Nevada has amended its data security law to require businesses that transfer personal information on hardware or mobile storage devices outside the "logical and physical controls of the data collector or its data storage contractor" to encrypt the information. Previously, Nevada's law only required encryption for non-fax electronic transmissions of personal information. The amended law also includes a technical standard for encryption, requires businesses that accept credit or debit cards to meet the payment card industry data security standards (PCI DSS), and contains an immunity provision. The law, S.B. 227, will go into effect on January 1, 2010.
Encryption for Hardware and Mobile Storage
Data collectors doing business in Nevada must now encrypt (1) electronic communications (except for faxes) and (2) any data storage device containing personal information that is moved beyond the "logical or physical controls" of the entity or its data storage contractors. The definition of "personal information" remains the same as before: it includes a person's first name or first initial and last name when combined with (1) a social security number, (2) driver's license or ID number, or (3) financial account number with any required security code, access code, or password. The new definition for "data storage device," however, greatly extends the statute's reach.
The amended law defines "data storage device" to include any device that stores information or data, including but not limited to computers, cell phones, and electric and optical computer drives. This brings all electronic storage and transmission, both by the entity and by third-party contractors, under the state's regulatory umbrella. Now, common storage media such as thumb drives present special risks for companies doing business in Nevada. These companies should consider updating their data storage policies to reflect the law's new requirements.
Encryption Standard and Encryption Key Safeguards
The amended law also sets a standard for encryption and requires that businesses use "an encryption technology that has been adopted by an established standards setting body, including … the Federal Information Processing Standards issued by the [NIST]." The technology must render the data indecipherable without the use of an associated cryptographic key. The encryption process must also include "appropriate management and safeguards of cryptographic keys ... using guidelines promulgated by an established standards setting body, including … the [NIST]."
PCI DSS Compliance Mandated
For businesses that accept credit or debit cards, the amended law requires that they comply with the current version of PCI DSS, a set of industry self-regulatory standards. This requirement applies only to transactions that use a payment card in connection with a sale of goods or services.
Finally, the amended law provides that data collectors "shall not be liable for damages for a breach of security" if they have complied with the terms of the amended law and the breach was not caused by gross negligence or intentional misconduct of the business or its officers, employees, or agents.
While this provision provides basic protection against liability, it also suggests that a business can be held responsible for the illegal or outside-the-scope acts of its employees. Furthermore, by incorporating a fact-based inquiry into the provision, the amended law ensures that class action lawyers will plead gross negligence in every case to survive a motion to dismiss and allow discovery to proceed on the factual issues of grossly negligent or intentional misconduct.
The amended Nevada law is the second in a new round of aggressive state regulations regarding data security. The first, from Massachusetts, has been delayed and modified since its initial passage due to concerns regarding its regulatory burden on businesses. The Nevada law is scheduled to go into effect less than seven months from now but will likely face complaints similar to those that challenged (and ultimately changed) the Massachusetts law.
For questions about PCI DSS compliance, data security practices, and use of encryption, please contact Susan Lyon