The Massachusetts and Nevada Models
Brace yourself for the countless retrospectives to appear in the coming months, touting 2008 as an eventful year for so many reasons: an historic presidential election, a meltdown in the financial and real estate industry and resulting economic maelstrom, Michael Phelps winning a record-breaking eight gold medals in the Beijing Olympics – the list goes on.
One notable characteristic of 2008 that may go unnoticed by the mainstream commentators, but is no less remarkable, is the continuing wave of consumer protection legislation enacted by state legislatures in the wake of spiraling incidents of identity theft. In addition, an otherwise lethargic Congress has managed to enact a cybercrime law, signed by President Bush in early October, called The Identity Theft Enforcement and Restitution Act of 2008. This law makes it easier for prosecutors to bring hacking and other cybercrime charges against an individual, eliminating the minimum $5,000 in damages requirement. It also makes it a felony, during any one-year period, to damage ten or more government or financial institution computers, and directs the U.S. Sentencing Commission to consider increasing its penalty guidelines for those convicted of identity theft, computer fraud, illegal wiretapping or breaking into computer systems. Combined with the issuance early in 2008 of the FTC’s Identity Theft Red Flag Guidelines, these new legislative and regulatory initiatives are designed to combat what has become a crime wave of increasing dimensions.
The proactive trend of the state legislatures began several years ago with California’s data security breach notification and security freeze laws, resulting in 44 states and the District of Columbia enacting the same or similar laws. The momentum has continued with many states strengthening identity theft laws concerning the protection from the public of social security numbers and personal information from credit cards. Massachusetts has moved in another new direction with a law that will become effective on May 1, 2009. The law was an addition to Massachusetts Laws Chapter on Security Breaches, and was as expanded upon by administrative regulations. It applies to anyone who owns, stores or maintains the personal data about a resident of Massachusetts. The data that is stored electronically must be encrypted before it is transmitted over a public network or transmitted wirelessly, especially on portable devices such as laptop computers and Blackberries, as well as other portable devices such as flashdrives, cellphones and CDs. For this reason, according to some commentators, the law is a little ahead of its time, since the technology for encryption of portable devices is just starting to be developed.
In addition to the computer system security requirements, the law imposes a duty to protect and standards for protecting personal information. Its requirements are similar to the federal Identity Theft Red Flag Guidelines requirements, effectively extending the federal regulations’ applicability well beyond the original class of “creditors,” as defined in the Guidelines, to all types of businesses. It requires the development and maintenance of a comprehensive, written information security program, that includes the designation of an employee responsible for the program, identifying foreseeable risks, ongoing employee training, employee compliance with policies and procedures, and processes for detecting and preventing security system failures. It requires disciplinary measures be imposed for violations of the program rules, the prevention of terminated employees from accessing records, and the taking of reasonable steps to verify that third-party service providers have the capacity to protect the personal data. It imposes data collection and retention standards and requires access be limited to those persons reasonably required to know, as well as restrictions on physical access.
Nevada has also enacted a similar law that went into effect October 1, 2008. NRS 597.970 takes a different approach than Massachusetts to applicability, so that it only applies to businesses operating or “doing business in” the state of Nevada, without regard to where their customers reside. It imposes an encryption requirement as well, by simply stating that businesses in the state of Nevada “shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” Of course, as with the Massachusetts law, the devil is in the details. The Nevada law defines “encryption” broadly to mean the use of any protective or disruptive measure (including cryptography, enciphering, encoding or a computer contaminant) to prevent or disrupt access to, or the normal operation of, any device, system or network, or to cause such data to be unintelligible or unusable. The definition raises more questions than it answers. While the definition of “personal information” is similar to that found in many data security laws, the questions of who is a customer and what constitutes “doing business” in Nevada have no clear answers. It could arguably apply to businesses with no physical presence in the state of Nevada, but which do business through an internet website.
The Massachusetts law is enforceable only by the Massachusetts Attorney General. However, the Nevada law does not limit enforcement to its attorney general, nor does it contain any specific penalty provisions, so that the potential for a private lawsuit (including a class action suit) exists with no limit on damages. Companies operating nationally should consider whether their existing policies and procedures regarding the transmission of personal data meet the encryption and other requirements of these laws.
Whether the Massachusetts and Nevada laws forecast a trend or whether they are isolated anomalies remains to be seen. But if recent experience with state enactment of security breach notification and security freeze statutes is any gauge, these two laws may very well signal the beginning of the next wave of state law initiatives designed to combat the growing phenomenon of identity theft.