Legally Mandated Encryption.

Two New State Laws Mandate Encryption of Personal Information

Over the past decade a multitude of information security and privacy laws have been passed mandating some level of security over sensitive information.  In most instances legislators and regulators have opted for "technology-neutral" laws obligating "appropriate," (e.g. "GLB") "reasonable" (e.g. Cal AB 1950) or "adequate" (e.g. "SOX") information security.  However, starting with California's SB1386, many States began bringing encryption into their legal regimes by creating an encryption "safe harbor" for security breach notice laws.  Nevada and Massachusetts have now gone further and have passed laws that legally mandate some form of encryption with respect to personal information.  This article explores the encryption requirements of the Nevada and Massachusetts laws, and analyzes the factors organizations should consider in complying with such laws.

Nevada's Encryption Law

Nevada's encryption law is brief in its wording, but potentially expansive in its application.  The statute provides:

A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission[1].

Compliance with this law is required starting on October 8, 2008.

Massachusetts's Encryption Law

Unlike Nevada's law, recently passed Massachusetts's regulations call for the adoption of a comprehensive information security program.[2] However, in addition to general requirements around information security, the regulations set some minimum controls organizations must implement, including encryption:

(3)  To the extent technically feasible, encryption of all transmitted records and files containing personal information that will travel across public networks, and encryption of all data to be transmitted wirelessly; [and]

* * *

(5)  Encryption of all personal information stored on laptops or other portable devices[3].

Organizations subject to this law must comply by January 1, 2009.

Analysis

Compliance with mandated encryption laws like those in Nevada and Massachusetts will likely be very challenging from a legal, technical and business standpoint.  This section explores the legal factors organizations must consider in attempting to comply with these encryption laws.

1. Geographic Scope

The Nevada and Massachusetts laws take different approaches in defining the geographic scope of their encryption laws.  In general, the focus of the Nevada mandatory encryption law is where an organization is doing business, while the applicability of the Massachusetts law is based on the residency associated with personal information.

In Nevada the law applies to "business[es] in this State."  The Nevada Supreme Court considers the following factors to determine whether a company is "doing business" in the State:  (1)  the nature of the company's business functions in the forum state, and (2) the quantity of business conducted in the forum state.  Clearly companies with an actual presence in Nevada may be subject to the law.  In addition, although applicable in a slightly different context, companies operating a commercial or interactive website may be considered to be "doing business" in Nevada.[4] Significantly, the term "customer" is not defined and the law does not appear to be limited to personal information of Nevada residents.

In Massachusetts, the applicability of the encryption mandate centers around the residency of the individuals whose personal information an organization possesses.  The physical presence or extent of business activities within Massachusetts does not matter.  Rather, mandated encryption is required if a company "owns, licenses, stores or maintains personal information about a resident of the [Massachusetts] and electronically stores or transmits such information."

2.   What Data Must Be Encrypted?

The Nevada and Massachusetts's laws both define "personal information" in a similar manner.  Under both laws is that a combination of information must be present to be considered "personal information."  In particular, both laws require an individual's first name or first initial and last name, in combination with sensitive data elements such as social security numbers, driver's license numbers or financial account numbers[5].

However, Massachusetts's law is broader in scope than Nevada's because it applies to any resident of Massachusetts (which would include employees, for example) while Nevada only applies to "customers" (undefined term under the law) of the company.  In addition, the Massachusetts laws is broader concerning encryption over wireless networks - it mandates that all data (not just personal information) be encrypted if it is to be transmitted wirelessly.

3.  When and Where Must Personal Information Be Encrypted?

The Nevada and Massachusetts's laws differ on when and where personal information must be encrypted.  In general, Nevada's law requires encryption of personal information while in transmission, while Massachusetts mandates encryption during transmission and in storage on laptops and portable devices.

a.  Nevada

Under Nevada's law, transfers of personal information through an electronic transmission outside of the secure system of the business are prohibited unless encrypted to ensure the security of electronic transmission.  As such, the law does not appear to require encryption of "hard" documents (e.g. paper).  Nor does it appear to require encryption of personal information while just stored on a company's systems, laptops or other portable storage devices.  While more research would be required, it also appears that no encryption would be necessary for the physical transfer of personal information stored on storage media at rest (e.g. back up tapes sent via courier to an offsite warehouse);  such a transfer would not appear to constitute an "electronic transmission."  However, the scope of "electronic transmission" is still unclear. Some commentators, for example, have questioned whether phone calls discussing personal information (especially VOIP-based calls) would need to be encrypted.

Nevada's law excludes electronic transmission in the form facsimiles.  The scope of this exclusion depends on how "facsimile" is defined.  Obviously then the law would not apply to "traditional" fax transmissions.  However, it is not certain whether the exclusion includes fax services provided over email.  Moreover, if facsimile is defined in its broader sense as "an exact copy" encryption may not be required for the emailing of a facsimile with personal information created using a scanner (e.g. creating ..jpg file via scanner) or a copy of an electronic file (e.g. a .pdf file) containing personal information. More research, however, is necessary to clarify the meaning of facsimile in this context.

Nevada's law also does not apply to electronic transmissions "outside of the secure system of the business."  It appears that the intent in this case was to exclude mandatory encryption for internal electronic transmissions within an organization.  Again, however, some ambiguities exist.  If a business's internal communications require personal information to be transmitted over any public network (and therefore outside of the "secure system of the business") then those internal communications will likely need to be encrypted (at least while traveling over any public networks).  In addition, it is not entirely clear whether internal wireless networks within an organization fall outside of the secure system of the business, or how much or what security constitutes a secure system.  In addition, the need to encrypt personal information may be contingent on how the business is defined and how its systems are secured.  For example, transfer of personal information between a parent and subsidiary may need to be encrypted if transferred outside of the parent's "secured system" to the subsidiary "secure system" to the extent they are distinct.

Similarly, employees working from remote laptops or home computers that access personal information may trigger encryption requirements.  Companies that rely on outsourcers and third party service providers will also likely have to encrypt personal information as well.  However, if proper security is established during the transmission (such as a secured virtual private network or other secure transmission lines), perhaps transmissions to third parties and outsourcers could be argued to be within the secure system of the business.

b.   Massachusetts

Under Massachusetts's encryption law, the following elements must be included in an organization's security program:

(a)    to the extent technically feasible, transmitted records and files containing personal information that will travel across public networks must be encrypted;

(b)   to the extent technically feasible, all data to be transmitted wirelessly must be encrypted; and

(c)    personal information stored on laptops or other portable devices must be encrypted.

There are several factors to consider concerning when and where personal information and other data must be encrypted.

Foremost, with respect to transmission of personal data, encryption is required only if "technically feasible."  This term is not defined in the regulations itself, and it is unclear how it would be applied.  Using the plain meaning of the word from Webster's, "feasible" means:  "capable of being done or carried out."   There are multitudes of encryption solutions that likely could achieve the goals of this law if implemented, and in general organizations are capable of implementing them if they have the right amount of time and resources.  Since "anything is possible", to construe feasible in this context as essentially meaning "not impossible" may strip away any meaning behind the phrase "technically feasible."

Another possible interpretation may be that encryption is required if technically feasible given the company's current business structure and goals, and/or technical infrastructure and capabilities.  Under this position, it could be argued that encryption is it not "technically feasible" if a company has to completely overhaul or replace major portions of its information technology systems or if encryption and decryption degrades system performance to the financial determinant of the company.  Significantly, while section 17.03 of the law makes allowances for the size and resources of the company, there are no such considerations tied to the duties in section 17.04, which set the mandatory encryption duties.  As such it is unclear whether the impact on a company's business structure and overall goals can be considered in assessing whether encryption of transmitted personal information is technically feasible.

Feasibility may also be dependent on whether the recipients of the encrypted personal information transmitted by the organization have the ability to implement the technology needed for encryption.  While some partners may be set up to work with common encryption methodologies, other less sophisticated outsourcers, service providers or third parties may not have such resources or capabilities.  It is unclear unfortunately, whether "technically feasible" refers solely to the company's computing environment or whether the concept of feasibility extends to third party relationships.  In all, companies relying on the technical feasibility exception should be very careful in analyzing and justifying its applicability.

The Massachusetts law requires encryption for all personal information traveling over public networks.  This would appear to include inter-company data, data sent to service providers and data flowing to employees working at remote locations if any of it goes over the Internet.  In addition, the law appears to require encryption of all wireless data (above and beyond personal information) traveling wirelessly, whether or not it travels on a public network.  As such all data transmitted on any purely internal wireless networks must be encrypted.

Finally, this law goes beyond the Nevada law and requires encryption of personal data stored on laptops or other portable devices.  There is no definition of portable devices, but this is likely to include thumb drives, floppy disks, PDAs and CD-ROMs.  It may also include, for example, back-up tapes intended for storage.  Significantly, there is no "technically feasible" exception for this requirement.

4.   What is the Standard for Encryption?

Although definitions may vary, a general definition of encryption is as follows:

Encryption is the process of transforming information (referred to as plaintext) using an algorithm (called cipher) to make it unreadable to anyone except those possessing special knowledge, usually referred to as a key[6].

While the intent of encryption is to render information unreadable except for the intended recipient, in reality the effectiveness of encryption depends on the methods, standards and practices used.  For example, security professionals use the term "strong encryption" to refer the strength the algorithm used to render information unreadable.  For example, using a 128-bit key to encrypt information generally provides more protection than a 56-bit key (a 128-bit Advanced Encryption Standard [AES] key can have more than 300,000,000,000,000,000,000,000,000,000,000,000 key combinations).  The efficacy of encryption also depends on how an organization manages the keys used to decrypt encrypted information.  For example, while it might take literally billions of billions of years to decrypt a strongly encrypted message by brute force, it would take minutes to do so if a company's employee left the decryption key or passphrase exposed on his laptop and a hacker was able to steal it.

One of the most challenging aspects of the Nevada and Massachusetts laws is to determine whether an organization meets the definition and standard (if any)  for encryption set by these statutes, and whether the laws require any minimum standards for encryption.

a.  Nevada

The Nevada encryption law defines encryption much broader than traditional definitions.  Under the Nevada law encryption is defined as:

the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to: 1.  prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;  2.  cause or make any data, information, image, program, signal or sound unintelligible or unusable; or 3. prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.[7]

Noticeably, the Nevada statute does not set any minimum standard or level of encryption.  Moreover, there is no specific requirement that the encryption method be reasonable, appropriate or consistent with industry standards.  As such, it appears that under Nevada law an organization might be technically compliant even if it uses an encryption algorithm or method that is known to be vulnerable.  For example, the Wired Equivalent Privacy (WEP) key encryption algorithm or method, used to encrypt data over many home and business WIFI networks, is now considered broken and information encrypted using it potentially vulnerable.  However, it appears that the use of WEP to encrypt an electronic transmission of personal information would still qualify as a "protective or disruptive measure" to "delay" access to such information under the Nevada law.  Moreover, issues like proper key management do not appear to factor into the question of compliance.

In fact, the definition of encryption in Nevada is broad enough to include other methods of protecting information which would not typically be considered "encryption" in the information security world.  For example, it appears that upon a literal reading of the statute, sending an unencrypted, but password protected spreadsheet with personal information may equate to "encryption" under the Nevada law - the password could be viewed as at least minimally "disrupting" to an unauthorized person gaining access to the data in the spreadsheet.

While the Nevada statute requires organizations to carefully consider whether they have any protection around the personal information they transfer through electronic transmissions, it does provide for some flexibility in achieving compliance.  Nonetheless, organizations should, if possible, regardless of the standard set by this law, endeavor to reach current industry standards for encryption because those standards are likely to be used in court if the organization is sued for negligent security.

b. Massachusetts

Although "encryption" is not defined under the Massachusetts law, "encrypted" is defined as:

the transformation of data through the use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key, unless further defined by regulation by the office of consumer affairs and business regulation.

(emphasis supplied)[8].  This definition is closer to a general definition of encryption but also appears to provide some flexibility.  However, in contrast to the Nevada law, the definition in this case appears to set a fairly high encryption standard without specifying exact encryption requirements.

The Massachusetts law makes reference to the use of an algorithmic process (e.g. cipher) to transform data into a form which meaning cannot be assigned without the use of a confidential process or key.  The standard set here depends on how a court interprets the term "cannot."    Theoretically, there is no encryption process or standard that renders data impossible to read - even strong encryption can be vulnerable.  A brute force attack for example (trying to decrypt a message by trying every possible combination of keys), does not technically require the use of a confidential process to decrypt a message.  If "cannot" means "impossible" in this context then it may also be impossible to comply with this law (at least on a theoretical level).

Significantly, the definition for encryption in Massachusetts's breach notice law may provide some guidance.  The breach notice law requires at least 128-bit encryption[9].  Moreover, rather than a "cannot" standard the breach notice law requires encryption render information in a "form in which there is a low probability of assigning meaning" to it.  However, it is unclear what impact the breach notice definition of encryption would have on the interpretation of the definition of encryption in the mandatory encryption standard.  On one hand, it could be argued that the 128-bit reference suggests a minimum for the mandatory encryption law.  The breach notice law might also suggest that encryption need not be impossible to crack for it to be adequate (e.g. low probability of assigning meaning).   On the other hand, since the drafters of the mandatory encryption law specifically refrained from adopting the 128-bit definition, it could be argued that their intent was to provide more flexibility and not set a minimum.  Regardless, it is unfortunate that Massachusetts's lawmakers could not decide on a single definition for encryption.  Nonetheless, a good argument could be made that utilizing "strong encryption" would satisfy the basic requirement of the statute.  However, if the "cannot" standard is viewed as being on the very highest end it is probable that "weak encryption" (e.g. encryption standards or techniques known to be insecure) would not satisfy the statute.  Under this statute, if encryption using an algorithmic process is to be utilized, organizations can play it safe by attempting to use strong encryption (and updating their systems when formerly strong encryption becomes weak over time).

The Massachusetts law also appears to build some flexibility into the definition of encryption with the reference to "an alternative method at least as secure" that can transform data into a meaningless form.  However, besides using an algorithmic process, it is unclear what other methods exist for transforming data in such a way.  It is possible that, like the Nevada law, a password protected spreadsheet might constitute such a method.  One could argue that without the password (e.g. a confidential process) meaning cannot be assigned to a password protected spreadsheet.  However, it is probable that this argument would fail because, even with password protection, the underlying data in the spreadsheet can be read if the password can be circumvented. This goes back to the original point, concerning how strictly the term "cannot" should be interpreted.

Conclusion

Nevada's and Massachusetts's mandatory encryption laws pose significant compliance challenges to organizations.  While they are isolated to each State on some level, organizations subject to either State's law, unless they can isolate their information technology system or data by State, may effectively have to encrypt all personal data they store and/or transmit.  In addition, the lack of uniformity between the laws may require compliance with the "highest common denominator" - the law that imposes the strictest requirements.  While encryption is a useful security technique, it is often very difficult to implement within an information technology system and in coordination with third parties.  Large organizations with complex network environments and numerous third party relationships may have to redefine their business processes and expend significant resources to achieve compliance.  Smaller organizations, despite potentially having less complex and more isolated computing environments, may have to expend significant monetary resources relative to their revenue base.  The ever-changing information security environment can also poses challenges as (formally) "strong encryption" techniques are broken, forcing organizations to change (e.g. WEP for wireless).  As with most information security legal compliance issues, organizations should convene multi-disciplinary teams (e.g. lawyers, security professionals and risk managers) to analyze compliance requirements, IT infrastructure and existing business processes, develop a plan to address these laws and implement and regularly review that plan.


[1] Nev. Rev. Stat. § 597.970.

[2] 201 CMR 17.00

[3] 201 CMR 17.04(3) and (5).

[4] See for example Rio Properties, Inc. v. Rio International Interlink, 284 F.3d 1007 (9th Cir. 2002)

[5] Nevada defines "personal information" as:

a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:  1.  social security number; 2.  driver's license number or identification card number. 3.  account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.  The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

Massachusetts's law defines "personal information" as:

a Massachusetts resident's first name and last name or first initial and last name in combination with any one or more of the following data elements that relate to such resident: (a)  Social Security number; (b)  driver's license number or state-issued identification card number; or (c)  financial account number, or credit or debit card number, with or without any required security code, access code, personal identification number or password, that would permit access to a resident's financial account; provided, however, that "Personal information" shall not include information that is lawfully obtained from publicly available information, or from federal, state or local government records lawfully made available to the general public.

[6] http://en.wikipedia.org/wiki/Encryption

[7] Nev. Rev. Stat. § 205.4272.

[8] 201 CMR 17.02

[9] MASS. GEN. LAWS 93H § 1 defines "encrypted'' as:

transformation of data through the use of a 128-bit or higher algorithmic process into a form in which there is a low probability of assigning meaning without use of a confidential process or key, unless further defined by regulation of the department of consumer affairs and business regulation.