• The Move toward Mandatory Encryption of Sensitive Personal Information
  • December 22, 2008
  • Law Firm: Faegre & Benson LLP - Minneapolis Office
  • One of your employees returns late from her lunch break with bad news. Her work-issued laptop was stolen from her car while she visited a local restaurant. Worse yet, the employee informs you the laptop contained names and credit card numbers of your customers. Although the laptop was password protected, the spreadsheet containing the customer information was not encrypted.

    Knowing most states have adopted security breach notification statutes, your first thought is that you have an obligation to notify your customers their credit card information has been compromised. You are also aware, of course, this news may upset your customers and damage your company's reputation.

    When you contact your legal counsel, however, you discover the situation is even worse than you thought.

    New Data Encryption Rules Pertain to Laptops

    Many of your customers live in New England. And, your lawyer informs you, the company has violated new rules adopted in Massachusetts that make it illegal to store unencrypted sensitive information on a laptop. Your company may also be in violation of these new rules if it has not implemented a comprehensive information security program in compliance with the rules. Your lawyer explains that, although the rules were adopted in Massachusetts, they apply to any business that handles sensitive personal information of Massachusetts residents.

    You have learned about these new rules the hard way, but you are not alone. All companies that have a national customer or employee base must comply with these new requirements.

    What Is "Sensitive Personal Information"?

    The laws discussed in this article, including the new Massachusetts law, apply only to certain categories of personal information known as "sensitive personal information." Sensitive personal information typically includes a person's name in conjunction with that person's Social Security number, driver's license number, credit card number or other financial account number.

    It should be noted, however, that some state security breach notification laws classify additional types of information as sensitive personal information—including health information, electronic signature, mother's maiden name, date of birth, and biometric information such as fingerprint, voice print, retinal image or DNA profile.

    State Security Breach Notification Laws

    The first state security breach notification law went into effect in California in 2003 (Cal. Civ. Code § 1798.92). Since then, over 40 states have passed similar laws. These statutes are designed to provide affected individuals with an opportunity to prevent or mitigate identity theft. Yet virtually all state security breach laws make exception for information that is stored in encrypted form. As a result, if information on a stolen laptop is encrypted, the company would not be required to notify its customers of the incident.

    The Move Toward Mandatory Encryption

    This exception to security breach notification has created an obvious incentive to encrypt sensitive personal information—particularly when this information is stored on mobile devices such as laptops. However, rules recently enacted in Massachusetts now make the encryption of sensitive personal information even more important (201 CMR 17.00: Mass. Gen. Law c. 93H, effective January 1, 2009).

    Massachusetts rules now require encryption of sensitive personal information that is transmitted electronically or stored on portable devices. Any company doing business in Massachusetts and transmitting data or storing data on a portable device that contains the sensitive personal information of Massachusetts residents must comply with these rules.

    Other states have also considered adopting mandatory encryption laws—and it is possible mandatory encryption may spread to other states in the same way security breach notification laws have spread throughout the country. In fact, a Nevada statute already requires that any sensitive customer information about a Nevada resident transferred outside a business's secure system be encrypted (Nev. Rev. Stat. § 597.970, effective October 1, 2008). Any business that handles the sensitive personal information of its customers or employees needs to be aware of these recent developments and consider whether it is in compliance.

    Massachusetts Requirements for Implementing a Comprehensive Information Security Program

    In addition to the new encryption requirements, Massachusetts has adopted detailed rules requiring businesses to have a comprehensive information security program. These requirements apply to any business that owns, licenses, stores or maintains sensitive personal information about a Massachusetts resident.

    These new rules require that the information security program comply with 12 specific procedural elements and 8 specific technical elements. Most notably, if these rules apply to your business, you must now take reasonable steps to verify that any third-party service providers with access to your customer or employee sensitive personal information have the capacity to protect the information.

    The rules state that reasonable steps include retaining service providers that are capable of safeguarding sensitive personal information and contractually requiring service providers to maintain these safeguards. Prior to granting service providers access to your sensitive personal information, the rules also require that you obtain written certification that the service provider itself has a written, comprehensive information security program in compliance with the new Massachusetts rules. This certification requirement obligates companies doing business in Massachusetts to contact each of the service providers that handle their customer or employee information to request the certification. The company's contracts with service providers may also need to be amended to comply with these rules.

    The new Massachusetts rules also include a number of requirements regarding the handling and protection of sensitive personal information. Some of these requirements require policies, for example, for identifying where sensitive personal information is stored, placing restrictions on access to sensitive personal information and documenting responsive actions taken in connection with any security incident. Others require computer security elements in addition to encryption, such as, secure user authentication, secure access control measures, reasonable monitoring systems, firewall protection and operating system security patches and system security agent software (e.g., malware protection and anti-virus software). The effect of these rules is a much greater level of oversight and regulation over how your business handles sensitive personal information both administratively and technically.

    Dangers of Non-Compliance With Massachusetts and Nevada Laws

    Because these new laws are just going into effect, it is unclear exactly what penalties a business could face for failing to comply. The Nevada law does not specify how the law will be enforced and what penalties may result from non-compliance. The Massachusetts statute under which the encryption rules were issued only states that the attorney general may bring an action for violations of the statute's requirements. Presumably, this action could include fines and other penalties.

    Implications for All Businesses

    Even if your company does not handle the sensitive personal information of Massachusetts or Nevada residents, these new laws may still impact how you do business. Various federal and state laws, including the Gramm-Leach-Bliley Act and state equivalents, require businesses to employ "reasonable" safeguards for the protection of sensitive personal information. In addition, the Federal Trade Commission has interpreted Section 5(a) of the FTC Act as imposing on businesses an obligation to employ "reasonable" measures to safeguard consumers' sensitive personal information.

    Most of these laws do not define what safeguards are "reasonable" under what circumstances. Instead, the courts generally must weigh a number of factors, including the nature and likelihood of harm, the burden of providing a particular safeguard, and industry standards. Although it is too soon to tell, it is likely that the Massachusetts and Nevada laws will move us one step closer toward viewing the encryption of sensitive personal information as the norm, at least when the information is transmitted or stored on a mobile device.

    Accordingly, even if your company does not handle the information of Massachusetts or Nevada residents, you should consider the implications of these laws. If your company does not currently encrypt sensitive personal information, you may want to revisit that decision.

    Conclusion

    Security breach notification laws are one step in encouraging an increased level of data security for sensitive personal information to combat identity theft. By not requiring notification of affected individuals following a security breach if sensitive personal information is encrypted, the laws encourage businesses to encrypt data—thus avoiding the hassle and cost of complying with the increasing number of security breach notification laws.

    The fact that over half of all security breaches involve mobile devices provides further incentive for businesses to employ encryption technologies for these devices. New laws in Massachusetts and Nevada, and no doubt more to follow, now make encryption not only a means to avoid security breach notification requirements, but an express requirement of operating a national business.

    Even if your company does not do business in Massachusetts or Nevada, you may want to address these issues now, rather than later. Companies that implement a comprehensive information security program and encrypt sensitive personal information will have less to fear from events such as stolen laptops and other security breaches.