
Complying with Personal ID Encryption Mandates

Nevada, Massachusetts and Beyond

Written by Charles H. Kennedy, Wilkinson Barker Knauer, LLP

Historically, data protection laws in the United States have required businesses to adopt "reasonable" information security methods but have not stated in detail what those methods should be. The vagueness of these laws can be frustrating, but it also serves a purpose: by keeping data security requirements general, lawmakers avoid locking in solutions that might become obsolete, and give businesses the flexibility to choose measures that are appropriate to their circumstances.

In 2010, Nevada and Massachusetts are upping the ante by requiring encryption of personal information when that information is transmitted over public networks or stored on portable media. The impact of these new laws should be far-reaching, but their precise effect is unclear in many ways. For example, when are businesses outside of Nevada and Massachusetts subject to these laws? What do these states mean by "encryption," and what kinds of information must be encrypted? Under precisely what conditions of transmission and storage will these laws apply? How are these laws enforced, and what are the possible penalties for non-compliance?

The following looks at these and other issues raised by the new Nevada and Massachusetts laws, and considers the prospects for similar laws in other states.

THE NEVADA ENCRYPTION LAW

Nevada's law has two principal sets of provisions.

First, the law incorporates the requirements of the Payment Card Industry Data Security Standard ("PCI DSS") for all data collectors doing business in the state that accept a payment card in connection with a sale of goods or services. With this provision Nevada gives the PCI DSS, an industry standard developed by a private rulemaking body, the force of law in that state.

The second set of provisions requires encryption, in circumstances defined by the law, of personal information during electronic transmission or while in storage on data storage devices.

Businesses that accept payment cards already should be familiar with the PCI DSS. Accordingly, our focus here will be on the new law's encryption requirements for stored and transmitted data.

The transmission provisions of the new law state that a "data collector doing business in this State to whom subsection 1 does not apply [i.e., that is not required to comply with the PCI DSS] shall not . . . [t]ransfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission."

The data storage provisions of the law state that a "data collector doing business in this State to whom subsection 1 does not apply shall not . . . [m]ove any storage device beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information."

In deciding whether it is subject to the Nevada law, a business must unpack this language carefully. Specifically, a business must decide whether it is a data collector, and, if it is a data collector, whether it is doing business in Nevada. Next, it must determine if it maintains personal information as that term is defined in the statute and, if so, whether it transmits that information outside of its "secure system" or moves any storage device containing such information beyond its own "logical or physical controls" or that of its data storage contractor. If the business handles personal information in either of these defined ways, then it must determine what encryption means in Nevada and must use such encryption to ensure the security of that information.

What Is a Data Collector, and When Is a Data Collector Doing Business in Nevada?

The new law defines a data collector as "any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information." Essentially, the law intends to capture any organization, public or private, that handles personal information as defined in the statute.

However, most businesses in the United States are not incorporated in Nevada and do not have their principal offices in Nevada. In fact, it is fair to say that most U.S. businesses do not have employees, property or any other permanent presence in Nevada. Given these facts, is the Nevada law simply irrelevant to most businesses in this country?

The new law's only answer to this question is the reference to "doing business in Nevada." This phrase might have either of two meanings: it might refer to the activities that require a foreign corporation to obtain a certificate of authority to "do business" in the state; or (and this is the better interpretation) it might refer to the minimum contacts that a business must have with the state in order to meet the constitutional standard for assertion of jurisdiction over that business by the state's courts. Under either meaning, the determination whether an out-of-state organization is doing business in Nevada can be "a laborious, fact-intensive inquiry resolved on a case-by-case basis." The decision is especially difficult where the business in question sells a product or service to Nevada residents only through catalog or Internet channels and does not have employees or brick-and-mortar facilities in the state.

Although we cannot answer the "doing business" question without specific information about each business's circumstances, any company that owns or leases property in Nevada or employs Nevada residents should consider complying with the new law. Also, any business that advertises or makes sales to Nevada residents on a regular basis, regardless of the marketing channel or channels it uses, should expect the state to assert jurisdiction in the event of an apparent violation of the new law.

Companies that do not meet these criteria and have engaged in only isolated transactions – or no transactions at all – in Nevada or with Nevada residents are less likely to be subject to the law. If a company determines that it is doing business in Nevada, the Nevada statute could apply to the company's operations wherever they may occur in the United States, or even worldwide.

What Is "Personal Information" under the Nevada Law?

The statute defines "personal information" as "a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

  • Social security number
  • Driver's license number or identification card number
  • Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account"

The definition does not include "the last four digits of a social security number or publicly available information that is lawfully made available to the general public."

When Is a Transmission Subject to the Nevada Law?

Nevada's law appears to cover essentially all electronic transmissions, except conventional faxes and voice telephone calls, that are sent outside the data collector's internal computer and communications systems. This category would include emails, transmissions of data to offsite data processing vendors, and any non-voice Internet communications. The law does not distinguish between wireless and wireline transmissions, and presumably applies to both.

The law's transmission requirements also include some narrow exceptions. Specifically, the law does not apply to a "telecommunications provider acting solely in the role of conveying the communications of other persons." The law also does not apply to a data transmission over a "secure, private communication channel" for "approval or processing of negotiable instruments, electronic fund transfers or similar payment methods," or "issuance of reports regarding account closures due to fraud, substantial overdrafts, abuse of automatic teller machines or related information regarding a customer."

When Must Stored Data Be Encrypted?

Some of the most controversial provisions of the Nevada law have to do with encryption of data on a "data storage device" that is moved "beyond the logical or physical controls of the data collector or its data storage contractor."

The law defines a data storage device quite comprehensively as "any device that stores information or data from any electronic or optical medium, including, but not limited to, computers, cellular telephones, magnetic tape, electronic computer drives and optical computer drives, and the medium itself." Based on this broad definition, any device or medium on which personal information is stored must be kept within the system or premises of the data collector or its data storage vendor, or the personal information stored on the device or medium must be encrypted.

These provisions put a heavy burden on a business to control its employees' use of laptops, flash drives, and other devices and media that can easily be loaded with sensitive data and removed from the employer's premises. Under the data security breach notification laws already in effect in most states, losses of unencrypted laptops and other devices that contain personal information can create an obligation to notify affected persons. The Nevada law turns the legal screw even tighter, by making the act of removing the unencrypted device from the employer's premises a violation of law in itself, even if no security breach results.

Also, the Nevada law's express inclusion of magnetic tape within the definition of a "data storage device" calls into question the practice of transporting unencrypted backup tapes from a company's premises to those of its data storage vendor. Does the delivery of backup tapes from one location to another count as movement "beyond the logical or physical controls of the data collector or its data storage contractor?"

Nevada does not define "logical or physical controls" or give any other guidance on this question. However, data storage contractors physically secure their customers' records during transport, and the language of the law suggests no reason why those measures are not part of the "physical controls of the . . . data storage contractor." Accordingly, as long as a company's backup tapes are at all times under its control or under the control of its vendor, encryption of those tapes should not be required. We should note, however, that this interpretation would not permit transport of unencrypted tapes to the storage location by a party other than the storage contractor, unless, possibly, transportation is accomplished by a subcontractor to the data storage vendor whose drivers and facilities meet the storage vendor's security standards.

What Does Nevada Mean by "Encryption"?

Nevada has defined encryption very broadly, to include any "key-based" encryption method that "has been adopted by an established standards setting body." The law does not try to list all of the standards setting bodies that might qualify, but gives the Federal Information Processing Standards issued by the National Institute of Standards and Technology ("NIST") as an example of an acceptable set of standards adopted by a qualified organization.

This open-ended definition appears to permit the use of any encryption technology that has been recognized by a reputable private or governmental body. The requirement that the technology must have been adopted by an "established" body suggests that standards issued by new and untried organizations might not pass.

THE MASSACHUSETTS ENCRYPTION REGULATION

Although we refer to the Massachusetts encryption requirements as a law, they actually are a set of regulations adopted by that state's Office of Consumer Affairs and Business Regulation ("OCABR"). The version of the regulations that will take effect on March 1, 2010 is the result of repeated amendments and delays in the effective date, occasioned by widespread criticism of earlier versions and vigorous lobbying by affected organizations.

Massachusetts requires encryption to be adopted as part of a broader "written, comprehensive information security program" by every "person that owns or licenses personal information about a resident of [Massachusetts] and electronically stores or transmits such information." Specifically, the security program must include, "to the extent technically feasible, . . . encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly." The program also must include "[e]ncryption of all personal information stored on laptops or other portable devices."

Like the Nevada law, the Massachusetts regulation must be parsed carefully before a business can decide if it is subject to its requirements at all and, if so, what are its obligations. Specifically, when is a business (including an out-of-state business) subject to the Massachusetts law? What sorts of personal information are covered by the law? Under what circumstances must such information be encrypted? And, finally, what is "encryption" according to Massachusetts?

What Businesses Are Subject to the Massachusetts Law?

An important difference between the Nevada and Massachusetts laws is that Massachusetts protects only personal information of Massachusetts residents. Accordingly, companies that do not sell to Massachusetts residents, or do not otherwise maintain their personal information, should have no compliance obligations under the law.

This still leaves the question of businesses that might have some personal information of Massachusetts residents but do not have facilities, employees or other permanent contacts with the state. The mere possession of a state resident's personal information will not necessarily give Massachusetts jurisdiction over an out-of-state business that does not regularly do business there. As we discussed in connection with Nevada, the test will be whether the business has the "minimum contacts" that satisfy the constitutional test for assertion of jurisdiction over the business by the state of Massachusetts. Under that standard, an out-of-state company that does not transact business in Massachusetts, or does so only in isolated cases, might not be subject to the new regulations; but out-of-state businesses that engage in transactions with Massachusetts residents on an ongoing basis should comply.

What Is "Personal Information" under the Massachusetts Law?

Massachusetts defines personal information in terms that are similar to Nevada's definition. The category includes "a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a) Social Security number; (b) driver's license number or state-issued identification card number; or (c) financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that 'Personal Information' shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public."
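As an added illustration, not part of the original article, the following scoping check applies the two statutory definitions quoted above (Nevada's in the earlier section, Massachusetts' here) to a stored record, so that a business can decide which records fall inside each law's encryption scope. The Record fields, the sample values and the treatment of a partial Social Security number under the Massachusetts text are assumptions made for this example.

```python
import re
from dataclasses import dataclass


@dataclass
class Record:
    """One stored customer record. Field names are constructed for this
    example; they are not terms from either statute."""
    first_name: str = ""          # full first name or just an initial
    last_name: str = ""
    ssn: str = ""                 # nine digits, or only the last four
    drivers_license: str = ""     # driver's license / state ID number
    account_number: str = ""      # financial, credit or debit card number
    access_code: str = ""         # PIN, password or security code for it
    state_of_residence: str = ""  # two-letter code; only "MA" matters here
    publicly_available: bool = False  # lawfully public information
    encrypted: bool = False       # name and data elements held encrypted


def _has_name(r: Record) -> bool:
    # Both definitions need a last name plus a first name or first initial.
    return bool(r.first_name.strip()) and bool(r.last_name.strip())


def _full_ssn(r: Record) -> bool:
    # Nevada expressly excludes "the last four digits"; the Massachusetts
    # text quoted above is silent, so (assumption) only a full nine-digit
    # number is treated as a Social Security number under either law.
    return len(re.sub(r"\D", "", r.ssn)) == 9


def is_personal_information_nv(r: Record) -> bool:
    """Nevada: name plus SSN, license/ID number, or an account number
    together with the code that would permit access; not when the name
    and elements are encrypted, and not when the data is lawfully public."""
    if r.encrypted or r.publicly_available or not _has_name(r):
        return False
    if _full_ssn(r) or r.drivers_license:
        return True
    # An account number alone is not enough in Nevada: the statute wants it
    # "in combination with any required security code, access code or password".
    return bool(r.account_number and r.access_code)


def is_personal_information_ma(r: Record) -> bool:
    """Massachusetts: only Massachusetts residents; an account or card
    number qualifies "with or without" any code; public records excluded."""
    if r.state_of_residence.strip().upper() != "MA":
        return False
    if r.publicly_available or not _has_name(r):
        return False
    return bool(_full_ssn(r) or r.drivers_license or r.account_number)


def scope(records):
    """Per record index, which definitions the record meets. A record that
    meets either one belongs in the encryption scope for transmission over
    public networks and for storage on portable media."""
    return {i: {"NV": is_personal_information_nv(r),
                "MA": is_personal_information_ma(r)}
            for i, r in enumerate(records)}


# Constructed sample records; every value is fictitious.
SAMPLE = [
    Record("Jane", "Doe", ssn="000-00-0000", state_of_residence="NV"),
    Record("J", "Smith", ssn="0000", state_of_residence="MA"),
    Record("Ann", "Lee", account_number="0000111122223333", state_of_residence="MA"),
    Record("Ann", "Lee", account_number="0000111122223333", access_code="1234",
           state_of_residence="MA", encrypted=True),
    Record("Bob", "Ray", drivers_license="X0000000", publicly_available=True),
]

if __name__ == "__main__":
    print(scope(SAMPLE))
```

The third and fourth sample records show the two concrete differences: an account number without its access code is personal information in Massachusetts but not in Nevada, and encrypting the record takes it outside Nevada's definition but not Massachusetts'.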

When Must Personal Information Be Encrypted in Transmission?

The Massachusetts law states generally that personal information must be encrypted, if technically feasible, when it travels across public networks and when it is transmitted wirelessly. Apparently, this means that even transmissions over a private network, entirely within an organization's control, must be encrypted if the transmission includes a wireless link.

When Must Personal Information Be Encrypted in Storage?

The Massachusetts regulation simply states that personal information of Massachusetts residents stored on "laptops and other portable devices" must be encrypted if technically feasible. Unlike Nevada, Massachusetts does not define these terms; but an FAQ document posted by the OCABR notes that the category will be interpreted to include laptops, cell phones, smartphones, net books and similar devices. The FAQs also state that the category includes backup tapes, at least "on a prospective basis."

It is noteworthy that the Massachusetts regulation does not limit the encryption requirement to devices that are taken outside the control of a business or its storage contractor. Apparently, when such devices contain personal information of Massachusetts residents, they must be encrypted even when they are physically secured on the premises of the business or its contractor.

The FAQs also acknowledge that standardized encryption methods for many devices, such as cell phones and smartphones, might not be available, making encryption of those devices not "technically feasible." And, while the FAQs indicate that the OCABR considers laptop encryption to be technically feasible, the technical feasibility requirement should be carefully considered in the context of each portable device. Technical feasibility does not appear to require doing anything that is possible, in the engineering sense. As the U.S. Supreme Court has stated, "if technically feasible meant what is merely possible, it would be no limitation at all." Rather, in the FAQs the OCABR introduced a reasonability standard, stating that technically feasible means "that if there is a reasonable means through technology to accomplish a required result, then that reasonable means must be used." And, although there is no further clarification of reasonability in this context, at a minimum it would seem to include a consideration of the regulation's flexibility of approach factors, which state that the required written, comprehensive information security program, including the encryption requirement, should be "appropriate to (a) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program; (b) the amount of resources available to such person; (c) the amount of stored data; and (d) the need for security and confidentiality of both consumer and employee information."

Some of the most confusing language in the FAQs has to do with the circumstances under which backup tapes must be encrypted. The FAQs state that "[y]ou must encrypt backup tapes on a prospective basis," but do not explain what "on a prospective basis" means. If a business finds on March 1, 2010 that it has tapes that were created in unencrypted form before the effective date of the regulation, must the business encrypt those tapes in order to comply with the regulation? Or, does this tape encryption requirement only extend to tapes that are created after the effective date?

The suggestion of an answer, at least, is contained in the FAQs' brief discussion of "transport[ing] backup tapes from current storage," which states that if "it is technically feasible to encrypt (i.e. the tape allows it) then you must do so prior to the transfer." Assuming that "current storage" means "storage before the new law's effective date," this language suggests that the obligation to encrypt tapes created before March 1 arises only when the business decides to transport them. Otherwise, this language would be redundant because a compliant business already would have encrypted the tapes.

If this reading is correct, there is no obligation to encrypt tapes created before March 1, 2010 that will remain in storage, but there might be an obligation to encrypt them (if technically feasible) before transporting them at any time after March 1, 2010.

Finally, the FAQs' discussion of transport of backup tapes from current storage includes the handling of tapes that cannot feasibly be encrypted. For tapes in that category, the FAQs state that "you should consider the sensitivity of the information, the amount of personal information and the distance to be traveled and take appropriate steps to secure and safeguard the personal information."

What Does Massachusetts Mean by "Encryption"?

Massachusetts defines "encrypted" simply as "the transformation of data into a form in which meaning cannot be assigned without the use of a confidential process or key." The definition is technology-neutral and does not cite the NIST or any other standards-making body. The FAQs make clear, however, that password protection, which does not transform the affected data, does not qualify as encryption under the regulation.

Obligations with Respect to Vendors in Massachusetts

Some of the Massachusetts regulation's most stringent provisions have to do with the selection of vendors involved with personal information of Massachusetts residents.

Specifically, businesses subject to the regulation must take "reasonable steps to select and retain third-party service providers that are capable of maintaining appropriate security measures to protect such personal information consistent with these regulations and any applicable federal regulations." Also, businesses must require "such third-party to contract to implement and maintain such appropriate security measures for personal information; provided, however, that until March 1, 2012, a contract a person has entered into with a third party service provider to perform services for said person or functions on said person's behalf satisfies [the regulation] even if the contract does not include a requirement that the third party service provider maintain such appropriate safeguards, as long as such person entered into the contract no later than March 1, 2010."

Of course, no contract with a vendor can ensure that the vendor is capable of, or has a track record of, safeguarding a company's information to the standard required by the Massachusetts regulation and other applicable laws. As always, reputation and qualifications will be important factors in selecting vendors that will have access to records containing personal information.

RISKS AND PENALTIES UNDER THE NEW LAWS

Although the Massachusetts and Nevada laws have essentially the same goal – to mandate the encryption of personal information in transit and when stored on portable devices – the risks and penalties under those laws are not the same.

Notably, Nevada's law provides that compliance with the encryption obligations will act as a shield against claims for damages in the event of a data security breach, so long as the breach is not caused by gross negligence or intentional misconduct. Massachusetts does not appear to have a comparable safe harbor.

Also, and perhaps most importantly, the available enforcement mechanisms under the two laws seem quite different. The Nevada law appears to have no specific penalty provisions, and it is unclear how enforcement actions under the law will be brought or what penalties will be imposed. Massachusetts, however, has a well-defined set of penalties, including monetary assessments of up to $5,000 for each violation.

BEYOND NEVADA AND MASSACHUSETTS

The history of privacy and data protection laws shows that once a state has adopted such a law, others tend to follow suit. For example, California adopted the first data security breach notification law in 2003; by 2009, at least 45 states and the District of Columbia had adopted similar laws.

The future course of encryption laws and regulations could be similar. A number of encryption bills have been introduced in the state legislatures in recent years, and some governors have signed executive orders requiring state agencies to encrypt sensitive information in transmission and on portable devices. Further initiatives of this kind should be expected, and businesses should follow those developments and implement compliance measures accordingly.

In conclusion, the proper safeguarding of a company's information doesn't just happen by chance. It requires thoughtful planning and careful controls. Given the implications of these privacy and data protection laws, companies must allocate proper resources to implement and maintain rigorous processes for securing data. For more information on how Iron Mountain can help, please visit www.ironmountain.com.
