Tuesday, November 18, 2008

Security News Feed Tuesday 11/18/08

I wanted to gather a collection of recent news together regarding device encryption. There are new laws going into effect in Nevada and Massachusetts that may affect how data for their citizens are handled.





Massachusetts encryption law even stricter than Nevada’s
Written by Dan Blacharski on October 24, 2008

I recently wrote about Arizona’s new law concerning encryption of personal data. Several states are enacting similar legislation, and encrypting such data is becoming a de facto national policy. Most recently, Massachusetts issued new regulations on the same subject last month, and that state’s laws will take effect on January 1, 2009.

The Massachusetts legislation, known as the Standards for the Protection of Personal Information of Residents of the Commonwealth, is very far-reaching and considered the strictest regulations to date. The new law adds to Massachusetts’ already stringent security regulations, by requiring all portable personal data about any Massachusetts resident to be encrypted. This applies to data transmitted over public networks, or that is stored on a laptop, or on any type of removable memory device. The law requires other mandatory security procedures, including updated user authentication and authorization.

There is a technical difference between Nevada’s and Massachusetts’ statute in how encryption is defined. For the Nevada law, “encryption” is defined as the use of a protective or disruptive measure, including cryptography, enciphering, encoding, or a computer contaminant, to render data unintelligible. The Massachusetts statute is more specific, stating that “encryption” is an algorithmic process that requires a confidential process or key to decode. Some have argued that since the Nevada law does not use the word “algorithmic,” then password-protection is adequate to adhere to the letter of the law.

Also, the laws differ in scope. Nevada’s law focuses on the electronic transmission of data, while Massachusetts also includes portability. Accordingly, if you have data on a resident of Massachusetts on your hard drive, even if you do not send it via email or over the Internet, you still must encrypt that data.





New Data Privacy Laws Set For Firms
WSJ October 16, 2008

Alicia Granstedt, a Las Vegas-based hair stylist who works for private clients and on movie sets, never worried about conducting most of her business through email.

Ms. Granstedt regularly receives emails from customers containing payment details, such as credit-card numbers and bank-account transfers. Since she travels frequently, she often stores the emails on her iPhone.

But a Nevada law that took effect this month requires all businesses there to encrypt personally-identifiable customer data, including names and credit-card numbers, that are transmitted electronically.

After hearing about the new law, Ms. Granstedt started using email-encryption software, which requires her clients to enter a password to read her messages and send responses. It is a hassle, "but I can't afford to be responsible for someone having their identity stolen," she said.

Nevada is the first of several states adopting new laws that will force businesses -- from hair stylists to hospitals -- to revamp the way they protect customer data. Starting in January, Massachusetts will require businesses that collect information about that state's residents to encrypt sensitive data stored on laptop computers and other portable devices. Michigan and Washington state are considering similar regulations.

While just a few states have adopted such measures so far, the new patchwork of regulations is something many businesses will have to navigate, since the laws apply to out-of-state companies with operations or customers in those states.

That's one reason the Massachusetts law has the attention of Andrew Speirs, information security officer for National Life Group, an insurance company based in Montpelier, Vt. "We do business in all 50 states so we're definitely reviewing it," he said. Mr. Speirs said that National Life has a program in place to protect data, but that the Massachusetts law "is a little more particular" than other state laws. He is checking his company's program for any holes.

...





https://blogs.sonnenschein.com/icdp/Lists/Posts/Post.aspx?ID=21
Sonnenschein Nath & Rosenthal LLP

Massachusetts Rules Require Protection of Personal Information; Nevada Law Requires Encryption of Personal Information
On Sept. 19, 2008, the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”) issued final rules governing how businesses must protect and store personal information. The rules take effect January 1, 2009. Under the rules, businesses that own, license, store, or maintain personal information of a Mass. resident must develop and implement a written information security program and implement certain system security measures, including encryption of personal information during transmission (to the “extent technically feasible”) and encryption of personal information stored on laptops and other portable devices. A copy of the rules can be found on the OCABR website.

A Nevada statute (N.R.S. 597.970) that takes effect October 1, 2008 requires businesses “in this State” to encrypt all customer personal information (other than facsimiles) that is electronically transmitted “outside the secure system of the business.” The statute refers to Nevada's data breach statute for the definition of "personal information," which is defined as first name or first initial and last name in combination with any of the following elements: SSN; driver’s license or ID card number; or account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account. (N.R.S. 603A.040) The statute does not include a definition of what it means to be a "business in this state," thus making it unclear as to whether the statute would only apply to businesses physically located in the state or to all entities conducting business with Nevada residents.

Both the Massachusetts regulations and Nevada encryption statute are part of a growing trend in state legislation (and industry standards) to require businesses to implement certain controls to protect personal information. A number of states (including California and Nevada) have statutes in place requiring entities that maintain records containing personal information of state residents to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure. Likewise, the Payment Card Industry Data Security Standard (“PCI DSS”) also requires all entities processing credit card payments to implement an array of security controls, including firewalls, access controls, monitoring, and encryption of cardholder data during transmission and storage. The message is clear: entities must implement reasonable security controls to protect personal data.





State Data Encryption Laws Ready to Take Effect
http://www.scottandscottllp.com/main/state_data_encryption_laws.aspx

By now, many U.S. businesses (hopefully) have taken steps to familiarize themselves and to contend with the patchwork quilt of state laws that sets forth standards regarding what must be done in the wake of an IT security breach affecting customer data. While contingency planning in light of these laws (now present in 44 states and the District of Columbia) usually entails some up-front costs in the form of diverted resources and attorney’s fees, the overall cost of implementation has been relatively low. It may be fitting, then, that the perceived benefit of these laws has been similarly minimal, with some estimating only a 2% reduction in identity theft in recent years that can be attributed to data breach notification legislation.

It is perhaps as a result of such low estimated return that some states now are starting to implement tougher standards describing the steps that businesses must take in order to prevent such breaches from occurring in the first place. Nevada’s law is the first and went into effect on October 1, 2008. Massachusetts is set to follow with a more detailed set of regulations in January, with Michigan and Washington State in the process of considering similar measures.

The Nevada provision is succinct:
A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
“Encryption” and “personal information” are defined by reference to other statutes and have meanings similar to those typically used in the notification laws. (See NRS 597.970.)

The effect of the Nevada law is to give a victim of identity theft resulting from a data breach a statutory standard of care to enforce against the business that, as a result of negligent (or other) non-compliance with the law, experienced the breach that led to the identity theft in question. Other questions pertaining to the practical implementation of the standard remain, including how to show a causal link between the breach and the ID theft and whether some injury short of ID theft – such as the cost of signing up for credit monitoring – would support a damages claim sufficient to allow a case to proceed to trial. However, it is clear that companies doing business in Nevada now have a tangible interest in deploying encryption technology to protect the data of customers living in that state.

In Massachusetts, the stakes could be even higher. There, the state’s Office of Consumer Affairs & Business Regulation has adopted regulations, to become effective on January 1, 2009, that provide detailed definitions of the standards businesses must meet in order to bring their data handling technology and protocols into compliance. (See 201 CMR 17.00.) While the Massachusetts regulations’ enabling statute does not create a private cause of action for failure to comply, it does give the state attorney general the authority to file a lawsuit for injunctive relief and, in some cases, civil penalties up to $5,000.00 per violation.

As with the notification laws, there is no unified, federal standard for data handling to pre-empt what may become another medley of state laws for businesses to navigate. If these laws become more commonplace (and it appears that they very well may), it will become even more critical for companies conducting interstate transactions to work closely with counsel in order to ensure their compliance with all applicable data handling standards and safeguards.




Where can I get the latest information on HIPAA?

For the complete HIPAA regulations, visit the Department of Health and Human Services.

To learn more about HIPAA insurance reform or HIPAA administrative simplification, visit Center for Medicare & Medicaid Services (CMS).

To learn more about what the Navy and TMA are doing to comply with HIPAA requirements, visit the Navy Medicine HIPAA site and the TMA HIPAA site.

The WorkGroup for Electronic Data Interchange provides information and white papers on Transactions, Security and Privacy.

Questions about HIPAA regulatory compliance (transactions, code sets, national identifiers, and security) can be directed to the Centers for Medicare and Medicaid (CMS) at 410-786-4232 (local) or 1-866-282-0659 (toll-free).
