Posted on March 10, 2010 by David Navetta

A Closer Look at the PCI Compliance and Encryption Requirements of Nevada's Security of Personal Information Law

Since approximately 2005, the state of Nevada has had a fairly comprehensive data privacy law on its books: the Nevada Security of Personal Information Law (the “Law”). Prior to 2009, the Law imposed various requirements concerning the protection of personal information of Nevada residents, including requirements concerning security breach notice, the implementation of reasonable security measures and the destruction of records containing personal information.  In 2009, the Nevada legislature materially amended the law by passing Nevada Senate Bill 227 (“SB 227” or “SB 227 Amendment”). The SB 227 Amendment added two significant (but mutually exclusive) data security obligations: (1) a requirement to comply with the Payment Card Industry Data Security Standard (“PCI”); and (2) requirements to encrypt personal information in certain contexts. The SB 227 Amendment became effective on January 1, 2010. This article summarizes the requirements of the SB 227 Amendment, addresses various compliance issues posed by it, and discusses its “safe harbor.”

The Interplay Between the Law’s PCI Compliance and Encryption Obligations

To understand the requirements of SB 227, it is important to first understand the interplay between the PCI obligations set forth in subsection 1. and the encryption requirements of subsection 2. Significantly, it appears that a data collector that complies with PCI (as required under subsection 1. of SB 227) need not comply with the personal information encryption requirements of subsection 2. This “either/or” dynamic creates a strange compliance situation.

Subsection 1. of SB 227 provides:

1. If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

Subsection 2. of SB 227 provides:

2. A data collector doing business in this State to whom subsection 1 does not apply shall not:

(a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or

(b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.
(emphasis supplied).

The current version of PCI (v 1.2.1 – July 2009 ) references encryption with respect to certain cardholder related data while stored and in transit. Section 3.4. of PCI requires companies to render a payment card’s PAN’(“Primary Account Number’”) unreadable, including through the use of strong encryption. Compliance under section 3.4 is also possible through other measures, including truncation, index tokens and pads, and “compensating controls.” Section 4.1. of PCI mandates the use of strong encryption of “cardholder data” during transmission over open or public networks. Cardholder data as defined under PCI includes PAN, Cardholder Name, Service Code, and Expiration Date as defined with respect to PCI.

However, the definition of “personal information” under the Law is much broader than “PAN” or “cardholder data” under PCI. Personal information includes information that is wholly unrelated to credit cards, including social security numbers, driver’s license numbers, identification card numbers and bank account numbers. PCI does not require encryption of these elements while transmitted electronically. Moreover, PCI does not require any personal information to be encrypted while stored. Rather, it only requires that the PAN be encrypted in storage (and even here encryption is not an absolute requirement -- PCI allows for other methods to render PANs unreadable and allows for "compensating controls"). Finally, since the encryption that happens around PCI relates to payment processing only, it does not appear that PCI-compliant companies would have to address encryption in other contexts, including for example e-mails containing personal information.

In short, PCI compliance allows an entity to avoid the obligation to encrypt personal information (except for "Cardholder Data") on data storage devices or while in transit, as required under subsection 2. of SB 227, and would appear to undermine the broader purposes of the Law. Stated differently, companies that are already PCI compliant would appear to have diminished obligations when it comes to encrypting Personal Information than those companies that are not subject to PCI.

Issues Surrounding the Law’s PCI Compliance Obligations

Nevada is the first state to incorporate the entire PCI Standard into law. The PCI Standard is an industry standard contractually imposed by the payment card networks on merchants and service providers that store, process or transmit cardholder data. In essence, the Nevada legislature has ceded its legislative authority to a group of private companies whose interests and concerns in creating and updating the standard may not be aligned with the goals of the Law. It has given PCI the weight of law, backed by attorney general enforcement and potential statutory liability, despite the fact that PCI is typically imposed in a negotiated contractual setting. As such, tying PCI to the Law raises several interesting issues and poses additional challenges:

  • PCI is always changing. One of the biggest problems with the PCI compliance requirement under SB 227 is that PCI is constantly being changed and updated. PCI is currently on version 1.2.1 (the fourth version in four years) and is currently soliciting comments concerning potential modifications in 2010. This makes the Law a moving target. On a certain level this makes sense – the PCI standard and good security evolves as the risks and technology changes. However, from a compliance standpoint constant vigilance is required to ensure compliance. Under the Nevada law this is especially true since non-compliance can result in an attorney general action.
  • PCI is ambiguous. Unfortunately the PCI standard is ambiguous as written in many sections and as applied in many circumstances. This is due in part to the one-size-fits-all nature of the standard. The problem is exacerbated, however, because there are multiple sources of interpretation, including the PCI Council, merchant banks, the card brands and qualified security assessors. Even within the PCI Council itself multiple methods of interpretation exist, including guidelines, FAQs, prioritized approaches, and email answers provided by the PCI Council provided on an ad hoc basis. Moreover there is no set interpretative hierarchy between potentially competing interpretations. For example it is not clear whether PCI Council guidance document would trump an FAQ, or the interpretation of a merchant bank.
  • PCI is contractual in nature. Typically a merchant will enter into a “merchant agreement” with a merchant bank or processor so it can accept credit cards. That merchant agreement will mandate that the merchant comply with PCI. If there is an ambiguity, since the merchant’s obligations are derived by contract, naturally the “best” source to resolve those ambiguities is with the merchant bank that is party to the agreement. If the merchant bank “gets it wrong” or agrees to a PCI interpretation that is not compliant, while it may have sufficed for the contractual relationship, under the Law it could result in a legal violation.
  • PCI is one-size-fits-all. PCI is made up of over 200 individual requirements/sub-requirements. For small businesses it may be difficult, if not impossible, to comply with (from a resource standpoint). Yet the Law does not make any exception or allowance for this. As a result, on day one many businesses (especially smaller and medium companies) are likely to be non-compliant with the Nevada law.
  • New independent and direct duty for service providers to comply with PCI? Typically, under the PCI regulatory scheme, service providers that store, handle or transmit cardholder only have a direct obligation to comply with PCI if they are contractually required to do so. They have no independent legal duty to comply with PCI under normal circumstances. SB 227, however, may provide a direct duty for service providers to comply with PCI. Service providers appear to fall into the definition of “data collectors” because they typically “handle, collects, disseminates or otherwise deals with nonpublic personal information.”  The issue becomes whether, under subsection 1. of SB 227, a service provider storing, processing or transmitting cardholder data for another “accepts a payment card in connection with a sale of goods or services.” If the language in subsection 1. read “accepts a payment card for a sale of its goods or services,” then it would appear to be limited to merchants. However, the “in connection” language arguably extends the duty to service providers. For example, some might argue that payment gateways directly “accept” payment card numbers from customers online on behalf of merchants in connection with the merchant’s sale of goods and services.

Issues Surrounding the Law’s Encryption Obligations

The Encryption Obligations: Electronic Transmission and Data Storage Devices.

If a data collector doing business in Nevada does not have an obligation under subsection 1., then it must comply with the encryption requirements of subsection 2. SB 227 requires encryption in two areas: personal information transmitted electronically (subsection 2.(a) of SB 227) and encryption of personal information stored on certain data storage devices (subsection 2.(b) of SB 227).

A data collector doing business in Nevada, subject to exceptions discussed below, may not transfer personal information outside of its secure systems through an electronic transmission, unless encrypted. Again, a drafting quirk may pose some interesting interpretations of this obligation. By using the term “secure system” (undefined), it appears that this encryption requirement does not apply to personal information transmitted from an “insecure system.” Note that the probable intent of the “secure system” language was to eliminate the need to encrypt personal information while in transit within the internal networks of an organization (or at least that is one interpretation).

Drafting mistakes aside, SB 227 sets forth some significant exceptions to this encryption requirement. The electronic transmission encryption requirement does not apply to:

  • electronic voice transmissions or facsimile transmissions;
  • telecommunication providers conveying communications of other people; or
  • data transmissions over secure private communications channel for: (1) approval or processing of negotiable instruments, EFT transfers or similar payment methods; (2) issuance of reports regarding account closures due to fraud, substantial overdrafts; or (3) abuse of ATM machines or related information regarding a customer.

Data collectors must also encrypt data stored on a data storage device if the device goes beyond the logical or physical controls of the data collector or its data storage contractor. The concept of going beyond the physical controls (e.g. facilities of the data collector) is fairly clear. However, it is uncertain exactly what the intent is behind the “logical controls” reference. It could mean that if the data storage device is protected by the same “logical controls” as data storage devices that are part of the data collector’s internal networks, then encryption is not required.   Or it could be tying back into the concept of secure internal environments.  However, more research is necessary to ascertain how the “logical control” reference should be interpreted.

The Encryption Standard.

To comply with the Law, data collectors must use an encryption technology that renders such personal information indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data, which has been adopted by an established standards setting body, including for example, the Federal Information Process Standards published by the National Institute of Standards and Technology.

Encryption under the law also requires sound key management processes and safeguards. Specifically, data collectors must utilize appropriate management and safeguards with respect to cryptographic keys in order to protect the integrity of its encryption process. The data collector’s key management procedures and safeguards must be consistent with guidelines set forth by an established standards setting body, including for example, the National Institute of Standards and Technology.

While one might quibble with the requirement that the encryption technology render personal information indecipherable (all encryption is theoretically capable of being broken), the reference to FIPS and NIST standards provides solid guidance. However, the Law does not indicate what constitutes an “established standards setting bodies” in the event a data collector would like to use an encryption standard that is not based on FIPS or NIST.

The SB 227 Amendment’s “Safe Harbor”

While SB 227 arguably imposes significant encryption obligations on certain data collectors (at least those that are not already PCI-compliant), it also provides a “reward” for companies that meet its mandates. Subsection 3. of SB 227 provides a “safe harbor”:

3. A data collector shall not be liable for damages for a breach of the security of the system data if:
(a) The data collector is in compliance with this section; and
(b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.

This “safe harbor” may provide significant protection to compliant companies that suffer a personal information breach, even beyond the Law itself. Some may argue that the safe harbor protects the organization from all damages no matter what context or theory of liability (e.g. common law negligence, contract, negligent misrepresentation, etc.). Support for this theory can be found where SB 227 references a very limited list of liabilities theories (“gross negligence and intentional misconduct”), which arguably implies that other theories of liability can be barred by the safe harbor. Moreover, since the Law itself does not explicitly provide any damage remedy against a data collector that suffers a security breach, it would appear to be referring to liability outside of the Law.

For example, assume the case of a merchant that suffered a payment card breach. It would typically have a contract in place whereby it agreed to indemnify its merchant bank in the event of a payment card breach. Under SB 227, as long as the merchant was PCI compliant at the time of the breach (and therefore compliant with subsection 1. of SB 227), it could argue that it should be immune from contractual liability. This is significant because there is no legal mechanism currently in place under PCI that provides this legal protection. Please note that this argument is far from settled and additional research and analysis is necessary in order to validate the intent of Nevada’s legislature.

Beyond its potential broad scope, the safe harbor language in SB 227 arguably creates some incongruities between SB 227 and the Law. For example, the Law requires data collectors to implement certain “reasonable” security measures around personal information, which typically include measures beyond encryption (e.g. background checks, firewalls, virus protection, security policies, etc.). However, the safe harbor applies to all security breaches as long as the data collector complied with SB 227, even if it implemented “unreasonable” (but not “grossly negligent”) security.

An illustration may assist here. Assume a data collector made a mistake in configuring its firewall, which allowed a hacker to steal one million unencrypted personal information records while in transit on the data collector’s internal systems. One might argue that this data collector violated the section of the Law requiring “reasonable security measures” by providing such access. Nonetheless, as long as the data collector complied with SB 227 by encrypting data in transit externally or in data storage devices taken off premises, and it was not grossly negligent, it appears it would not be liable for the security breach under the Law (and otherwise). In other words, with the safe harbor, the requirements of SB 227 could be argued to override more stringent requirements of the Law around security.

Conclusion

Nevada’s Security of Personal Information Law, including the SB 227 Amendment, may pose some challenges for organizations. Its scope is arguably wider than Nevada companies because it appears to apply to any business that stores or processes personal information of Nevada residents, even those without a physical presence in Nevada. It employs a one-size-fits all approach that requires either PCI compliance or encryption of data in transit or on data storage devices, regardless of feasibility, or the resources or sophistication of the company. Moreover, by incorporating the payment card industry’s data security standard directly into the law, it gives PCI “the force of law.” This may be problematic for several reasons, the least of which is that PCI is frequently amended and presents a “moving target,” and is often ambiguous as written and as applied.

However, in addition to the new obligations posed by SB 227, it may offer some benefits and protection to organizations. First, companies that are already PCI compliant do not need to go the extra step under SB 227 and encrypt personal information in transit or on data storage devices. This is true despite the fact that the encryption requirements of PCI are limited in scope. Second, SB 227 provides a safe harbor that arguably bars liability arising out personal information security breaches that were not intentional or grossly negligent. In all, it will be interesting how companies react to the Law, how it is enforced by regulators, used by litigants involved in security breach litigation, and interpreted by courts.
Tags: , , , , ,
Posted on October 2, 2009 by W. Scott Blackmer

Code or Clear? Encryption Requirements (Part 2)

In the last post, I talked about the role of encryption in fashioning a “reasonable” security plan for sensitive personal information and other protected data routinely collected, stored, and used by an enterprise. But lawmakers and regulators are getting more specific about using encryption and managing data that is risky from an ID-theft perspective. Here are some leading examples of this trend.

State Security and Breach Notification Laws

Since California adopted SB 1386, which went into effect in 2003, nearly all US states have enacted security breach notice laws that require notice to affected individuals, and in some cases to public authorities, when a party has reason to believe that the security of protected categories of personal data has been compromised. The protected categories are typically SSN (Social Security Number), driver’s license, financial account or payment card details (usually only if the password or access code is also compromised), and, increasingly, medical data not covered by federal HIPAA privacy protections.

All of these laws make an exemption from the notice obligation if the data were encrypted (some add that this is true only if there is no reason to believe that the decryption key was also compromised). The laws, and regulations adopted under the laws, typically do not specify the level or kind of encryption. For example, California’s Office of Privacy Protection published guidance specifically on the subject of “Recommended Practices on Protecting the Confidentiality of Social Security Numbers” in April 2007, which has only this to say about encryption, on page 11:
“Protect records containing SSNs, including back-ups, during storage by encrypting the numbers in electronic records or storing records in other media in locked cabinets.”

Partly as a consequence of these security and breach notice laws, organizations should limit their use and storage of these categories of personal data to the extent they are really necessary for business operations. Storage on servers or on archived media, and transmission over internal networks and VPN connections, may or may not be sufficiently secure without encryption, depending on the company’s risk assessment and IT security practices. Organizations should encrypt such data when it is resident on laptops or other portable devices and when it is in transit over the public Internet.

Massachusetts and Nevada have recently adopted stricter and more specific rules, however, that may become a model for other states. These increase the regulatory pressure for encrypting protected categories of personal data.

Massachusetts

The Massachusetts Personal Information Security Regulation (201 CMR 17.00) is now scheduled to take effect on March 1, 2010. The Regulation was promulgated by the Office of Consumer Affairs and Business Regulation (OCABR) under the authority of the Massachusetts personal information security law.

The Regulation will require all parties that “own or license” any of the protected categories of personal data concerning Massachusetts residents to encrypt the data in laptops or other portable devices, as well as in wireless transmissions and in transmission over public networks.

Note that the Regulation does not limit its coverage of financial account data to cases where the access code or PIN is compromised, as do most security and breach notice laws. The Regulation extends to any nonpublic financial account or payment card data, as well as to SSNs and driver’s license numbers. The Regulation does not cover medical information, however.

The Regulation mandates a number of “Computer System Security Requirements” (201 CMR sec. 17.04) for businesses that handle the protected categories of personal data. These expressly include the following:

“(3) Encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data containing personal information to be transmitted wirelessly . . .

(5) Encryption of all personal information stored on laptops or other portable devices . . .”

The level and type of encryption are not specified.

Nevada

Nevada recently amended its personal information security law, which already required “reasonable” security measures as well as breach notice (Nevada Rev. Stats. secs. 603A.010 et seq.). The amendments take effect on January 1, 2010.

The law covers SSNs, driver’s license numbers, and payment card or financial account data in combination with an access code or PIN. Medical information is not covered.

Under the amended law, businesses that accept payment cards (credit cards and debit cards) must comply with the Payment Card Industry Digital Security Standard (PCI DSS). In addition, a party handling any of the protected categories of information must encrypt the data if it transfers the data electronically “outside of the secure system of the data collector” or if the data is stored on a device (laptop, USB drive, etc.) that is moved “beyond the logical or physical controls of the data collector or its data storage contractor.”

“Encryption” is defined in the amendments with reference to “established standards,” specifically including FIPS and mentioning the need for standards-based key management as well as encryption protocols:

‘Encryption’ means the protection of data in electronic or optical form, in storage or in transit, using:

(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and

(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”

Thus, while the law itself does not specify the form of encryption, it puts the burden on the user to choose an appropriate and standards-based method.

HITECH

Title XIII of ARRA, the federal economic recovery legislation adopted early in 2009, is labeled the Health Information Technology for Economic and Clinical Health Act (HITECH). It amends the HIPAA medical privacy provisions by adding a federal security breach notice requirement for nonpublic, personally identifiable health information. While HIPAA applies only to certain covered entities (healthcare providers and insurance companies and clearinghouses), HITECH also applies to “business associates” that provide services to those entities. HITECH reaches as well any employers that are covered by HIPAA because, for example, they operate company clinics or manage their own health plans.

HITECH requires notice to affected individuals when there has been a security breach exposing personally identifiable health data. HIPAA already lists 18 identifiers (names, addresses, SSNs, health plan ID numbers, etc.) that must be removed to establish that health records have been “de-identified.” Where compromised records have not been fully de-identified by removing these data fields, HITECH sec. 132400 also recognizes that the information may not be personally identifiable if it is effectively encrypted:

“(b) Implementation specifications: Requirements for de-identification of protected health information. A covered entity may determine that health information is not individually identifiable health information only if:

(1) A person with appropriate knowledge of and experience with generally accepted statistical and scientific principles and methods for rendering information not individually identifiable:

(i) Applying such principles and methods, determines that the risk is very small that the information could be used, alone or in combination with other reasonably available information, by an anticipated recipient to identify an individual who is a subject of the information; and (ii) Documents the methods and results of the analysis that justify such determination; . . . .”

Thus, HITECH does not specify a particular form of encryption but leaves it to IT security experts to decide whether the data are effectively unidentifiable in the hands of an unauthorized user. Note that the statute requires covered entities to maintain documentation of this professional analysis, and that the analysis must be based on “generally accepted” principles and methods – which means that professional opinions are likely to refer to published specifications and industry standards.

Red Flags

The 2007 Identity Theft Red Flags Rule (promulgated under the 2003 FACTA amendments to the federal Fair Credit Reporting Act) went into effect in November 2008, although the FTC suspended enforcement until November 1, 2009. (Similar rules were issued by the federal financial regulatory agencies, for the institutions they supervise.) The Rule requires covered entities to develop and implement written policies to prevent identity theft, including recognition of warning signs or “red flags” of suspected ID theft.

The Rule applies not only to traditional financial institutions but to “creditors,” defined as companies that “regularly defer payment for goods or services,” whether or not charging interest or finance charges, and therefore store personal information about individual debtors. Some employers, for example, sell goods or services to employees on deferred payment terms and may be treated as covered entities for that reason. (However, the Red Flag FAQs written by FTC staff take the view that an employer is not a covered entity simply because it sponsors a 401k or other qualified retirement plan that allows participants to borrow from their retirement funds.)
For covered entities, the mandatory policy to prevent ID theft must identify signs of possible security breaches involving certain data, as well as appropriate responses to those alerts. The covered data are SSNs and tax identification numbers, healthcare IDs, financial account and credit/debit card details, personally identifiable medical information, and identifying data from consumer reports (which are often used for employee background checks as well as for credit applications).
The Rule itself does not mandate encryption measures. However, most covered entities will necessarily address encryption in their written anti-ID theft policies. Their “red flags” should also include an alert if there is evidence that encryption keys have been misused, stolen, or hacked.
 
Tags: , , , , , , , , , , , , , , , , , , , , , , , , , , , ,
Posted on July 23, 2009 by David Navetta

Nevada's Security of Personal Information Law Post Three: Reasonable Security Measures Requirements

The following FAQs address the "reasonable security measures" requirement of Nevada's Security of Personal Information Law. The rest of the FAQ is linked to here.

(4) REQUIRED SECURITY MEASURES (NRS 603 A.210)

What security measures must data collectors implement and maintain while maintaining records containing personal information?

Data collectors that maintain records that contain personal information must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure. Some observations

  • Objective standard. The use of the word "reasonable" to describe required security measures suggests an objective standard in assessing whether a company has complied with the Security Law. In short, it may not be enough if a company "subjectively" believes that it has good security measures (even if that belief is "true"). Security measures under this law will be measured against an "objective" standard based on the circumstances of the data collector, the threat environment, available technology, etc. In practical terms, if a lawsuit is filed, the plaintiffs will retain an expert who will likely provide a counter-opposing view as to the reasonableness of the data collector's controls (if that is an issue in the case). The data collector will have counter that opinion with "objective" evidence.
  • Reasonableness - Adherence to Industry Standards May Not Be Enough. If "reasonableness" is viewed in a similar fashion as under common law negligence, complying only with industry standards may be inadequate. Judge Learned Hand's ruling in the T.J. Hooper case demonstrates this rationale:
Indeed in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices....Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission.

In short, doing what the industry does may not be enough if the industry is lagging behind the security risk curve.

  • Risk-Based Reasonableness. Again, in another nautical-oriented lawsuit, Judge Learned Hand famously put forth the following legal concept:
Since there are occasions when every vessel will break from her moorings, and since, if she does, she becomes a menace to those about her; the owner's duty, as in other similar situations, to provide against resulting injuries is a function of three variables: (1) The probability that she will break away; (2) the gravity of the resulting injury, if she does; (3) the burden of adequate precautions. Possibly it serves to bring this notion into relief to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B < PL.

Under this legal doctrine, an analysis of the risk posed by having or not having particular security measures is required to determine what security measures are "reasonable." In simplistic terms, low-cost security measures that mitigate a lot of risk (e.g. virus protection might be one) are necessary, while high cost security measures that mitigate a little risk may not be. The difficult part is determining the security measures that fall in the middle.

  • Considerations in analyzing "reasonable" security measures. Compliance with industry standards and risk-based security controls can assist a company in achieving "reasonable" security measures. If attempting to comply with industry standards, companies should consider not only the industry on the whole, but also similar peers and sub-groups within the industry. For example, while my local credit union and Citibank may be in the same industry (financial industry), "reasonable" industry security measures for Citibank likely differ from the smaller credit union. While a baseline may exist for all financial institutions, larger and more wealthy banks like Citibank may have to match up to similar financial titans (Bank of America, HSBC, etc.). In addition, organizations should consider complying with general security standards like ISO 27001, CoBit and others. If laws exist within a particular industry (such as GLB, HIPAA, FERPA) that establish security laws they should also be considered part of the "reasonableness" equation. The more a company can point to relevant standards or laws they have complied with, the stronger their arguments for reasonableness.
  • Retain Security and Legal Expertise and Develop Positions. Since the issue of reasonableness in many cases will come down to a battle of security and legal experts, organizations should develop their positions ahead of potential security breaches or other situations likely to lead to litigation. This includes having developed a position that is defensible from both a security and legal standpoint. In many cases, the data collector will have to retain a security professional to provide expert testimony. If security and legal positions are developed prior to a breach, and hopefully under attorney-client privilege, they can be ready for use after a security breach in the defense of a lawsuit.

If a data collector discloses personal information to a service provider, does the service provider have a direct and independent duty to implement and maintain the reasonable security measures required under the Security Law?

Since data collectors are defined based on whether they maintain personal information, a service provider that maintains personal information appears to have a direct and independent duty under the Security Law to implement reasonable security measures. In addition, the Security Law requires a data collector disclosing personal information to a service provider to enter into a contract obligating the service provider to implement and maintain reasonable security measures. Finally, for all intents and purposes, service providers handling payment card data may have to comply with PCI to the extent that it is considered the industry standard, which informs on the issue of "reasonableness."

Do data collectors need to comply with the law's reasonable security requirements if they are already compliant with another state or federal law mandating reasonable security measures?

No, as long as the other applicable security law provides greater protection to records that contain personal information of Nevada residents and the data collector is compliant with that law. In such a case, the data collector is deemed in compliance with this subsection of the Nevada Security Law. However, organizations must conduct a careful legal and security analysis to determine whether other laws actually match up to the protections required under Nevada's Security Law.

Up Next: Blog Post Four: Encryption and PCI Requirements

Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. The this law is complex and additional research is necessary. If you are interested in a full legal analysis please contact me directly at djn@davidnavetta.com
Tags: , , ,
Posted on July 22, 2009 by David Navetta

Nevada's Security of Personal Information Law Post Two: The Breach Notice Requirements

The following FAQs address the breach notice requirements of Nevada's Security of Personal Information Law. The rest of the FAQ is linked to here.

(3) SECURITY BREACH NOTICE (NRS 603A.220) What triggers the security breach notice obligations under the Security Law?

In order for the breach notice requirements to be triggered under the Security Law two general events must occur (with some sub-requirements discussed further below). First, there must have been a "breach of the security of the system data" discovered by a data collector or notified to a data collector. Second, "personal information" must have actually been acquired by an unauthorized person, or was "reasonably believed to have been acquired" by an unauthorized person. Some observations:

  • "Reasonably believed" acquisitions. In some cases it may be very unclear as to whether any actual "acquisition" by an unauthorized person occurred. Forensic assessment may not yield enough information to reach a definitive conclusion on that issue. Nonetheless, if there is evidence of possible acquisition that outweighs contrary evidence, then reporting requirements may still apply under the "reasonably believed" standard. This standard is likely viewed as an objective standard - so even if the data collector subjectively believed that no acquisition occurred that belief would be tested against the available evidence with respect to the incident.
  • Duty to investigate. Let's assume that an organization discovers a security breach, but the initial facts it receives do not provide any indication as to whether personal information was acquired by an unauthorized person. What if the company plugged the security hole and conducted no further investigation as to the question of acquisition? Is this permitted? Technically the answer appears to be 'yes.' That law does not impose any explicit duty to investigate whether personal information was acquired. As such, an organization could take the position that it never formed a reasonable belief of unauthorized acquisition, because it had no evidence of such acquisition. Whether this would hold up in court is another story, as some would argue that this complies with the letter of the law, but defeats its spirit. Moreover, the concept of "reasonable belief" may be argued to imply a reasonable investigation in order to form a belief one way or another.

What constitutes a security breach under the Nevada Security Law?

 

The Security Law sets forth a somewhat convoluted definition for "security breach." "Breach of the security of system data" is defined as: "unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector." Some observations:

  • No reference to systems. The security breach definition does not require breach of a particular network or system. Rather it focuses on unauthorized acquisition of computerized data. As such, it appears that it does not matter from which systems the data is taken as long as the data collector is "maintaining" the data. This would appear to include, for example, theft of a lap top, portable storage device or smart phone from an employee's car.
  • 2-step process. Acquisition of computerized data containing personal information alone does not constitute a breach. In addition, there must be a material compromise of the security, confidentiality or integrity of personal information. In the event a thief could not get to the personal information (e.g. encryption or perhaps some sort of strong access control) then the Security Law would not be triggered.
  • Material compromise. It is unclear how the concept of materiality is intended to work under this definition. For example, it seems that the security or confidentiality of personal information is either compromised or not compromised. Moreover, since the definition of personal information already requires a combination of first/last name and account numbers, it would seem that materiality is already built in. This reference may also refer to the volume of personal information exposed, but it is far from clear what the intent is.

What events must transpire for a notification duty to be triggered under the Security Law?

 

Unfortunately the definitions and requirements of the Security Law are somewhat convoluted. Breaking down the definition of "breach of the security of system data" and the trigger in section NRS 603A.220, it appears that the following events must occur:

(1) unauthorized acquisition of computerized data; AND

(2) a resulting material compromise of the security, confidentiality or integrity of personal information; AND

(3) discovery or notification of (1) and (2) by the data collector; AND

(4) a determination that unencrypted personal information of a Nevada resident was acquired by an unauthorized person; OR

(5) the existence of a reasonable belief that such personal information was acquired by an unauthorized person.

Some observations:

  • Prerequisites. It appears that steps (1) through (3) are required before (4) and (5) come into play. If a "breach of the security of system data" as defined never occurs (see steps (1) and (2)) it cannot be discovered and you never get to (4) and (5) as part of your analysis. Moreover, obviously if there is no discovery or notification of the "breach of the security of system data" (step 3), then steps (4) and (5) cannot exist.
  • Contradictory requirements concerning "reasonable belief" of acquisition. Steps (2) and (5) may be somewhat contradictory. Step (2) requires a determination as to whether a material compromise has occurred. There is no language indicating a trigger where the data collector has a "reasonable belief" that personal information has been compromised. In other words only if there has been an "actual" compromise of personal information will a "breach" have occurred (according to the definition of "breach of the security of system data"). For example, assume a laptop with personal information is stolen. Certainly there has been unauthorized acquisition of computerized data, but there may be no way to determine whether there has also been a material compromise of the security, confidentiality or integrity of personal information. Therefore, it would appear that one could reasonably argue that the data collector could not ascertain whether a "breach of the security of system data" existed, and therefore never "discovered" such a breach. That data collector would not even get to step (5) (which requires reporting if there is a reasonable belief of unauthorized acquisition) since step (2) is a pre-requisite to steps (4) and (5). Again, this is a very technical argument and it may be difficult to argue in court.

Who must provide notice of a security breach under the Nevada Security Law? And to whom?

 

Any data collector that owns or licenses computerized data which includes personal information must disclose a breach of that personal information to the Nevada resident that was impacted. Data collectors that have received computerized personal information from and owner or licensee (e.g. service providers) of computerized data must provide notice of a breach impacting computerized personal information immediately after discovering the breach. However, if a data collector is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., it is deemed in compliance with the Security Law and apparently need not comply with its requirements (although those subject to GLB should already have breach notice response programs in place). Some observations:

  • Application to service providers. "Data collector" as defined makes no distinction between "data owners/controllers" and "service providers." Both fall into the definition of data collector as long as they are handling personal information.
  • Service providers as "licensees" of personal information. Data controllers often use service providers to process personal information for on behalf of the data controller. In fact, in some cases the personal information may initially be provided directly to the service provider (e.g. data hosting or application service providers). Typically most interpret "ownership and licensing" of personal information to mean that the data controller (the company seeking to collect and use the data on the front-end of a transaction for its own purposes) is the party responsible for notice, even if the data controller's service provider was the entity that suffered the actual breach. This view is buttressed by the requirement in the Security Law that service providers provide owners and licensees immediate notice of a breach. However, it is possible for a service provider to also be considered a "licensee" of computerized data containing personal information. Service provider agreements often provide the service provider with a limited license to use data including personal information for purposes of processing on behalf of the original data owner. Even if not explicit, service providers may have an implied license to use computerized personal information for the limited purposes of processing a transaction for the data controller. It is not clear from the language of the statute whether a data collector must have received a license directly from the individual providing personal information, or whether a service provider's potential status as a "sub-licensee" of personal information creates a direct duty to report to Nevada residents.

Do the Security Law's breach notice obligations apply to "hard copies" or paper records?

 

No, breach notice obligations under this subsection of the Security Law only relate to computerized data which includes personal information. However, other sections of the Security Law (such as the record destruction section (603A.200) and the security measure section (603A.210)) apply to "records," which would appear to include hard copies/paper records.

Who how soon must notice be provided under the Nevada Security Law?

Following discovery of a breach and acquisition by an unauthorized person (or the establishment of a reasonable belief of such acquisition), "owners" and "licensees" must provide notice to the relevant individuals "in the most expedient time possible and without unreasonable delay." However, notification can be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Service providers that suffer a breach must provide notice to the owner or licensee of the personal information immediately following the discovery of a breach resulting in acquisition by an unauthorized person, or reasonably believed unauthorized acquisition.

Besides, Nevada residents and the owner or licensee of computerized personal information, are there any other parties to whom data collectors must provide notice?

If a data collector determines that notification is required under the Security Law to be provided to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any "consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" (as that term is defined in 15 U.S.C. § 1681a(p)), of the time the notification is distributed and the content of the notification.

Up Next: Blog Post Three: Required Security Measures.

Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. The this law is complex and additional research is necessary. If you are interested in a full legal analysis please contact me directly at djn@davidnavetta.com
Tags: , , , , ,