The newly enacted Senate Bill 227 offers businesses in Nevada that collect personal information a deal, and a unique deal at that. SB 227 was conceived by the Tech Crime Advisory Board, which I chair, and presented by Sen. Valerie Weiner, a member of the board.
The new law requires data collectors to encrypt personal information to recognized industry standards. In return, the state offers a safe harbor provision in state courts: no liability for a data breach, provided the personal information was appropriately encrypted.
Beginning five or six years ago, Nevada, along with some 44 other states, passed laws requiring companies to notify individuals potentially affected of the unauthorized release of their personal information so those individuals might take appropriate action to protect themselves from potential identity theft frauds. Millions of veterans received letters from the Veterans Administration; millions more were notified as a result of data breaches at TJX, ChoicePoint and BJ's Wholesale Club.
Unfortunately, breach notification laws are a little like locking the barn door after the horse has run away.
The laws have not stemmed the number of unwarranted exposures of personal information. In fact, the Identity Theft Resources Center reports 246 known data breaches since Jan. 1, 2009, compromising over 12 million known records.
Two states, Massachusetts and Nevada, are moving the country toward a more proactive data security path, laying out specific programs to protect personal information, whether it is in private hands or under the control of government agencies. Their approaches could not be more different.
The Massachusetts regime is characterized by detailed regulation and stiff criminal penalties.
No regulations are necessary to implement the new Nevada law resulting from SB 227. No criminal sanctions are involved. Instead, Nevada offers a deal both companies and government agencies are unlikely to refuse: encrypt personal data sent electronically and data residing on laptops outside your controlled premises, and you avoid liability if that encrypted data is lost or improperly accessed.
This "safe harbor" provision could have two additional consequences. Nevada courts may take the encryption requirement into account in determining what constitutes negligent conduct associated with data breaches. The statute sets out certain requirements for data protection, and courts may take the statute into account in determining what a reasonable data collector should do to protect personal information. Also, insurers of data collectors could modify their policy fee structure in light of the statute. A company that demonstrates compliance with the encryption requirement would pay less for an all hazards policy, since its liability exposure would be reduced by the "safe harbor" provision. This provides companies with a financial incentive to protect personal information.
Moreover, the Nevada law makes it relatively easy for small retail companies to comply. Any company that accepts credit or debit cards for payments is already required by its commercial contracts with Visa, MasterCard, American Express and Discover to comply with the Payment Card Industry data security standards. So, by doing what they have already committed to do, retailers whose only contact with personal information comes through money card processing should already be in compliance with the new Nevada law.
SB 227 is a fine example of Legislative and Executive Branch coordination during the 2009 Legislative session. In addition, the Tech Crime Advisory Board was guided by expert advice from the private sector both within Nevada and beyond our State borders.
As we continue to move increasingly toward electronic record keeping (think medical records that will allow any doctor or hospital to learn immediately of your past health and treatment history), we need to be increasingly more mindful of how to ensure personal information does not fall into criminal hands.
SB 227 represents increased security for Nevada citizens and their personal information by providing incentives to industry and government to implement the necessary safeguards to protect this data.
Catherine Cortez Masto is attorney general of Nevada.