Nevada recently joined the growing list of states seeking to regulate how businesses handle consumers’ personal data. Businesspeople in every state should be aware of Nev. Rev. Stat. Ann. §597.970, which became effective Oct. 1, 2008. This new Nevada law specifies a particular security measure—encryption—to be used when businesses transfer consumer data in certain circumstances.
Nevada appears to be the first state to designate encryption as a means of data security: many comparable state statutes only require “reasonable” security measures, and others do not require any specific security measures at all. See, e.g., R.I. Gen. Laws § 11-49.2-2(2) (requiring “reasonable” procedures); Tex. Bus. & Com. Code § 48.102(a) (same); see also Conn. Pub. Act. No. 08-167 (specifying no single security measure). On May 1, 2009, Massachusetts law will follow Nevada in part: on that date, Massachusetts code will require laptops to be encrypted by the “use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key.” 201 C.M.R. 17.04(5), implementing M.G.L. ch. 93H. While there is some debate about whether or not encryption has a significant effect on data security, the Nevada and Massachusetts statutes suggest that states may begin to mandate it, regardless.
The Nevada statute requires “a business in this State” to encrypt “personal information of a consumer” whenever it sends that information “through an electronic transmission other than a facsimile” to someone “outside of the secure system of the business.” Nev. Rev. Stat. Ann. §597.970. But the statute does not define many of these terms, and it does not impose a specific penalty for a statutory violation. As a result, the statute’s scope and effects are as yet unclear.
Two of the statute’s central terms are given broad definitions imported from other Nevada laws. “Personal information” means the combination of: (1) a first name or first initial; (2) a last name; and (3) a social security number, driver’s license number, or financial account number (with a password if one is needed to access the account). Nev. Rev. Stat. Ann. §603A.040. And a business sufficiently “encrypts” data if it uses “any protective or disruptive measure” that attempts: (1) to “prevent, impede, delay or disrupt access” to information; or (2) to “cause or make” that information “unintelligible or unusable.” Nev. Rev. Stat. Ann. §205.4742.
Businesses with strong Nevada ties should at a minimum move to comply with this new law by using some security measures to make electronic consumer data more secure, as doing so will likely comply with the broad definition of “encryption” in the statute. More specific compliance measures likely depend on the many interpretive issues that this largely undefined statute raises. Some of these issues are:
- The statute facially applies to “a business in this State,” Nev. Rev. Stat. Ann. §597.970, but does not define that term. The Nevada Supreme Court recently addressed the related question of whether a foreign corporation was licensed to do business in Nevada. Executive Mgmt. Ltd. v. Ticor Title Ins. Co., 38 P. 3d 872 (Nev. 2002). In that case, the court approved a two-part test that considers: (a) the nature of the company’s business in Nevada; and (b) the quantity of business it conducted there. Id. at 874 n.4. But the court recognized that applying this test is “often a laborious, fact-intensive inquiry resolved on a case-by-case basis.” Id. at 874. For that reason, out-of-state businesses with strong Nevada ties might wish to assume, if only for compliance purposes, that they will be governed by this statute.
- When the statute refers to “personal information of a consumer,” it defines “personal information” but not “consumer.” Businesses often keep information about their employees, and they sometimes acquire information about potential consumers by purchasing contact lists from other businesses or from credit reporting agencies. If employees or the individuals on these contact lists have not purchased anything from a business, it is not obvious whether information about them should be treated as “personal information of a consumer” under the statute. But again, for compliance purposes, a business may wish to assume that all “personal information” is covered by the statute.
- The statute’s imported definition of “personal information” specifically excludes the last four digits of a social security number and any “publicly available information that is lawfully made available to the general public.” Nev. Rev. Stat. Ann. §603A.040. This latter exception may or may not cover information provided under color of law—e.g., in response to a court order. In other words, if a business electronically provides information in response to a subpoena, it could in theory be held to have violated this new Nevada law.
- The statute does not require a business to encrypt all relevant information, but only information that it sends “through an electronic transmission other than a facsimile” to someone “outside of the secure system of the business.” Nev. Rev. Stat. Ann. §597.970. The key phrases “electronic transmission” and “secure system” are both undefined. As a result, it is not clear whether some of the more common types of data breach are covered by the statute or not. If an employee takes a laptop containing unencrypted electronic data from the office, intending to work with it at night, and the laptop is lost or stolen on the way home, is the act of taking the laptop from work considered a “transmission…outside of the secure system of the business”? Suppose the employee attempts to take an unencrypted disc from one office to another, but loses the disc en route? An “electronic transmission” may only refer to sending data via email or via web download, or it may refer to physical transmissions that still involve data in “electronic” form.
In passing this new Nevada data security statute, the Nevada legislature appears to have assumed that: (1) a business’s “electronic transmission” of data is inherently insecure; and (2) encryption will make data more secure. But the best available evidence contradicts both of these assumptions.
There is some reason to doubt that businesses contribute to identity theft or that such theft causes real harm to consumers. A 2006 study by Javelin Research and the Better Business Bureau found that only 6 percent of identity theft victims traced the crime to a business’s loss of data, and it also found that 68 percent of all identity theft victims suffered no financial harm at all.1 Likewise, a 2003 FTC survey showed that 63 percent of victims suffered no monetary harm,2 and a survey by Privacy and American Business found that between 1990 and 2003, 62 percent of victims reported no financial loss.3
There is also some reason to doubt that encryption has any real effect on data security. A recent study by the Ponemon Institute suggests that laptop users use common passwords, share passwords, leave written notes containing passwords, leave laptops unlocked, and otherwise leave encrypted data open to theft or breach. The same study found that encryption creates a false sense of security that may encourage employees to take a casual or even careless approach to an employer’s data security measures.4
The fact that the new Nevada statute lacks any sort of damages provision and fails to define encryption in any significant way suggests that the Nevada legislature may have recognized both the lack of a direct connection between data breaches and consumer harm, and the questions about whether encryption enhances data security. Businesses targeted by private data security litigation—in which a putative class of plaintiffs whose data was lost sues the defendant(s) that failed to secure it—may be able to use this vague statutory language to their advantage. For example, a common and often successful defense argument against such actions is that unless a data breach caused out-of-pocket loss to consumers, there is no harm and thus no standing to sue. The Nevada statute’s lack of a damages provision may provide additional support for this argument.
In conclusion, Nevada’s new data security law, while largely undefined, requires businesses with strong Nevada ties to take steps to secure consumer data in a way that will meet the broad definition of “encryption” in the statute.