program, Senate Bill 227 signals a more top-down regulatory approach that leaves businesses less discretion to choose their methodologies for managing information security risk.
The new style of state information security regulation is more aggressive in some ways than the pervasive but flexible risk assessment-based strategy favored up to now by federal banking regulators. Increasingly, therefore, financial institutions and other members of the financial industry will have to look to state information security law, and not just federal and state banking guidelines, in crafting the architecture and features of their security programs.
Andrew M. Baer is an attorney and founder of Baer Business Law LLC, a Philadelphia firm focused on providing clients with cost-efficient business counseling and transactional assistance, particularly in the areas of technology and intellectual property law. Baer can be contacted at firstname.lastname@example.org.