September 29, 2008

NEW NEVADA LAW REQUIRES SECURING SENSITIVE PERSONAL INFORMATION WHEN TRANSMITTED ELECTRONICALLY

Beginning October 1, 2008, a new data security law in Nevada will require businesses to protect “personal information” that is transmitted electronically. The new law prohibits the transfer of “any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”1

Although other state laws require businesses to encrypt or securely transmit Social Security numbers over the Internet, the Nevada law is the first to extend this requirement to other sensitive data elements, including credit and debit card numbers, financial account numbers, driver’s license numbers and state identification card numbers.

A number of reports have characterized this law as an encryption mandate. This is inaccurate. The Nevada law is flexible in that it authorizes the use of “any protective or disruptive measure” to protect personal information in transmission. The law does not provide for enforcement by state officials, although a separate statutory provision requires businesses to use reasonable security procedures to protect personal information. This provision establishes a duty of care that could be enforced in civil negligence lawsuits.

Law Imposes “Soft” Encryption Mandate

Like a handful of other states, Nevada defines “encryption” flexibly to encompass a variety of methods and technologies that render “personal information” unreadable and unusable:

“Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to: (1) Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound; (2) Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or (3) prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.2 (emphasis added).

In contrast to the Payment Card Industry Data Security Standards (PCI DSS), which require “strong cryptography and security protocols such as secure sockets layer (SSL)/transport layer security (TLS) and Internet protocol security (IPSEC) to safeguard sensitive cardholder data during transmission over open, public networks,”3 the Nevada law affords businesses latitude in selecting the particular data protection method or technology used to transmit personal information, provided that it is capable of rendering personal information unreadable or unusable.

Although businesses are not confined to the use of encryption in transmitting personal information, businesses in Nevada should carefully consider the method or technology employed to protect personal information that is transmitted electronically across public networks to ensure that it meets the state’s standards. Such considerations may be affected by PCI DSS obligations.

The Requirement Likely Applies to Any Business with Nevada Customers or Employees

The new law applies to “a business in this State.” While the law does not define this term, the Nevada Supreme Court has applied a two-prong standard for evaluating what constitutes “doing business” in Nevada: (1) the nature of the company’s business in the state, and (2) the quantity of business conducted in the state.4

Under the law, “personal information” is defined as the data elements covered by Nevada’s security breach notification statute – a person’s first name or first initial and last name in combination with an unencrypted (1) Social Security number; (2) driver’s license number or identification card number; or (3) account number, credit card number or debit card number, in combination with a security code, access code or password that would permit access to the person’s financial account.5 The definition does not include the last four digits of a Social Security number or publicly available information.

Only personal information that is being transferred electronically outside of the “secure system of the business” is covered by the new mandate. Facsimiles are exempted, as is information in storage, whether it is on servers, computers, portable storage devices or backup tapes – which is the source of many data breaches. While faxes are exempt, some businesses transmit faxes through e-mail, which would likely fall under the ambit of the new law.

The new secure transmission law takes effect on October 1, 2008 – several years after the effective date of two other data security requirements that apply to Nevada businesses. Existing law already requires businesses to “implement and maintain reasonable security measures” to protect personal information from “access, acquisition, destruction, use, modification or disclosure,”6 and to take reasonable measures to ensure the destruction of records when they are no longer to be maintained.7

Steps Businesses Should Take Before the October 1, 2008, Effective Date

Before the October 1, 2008, effective date, companies that conduct business in Nevada will need to determine whether their existing data security practices for their Nevada operations comply with Nevada’s secure transmission law. If their practices will not be in compliance, they need to determine the appropriate technology solution in a timely manner.

Enforcement

Although there are no specific remedies or penalties identified for violations of the encryption protocols, businesses could be subject to negligence lawsuits for failing to adhere to this statutory standard concerning data security, particularly in the case of a security breach. While existing case law suggests that consumers must articulate actual harm to survive a motion to dismiss, the costs of litigating such suits are significant, and the damage to a company’s reputation when a security breach is publicly exposed is often considerable.

Encryption Legislation in Other States, and Federal Recommendations

As noted above, in October Nevada will become the only state that specifically requires personal information – other than Social Security numbers – to be secured when it is transmitted electronically. However, a significant minority of states require businesses to maintain reasonable data security measures, and it is likely that more states will enact data security laws in the near future. Massachusetts just released data security regulations that require encryption-like safeguards, and Michigan and Washington considered more extensive legislation this year.

The Washington bill8 covered both stored data and transmitted data and defined encryption less flexibly as an algorithmic process to render data unreadable or unusable. Under that bill, a business would only be considered to be in compliance if it used generally accepted encryption practices. The Michigan legislation would have required personal identifying information to be stored using industry standard encryption methods.9

Neither of these bills passed. However, the FTC recommends that businesses encrypt sensitive information that is being stored or transmitted. It has brought enforcement actions against companies that failed to provide reasonable and appropriate security for sensitive information.

We can expect that many more states will consider legislation requiring businesses to encrypt personal information that is transmitted electronically. The Nevada law may be a sign of things to come.

  1. NEV. REV. STAT. § 597.970.
  2. NEV. REV. STAT. § 205.4742.
  3. See https://www.pcisecuritystandards.org/pdfs/pci_audit_procedures_v1-1.pdf
  4. Executive Management, Ltd. v. Ticor Title Ins. Co., 118 Nev. 46, 50, 38 P.3d 872, 874 n.4 (2002).
  5. NEV. REV. STAT. § 603A.040.
  6. NEV. REV. STAT. § 603A.210.
  7. NEV. REV. STAT. § 603A.200.
  8. http://apps.leg.wa.gov/documents/billdocs/2007-08/Pdf/Bills/House%20Bills/2574.pdf
  9. http://www.legislature.mi.gov/documents/2007-2008/billintroduced/Senate/pdf/2008-SIB-1022.pdf