Nevada recently amended its law on the Security of Personal Information to require Nevada businesses to comply with the Payment Card Industry Data Security Standards ("PCI DSS") in any transaction where the business accepts a credit card (or other payment card) for the sale of goods or services, and to require Nevada businesses to encrypt any personal information the business transfers. Nevada's recent amendment, S.B. 227, will take effect January 1, 2010, and will considerably broaden the information security obligations of companies "doing business" within the state's borders. Moreover, by incorporating and referencing various industry standards, the state's new law could be a precursor to similar state laws that may mandate higher standards for privacy and data security, much as California's data protection statute caused a wave of data breach notification laws throughout the country.
PCI DSS, adopted by the PCI Security Standards Council, a consortium of major credit card companies, is organized around six principles with 12 accompanying requirements. Businesses accepting credit card payments are likely already bound by contract to comply with PCI DSS. Despite such existing contractual obligations (which often exist within a complex web of contractual relationships among the merchant or other business accepting credit card payment, the consumer, the issuing credit card company, the payment processor, and others), Nevada's S.B. 227 turns PCI DSS compliance into a mandatory statutory obligation with associated penalties for noncompliance beyond what may be imposed for breach of contract. Subsection 1 of S.B. 227 requires all companies doing business in Nevada that accept "a payment card in connection with a sale of goods or services" to comply with PCI DSS and associated deadlines "with respect to those transactions."
The amendment further requires companies doing business in Nevada to encrypt any personal information transferred electronically "outside of the [business's] secure system" or when a data storage device, such as a computer, cellular telephone, computer drive or tape, etc., containing personal information is transferred beyond the business's "logical or physical controls." This provision extends beyond credit card transactions, as Nevada's Security of Personal Information law defines personal information to include a natural person's first name or first initial and last name with (1) Social Security number, (2) driver's license or identification card number, or (3) financial account number (with security code, access code, or password). S.B. 227 defines "adequate means of encryption" to include encryption technology adopted by an established standards-setting body, such as the National Institute of Standards and Technology ("NIST"). In addition, adequate encryption requires "[a]ppropriate management and safeguards of cryptographic keys" promulgated by an established standard-setting body, such as NIST. Companies doing business in Nevada should review their compliance programs, privacy policies, and third-party contracts to determine whether modifications are necessary for compliance with these encryption requirements. Companies should pay particular attention to policies and practices governing mobile storage devices, including laptops and thumb drives, as data security practices on these mobile devices are often lax despite the increased risk for loss or theft posed by their small size and portable nature. Although encrypting data stored on laptops, thumb drives, and other mobile storage devices may be legally sufficient, a more prudent approach would be to limit the amount of personal information stored on such devices in the first instance.
Nevada's amendment contains certain exemptions; for example, it exempts from data breach liability all businesses that comply with its requirements and do not engage in "gross negligence" or "intentional misconduct" in handling personal data. While the exact scope of the amendment remains unclear, its language suggests that the amendment covers all companies (including their third-party agents) considered to be "doing business" in Nevada that collect, store, or transfer personal information.
Like Minnesota's 2007 Plastic Card Security Act, which incorporated part of the PCI DSS requirements, Nevada's S.B. 227 may set a precedent for a new round of state data protection legislation in which states adopt industry standards, such as PCI DSS and NIST standards, to strengthen their data protection laws. Other states could pass broader and more comprehensive laws that affect companies outside their borders. For example, Massachusetts requires compliance with industry standards (without referencing specific industry or technical requirements) in a law that will affect companies collecting data from Massachusetts residents, regardless of where the company is located.
Nevada's S.B. 227 and similar legislation will encourage businesses to stay current with technology and best practices, as industry standards are constantly evolving. The PCI Security Standards Council has already planned a revision of PCI DSS and will accept comments from July 1 to November 1, 2009, for a new version of PCI DSS that may be released in fall 2010. To comply with current and forthcoming industry standards (and with state laws mandating compliance with them), companies will need to regularly evaluate their information security regimes and implement the updates necessary to meet applicable state and industry requirements.