Data Security Regulation 2.0, Part 1: In Nevada Transmission Requires Encryption

Nevada and Massachusetts are pushing forward with a new, more assertive type of data security regulation that has huge implications for businesses operating online.  Call it Data Security Regulation 2.0.

In this first of two installments we will overview past regulation and cover changes Nevada is implementing in regards to data security.

Data Security Regulation 1.0:  First Breach, Then Notice

By now most of us are familiar with what I call Data Security Regulation 1.0 – the complex of data breach notice statutes passed in the last five or six years by (as of the end of 2008) 44 states and the District of Columbia following California’s lead.  These statutes require notification of individuals potentially affected by the  unauthorized access of their covered personal information which may result in foreseeable  identity theft or other harm. The definition of covered personal information and the triggering event for notice differ from state to state, and some laws exempt encrypted data from the notice requirement.  This first wave of regulation was, in essence, operations and technology neutral, setting specific requirements for responding to incidents but not for preventive measures.

The impetus for Data Security Regulation 1.0 was the flood of widely publicized data breach incidents at retailers, data mining companies and government agencies, including TJX, ChoicePoint, CardSystems, DSW, and BJ’s Wholesale Club, resulting in the compromise of tens of millions of records containing credit card account information, Social Security numbers, and other sensitive personal information.  This proliferation of data breach notice statutes, in turn, led cautious businesses to issue a torrent of disclosures, whose portentous tone, coupled with a lack of specificity about what information was improperly accessed, often baffled their recipients.

Data Security Regulation 1.5:  Be Reasonable

Two or three years ago federal and state policymakers started moving away from an incident-based model of regulation, instead requiring the proactive implementation of measures to ensure a minimum acceptable level of data security.  Regulated financial institutions subject to the Gramm-Leach-Bliley Act and Fair Credit Reporting Act, among other things, have had to operate in these waters for a decade or more, but the aggressive regulatory approach to data security known in the banking world has been increasingly extended to all types of businesses whose possession of personal information exposes them to the risk of hacking, internal sabotage or accident and thus potentially imperils the public.

The Federal Trade Commission (FTC) took the lead by bringing enforcement actions against companies, most notably TJX, whose failure to implement reasonable data security measures (e.g., not upgrading controls for wireless access to its networks, not requiring network administrators to use strong passwords, and not adequately investigating reported security incidents) created culpability for the massive and repeated breaches that ensued.  The states then stepped in, a dozen or so enacting laws requiring minimum levels of security for covered businesses and agencies.

I call this second wave of governmental activity Data Security Regulation 1.5.  It imposed a higher standard on businesses than the purely reactive data breach notice laws and penalized them for specific practices that resulted in harm to the public, but did not prescriptively legislate the use of certain technologies or the actual content of companies’ information security programs.

Data Security Regulation 2.0:  Looking Under the Hood

That is beginning to change with the advent of Data Security Regulation 2.0 in Nevada and Massachusetts.  New laws in those states have government looking under the hood by setting specific standards, including the use of encryption, for businesses which collect, store and transmit the personal information of their customers.

Nevada: Transmission Requires Encryption (Round 1)

The Nevada law, NRS §590.970 (recently repealed and replaced by Bill 227, see below), became effective on October 1, 2008 and provides that “a business in this State” may not electronically transmit “any personal information of a customer” (other than by fax) “outside of the secure system of the business” unless encryption is used to ensure the security of the electronic transmission.  “Personal information” means unencrypted information consisting of an individual’s last name and first name (or first initial) combined with his or her Social Security number, driver’s license or identification card number, or financial account number plus password or access code.

Careful parsing of the statutory language is necessary to grasp its broad coverage.  For one thing, “a business in this State” is almost certainly not limited to Nevada chartered companies.  Rather, any business with operations or customers in Nevada is likely to be covered, which, of course, includes websites with Nevada customers and account holders.  Furthermore, there is no indication that a “customer” must be a Nevada resident.  Thus there are many different scenarios in which the law could be invoked.  For example, if an account representative at a business with Nevada customers e-mails a file of customer names and credit card account information, which could belong to out-of-state residents, to a vendor or her personal e-mail account without encrypting the data, the company arguably has violated the statute.  Similarly, if a company outsources certain operations to a vendor and transfers customer information to the vendor for storage or processing by posting it to a secure file server, the data must be encrypted.

Nevada: Transmission Requires Encryption (Round 2)

On May 29, 2009, Nevada’s governor signed into law Senate Bill 227 (pdf), which repeals NRS §597.970.  Notably, it imposes a more rigorous encryption requirement and extends this requirement to portable storage devices, just as Massachusetts has done.  Even more than its predecessor, the revised Nevada law is an example of Data Security Regulation 2.0.

Set to go into effect on January 1, 2010, the new law provides that if a “data collector doing business in this State” accepts payment cards in connection with a sale of goods or services, it must comply with the most current applicable Payment Card Industry Data Security Standard (PCI DSS) with respect to those transactions.  PCI DSS, which requires the encryption of cardholder data when transmitted wirelessly and in certain other circumstances, is already a looming requirement for businesses that accept payment cards; the revised Nevada law, however, codifies and enshrines it.  A “data collector” is any organization that “handles, collects, disseminates or otherwise deals with nonpublic personal information.”

A data collector “to whom [the PCI DSS clause] does not apply” (i.e., who collects, handles or deals with personal informational in a context other than payment card transactions) must encrypt personal information transmitted electronically “through an electronic, nonvoice transmission other than a facsimile” outside of the data collector’s secure system.  It must also encrypt personal information stored on any device or medium (including any portable device or medium such as a laptop, flash or USB drive, mobile phone, CD-ROM or magnetic tape) that is moved “beyond the logical or physical controls” of the data collector or its data storage vendor.

Encryption is now explicitly defined as requiring the use of cryptographic keys to decipher data.  To satisfy this requirement, the encryption technology must have “been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology.”  It must also incorporate “[a]ppropriate management and safeguards of cryptographic keys to protect the integrity of the encryption” using guidelines issued by an established standards setting body.  The new law, therefore, abandons the technology-neutral approach of Data Security Regulation 1.5.  (However, it does exempt telecommunications providers and certain financial account payment processing and reporting activities conducted through a secure private channel.)

Like the previous law, the new statute is not limited to Nevada chartered companies, but applies to any organization with customers or operations in Nevada.  Coverage has also been expanded to include employee and other non-customer personal information.
There is a twist in the definition of a facsimile transmission, which is normally excluded from the encryption requirement.  Not only must a facsimile transmission conform to certain technical requirements laid out in the statute, but the term does not include an “onward transmission to a third device after protocol conversion, including, but not limited to, any data storage device.”  Thus, a fax containing personal information that is received by a fax service and re-transmitted to a laptop or mobile phone as an e-mail may have to be encrypted.

Furthermore, the requirement to encrypt personal information on a storage device that is moved beyond the controls of the data collector or its data storage contractor imposes a clear obligation to monitor and enforce compliance by vendors.  If a vendor is to be entrusted with personal information, the data collector should review the vendor’s information security program beforehand to verify compliance with the encryption requirement and should include this requirement in its contract with the vendor as well as reserving a right to audit the vendor’s information security practices for ongoing compliance.

Like its predecessor, the Nevada law specifies no penalties or remedies.  However, it does provide that compliance will insulate a data collector from liability for damages for a data breach, unless the data breach is caused by the gross negligence or intentional misconduct of the data collector or its officers, employees or agents.  Since “agents” would include vendors performing internal functions or other activities at the request and direction of the data collector, this clause provides yet another reason for businesses to conduct a thorough review of the information security practices of their vendors and ensure ongoing compliance through contractual covenants and periodic audits.  The new law also establishes a statutory standard of care, leaving the non-compliant exposed to negligence liability.

In tomorrow’s part 2nd segment will cover Massachusetts more comprehensive and sweeping data security regulation law.

Andrew Baer is the founder of Baer Business Law, LLC, a Philadelphia firm focusing on e-commerce, business and technology law.

About Andrew M. Baer, Esq.

You can find Andrew Baer on Twitter @baerbizlaw.

5 Responses to Data Security Regulation 2.0, Part 1: In Nevada Transmission Requires Encryption

  1. Don Aplin says:

    Nevada law was amended, gov. signed the bill recently.

  2. […] Court House News; Data Security Regulation 2.0, Part 1: In Nevada Transmission Requires Encryption, ReveNews; Cameras toe the line between privacy, security, delmarvaNow; Publishing David Carradine photo. Too […]

  3. Thanks Don, updated information on the Bill 227 and Nevada's new Data Security Regulation posted in article.

  4. Mike says:

    This is the first step in what will be an incredibly long process in the regulation of data protection methods. Clearly, all data needs to be encrypted because there are people who want to steal every piece of it they can get their hands on. I foresee two things happening in this vein. First, there will be a standard in encryption that will emerge and be adopted by the government. Second, the government will acquire this company and then push their standard on the country. with too many cooks, the encryption issue will remain muddled and we will always be vulnerable.

  5. I agree it would be helpful to have an encryption standard that is universally accepted as best practices (although this will continue to evolve as the security threat grows more sophisticated). PCI DSS (required by the Nevada statute for payment card transactions) and its supporting documents partially fulfill this role, although PCI DSS is not applicable to everyone and IT experts point out that PCI DSS compliance can still leave vulnerabilities.

    In regard to a nationally required encryption standard, I do not see this happening the near future because right now Congress is (a) preoccupied with health care, and (b) very concerned about imposing costly IT requirements on small and medium-sized businesses at a time when the national unemployment rate is 10.2%. The two big national data security bills being considered right now, H.R. 2221 and S. 1490, do not contain an encryption standard. The Massachusetts data security regulation, 201 CMR 17.00, previously required 128-bit encryption, but after businesses complained about this and other technology-specific provisions, it was amended in August (and finalized just last week) to keep the encryption requirement flexible.

    So, for at least the next year or two, outside of specialized areas like HIPAA, I don't see a specific encryption standard being adopted by the federal or state governments. With that said, if a business is using a standard that clearly falls below best practices and then suffers a data breach (just as TJX used a wireless encryption standard that the PCI Security Council had criticized as vulnerable), you can expect the FTC will step in and plaintiffs' lawyers will file negligence claims. In other words, the FTC and the courts will set the standard de facto.