One of the key privacy debates over the past decade involves whether federal law should "preempt" state law—whether there should be one federal standard for the protection of privacy, or whether states should be allowed to enact stricter protections. For the most part, federal law, to date, has merely set a floor of protection, with the states being permitted (in most instances) to pass tougher laws. Important examples of this model are the Gramm-Leach-Bliley Act (G-L-B) for the financial services industry and the Health Insurance Portability and Accountability Act (HIPAA) for the health care industry.
Under that model, where states pass tougher laws, such as California's effort to address the sharing of personal information with affiliates of financial services companies, or the plethora of state laws regulating health care industry disclosure of information about "sensitive" conditions, there often is significant confusion about how the state laws interact with the federal provisions. Moreover, specific state rules may impose substantial administrative burdens on regional or national businesses.
To date, these issues have for the most part been limited to privacy laws. Now, however, with a series of new provisions going into effect this fall or early next year, states such as Nevada and Massachusetts are imposing information-security requirements that are specific at the state level, and that otherwise are not required for most companies. These provisions—because they regulate the details of information systems—create a substantial concern about a single state being able to define the systems of a national company, given the difficulties in establishing separate systems for a particular state. Moreover, as illustrated by the recent Texas Attorney General suit against a drug treatment facility for improper disposal of patient records (based on Texas state law) and the new California laws containing stringent penalties for security violations, states also are acting aggressively on the enforcement end. Accordingly, companies—in all industries—need to pay close attention to these new rules and develop an appropriate strategy for managing their requirements.
Nevada's Encryption Requirements
Nevada recently stepped into the information-security arena with a new encryption standard. The Nevada law, for the most part, is a typical state law that contains security-breach-notification standards. See Nev. Rev. Stat. § 597.970 (2005). Most of the provisions of this law went into effect in 2005. Beyond these typical provisions, however, Nevada added a provision related to encryption of personal information. Effective October 1, 2008, the Nevada law requires that:
"A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission."
The "personal information" covered by this law is the kind of personal information that has triggered the breach-notification laws: a Nevada resident's "first name or first initial and last name in combination with any of the following: (a) Social Security number or employer identification number; (b) driver's license number or identification card number; or (c) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account."
The Nevada law defines encryption as "the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer containment, to: (1) [p]revent, impede, delay or disrupt access to any data, information, image, program, signal or sound; (2) [c]ause or make any data, information, image, program, signal or sound unintelligible or unusable; or (3) [p]revent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network."
The law could require many companies to alter their behavior. While it explicitly exempts facsimiles, it appears to apply to every other kind of electronic transmission, which means that companies need to implement encryption for email. Many companies in regulated areas (such as health care or financial services) have chosen to encrypt email, but that step is neither required in most situations nor common in most industries. Because it is hard to isolate the messages that carry a Nevada resident's data, the law also may impose this standard de facto on all email transmissions. Note, too, that the statutory definition of "encryption" quoted above is broad enough to reach mere "encoding," which any recipient of the transmission can reverse; a company that wants the measure to protect the data, and not merely to satisfy the definition, should use actual cryptography rather than a reversible encoding. While there is some confusion over which companies are covered, any business that transmits the personal information of a Nevada resident faces risk under this statute, whether or not the business is located in Nevada, just as a business outside the state faces notification obligations if a breach affects a Nevada resident.
Therefore, it is clear that this Nevada law requires specific behavioral changes for many companies, and that it will be difficult as a practical matter to design a solution that is limited to specific electronic transmissions involving Nevada residents.
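The practical question raised above is whether a company can tell, before a message leaves its secure system, that it carries a Nevada resident's "personal information" as the statute defines it. The following is an added example (not code from the original article or from any vendor) of an outbound-message check that applies that definition: it is covered only if the channel is not a fax, a known Nevada resident is named (first name or first initial plus last name), and the message also carries a Social Security number, or a payment-card number together with a security code or password. The `Customer` record, the `SAMPLE_DIRECTORY`, the sample messages, the regular expressions and the `nevada_requires_encryption` function are all assumptions made for this example; driver's-license formats vary by state and are deliberately not detected here.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Trigger elements from the statutory definition. SSN format rules: area not
# 000/666/9xx, group not 00, serial not 0000. Card numbers are 13-19 digits
# with optional separators and must pass the Luhn check.
SSN_RE = re.compile(r"(?<!\d)(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}(?!\d)")
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")
# A card/account number only counts when paired with a code that permits access.
ACCESS_CODE_RE = re.compile(
    r"\b(?:cvv2?|cvc|security code|pin|access code|password)\b\s*[:=]?\s*\S+", re.I
)


@dataclass(frozen=True)
class Customer:
    """Assumed directory entry: the state of residence is what the statute keys on."""
    first: str
    last: str
    state: str


def luhn_ok(number: str) -> bool:
    """Luhn checksum over the digits of a candidate card number."""
    digits = [int(c) for c in number if c.isdigit()]
    if not 13 <= len(digits) <= 19:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


def name_mentioned(text: str, c: Customer) -> bool:
    """Match 'first name or first initial and last name', case-insensitively."""
    pat = rf"\b(?:{re.escape(c.first)}|{re.escape(c.first[0])}\.?)\s+{re.escape(c.last)}\b"
    return re.search(pat, text, re.I) is not None


def nevada_requires_encryption(text: str, channel: str, directory: list[Customer]) -> dict:
    """Decide whether an outbound message falls under the Nevada transmission rule.

    Returns a dict with 'covered' (bool), the 'residents' named, and the
    'triggers' found, so the caller can encrypt, block, or log the message.
    """
    if channel.lower() == "fax":
        return {"covered": False, "residents": [], "triggers": ["facsimile is exempt"]}
    residents = [f"{c.first} {c.last}" for c in directory
                 if c.state == "NV" and name_mentioned(text, c)]
    if not residents:
        return {"covered": False, "residents": [], "triggers": []}
    triggers = []
    if SSN_RE.search(text):
        triggers.append("SSN")
    cards = [m.group() for m in CARD_RE.finditer(text) if luhn_ok(m.group())]
    if cards and ACCESS_CODE_RE.search(text):
        triggers.append("card number with access code")
    return {"covered": bool(triggers), "residents": residents, "triggers": triggers}


# Constructed sample data for a stand-alone run; not real customers.
SAMPLE_DIRECTORY = [Customer("Jane", "Doe", "NV"), Customer("Juan", "Perez", "CA")]
SAMPLE_EMAIL = "Hi, Jane Doe's application lists SSN 123-45-6789. Thanks."

if __name__ == "__main__":
    print(nevada_requires_encryption(SAMPLE_EMAIL, "email", SAMPLE_DIRECTORY))
```

The name lookup is the weak link, which is the article's point: identifiers such as SSNs and card numbers can be recognized from their structure, but whether a named person is a Nevada resident must come from the company's own records, so in practice many companies will find it simpler to encrypt every message that carries such identifiers regardless of the recipient's state.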
Massachusetts Security Program Requirements
The Massachusetts security provisions similarly evolved from a law creating breach-notification requirements. See Massachusetts General Laws, Chapter 93H. While following the mainstream in its breach-notification provisions, Massachusetts has now imposed the most substantial set of security-practice obligations in the nation applicable to businesses in all sectors. The law also mandates specific information-disposal practices (although such practices are becoming somewhat more common in other states, including Colorado and Michigan, in addition to various federal requirements).
The law authorizes and requires regulations to specify appropriate security practices. The final regulations, just released in September 2008 (201 CMR 17.00), currently require compliance by January 1, 2009 (although efforts are under way within the state to extend that compliance deadline).
The Massachusetts law has broad applicability, as it covers "persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts." In essence, this law (with some added complexity) turns into a formal compliance requirement for all businesses the safeguards that the Federal Trade Commission (FTC) implemented under the G-L-B Act and later extended to all companies through the FTC's BJ's Wholesale settlement. See "Effective Security Practices Now a National Requirement," Privacy In Focus (June 2005), available at www.wileyrein.com/Effective_Security_Practices.
According to the Massachusetts rules, each covered business "shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information." This program "shall be reasonably consistent with industry standards" (without defining what industry or what standards), and, like the G-L-B rules, "shall contain administrative, technical, and physical safeguards to ensure the security and confidentiality of such records." In addition, the program safeguards "must be consistent with the safeguards for protection of personal information and information of a similar character set forth in any state or federal regulations by which the person who owns, licenses, stores or maintains such information may be regulated." The Massachusetts law does not explain why it needs to extend its applicability to companies that already are regulated.
Supplementing the general requirements, the rules impose a set of detailed security program requirements. Many of these are consistent with the G-L-B principles, but others impose new standards on businesses that maintain information about Massachusetts residents. For example, like G-L-B, the Massachusetts rules require companies to designate "one or more employees to maintain the comprehensive information security program." They also require "identifying and assessing reasonably foreseeable internal and external risks to the security, confidentiality, and/or integrity of any electronic, paper or other records containing personal information, and evaluating and improving, where necessary, the effectiveness of the current safeguards for limiting such risks" (including (i) ongoing employee training; (ii) employee compliance with policies and procedures; and (iii) means for detecting and preventing security system failures).
In addition to these G-L-B mandates, the rules require:
- Developing security policies for employees that take into account whether and how employees should be allowed to keep, access and transport records containing personal information outside of business premises.
- Imposing disciplinary measures for violations of the information-security program.
- Preventing terminated employees from accessing records containing personal information by immediately terminating their physical and electronic access to such records.
- Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information, including (i) selecting and retaining service providers that are capable of maintaining safeguards for personal information; and (ii) contractually requiring service providers to maintain such safeguards.
- Limiting the amount of personal information collected, the time such information is retained and the access of employees to that which is reasonably necessary to accomplish the legitimate purpose for which it is collected.
- Identifying paper, electronic and other records, computing systems and storage media, including laptops and portable devices used to store personal information, to determine which records contain personal information.
- Placing reasonable restrictions upon physical access to records containing personal information and storage of such records and data in locked facilities, storage areas or containers.
- Monitoring to ensure that the information-security program is operating in a manner reasonably calculated to prevent unauthorized access to, or unauthorized use of, personal information, and upgrading information safeguards as necessary to limit risks.
- Reviewing the scope of the security measures at least annually, or whenever there is a material change in business practices that may reasonably implicate the security or integrity of records containing personal information.
- Documenting responsive actions taken in connection with any incident involving a breach of security, and mandatory post-incident review of events and actions taken, if any, to make changes in business practices relating to protection of personal information.
Accordingly, this required program is now far more detailed than virtually any existing requirement, other than the HIPAA Security Rule. In addition to these basic provisions, however, the rules also mandate a separate information-security program for computer systems, including "any wireless system," meeting the following specific requirements:
- Secure user-authentication protocols including:
(i) control of user IDs and other identifiers;
(ii) a reasonably secure method of assigning and selecting passwords, or use of unique identifier technologies, such as biometrics or token devices;
(iii) control of data-security passwords to ensure that such passwords are kept in a location and/or format that does not compromise the security of the data they protect;
(iv) restricting access to active users and active user accounts only; and
(v) blocking access to user identification after multiple unsuccessful attempts to gain access or the limitation placed on access for the particular system.
- Secure access control measures that:
(i) restrict access to records and files containing personal information to those who need such information to perform their job duties; and
(ii) assign unique identifications plus passwords, which are not vendor supplied default passwords, to each person with computer access, that are reasonably designed to maintain the integrity of the security of the access controls.
- To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly.
- Reasonable monitoring of systems for unauthorized use of or access to personal information.
- Encryption of all personal information stored on laptops or other portable devices.
- For files containing personal information on a system that is connected to the Internet, there must be reasonably up-to-date firewall protection and operating system security patches, reasonably designed to maintain the integrity of the personal information.
- Reasonably up-to-date versions of system security agent software that must include malware protection and reasonably up-to-date patches and virus definitions, or a version of such software that can still be supported with up-to-date patches and virus definitions, and is set to receive the most current security updates on a regular basis.
- Education and training of employees on the proper use of the computer security system and the importance of personal information security.
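Several of the computer-system requirements above (unique user IDs, passwords that are not vendor defaults and are stored in a form that does not compromise the data they protect, access limited to active accounts, lockout after multiple unsuccessful attempts, immediate revocation on termination, and monitoring for unauthorized access) can be checked in one small account-handling routine. The following is an added example written for this article, not code from the regulation, the Commonwealth, or any product; the `AccountStore` class, the `MAX_FAILED_ATTEMPTS` and `LOCKOUT_SECONDS` values, the minimum password length and the `DEFAULT_PASSWORDS` denylist are all assumptions, since the rules say only "multiple unsuccessful attempts" and "vendor supplied default passwords" without fixing numbers or a list.

```python
from __future__ import annotations

import hashlib
import hmac
import os
import time
from dataclasses import dataclass

# Assumed policy parameters; the regulation does not fix these numbers.
MAX_FAILED_ATTEMPTS = 5
LOCKOUT_SECONDS = 15 * 60
MIN_PASSWORD_LENGTH = 12
PBKDF2_ROUNDS = 100_000
# Constructed denylist standing in for vendor-supplied default passwords.
DEFAULT_PASSWORDS = {"admin", "password", "changeme", "default", "12345678"}
_DUMMY_SALT = bytes(16)  # used so unknown users take as long to reject as bad passwords


@dataclass
class Account:
    user_id: str
    salt: bytes
    pw_hash: bytes          # only a salted PBKDF2 hash is kept, never the password
    active: bool = True
    failed_attempts: int = 0
    locked_until: float = 0.0


def _hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class AccountStore:
    """Minimal account store implementing the authentication controls listed above."""

    def __init__(self, clock=time.time):
        self._accounts: dict[str, Account] = {}
        self._clock = clock            # injectable so lockout expiry can be tested
        self.audit: list[tuple[str, str]] = []   # (user_id, event): the monitoring feed

    def create(self, user_id: str, password: str) -> None:
        """Assign a unique ID and a non-default password; store only its hash."""
        if user_id in self._accounts:
            raise ValueError("user ID must be unique")
        if password.lower() in DEFAULT_PASSWORDS or len(password) < MIN_PASSWORD_LENGTH:
            raise ValueError("password is a vendor default or too short")
        salt = os.urandom(16)
        self._accounts[user_id] = Account(user_id, salt, _hash_password(password, salt))
        self.audit.append((user_id, "account created"))

    def terminate(self, user_id: str) -> None:
        """Immediately revoke electronic access for a terminated employee."""
        self._accounts[user_id].active = False
        self.audit.append((user_id, "access terminated"))

    def authenticate(self, user_id: str, password: str) -> bool:
        now = self._clock()
        acct = self._accounts.get(user_id)
        if acct is None or not acct.active:
            _hash_password(password, _DUMMY_SALT)   # keep timing uniform
            self.audit.append((user_id, "denied: unknown or inactive account"))
            return False
        if now < acct.locked_until:
            self.audit.append((user_id, "denied: account locked"))
            return False
        if hmac.compare_digest(_hash_password(password, acct.salt), acct.pw_hash):
            acct.failed_attempts = 0
            self.audit.append((user_id, "login ok"))
            return True
        acct.failed_attempts += 1
        if acct.failed_attempts >= MAX_FAILED_ATTEMPTS:
            acct.locked_until = now + LOCKOUT_SECONDS
            acct.failed_attempts = 0
            self.audit.append((user_id, "locked after repeated failures"))
        else:
            self.audit.append((user_id, "denied: bad password"))
        return False
```

The `audit` list is what the "reasonable monitoring" requirement consumes: in a real deployment it would be shipped to a log collector, and a burst of "locked after repeated failures" or "unknown or inactive account" events for one account is the signal that someone is guessing credentials or using a terminated employee's ID.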
Implications for Businesses
With these new laws in Nevada and Massachusetts, what are the key issues for companies trying to meet their expanding information-security obligations?
Assess What the Law Makes You Do
These laws impose specific requirements, many of which include documentation details or otherwise require compliance steps that are subject to specific and measurable evaluation. Companies must develop a strategy for evaluating how they will comply with these specific laws, and whether they will comply in the same way across the country or will try to adapt their practices to meet a specific state law. Encryption obviously is the big challenge here: will you try to encrypt communications concerning Nevada residents? Is there any realistic way to determine when a Nevada resident's personal information is at issue? Or will you find some other means of meeting the statutory requirements? How will you handle the broader encryption requirements of the Massachusetts law, which extend beyond email to all laptops and portable devices as well?
Evaluate What You Should be Doing Anyway
Beyond these immediate compliance questions, many of the requirements in the Massachusetts law do make good sense from a security perspective. Regardless of a company's formal approach to compliance with the state laws (including a risk-based assessment, for example, that a company does so little work with Nevada residents that it will not develop a separate compliance approach for that state), companies should be evaluating whether the specifications of these laws make good sense, regardless of whether they are requirements. Whatever one thinks of the details of G-L-B and HIPAA on the security front, those rules clearly have forced companies in the relevant industries to re-evaluate their security activities, and to improve their overall information-security practices. All companies should evaluate the requirements of the Massachusetts law—just as they should review the requirements of any relevant set of security standards—simply to assess how the company can most effectively protect its information assets. Remember, the main time that these requirements will come into play is when a company has a breach. In that situation, a company's exposure will be driven as much by the breach itself as by a violation of a security-procedures requirement. Timely attention to these laws can often generate improved overall information security.
Keep an Eye on New Developments
Pay Attention to What Other States Do
Over the past decade, the state of California has passed dozens of privacy and security laws. Some, like the security-breach notification or Social Security Number laws, were picked up by many other states and became a de facto national standard. Other laws have been ignored by the remaining states.
For information security, the big question is whether other states will form a bandwagon for additional state requirements. The Nevada and Massachusetts laws obviously have some similarities (e.g., encryption), but the Massachusetts law is much broader. While the laws are not highly specific in terms of particular technical security standards, they do require particular steps and compliance practices that may be difficult to separate on a state-by-state basis. Although there are only a limited number of these laws today, it will not take many more before companies likely will be forced to comply on a national basis.
As information-security problems persist around the country and in a wide variety of industries, states are beginning to see value in putting their own stamp on the security obligations for companies interacting with their residents. These laws are hard enough to deal with in their infancy. If we see a wave of new state laws, the ongoing cost and complexity of compliance may become unmanageable.
Companies need to take these requirements seriously, just as they need a continuing effort to improve security compliance independent of specific legal requirements. It is critical to view information security as a top priority—for any company that collects, maintains or discloses personal information about customers, employees or others.