Schiff Hardin LLP November 13, 2008


Intellectual Property Update

PRIVACY ALERT - ENCRYPTION AND INFORMATION SECURITY

States are tightening laws regarding protection for the personal information of their residents. A new Nevada law (Nev. Rev. Stat. § 597.970, effective October 1, 2008) and even newer regulations in Massachusetts (201 CMR 17.00, effective January 1, 2009) impose requirements on businesses to encrypt "personal information" in their possession. These legal requirements are applicable to businesses that are not domiciled in these states but that do business in them. This Alert provides a brief summary of some aspects of these requirements.

The Nevada Law

The Nevada law is short and, at least by comparison to the Massachusetts regulations, relatively limited in its scope. The law states that:

A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

The term "personal information" is generally defined as a person's name combined with a Social Security number, driver's license number, or financial account number. The term "encryption" is defined as "the use of any protective or disruptive measure . . . to [p]revent, impede, delay or disrupt access to any data . . . " and is so broad that it could arguably include minimal security measures such as password protection. The statute does not require particular encryption techniques or key strengths but, in view of the requirement in the statute that encryption be used "to ensure the security of electronic transmission," we expect that a business would have difficulty in arguing that it had complied with the statute if it used a weak, easily-cracked encryption technique.

The Massachusetts Regulations

Although the definition of the term "personal information" in the Massachusetts regulations is essentially the same as the definition in the Nevada law, the Massachusetts regulations are much longer, much more specific, and much more far-reaching than the Nevada law. Three respects in which the Massachusetts regulations are more demanding than the Nevada law are the following:

  1. The Massachusetts regulations require encryption of personal information that is stored on laptops and other "portable devices." In contrast, the Nevada law imposes encryption requirements only during "electronic transmission." The term "portable devices" is not expressly defined in the regulations, but in the context of the regulations we understand it to include virtually any storage media, such as compact discs, thumb/flash drives, PDAs and cell phones.

  2. The Massachusetts regulations require that each company develop a "comprehensive, written information security program" to safeguard records containing personal information of Massachusetts residents. The program must identify all forms, including electronic and paper, in which the company stores personal information. The program is required to include provisions with respect to (among other topics): collecting only the minimum personal information necessary, retaining that information only as long as necessary, limiting access to that information to those with a need to know, promptly deactivating a terminated employee's access to personal information, and obtaining contractual assurances from outside vendors that personal information will be adequately safeguarded (including a written certification that the vendor complies with the Massachusetts regulations). The regulations do mitigate the requirement for a "program" to some extent — but do not eliminate it — by providing that compliance will be evaluated taking into account the size and type of a business and its resources as well as the volume of personal information involved.

  3. The Massachusetts regulations apply to the personal information of any Massachusetts "resident," and this term is used in the regulations in a way that makes clear that it refers to "employees" as well as "customers" of businesses. This is in contrast to the Nevada law, which by its terms applies only to the personal information of "customers." This feature of the Massachusetts regulations, in and of itself, means that every company with one or more employees in Massachusetts needs to give thought to how it will comply with the regulations. This requirement, too, is probably mitigated for small businesses by the provision that says that compliance will be evaluated taking into account the size and type of a business and its resources as well as the volume of personal information involved.

Other Considerations

The Nevada law provides that it applies to "a business in this State." The Massachusetts regulations establish standards "to be met by persons who own, license, store or maintain personal information about a resident of the Commonwealth of Massachusetts." We understand both the Nevada law and the Massachusetts regulations as being intended to apply to businesses domiciled outside those two respective states.

Neither the Nevada law nor the Massachusetts regulations specifies the penalties for violations. Each would generally be enforced by the state's attorney general, and neither expressly provides that a violator would be subject to private lawsuits. Nonetheless, each arguably interacts with other applicable law to increase a company's exposure to private lawsuits if the company has failed to comply with the applicable encryption requirements and has been the victim of a theft of personal information.

Conclusion

Other states are already contemplating similar measures. Even if no other state adopts similar requirements — and that seems unlikely — it would be prudent to regard the Massachusetts regulations as establishing a de facto nationwide legal standard regarding the use of encryption and establishment of an information security policy. If your company has not already undertaken an evaluation of its information security and data-handling practices in light of these developments, now would be an excellent time to undertake such an evaluation.

ABOUT SCHIFF HARDIN LLP

Schiff Hardin LLP is a general practice law firm representing clients across the United States and around the world. We have approximately 400 attorneys in offices located in Atlanta, Boston, Chicago, Lake Forest, New York, San Francisco and Washington.

© 2008 Schiff Hardin LLP

This publication has been prepared for the general information of clients and friends of the firm. It is not intended to provide legal advice with respect to any specific matter. Under rules applicable to the professional conduct of attorneys in various jurisdictions, it may be considered advertising material.

For more information visit our Web site at www.schiffhardin.com.
