State legislatures and regulatory agencies are challenging businesses, in these difficult economic times, to put in place broad new information security policies and procedures. A series of new laws and regulations enacted in recent months requires, among other things: (a) encryption of personal information on laptops, PDAs and portable media, including flash drives; (b) encryption of personal information transmitted over the Internet; (c) development and publication of Social Security Number (SSN) privacy protection policies; and (d) specific measures to protect the confidentiality and security of employee SSNs. These laws and regulations carry significant statutory penalties for violations and, in some states, expose businesses to private rights of action for noncompliance. Below we provide a brief update on these developments in Massachusetts, New York, Nevada, Connecticut and Texas.
New Massachusetts Regulation Requires Encryption of Personal Information on Laptops and Other Portable Media and During Transmission over Public Networks
- On January 1, 2009, a sweeping new Massachusetts regulation is scheduled to go into effect, requiring businesses that own, license, store or maintain personal information about Massachusetts residents to implement a written, comprehensive information security program that meets certain detailed requirements.
- The regulation also requires businesses to encrypt all personal information transmitted across a wireless network or a public network, such as the Internet or a cellular network. In addition, businesses must encrypt personal information about Massachusetts residents that is stored on laptops, PDAs (including BlackBerry devices) and portable media such as flash drives. The regulation defines “personal information” as a resident’s first name (or first initial) and last name combined with an SSN, driver’s license or state-issued identification card number, financial account number, or credit or debit card number. Note that the encryption requirement attaches to the data wherever it resides or travels: a laptop or flash drive holding such data must be encrypted even if the data never leaves the building, and an email carrying such data must be encrypted even if both mailboxes sit inside the company.
- Noncompliance with the regulation is subject to a civil penalty of up to $5,000 per violation.
- Link to Massachusetts Regulation (201 Mass.Code Regs. 17.00): http://www.mass.gov/?pageID=ocamodulechunk&L=1&L0=Home&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca
New York Enacts Strong Protections for Employee Personal Information
- New York enacted legislation in July 2008, effective January 3, 2009, that will impose strict limitations on the use and communication of employee personal information, defined as an employee’s SSN, home address or telephone number, personal email address, Internet name or password, driver’s license number or parent’s surname prior to marriage. The law also prohibits employers from using employee SSNs as identification numbers for occupational licensing purposes.
- The new law further prohibits employers from: (a) publicly posting or displaying an employee’s SSN, (b) visibly printing an employee’s SSN on any identification badge, access card or time card, (c) placing an employee’s SSN in any files with unrestricted access, or (d) communicating an employee’s personal information to the general public.
- Civil penalties may be imposed for “knowing” violations of the law. A violation is presumed to be “knowing” if the employer “has not put in place any policies or procedures to safeguard against such violation, including procedures to notify relevant employees of these provisions.” The practical consequence is that the absence of a written policy, by itself, converts an inadvertent violation into a presumptively knowing one. We therefore recommend that businesses assess their risk of violating the new law in light of their operations, procedures and track record. If there is a quantifiable risk, it may be advisable to establish new procedures (or, where possible, identify existing procedures that already qualify) and to notify New York-based personnel of the new law. A business may, of course, decide to take these measures even if the risk of a violation is remote.
- Other provisions, effective January 1, 2010, place restrictions on the use and communication of SSNs by the state and its political subdivisions.
- Link to New York Law (N.Y. Labor Law § 203-d): http://www.alston.com/files/docs/NY203-d.pdf
Nevada Law Imposes Encryption Requirements on Electronic Transmissions
- Nevada enacted a new statute, effective October 1, 2008, that requires a business in the state to encrypt every electronic transmission containing personal information about a customer that is directed outside the business’s own “secure system.”
- The statute defines “personal information” as a person’s first and last name joined with an SSN, driver’s license number, or a financial account number or credit or debit card number (if combined with a security code required to access the account). The law does not define the term “secure system,” but the term would appear to mean the network and associated information systems behind a business’s firewall. On that reading, businesses operating in Nevada are now required to encrypt email sent outside the business, and any other communication over the Internet, if it contains personal information. Because ordinary email is not encrypted by default, meeting this requirement means either encrypting the message itself or routing it through an encrypted channel, rather than relying on the sender’s internal network being secure.
- Link to Nevada Law (Nev. Rev. Stat. § 597.970): http://www.leg.state.nv.us/NRS/NRS-597.html#NRS597Sec970
Connecticut and Texas Laws Guard Confidentiality of Social Security Numbers
- Connecticut Public Act No. 08-167 was signed into law on June 10, 2008, and went into effect on October 1, 2008. The Connecticut legislature passed the law quickly following a series of highly publicized data security incidents involving residents of the state. The law requires businesses to: (a) safeguard “personal information” in their possession, (b) dispose of records containing personal information in accordance with certain standards, and (c) publish and enforce an SSN privacy protection policy if the company collects SSNs “in the course of business.”
- The safeguarding and safe disposal requirements are consistent with other state laws. But Connecticut has staked out new ground by requiring companies that collect SSNs in the course of business to establish a “privacy protection policy” and to publish or publicly display the policy. The policy must “(a) protect the confidentiality of SSNs, (b) prohibit unlawful disclosure of SSNs, and (c) limit access to SSNs.”
- There is an argument that the new statute regulates the collection of SSNs from customers, but not from employees. While the law broadly applies to companies that collect SSNs in the course of business, it is enforceable by the Department of Consumer Protection and by the state agencies that license businesses not subject to that Department’s authority (insurance companies, for example). These agencies do not regulate the relationship between employers and employees. We nevertheless recommend that companies independently consider whether to apply the law’s requirements to transactions with their employees.
- The Connecticut law is enforceable at the administrative level in the state and each violation is subject to a civil penalty of $500. The maximum penalty for a single event is $500,000.
- The Texas law (cited below) likewise restricts non-governmental use of SSNs, barring their display on cards and their use as a credential for website access unless the additional protections specified in the law are in place.
- Link to Connecticut Law (Conn. Pub. Act No. 08-167): http://www.cga.ct.gov/2008/ACT/PA/2008PA-00167-R00HB-05658-PA.htm
- Link to Texas Law (Tex. Bus. & Com. Code §§ 501.001-102): http://tlo2.tlc.state.tx.us/statutes/docs/BC/content/pdf/bc.011.00.000501.00.pdf