The Move Toward Mandatory Encryption of Sensitive Personal Information

It is mid-January of 2010. One of your employees returns late from her lunch break with bad news. Her work-issued laptop computer was stolen from her car while she was eating at a local restaurant. Worse yet, the laptop contained the names and credit card numbers of your customers. Although the laptop was password-protected, the spreadsheet containing the customer information was not encrypted.

Knowing most states have adopted security breach notification statutes, you realize immediately that you have an obligation to notify your customers their credit card information has been compromised. You also realize, of course, that this news may upset them and damage your company's reputation.

When you contact your legal counsel, however, you discover the situation is even worse than you thought. Many of your customers live in New England. And, your lawyer informs you, the company has violated new rules adopted in Massachusetts that make it illegal to store unencrypted sensitive personal information on a laptop. Your company may also be in violation of these new rules if it has not implemented a comprehensive information security program that complies with the requirements of the new rules. Your lawyer explains that, although the rules were adopted in Massachusetts, they apply to any business that handles sensitive personal information of the state's residents.

You have learned about these new rules the hard way, but you are not alone. All companies that have a national customer or employee base will have to comply with the new requirements, which were originally supposed to take effect on January 1, 2009. However, the Massachusetts Office of Consumer Affairs and Business Regulation recently extended the deadline for complying with the rules, and they will now go into effect on January 1, 2010.

Nor is Massachusetts alone. Since October 1, 2008, for example, Nevada law has required companies to encrypt any sensitive personal information about a state resident that is transferred outside a company's secure system. In addition, both federal law and many states require companies to take "reasonable"—but not specifically defined—steps to protect sensitive personal information. With passage of data encryption laws in Massachusetts and Nevada, we may well be heading to a time when encryption of sensitive personal information is considered the norm.

In short, even companies that don't do business in either Massachusetts or Nevada might well take notice and consider encrypting employees' and customers' sensitive personal information, at least when it is either transmitted electronically or stored on a mobile device.

What Is "Sensitive Personal Information"?

The laws discussed in this article, including the new Massachusetts law, apply only to certain categories of personal information known as "sensitive personal information." Sensitive personal information typically includes a person's name in conjunction with that person's Social Security number, driver's license number, credit card number or other financial account number. However, some state security breach notification laws classify additional types of information as sensitive personal information—including health information, electronic signature, mother's maiden name, date of birth, and biometric information such as fingerprint, voice print, retinal image or DNA profile.

Security Breach Notification Laws and the Move Toward Mandatory Encryption

The first state security breach notification law went into effect in California in 2003. Since then, over 40 states have passed similar laws. These statutes are designed to provide affected individuals with an opportunity to prevent or mitigate identity theft after a breach occurs. Yet, virtually all state security breach laws make an exception for information that is stored in encrypted form. As a result, if the sensitive personal information stored on a stolen laptop is encrypted, a company is not required to notify its customers of the incident.

This exception to security breach notification has created an obvious incentive to encrypt sensitive personal information—particularly when this information is stored on mobile devices such as laptops. The new Massachusetts rules will make the encryption of sensitive personal information even more important.

The Massachusetts rules will require the encryption of all sensitive personal information that is transmitted across public networks, transmitted wirelessly or stored on a portable device such as a laptop computer or flash drive. The rules will apply to any company doing business in Massachusetts and transmitting data or storing data on a portable device that contains the sensitive personal information of Massachusetts residents.

Other states besides Nevada and Massachusetts have also considered adopting mandatory encryption laws—and it is possible mandatory encryption may spread in the same way security breach notification laws have spread throughout the country. Any business that handles the sensitive personal information of its customers or employees—whether the company is based in Massachusetts, Nevada or any other state—needs to be aware of these recent developments and consider whether it is in compliance.

Massachusetts Requirements for Implementing a Comprehensive Information Security Program

In addition to the new encryption requirements, Massachusetts has also adopted detailed rules that will require businesses to have a comprehensive information security program. These requirements will apply to any business that owns, licenses, stores or maintains sensitive personal information about a Massachusetts resident.

The new rules will require that the information security program comply with 12 specific procedural elements and eight specific technical elements. These requirements also go into effect on January 1, 2010. Most notably, if these rules apply to your business, you will need to take reasonable steps to verify that every third-party service provider with access to your customers' or employees' sensitive personal information has the capacity to protect that information.

An earlier version of the Massachusetts rules specified that reasonable steps include retaining service providers that are capable of safeguarding sensitive personal information and contractually requiring them to maintain these safeguards. The earlier version of the rules also would have required that you obtain written certification that the service provider itself has a written, comprehensive information security program in compliance with the new Massachusetts rules prior to granting the provider access to your company's sensitive personal information. However, in addition to pushing back the effective date of the rules, the Massachusetts Office of Consumer Affairs and Business Regulation also amended the rules to remove these requirements and the rules no longer specify what constitutes "reasonable steps."

The new Massachusetts rules also include a number of requirements on the handling and protection of sensitive personal information. For example, the rules will require companies to identify where sensitive personal information is stored, place restrictions on access to sensitive personal information, and document responsive actions taken in connection with any security incident. Other requirements include computer security elements in addition to encryption, such as secure user authentication, secure access control measures, reasonable monitoring systems, firewall protection, operating system security patches and system security agent software (e.g., malware protection and anti-virus software). The effect of these rules is a much greater level of oversight and regulation over how businesses handle sensitive personal information both administratively and technically.

Dangers of Non-Compliance With Massachusetts and Nevada Laws

Because the Nevada law is so new and the Massachusetts law has not yet gone into effect, it is unclear exactly what penalties a business could face for failing to comply. The Nevada law does not specify how it will be enforced and what penalties may result from non-compliance. The Massachusetts statute under which the encryption rules were issued says only that the state attorney general may bring an action for violations of the statute's requirements. Presumably, this action could include fines and other penalties.

Implications for All Businesses

Even if your company does not handle the sensitive personal information of Massachusetts or Nevada residents, these new laws may still affect how you do business. Various federal and state laws, including the Gramm-Leach-Bliley Act of 1999 and its state equivalents, require businesses to employ "reasonable" safeguards for the protection of sensitive personal information. In addition, the Federal Trade Commission has interpreted Section 5(a) of the FTC Act as imposing on businesses an obligation to employ "reasonable" measures to safeguard consumers' sensitive personal information.

Most of these laws, though, do not define what safeguards are "reasonable" under what circumstances. Instead, courts generally must weigh a number of factors in determining what is reasonable, including the nature and likelihood of harm, the burden of providing a particular safeguard, and industry standards. Although it is too soon to tell, it seems likely that the Massachusetts and Nevada laws will move us one step closer toward viewing the encryption of sensitive personal information as the norm, at least when the information is transmitted electronically or stored on a mobile device.

Accordingly, even if your company does not handle the sensitive personal information of Massachusetts or Nevada residents, you should consider the implications of those states' laws. If your company does not currently encrypt sensitive personal information, you may want to revisit that policy.

Conclusion

The security breach notification laws encourage an increased level of security for sensitive personal information to combat identity theft. By not requiring notification of affected individuals following a security breach if sensitive personal information is encrypted, the laws encourage businesses to encrypt data—thus avoiding the hassle and cost of complying with the increasing number of security breach notification laws.

The fact that over half of all security breaches involve mobile devices provides further incentive for businesses to employ encryption technologies for these devices. New laws in Massachusetts and Nevada—and no doubt more to follow—make encryption not only a means to avoid security breach notification requirements, but an express requirement of operating a national business.

Even if your company does not do business in Massachusetts or Nevada, you may want to address these issues now, rather than later. Companies that implement a comprehensive information security program and encrypt sensitive personal information will have less to fear from events such as stolen laptops and other security breaches.