PII Encryption Required by New Massachusetts and Nevada Laws

There is a growing trend in laws that require personally identifiable information (PII) to be encrypted.
Encryption in past laws have been directed to be considered based upon risk, but now they are more explicitly required in some laws.


Nevada’s S.B. 347 goes into effect October 1. Businesses handling Nevada residents’ PII must encrypt the customer PII when sending it outside a secured network under the state’s data breach notification law which was enacted over three years ago. Fax transmissions of customer PII are excluded from the law.
The Nevada PII is: a person’s first name, or first initial and last name, in combination with their Social Security number (SSN), employer identification, driver’s license, or identification card number, or their name information coupled with their financial account or credit or debit card number and access code or password.
So what encryption is required? Nevada’s law does not specify any technical or other specific requirements. Yes, this creates a loophole.
In Massachusets, new law 201 CMR 17.00 was issued on September 22 that goes into effect on January 1, 2009. The law applies to businesses and individuals that own, license, store or maintain PII about a Massachusetts resident.
PII that is stored in laptops, flashdrives, and other portable data storage devices, and that is transmitted over the Internet, or other public networks, and sent through wireless connections must be encrypted.
Encryption is defined as: “… the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key …”
The original definition of requiring “a 128-bit or higher algorithmic process” was weakened because of lobbyists’ protests that the requirement was “inflexible” as originally written.
In addition to requiring encryption, the law also requires organizations to develop a security program, conduct internal and external security reviews and provide employee training, use up-to-date firewalls, have effective access controls, limit the amount of PII collected, limit how long PII is retained, allow access only as required as necessary to perform job responsibilities, ensure that service providers have programs to adequately protect PII, contractually bind them to do so, and have them certify that they have a compliant documented information security program. A few more requirements include requiring documented security policies that meet certain standards, prevent terminated employees from gaining access to PII, regularly monitor employee access to PII, evaluate security program effectiveness annually, take corrective action when necessary, and document actions taken in security incidents and privacy breaches.
The proposed law would have required companies to maintain audit trails on the handling of PII, and the provisions defining PII were also changed so that SSNs and credit card numbers alone, without identifying names of individuals, are not covered by the data security rules.
Yes, another big hole that was built into the law. There are numerous ways in which fraudsters and and crooks, having SSNs and credit card numbers alone can do a lot of bad things.
The breach notification requirements may still need to be followed, however, even if a name is not tied to SSNs or credit card numbers, based upon the determined likelihood and risk of identity theft or fraud, even if the compromised data is not defined as “personal information” by the law.
If organizations would implement a comprehensive information security program, based upon risks and internationally accepted standards, which would include encrypting PII in transit through networks and on mobile computers and storage, they would meet most of the compliance requirements for existing and emerging data protection laws and regulations.

Tags: , , , , , , , , , , , ,

Leave a Reply