• New State Laws Require Extensive Data Security Plans and Encryption
  • October 8, 2008 | Authors: Randy Gainer; Paul Glist; John D. Seiver; Charlene Allyson Brownlee
  • Law Firms: Davis Wright Tremaine LLP - Seattle Office ; Davis Wright Tremaine LLP - Washington Office ; Davis Wright Tremaine LLP - Seattle Office
  • Massachusetts adopted regulations on Sept. 22, 2008, that will require businesses, wherever located, that store or use information about Massachusetts residents, to implement comprehensive information security programs by Jan. 1, 2009. The regulations, available at 201 CMR 17.00, were issued by the commonwealth's Office of Consumer Affairs & Business Regulation. A Nevada statute will require Nevada businesses that store or use information on any individual to begin encrypting customer personal information that they send electronically, other than by fax, on Oct. 1, 2008.

    Together the two laws will significantly increase the precautions that many businesses must take to protect customer information they store and use.

    Data breaches reach new heights

    The increase in reported data breaches has increased pressures on states to try to reduce the amount of customer data that is stolen by thieves, or at least make that data less valuable to a criminal enterprise. According to the Identity Theft Resource Center, in 2006, 315 reported data breaches exposed 20 million records; and in 2007, 443 reported data breaches exposed 127 million records. By late August 2008, there had already been 449 data breach incidents in the United States in 2008, more than had occurred in all of 2007. For 2008, hacking thefts accounted for 12.9 percent of the reported breaches and 21.8 percent of the affected records. Plainly there is a substantial risk that confidential electronic information may be stolen and the interest in preventing the theft or making stolen information unusable is great.

    The perpetrators of such thefts are usually criminals with sophisticated computer skills who sell stolen information to other criminals, or use it to commit identity theft or fraud. For example, on Aug. 5, 2008, the Justice Department indicted 11 individuals from five countries for conspiracy, computer intrusion, fraud, and identity theft for allegedly hacking into the networks of at least nine U.S. businesses and stealing more than 45 million payment card records. See Simone Baribeau and Ellen Nakashima, "11 Charged in Global Theft, Sale of 40 Million Card Numbers,” The Washington Post, Aug. 6, 2008, at D 1.

    Federal and state information security regulations

    Federal regulations require businesses only in some specific industries to implement information security measures. See, e.g., the HIPAA Security Rule, 45 C.F.R. Part 164 (2007) (healthcare entities), and the Gramm-Leach-Bliley regulations, 12 C.F.R. Parts 30, 225, 364, & 568 (2007) (financial entities). No federal law requires businesses generally to implement information security practices. Similarly, no federal law requires businesses to encrypt customer personal information transmitted electronically.

    Massachusetts, 45 other U.S. states, and the District of Columbia have statutes that require businesses that own, license, or store unencrypted computerized data of residents of the various jurisdictions to notify those residents if their data are disclosed to unauthorized persons. The Massachusetts data breach notice statute, Mass. Gen. Laws Ch. 93H (2008), enacted in 2007, has data breach notice requirements similar to those of other states. Mass. Gen. Laws Ch. 93H § 2(a) goes further than other state notice laws by requiring the commonwealth's Department of Consumer & Business Affairs to “adopt regulations relative to any person that owns or licenses personal information of residents of the commonwealth …. [to] safeguard the personal information of residents of the commonwealth ….

    Before Massachusetts adopted its new regulations, only California had a statute or regulation that required all business to adopt information security practices. California's information security mandate is vague. It states only that “[a] business that owns or licenses personal information about a California resident shall implement and maintain reasonable security procedures and practices appropriate to the nature of the information, to protect the personal information from unauthorized access, destruction, use, modification, or disclosure.” Cal. Civ. Code § 1798.81.5(b).

    The new Massachusetts regulations are detailed and specific. To comply with the Massachusetts regulations, businesses that own, license, store or maintain paper or electronic records that include personal information of Massachusetts residents will have to implement comprehensive security measures.

    The Nevada law is also straightforward: A business that conducts business in Nevada and transmits customer information by e-mail, FTP transfer, or other non-fax electronic means must encrypt the information.

    New Massachusetts regulations

    The purposes of the new Massachusetts regulations are to ensure the security and confidentiality of such records, to protect against threats to the security or integrity of such records, and to prevent unauthorized access to and use of the records to prevent fraud and identity theft. Id. The regulations require each covered business to “develop, implement, maintain and monitor a comprehensive written information security program” that applies to records that contain Massachusetts' residents' personal information. 201 CMR 17.03. The required security program must include “administrative, technical, and physical safeguards” to protect such records and must be consistent with similar federal regulations that mandate security of “such information.” Id.

    Like the HIPAA rules, the Massachusetts regulations adopt a flexible standard to determine if a business's security program is adequate.1 They state that such programs “ shall be evaluated taking into account (i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information.” Id. This flexible standard should permit small businesses to adopt reasonable but not excessive security programs.

    On the other hand, large businesses will be expected to deploy sophisticated, state-of-the-art security programs that, among other things, require substantial training, oversight, and discipline of employees, regular risk assessments, recovery plans, restricted physical and electronic access, and routine review of the plan and any breaches, with updates as necessary. 201 CMR 17.03 (a)-(l). Many organizations may have excellent security plans on paper but they still must effectively implement, administer, and update these plans, and breaches should be handled in consultation with counsel.

    The regulations also require businesses that use computers to store or transmit personal information about Massachusetts residents to restrict access by use of passwords and the like, incorporate firewalls, deploy updated virus and malware protection, limit access to only critical and security-trained users, encrypt information stored on laptops or transmitted across public or wireless networks, and monitor all systems to detect unauthorized access. 201 CMR 17.04 (1)-(8).

    If a covered business fails to comply with the regulations, the Massachusetts Attorney General may bring an action under Massachusetts' consumer protection statute for injunctive relief, to recover a fine payable to the commonwealth of up to $5,000 for each “method, act or practice” that the business knew or should have known violated the regulations, and to recover the costs of such litigation, including reasonable attorneys' fees. See Mass. Gen. Laws Ch. 93H § 6 and 93A § 4 (2008). Such an action by the Massachusetts Attorney General may be more likely than attorney general enforcement actions generally because Massachusetts residents have recently been the victims of the highly publicized TJX and Hannaford data thefts. See Todd Wallack, “Tougher consumer data rule adopted,” The Boston Globe, Sept. 23, 2008.

    Moreover, if a thief steals data from a business, the data includes personal information of Massachusetts residents, the business has not complied with the regulations, and either the Massachusetts residents or other businesses incur damages related to theft, they may pursue claims under Massachusetts' consumer protection statute. See Mass. Gen. Laws Ch. 93A § 11 (2008); see also In re TJX Companies Retail Security Breach Litig., 524 F. Supp. 2d 83, 92-95 (D. Mass. 2007) (denying motion to dismiss banks' Ch. 93A § 11 claims against TJX). If successful, the plaintiffs in such an action could recover treble damages plus costs and attorneys' fees. Ch. 93A § 11.

    Nevada's encryption mandate

    Nevada law provides that “a business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” NRS 597.970. Another Nevada statute defines “personal information” as a person's name together with either a Social Security number, a driver's license number, or a financial account number plus a PIN or other code to gain access to the account. NRS 603A.040. The Nevada statutes do not limit the “personal information” that must be encrypted to the personal information of Nevada residents.

    Nevada law defines encryption broadly to mean “ any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to prevent access, make the information unusable or disrupt the use of the network. NRS 205.4742. All businesses that operate in Nevada must encrypt all customers' personal information when they send it electronically, other than by fax. While the Nevada statutes do not explicitly impose a penalty, if a business fails to comply and a customer's data is intercepted and misused, the business may face consumer protection or negligence per se claims from the affected customer. See, e.g., Atkinson v. MGM Grand Hotel, Inc., 120 Nev. 639, 643, 98 P.3d 678, 680 (2004).


    1 See 45 C.F.R. § 164.306(b).