Massachusetts, Nevada mandate encryption for consumer data

New regulations will tighten security measures around residents' personal data, but they will affect businesses well beyond the two states' borders.

Massachusetts' Office of Consumer Affairs and Business Regulation issued new regulations, called the Standards for The Protection of Personal Information of Residents of the Commonwealth, set to take effect on January 1, 2009. The state already has what are considered by some to be the most far-reaching information security requirements of any US state (see this PDF client advisory from a Mass. law firm for more).

Now, these new regulations will add to existing guidelines by requiring any "portable" personal data about Massachusetts residents to be encrypted. This means such data transmitted over public networks, or stored on laptops or removable media such as flash drives, must comply.

The rule will affect any company doing business in Massachusetts, or one that holds personal data of Mass. residents. Worldwide law firm Morrison & Foerster LLP warns, "Even organizations that have no facilities or personnel in Massachusetts should anticipate that they will be subject to the regulations if they maintain information of any Massachusetts residents."

The new regulations also call for mandatory security measures, including updated user authentication control and permissions restriction.

Nevada's own encryption law will go into effect in just one week. Its brief clause reads, "A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission."

Nevada's regulation is decidedly less comprehensive than Massachusetts', and a comparison of the two states' definitions of "encryption" could lead to differing opinions on what is considered effective security. This matter could be problematic if a breach of data security took place in an exchange between the two states.

For Nevada:
"Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1.  Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2.  Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3.  Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

For Massachusetts: "Encrypted," the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key, unless further defined by regulation by the office of consumer affairs and business regulation.

Nevada's failure to include the word "algorithmic" has caused some Nevada residents to question whether a password-protected document sent within an e-mail could be argued to be compliant.


© 1998-2024 BetaNews, Inc. All Rights Reserved.