Two new state laws requiring companies to encrypt electronic records containing personal data are likely to apply to a large number of companies nationwide, requiring major changes in the way personal information is used, stored, and transmitted, and requiring companies to fundamentally reexamine their corporate security compliance obligations.
On October 1, 2008, a Nevada law requiring businesses to encrypt electronic transmissions of personal information takes effect (the "Nevada Law"). On January 1, 2009, Massachusetts will implement regulations that impose even stronger and more sweeping encryption requirements (the "Massachusetts Regulations").
Nevada Encryption Requirements:
The Nevada Law prohibits "a business in this State" from transferring outside of its secure system "any personal information of a customer through an electronic transmission," except via facsimile, "unless the business uses encryption to ensure the security of electronic transmission." Thus, for example, all e-mail, Web site, and other forms of Internet-based communications involving the personal information of a customer must be encrypted.
The subject of the Nevada Law – the data that must be encrypted – is limited to personal information of a customer. The term "personal information" is defined as “a natural person's first name or first initial and last name in combination with any of the following: (a) social security number or employer identification number; (b) driver's license number or identification card number; or (c) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account . . . . ”
Thus, the encryption requirement is limited in two key ways. First, it does not apply to all information about an individual, but only the specific categories of sensitive information noted. Second, it only applies if the individual is a "customer," although the term "customer" is not defined. But note that the term "personal information" is not limited to Nevada residents.
It is also important to note that the Nevada Law applies only to businesses "in this State." However, for many businesses that are not located in Nevada, but that do business with customers in the state, the question of whether they are "doing business" in Nevada is an open one. The Nevada Supreme Court has used a two-prong test that weighs: (a) the nature of the company's business; and (b) the quantity of business conducted, but has also noted that the analysis "is often a laborious, fact-intensive inquiry resolved on a case-by-case basis." Thus, until further clarified by Nevada law or court decisions, companies should recognize that while the applicability of the Nevada Law may well be uncertain, if they do a significant amount of business in Nevada it may be prudent to assume that the law will apply. Moreover, by failing to limit the definition of personal information to Nevada residents, the Nevada Law arguably could be applied to any transmission of personal information of any customer, regardless of whether or not the customer was actually located in, or a resident of, Nevada, so long as the company in question was "doing business" in Nevada.
The action required by the Nevada Law – encryption – also raises some questions. Nevada defines encryption as "the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to: (1) prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound; (2) cause or make any data, information, image, program, signal or sound unintelligible or unusable; or (3) prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network." Because of the broad nature of this definition, and the fact that it does not absolutely require an algorithmic approach to encryption as found in cryptography, some have argued that other schemes to deter readability of data, such as file passwords, might also qualify. Whether such non-cryptographic approaches will qualify as encryption is one of many enforcement quandaries that Nevada faces in policing technology and other issues that are not clearly defined under the Nevada Law.
Massachusetts Encryption Requirements:
On September 22, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation released the final Massachusetts Regulations. Those Regulations, which take effect on January 1, 2009, represent the most comprehensive encryption requirements to be imposed on companies by any state. Like the Nevada Law, they require companies to encrypt all personal information that is transmitted across public networks or wirelessly. However, in a significant expansion of the rule under the Nevada Law, the Massachusetts Regulations also require businesses to encrypt all personal information that is stored on laptops and other portable devices.
Like the Nevada Law, the Massachusetts Regulations apply only to "personal information," which is defined as a combination of a person's name plus one of the following sensitive data elements related to that person: Social Security number, driver's license or state-issued identification card number, or financial, credit or debit card account numbers. Unlike Nevada, however, financial, credit or debit card account numbers are covered regardless of whether they are stored with or without any required security code, access code, or personal identification number linked to such accounts.
Unlike the Nevada Law, which applies only to businesses "in" Nevada, the Massachusetts Regulations apply to "all persons that own, license, store or maintain personal information about a resident of the Commonwealth." The key factor triggering applicability of the Regulations is possession of data about Massachusetts residents.
The Massachusetts Regulations require any entity that stores or transmits electronic records containing personal information to encrypt that personal information in certain situations. Specifically:
- Stored personal information must be encrypted if it is stored on a laptop or other portable device. While "portable device" is not defined, it presumably includes communications devices such as Blackberries and cell phones, as well as storage devices, such as iPods and USB drives.
- Personal information being transmitted must be encrypted, to the extent technically feasible, if it "will travel across public networks" or if it will "be transmitted wirelessly." Public networks clearly include the Internet and wireless transmission presumably includes communication even within a corporate network.
The Massachusetts Regulations define "encryption" generally as "the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key." By providing for "an alternative method" to the standard algorithmic approach to encryption, the Regulations seem to provide for some flexibility in approach, so long as the data is transformed "into a form in which meaning cannot be assigned without the use of a confidential process or key."
* * *
Between the Nevada Law and the Massachusetts Regulations, companies that have a national presence or otherwise deal with people in those states should be prepared to conduct a full assessment of their practices and determine what financial, legal and technical resources are required to comply with both specific state standards.
The penalties for non-compliance under either law are not specified. The Nevada Law falls under the Miscellaneous Trade Regulations and Prohibited Acts Chapter, but the chapter does not contain any generally applicable penalty provisions. The Massachusetts Regulations were issued under Mass. Gen. Laws 93H, which specifies only that the attorney general may bring an action for violations (Mass. Gen. Laws 93A (4)). Notwithstanding the specter of penalties, however, where the law requires encryption, non-compliance may provide a potential plaintiff with a basis for bringing an action for breach of a duty to provide reasonable security.