States move to mandate encryption of sensitive personal data

March 2nd, 2009

hadley_roy_cropFirst came data loss disclosure requirements and credit freeze laws. Now comes data encryption laws. In response to the continuing wave of data heists, Massachusettes and Nevada are leading the way in passing new state laws dictating what businesses must do to protect credit card transaction records and other  personal data. These new laws go much further than the hard-won laws in more than 30 states requiring companies to notify individuals whose data has been lost or stolen, and granting individual consumers the right to freeze their credit histories.

Roy E. Hadley, an attorney at Bryan Cave Powell Goldstein Bulletin and former Chief Privacy Officer at AirGate PCS, says other states may very likely follow suit, especially if the wave of massive data breaches at Heartland Payment Systems, RBS WorldPay and now a third, unnamed payment processor, continues. Excerpts from Last Watchdog’s interview with Hadley:

LW: Which states are currently considering new data protection laws?

HADLEY: Currently, Nevada and Massachusetts are the two states which have enacted “new” data protection laws. However, as states start to review Nevada’s and Massachusetts’ policies, some may adopt similar laws. Legislative chatter indicates that Washington and Michigan may be starting down the path as well.  In addition, states like New Jersey are implementing additional security mandates which may make their way into this fold.

LW: Why is this occurring?

HADLEY: There is little doubt that identity crime is becoming one of the major offenses of our current times. Just in the first two months of 2009 there have been several major data breaches. However, those that make it to the public eye probably represent only a fraction of the breaches that are occurring every day. Data security is a major problem. So, as with many aspects of technology, this is likely a case of the law attempting to keep up with practical reality. Data protection laws are not a new idea.

Historically, California was the first state to adopt protection laws, although these laws focus on notification after information has been potentially taken, rather than provide proactive protections before such a taking. Since California, thirty-eight other states have adopted data protection laws of some kind. Most have followed California’s general approach, although some have added more stringent disclosure requirements and others have limited application of the law to specific entities like government agencies. Therefore, this new approach of “proactive protection” of data may be the next step for many states.

Another element in this issue is the problem of “over disclosure.” The language of the current notification laws requires disclosure for a variety of security failures. Therefore, people are receiving notification letters saying that their information may be in jeopardy when minimal risks exist. It is questionable whether this is actually helping fight the problem or if it simply is adding to our country’s anxiety level over this issue. Nevada and Massachusetts are taking a different approach by requiring the use of technologies that are now available to help prevent theft, although that does shift the burden of protecting a consumer’s identity (and the associated costs) to rest more heavily on the company than the consumer.

LW: What are key commonalities?

HADLEY: The biggest commonality is that the Nevada and Massachusetts laws are not notification laws, but rather proactive steps that must be taken whenever a company has a customer’s information. In short, both laws require that companies will, at least, take steps to use encryption technology to protect sensitive personal information when it is sent electronically outside of a secure network. Both statutes consider such sensitive information to include the name  and some identifying number or code, such as a Social Security number, card number, account number, all with the caveat that information lawfully obtained from publicly available sources or government records is not included as such information.

LW: What are key differences?

HADLEY: The biggest difference is the scope considered by the two laws; Nevada’s statute being six lines long compared with Massachusetts’ three pages.  Nevada added its requirements to a long list of miscellaneous trade regulations found in its statutes. This list contains dozens of specifically tailored policies that cover specific aspects of trade — and doing business generally — in Nevada.

Massachusetts, however, started with Nevada’s requirements, but it adds significantly to the requirements a business must meet. From designated information security maintenance employees to risk identification to limits on the amount of information collected, Massachusetts requires a comprehensive policy on the collection, maintenance and sharing of sensitive information. Just to reiterate, these requirements cover a much broader scope than just transmission. They start with the intake of data, have proactive monitoring requirements and cover the storage and transmission of sensitive information.

Another key difference is that Massachusetts also sets restrictions on portable devices. The statute specifically includes laptops, but it is unclear how far the “portable devices” umbrella reaches. So, businesses may face a much greater task of securing data in Massachusetts than a cursory read would suggest.

A third key difference is the “covered” party under these laws. In Nevada, the regulation applies to any “business in this State.” Although the statute does not clearly designate just what constitutes doing business in Nevada, the focus is clearly on where a business is located and operating. This raises a question regarding information about customers not in Nevada and transmissions occurring outside Nevada. Massachusetts ties its regulations to the information itself, saying that the regulation covers any person that “owns, licenses, stores or maintains personal information about a resident of the Commonwealth.”

Finally, the two states differ on what is required as far as protection of information that is transmitted digitally –i.e. encryption. Both states set forth definitions of what counts as “encryption,” but neither establishes a clear standard. Massachusetts does require that the method be algorithmic in nature, but, otherwise, the standards fail to specify the technologies which must be used.

Questions regarding whether encryption need be symmetric or asymmetric, what protocol is best suited, the bit specification, and similar technical issues are important to IT specialists. A business could assume that, given the broad scope of the definitions, any form of “encryption” will do. But, implementing a plan only to have it deemed insufficient may be a risky proposition if and when a court decides just what these amorphous standards may actually require.

LW: What is the likelihood that other states will follow suit?

HADLEY: Similar to California and data-breach notification, we may see other states following suit. This is a bit different because it has a business element. Notification placed a lesser burden, so the balance of individual rights vs. business requirements was easier. This is a greater burden on businesses, so it may spark a different conversation in the states’ legislatures.

Just how fast other states act may depend somewhat on the response from the business world. Businesses are strongly lobbying against these regulations. On the other hand, some companies are already looking to improve their security policies internally, and software and technical service companies are quickly making easily implemented improvements available. Just as one example, we have heard of one company with locations in Massachusetts that has already taken steps to bolster protection on its computers by purchasing new computers with what they call “persistent data protection” and greater email security programs.

LW: Would a federal law data protection law be better? Why so?

HADLEY: In concept, yes, only because it would be applicable law in all states. Depending on the industry, a large percentage of companies have customers that reside in different states. Without federal data protection laws, a business would have to take different steps for its customers in each state. The result of such a requirement would be extremely time consuming and costly. The practical reality might be to simply go with the highest common denominator and protect all data in accordance with the most strict state’s laws, but there is the chance that state requirements may conflict.

Of course, that is a pessimistic view that may be unrealistic. Although we see Nevada and Massachusetts as having distinct differences, the differences seen between the thirty-nine breach notification laws are much less pronounced. Just how much divide exists from state to state has yet to be seen.

Furthermore, one strike against federal legislation is that it prevents flexibility for state-specific needs. This is a relevant factor because states with high concentrations of specific industries may have greater public policy concerns that push for greater protections. Therefore, federal legislation may be too lax for these states or, if these states become the baseline, too strict for other states.

Finding that balance may be impossible, and industries may suffer by trying to find a “one size fits all” approach. One answer may be to set a federal “floor” upon which states can build their own policies for their corporations and citizens. However, this still may not solve the issue because national businesses will still be faced with potentially divergent regulatory requirements from the laws of different states.

The effectiveness of using federal laws is not a clear cut issue. Lawmakers know this is a growing area of concern, but the path which will spell the most effective and most efficient relief is a bit more murky. But, it is possible to utilize nationalized standards, as shown by the European Union’s common set of data security standards that appear to be working well for its member countries.

LW: What signs do you see that the Obama administration is paying attention to this, and could take action?

HADLEY: I think a lot of signs point to the fact that data security is on the current administration’s radar. Generally, President Obama is more technology oriented. Before taking office, the new president had a highly public issue of his personal smart phone. He understands the integral role data storage and transmission plays in modern society.

Furthermore, the legislature appears to be more sensitive to these needs, as the most recent stimulus bill included a provision that required additional data security for electronic health records in connection with HIPAA regulations.

But, even as shown by President Obama’s comments of frustration regarding the securing of his own device, Washington may not fully understand just how intricate and complex  the process of proactively ensuring data protection can be. On one hand, there is a great need to protect the information of the American people, especially in a time of economic crisis. On the other hand, implementing new regulations could have a significant impact on the costs of doing business.

Therefore, this is a delicate area for the moment, but it may not receive the immediate attention of President Obama or his staff.

–Byron Acohido

Photo of Roy Hadley