Designation of employee(s) in charge of the program; Identifying and assessing risks/threats and evaluating and improving
MASSACHUSETTS

On September 22, 2008, Massachusetts adopted regulations (201 CMR 17.00) that require businesses, wherever located, that own, license, store, or maintain personal information about Massachusetts residents to implement a comprehensive security program by January 1, 2009. This deadline has since been pushed back by the Massachusetts Office of Consumer Affairs and Business Regulation (“OCABR”).

Massachusetts, along with 43 other U.S. states and the District of Columbia, previously enacted state security breach notification laws. These laws generally require businesses that own, license, or store unencrypted computerized data of residents of the state to notify those residents if their data is disclosed to an unauthorized party.1 The Massachusetts security breach notification law, however, goes somewhat further than those of most of the other states by requiring the OCABR to “adopt regulations relative to any person that owns or licenses personal information of residents of the commonwealth…[to] safeguard the personal information of residents of the commonwealth….”2

Under the new rule, entities that own, license, store, or maintain information concerning Massachusetts residents must develop, implement, maintain, and monitor a comprehensive written information security program. This rule applies to both paper and electronic records. The security program must be reasonably consistent with industry standards and contain administrative, technical, and physical safeguards to ensure the security and confidentiality of records that contain personal information. Personal information is defined under the rule as the resident’s name in combination with his or her social security number, driver’s license or state ID card number, or financial account or credit or debit card number that would allow access to the resident’s financial account. The security program must also be consistent with any obligations imposed by other federal or state regulations governing the entity.

The security program must include:

• Designation of employee(s) in charge of the program;

• Identifying and assessing risks/threats and evaluating and improving the effectiveness of current safeguards, and means for detecting and preventing failures;

• Security policies for employees that address whether and how employees can keep, access, and transport personal information off premises;

• Disciplinary measures for employee violations of the policies;

• Terminating access to personal information by former employees;

• Management of service providers with access to personal information, including contractually requiring compliance with security standards;

• Limiting the collection and retention of personal information to that necessary for a legitimate purpose, and limiting access to those who are required to know the personal information;

• Identifying paper and electronic records that contain personal information;

• Restricting physical access to personal information;

• Regular monitoring and upgrading of safeguards;

• Review of the security program annually or whenever there is a relevant material change in practices; and

• Documenting incident response to any breach and post-incident review of the program.

Entities that electronically store or transmit personal information must also include in their security program the establishment and maintenance of a security system covering their computers and wireless systems, including:

• Secure user authentication protocols;

• Secure access control measures;

• Encryption (in certain circumstances: the regulation specifies personal information transmitted across public networks or wirelessly, and personal information stored on laptops and other portable devices);

• Monitoring of systems, firewalls and operating system patches;

• Up-to-date security systems software; and

• Education and training for employees.

Whether an entity is deemed to have complied with these rules will be evaluated according to a flexible standard. The following factors will be taken into account: (1) the size, scope and type of business; (2) the amount of resources available to the entity; (3) the amount of stored data; and (4) the need for security and confidentiality of the information.

Violations of the regulation may result in an action by the Massachusetts Attorney General under the state’s consumer protection statute for injunctive relief and a fine of up to $5,000 for each “method, act or practice” that the company knew or should have known violated the rule, along with litigation costs including reasonable attorneys’ fees.3

NEVADA

As of October 1, 2008, the State of Nevada requires businesses that send personally identifiable information over the Internet to encrypt those transmissions. This fairly broad law provides that:

[a] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.4

What this means is that an entity that conducts business in Nevada and transmits customer information by e-mail, FTP transfer, or other non-facsimile means must encrypt the information.

Similar to the Massachusetts rule, personal information is defined as a person’s name in combination with his or her social security number, driver’s license number, or financial account number with the PIN or similar code which enables access to the account.5 It is important to note that under the statute, the encryption requirement is not limited to the personal information of Nevada residents. Rather, the law requires that all businesses operating in Nevada encrypt all customers’ personal information when they send it electronically, other than by fax.


Encryption is defined broadly as:

the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.6

Note that this definition names no algorithm, key length, or key-management requirement; on its face, any measure that merely obscures the data would qualify, so the statute by itself gives no assurance that “encrypted” transmissions are actually protected against a capable adversary. A business should treat current standard practice (for example, TLS with a current protocol version for transport, and well-vetted authenticated encryption for files sent as attachments or by FTP) as the floor, not the statutory definition.

The law does not define what constitutes conducting “business in this State.” However, a decision of the Nevada Supreme Court in evaluating whether a company is “doing business” in Nevada applied a two-pronged standard:

1. The nature of the company’s business in the state; and

2. The quantity of business conducted by the company in the state.7

The Nevada statute does not explicitly impose a penalty, making the consequences of failing to comply unclear. While the new law falls under the Miscellaneous Trade Regulations and Prohibited Acts chapter, that chapter also does not contain any generally applicable penalty provisions. At a minimum, failure to comply may result in a consumer protection claim from the affected customer(s).

While data security experts have been advising and imploring clients for some time to implement and maintain reasonable security measures, companies will now find that these are no longer suggestions or best practices. This is now the law.

NOTES


2 Mass. Gen. Laws Ch. 93H, § 2(a).

3 Mass. Gen. Laws Ch. 93H, § 6 and Ch. 93A, § 4 (2008).

4 NRS 597.970.

5 NRS 603A.040.

6 NRS 205.4742.
