Simon Says – Musings of a Technology CTO

This week Linda McGlasson talked on BankInfo security about some changes to Nevada’s data protection stance. Nevada’s laws are no less complex than other states, but interestingly they have a few which, when combined, give a tighter than usual position.

The interesting bills are CHAPTER 603A – SECURITY OF PERSONAL INFORMATION, which deals with the regulations of Business Practices. This law puts the state teeth behind the PCI regulations, enforcing things which the payment card industry require as part of PCI compliance with state-driven criminal and financial penalties.

Though PCI is well established, the only teeth it has is the removal of a merchants ability to process credit cards. This could of course be quite devastating for a company relying on credit card transactions for revenue, but adding the weight of Nevada behind it will obviously force merchants to take PCI compliance seriously.

SB603A interestingly mentions the concept of “encryption” in two places:

NRS 603A.040 “Personal information” defined. “Personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

NRS 1.  Any data collector that owns or licenses computerized data which includes personal information shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.

To find out what this means, we need to pay attention to the Nevada Statute, in particular, CHAPTER 205 – CRIMES AGAINST PROPERTY. The appropriate section is:

NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1.  Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2.  Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3.  Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

(Added to NRS by 1999, 2704)

You can see this is a pretty general definition, and has no measure of “difficulty” associated with it.

(The Nevada State also specifically mentions that the use of encryption to facilitate, or aid in a criminal office is at a minimum  gross misdemeanour – NRS 205.486)

The final interesting bill is SB227 of March 13th 2009, which deals with the problem of identity theft in general, again “requiring the use of encryption”. It also insists that encryption is used:

(a) Transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission;
or
(b) Move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.

SB227 of course applies to any electronic transfer of personal information, that includes email, IM, USB sticks, removable hard disks, phones, cameras, iPods, CD/DVD’s etc – anything at all. To send an email with one persons name and address, unencrypted, is an illegal act IF that email travels outside the “secure system” of the data collector – so no emailing PII to customers, business partners, or your home machine any more. To add a final twist, SB227 also defines the concept of encryption, in a much more detailed way than NRS 205 –

(b) “Encryption” means the protection of data in electronic or optical form, in storage or in transit, using:

(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data;
and
(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.

So, a lot of convoluted legislation which, combined summarizes to some interesting and useful points:

• To handle credit card transactions in a manner incompatible with PCI is against Chapter 603A
• To loose unencrypted PII is against SB227
• Encryption is defined generally in NRS 205.4742, and more specifically in SB227, which interpretation you use outside of SB227 is unclear.
• When transferring PII outside your control, you MUST use encryption as defined in SB227