Encryption Regulations

Some states require entities doing business within the state to follow basic information security practices to protect the security and privacy of data. Other states go further and require specific safeguards, such as encryption.

FYI

The Massachusetts Office of Consumer Affairs and Business Regulation held a public hearing on the data protection standards in January 2009. The hearing showed that businesses were worried about meeting the standards. You can read a transcript from the hearing and written comments at http://www.mass.gov/ocabr/docs/idtheft/201cmr17comments.pdf.

Massachusetts: Protecting Personal Information

Massachusetts has created some of the nation’s most rigorous data protection laws. For example, it created its breach notification law in 2007.31 That law also required the state’s consumer affairs department to issue standards for the protection of personal information. The law stated that the standards should:

  • Protect the security and confidentiality of personal information consistent with industry standards.
  • Protect against anticipated threats to the security or integrity of personal information.
  • Protect against unauthorized access to or use of personal information that could harm a person.

The Massachusetts “Standards for the Protection of Personal Information of Residents of the Commonwealth” was released in September 2008 and went into effect in 2010. The standard has very broad application.32 Any person that owns or licenses personal information about Massachusetts residents, including businesses that collect it in the course of selling goods and services, must comply with it. However, the standard does not apply to state agencies.

Entities subject to the law must follow data protection standards to safeguard the personal information of Massachusetts residents. These entities must protect personal information in both electronic and paper form. The definition of personal information is similar to the definitions used in the breach notification laws discussed at the beginning of this chapter. Under the data protection standard, personal information is a person’s first and last name, or first initial and last name, and any of the following:

  • SSN
  • Driver’s license number or state identification card number
  • Financial account number, or credit or debit card number, with or without password or PIN

The standard requires entities to create an information security program. It states that an entity’s information security program must be a good fit for its size and scope. It also must fit the entity’s type of business. It must describe the administrative, technical, and physical controls that protect the personal information used by the entity. The program requirements are similar to those stated in the GLBA Safeguards Rule.

NOTE

The GLBA is a law that requires entities engaged in certain kinds of financial transactions to follow privacy and information security rules. These rules are designed to protect customers’ personal information.

The standard uses a risk-based approach to information security. An entity reviews its resources, how it uses data, and its needs for security and confidentiality, and then uses the results of that review to determine which safeguards it should use. As part of its program, an entity must:

  • Assign an employee to manage the program.
  • Conduct a risk assessment to identify risks to the security, confidentiality, and integrity of information. Review current safeguards to make sure that they are effective.
  • Develop policies for use of personal information off business premises.
  • Develop disciplinary policies for failure to follow the information security program.
  • Develop policies to keep terminated employees from accessing personal information.
  • Select service providers and make sure that any contract includes terms to protect personal information.
  • Develop policies to physically safeguard personal information.
  • Monitor and review the program to make sure it is effective.
  • Document actions taken in response to any security breach.33

The standard also includes computer system security requirements. Entities must implement these requirements to the extent that they are technically feasible; a requirement that is not technically feasible for a particular entity does not have to be applied.34

The standard states that an information security program must include specific security requirements. They are:

  • Secure user authentication
  • Secure access control measures
  • Encryption of all transmitted personal information that travels across public networks, and encryption of information to be transmitted wirelessly
  • Reasonable monitoring of systems
  • Encryption of all personal information stored on laptops or portable devices
  • Up-to-date firewall protection and operating system security patches on computers containing personal information
  • Virus and malware protection
  • Security awareness and training activities

NOTE

Under the standard, “technically feasible” means that if there is a reasonable way to accomplish a required technology result, then an entity must do so.

FYI

Massachusetts has released a video about its data protection laws. You can view the video at https://www.youtube.com/watch?v=ETYwkTpeXHI.

The encryption requirements have received a lot of attention. They require businesses to encrypt the personal information of Massachusetts residents while it is stored on laptops and other portable devices, and when it is transmitted across public networks or wirelessly. The standard does not define a preferred method of encryption. Instead, encryption is defined in a technology-neutral way: it is the transformation of data into a form that cannot be read or understood without a key, where the key is what is used to encrypt and decrypt the data. Because the definition names no algorithm or key length, the choice of cipher and the handling of keys are left to the entity’s own risk assessment. A weak or home-grown cipher might satisfy the definition on its face, but it would not meet the program’s separate requirement that safeguards be consistent with industry standards.

The Massachusetts attorney general has the authority to enforce the data protection standard. The law allows civil penalties of up to $5,000 for each violation. The attorney general can also make an entity pay for the costs of an investigation into any violations. Entities can also be charged attorneys’ fees.35

The Massachusetts data protection standard is unique in that it reaches businesses outside of Massachusetts: any business that holds the personal data of Massachusetts residents must encrypt it, wherever the business is located. Enforcing this may be hard, because businesses typically must follow only the laws of the state where they are located. Under the law, this is a jurisdiction issue. Only revisions to the standard, or a court case, will clarify how widely the state may enforce it.

NOTE

Although the Massachusetts data protection standards do not define a preferred method of encryption, the Massachusetts breach notification law does. Under the state’s breach notification law, encryption is defined as a transformation of data through the use of a 128-bit or higher algorithmic process. The process must transform the data into a form that is unreadable without the use of a key.37

Nevada Law: Standards-Based Encryption

Nevada law also has data encryption requirements. The Nevada law requires data collectors to use encryption if they are transmitting personal information outside of their business network. They must encrypt the data if it is sent externally via email or any other electronic transmission. This requirement helps protect data while it is being transferred from one entity to another. The Nevada law excludes facsimiles from the transmission encryption requirements.36

The law also requires data collectors to encrypt personal information on any data storage device that is moved beyond the technical or physical controls of their business. This means that they must encrypt any storage device that leaves the business location. They also must encrypt backup tapes containing personal information that they send to an off-site storage facility. This portion of the law helps protect data if the storage media is lost or stolen.

The encryption rule is novel because of its breadth. It covers data when it is stored and when it is transmitted. The law is also interesting because of how it defines encryption. This is one area where the Nevada law varies greatly from the Massachusetts encryption law. The Massachusetts law defines encryption in a technology-neutral way. It does not reference any industry standards. The Nevada law, however, references industry standards.

Under the Nevada law, data collectors must use encryption technologies adopted by a standards-setting body. The law references the Federal Information Processing Standards, which are issued by the National Institute of Standards and Technology (NIST). In practice this points entities toward algorithms such as AES, which is specified in FIPS 197. Under the law, the technology used must make the personal information unreadable.38

NOTE

Nevada law defines data storage devices as computers, cell phones, and external computer hard drives. It also includes backup storage media.

The law also requires data collectors to protect encryption keys with sound cryptographic key management practices. The same keys encrypt and decrypt the data, so whoever holds a key can read everything protected by it; a key stored alongside the ciphertext it protects, for example on the same portable device or backup tape, gives no protection at all. Keys must therefore be carefully guarded: they protect both the confidentiality of the data and the integrity of the whole encryption process. The law requires data collectors to use key management practices created by a standards-setting body. Again, the law specifically refers to NIST standards.39

NOTE

You can read the Federal Information Processing Standards at http://csrc.nist.gov/publications/PubsFIPS.html.

A data collector that complies with the law is not liable for damages resulting from a security breach, so long as the breach was not caused by the data collector’s own gross negligence.
