In an effort to encourage businesses to encrypt data, in 2002 California became the first state to require businesses to take affirmative steps to safeguard certain types of private information and to notify persons whose private data might be compromised in the event of a security breach involving unencrypted personal information. More than 40 states have enacted new laws patterned after the California law requiring notification in the event of security breaches involving unencrypted data. More recently, responding to several widely publicized incidents of data security breaches, some states are going further by establishing additional standards for data security and protection, including specifically requiring the encryption of personal information.
Nevada has passed a new law that, as of October 1, 2008, requires Nevada businesses to encrypt all electronic transmissions (except facsimiles) of a customer’s personal information if the information is sent outside “the secure system of the business.”1 “Personal information” is a person’s first name or first initial and last name, combined with either the person’s (1) Social Security number, (2) driver’s license or identification card number, or (3) account number, credit card number, or debit card number, combined with any required security code, access code, or password that would permit access to the person’s financial account.
The law applies to businesses “in this State [Nevada].” While it is not clear what constitutes a business “in this State,” the Nevada Supreme Court has established a two-prong standard for determining what constitutes doing business in the state: (1) the nature of the company’s business in the state; and (2) the quantity of business conducted by the company in the state.2 Until a case comes before Nevada courts to further interpret this new statute, companies would be prudent to assume it is likely that the “doing-business” test will be used to determine applicability of the data encryption law. Accordingly, companies not headquartered in Nevada but doing a substantial amount of business in the state could be subject to the law.
Companies subject to the law should take action now to ensure timely compliance. The law is triggered when personal information regarding a “customer” is transmitted “outside of the secure system of the business.” The law defines neither “customer” nor “secure system of the business,” but until the courts clarify these terms, companies should assume the law applies to any data communication or transmission that leaves the company’s firewall-protected local area network. Thus, e-mails and data transfers to third parties could be covered and would require industry-standard encryption. While facsimile transmissions are exempt, businesses should still be mindful of the law, since faxes are now often transmitted via e-mail, network scanners, or some other digital method. Companies should modify their practices and update their policies accordingly to comply with the new law.
The new law supplements and does not replace or modify Nevada’s current data breach notification law.3 While the new law requires the encryption of personal information during transmission, it does not require businesses to encrypt the same information while it is being stored on servers, laptops, backup tapes, and the like. Nonetheless, the data breach notification law requires notification of individuals when their personal information is not encrypted and has been the subject of a security breach. Accordingly, companies should consider an appropriate enterprise-wide encryption policy covering encryption of stored data, particularly on laptops, as well as transmitted data.
It should be noted that the law does not expressly provide for penalties or remedies. Nonetheless, a violation of the law could be argued to be evidence of negligence or other wrongdoing in a civil lawsuit against the company in the event a customer is damaged as a result of a failure to comply with the law.
Legal News is part of our ongoing commitment to providing legal insight to our clients and our colleagues. If you have any questions about this alert or would like to discuss this topic further, please contact your Foley attorney or the following individual:
Chanley T. Howell