Nevada's Security of Personal Information Law Post Three: Reasonable Security Measures Requirements
(4) REQUIRED SECURITY MEASURES (NRS 603A.210)
What security measures must data collectors implement and maintain while maintaining records containing personal information?
Data collectors that maintain records that contain personal information must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure. Some observations:
- Objective standard. The use of the word "reasonable" to describe required security measures suggests an objective standard in assessing whether a company has complied with the Security Law. In short, it may not be enough if a company "subjectively" believes that it has good security measures (even if that belief is "true"). Security measures under this law will be measured against an "objective" standard based on the circumstances of the data collector, the threat environment, available technology, etc. In practical terms, if a lawsuit is filed, the plaintiffs will retain an expert who will likely provide an opposing view as to the reasonableness of the data collector's controls (if that is an issue in the case). The data collector will have to counter that opinion with "objective" evidence.
- Reasonableness - Adherence to Industry Standards May Not Be Enough. If "reasonableness" is viewed in a similar fashion as under common law negligence, complying only with industry standards may be inadequate. Judge Learned Hand's ruling in the T.J. Hooper case demonstrates this rationale:
Indeed in most cases reasonable prudence is in fact common prudence, but strictly it is never its measure. A whole calling may have unduly lagged in the adoption of new and available devices.... Courts must in the end say what is required. There are precautions so imperative that even their universal disregard will not excuse their omission.
In short, doing what the industry does may not be enough if the industry is lagging behind the security risk curve.
- Risk-Based Reasonableness. Again, in another nautical-oriented lawsuit, Judge Learned Hand famously put forth the following legal concept:
Since there are occasions when every vessel will break from her moorings, and since, if she does, she becomes a menace to those about her; the owner's duty, as in other similar situations, to provide against resulting injuries is a function of three variables: (1) The probability that she will break away; (2) the gravity of the resulting injury, if she does; (3) the burden of adequate precautions. Possibly it serves to bring this notion into relief to state it in algebraic terms: if the probability be called P; the injury, L; and the burden, B; liability depends upon whether B is less than L multiplied by P: i.e., whether B < PL.
Under this legal doctrine, an analysis of the risk posed by having or not having particular security measures is required to determine what security measures are "reasonable." In simplistic terms, low-cost security measures that mitigate a lot of risk (e.g. virus protection might be one) are necessary, while high-cost security measures that mitigate little risk may not be. The difficult part is determining the security measures that fall in the middle.
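To make the B < PL reasoning concrete, the following added example (not part of the original post) applies it to a set of candidate controls with constructed, illustrative figures. It assumes that P is read as the marginal reduction in the probability of a loss event that the control provides, that B is the annualised cost of the control, and that a tolerance band around B = PL marks the "middle" cases the post describes as the hard ones.

```python
"""Apply Judge Hand's B < PL test to candidate security controls (added example)."""
from dataclasses import dataclass
from typing import List


@dataclass(frozen=True)
class Control:
    name: str
    burden: float      # B: annualised cost of implementing and operating the control
    p_without: float   # annual probability of the loss event without the control
    p_with: float      # residual annual probability with the control in place
    loss: float        # L: estimated loss if the event occurs


def risk_reduction(c: Control) -> float:
    """Expected loss avoided per year: (P_without - P_with) * L, i.e. the 'PL' side."""
    return (c.p_without - c.p_with) * c.loss


def classify(c: Control, gray_band: float = 0.25) -> str:
    """'required' when B is clearly below PL, 'not required' when clearly above,
    and 'middle' when B lies within +/- gray_band of PL (the hard cases)."""
    pl = risk_reduction(c)
    if pl <= 0:
        return "not required"          # a control that reduces no risk carries no duty
    ratio = c.burden / pl
    if ratio < 1 - gray_band:
        return "required"
    if ratio > 1 + gray_band:
        return "not required"
    return "middle"


def prioritize(controls: List[Control]) -> List[Control]:
    """Rank controls by net expected benefit (PL - B), highest first."""
    return sorted(controls, key=lambda c: risk_reduction(c) - c.burden, reverse=True)


# Constructed sample controls; figures are illustrative, not from any real assessment.
CONTROLS = [
    Control("antivirus", burden=5_000, p_without=0.30, p_with=0.10, loss=200_000),
    Control("db encryption", burden=30_000, p_without=0.10, p_with=0.02, loss=400_000),
    Control("hardware tokens", burden=150_000, p_without=0.05, p_with=0.04, loss=200_000),
]

if __name__ == "__main__":
    for c in prioritize(CONTROLS):
        print(f"{c.name:16s} B={c.burden:>9,.0f} PL={risk_reduction(c):>9,.0f} -> {classify(c)}")
```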
- Considerations in analyzing "reasonable" security measures. Compliance with industry standards and risk-based security controls can assist a company in achieving "reasonable" security measures. If attempting to comply with industry standards, companies should consider not only the industry on the whole, but also similar peers and sub-groups within the industry. For example, while my local credit union and Citibank may be in the same industry (financial industry), "reasonable" industry security measures for Citibank likely differ from those for the smaller credit union. While a baseline may exist for all financial institutions, larger and wealthier banks like Citibank may have to match up to similar financial titans (Bank of America, HSBC, etc.). In addition, organizations should consider complying with general security standards like ISO 27001, COBIT and others. If laws exist within a particular industry (such as GLB, HIPAA, FERPA) that establish security requirements, they should also be considered part of the "reasonableness" equation. The more a company can point to relevant standards or laws it has complied with, the stronger its arguments for reasonableness.
- Retain Security and Legal Expertise and Develop Positions. Since the issue of reasonableness in many cases will come down to a battle of security and legal experts, organizations should develop their positions ahead of potential security breaches or other situations likely to lead to litigation. This includes having developed a position that is defensible from both a security and legal standpoint. In many cases, the data collector will have to retain a security professional to provide expert testimony. If security and legal positions are developed prior to a breach, and hopefully under attorney-client privilege, they can be ready for use after a security breach in the defense of a lawsuit.
If a data collector discloses personal information to a service provider, does the service provider have a direct and independent duty to implement and maintain the reasonable security measures required under the Security Law?
Since data collectors are defined based on whether they maintain personal information, a service provider that maintains personal information appears to have a direct and independent duty under the Security Law to implement reasonable security measures. In addition, the Security Law requires a data collector disclosing personal information to a service provider to enter into a contract obligating the service provider to implement and maintain reasonable security measures. Finally, for all intents and purposes, service providers handling payment card data may have to comply with PCI to the extent that it is considered the industry standard, which informs on the issue of "reasonableness."
Do data collectors need to comply with the law's reasonable security requirements if they are already compliant with another state or federal law mandating reasonable security measures?
No, as long as the other applicable security law provides greater protection to records that contain personal information of Nevada residents and the data collector is compliant with that law. In such a case, the data collector is deemed in compliance with this subsection of the Nevada Security Law. However, organizations must conduct a careful legal and security analysis to determine whether other laws actually match up to the protections required under Nevada's Security Law.
Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. This law is complex and additional research is necessary. If you are interested in a full legal analysis please contact me directly at firstname.lastname@example.org