On Sept. 19, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued final rules governing how businesses must protect and store personal information. The rules take effect January 1, 2009. Under the rules, businesses that own, license, store, or maintain personal information of a Massachusetts resident must develop and implement a written information security program and implement certain system security measures, including encryption of personal information during transmission (to the “extent technically feasible”) and encryption of personal information stored on laptops and other portable devices. A copy of the rules can be found on the OCABR website.
A Nevada statute (N.R.S. 597.970) that takes effect October 1, 2008 requires businesses “in this State” to encrypt all customer personal information (other than facsimiles) that is electronically transmitted “outside the secure system of the business.” The statute refers to Nevada's data breach statute (N.R.S. 603A.040) for the definition of “personal information,” which is defined as first name or first initial and last name in combination with any of the following elements: SSN; driver’s license or ID card number; or account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account. The statute does not define what it means to be a “business in this State,” leaving it unclear whether the statute applies only to businesses physically located in the state or to all entities conducting business with Nevada residents.
Both the Massachusetts regulations and the Nevada encryption statute are part of a growing trend in state legislation (and industry standards) to require businesses to implement certain controls to protect personal information. A number of states (including California and Nevada) have statutes in place requiring entities that maintain records containing personal information of state residents to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure. Likewise, the Payment Card Industry Data Security Standard (“PCI DSS”) requires all entities processing credit card payments to implement an array of security controls, including firewalls, access controls, monitoring, and encryption of cardholder data during transmission and storage. The message is clear: entities must implement reasonable security controls to protect personal data.