Some State Data Encryption Requirements More Effective than Others
Posted by Randy Gainer
State and federal laws encourage businesses to encrypt consumers’ computerized personal information. Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted. The Federal Trade Commission encourages, but does not mandate, that consumers’ personal data be encrypted. See Protecting Personal Information, A Guide for Businesses.
Nevada enacted a statute that goes further and affirmatively requires businesses to encrypt certain consumer data. Washington and Michigan are currently considering legislation that would also require consumer data to be encrypted. The Nevada statute and the pending Washington and Michigan bills contain different encryption requirements. Of the various measures, the proposed Michigan bill and the Washington Senate bill would most effectively protect consumer data if they are enacted.
The Nevada statute, NRS 597.970 (effective October 1, 2008), requires each business in Nevada to encrypt customers’ personal information when it is transmitted outside the business’s secure network. See Charlene Brownlee, “Nevada passes first law requiring business to encrypt customer personal information during transmission” (October 19, 2007). The Nevada statute does not require businesses to encrypt consumers’ personal information while it is being stored on the businesses’ servers, laptops, or backup tapes. It is much more likely, however, that thieves will steal, and businesses will lose, large amounts of stored consumer data than that data in transit will be stolen or lost. For that reason, the overwhelming majority of reports of stolen and lost consumer data relate to stored data, not data in transit. See, e.g., Chronology of Data Breaches. The limited data-in-transit encryption mandate in the Nevada statute will therefore do little to stem the tide of stolen and lost consumer data.
Unlike the Nevada statute, Michigan Senate Bill No. 1022 would require businesses to encrypt stored consumer data. The Michigan bill would, among other things, amend the state’s “Identity Theft Protection Act,” MCL 445.71-.72, by prohibiting the following conduct:
(e) If the person collects personal identifying information in the regular course of business and stores that information in a computerized database, failing or neglecting to store that information in the database in an encrypted form, in conformity with current industry-standard encryption methods and capabilities.
This prohibition would make it unlawful to fail to encrypt consumers’ personal information stored in digital form and to fail to use “industry-standard encryption methods and capabilities.” The latter prohibition should prevent businesses from deploying out-of-date encryption programs and from using deficient encryption procedures. It is important that businesses be required not only to encrypt stored data but to do so competently. See, e.g., Mike Chapple, “Lessons Learned from TJX: Best Practices for Enterprise Wireless Encryption” (December 19, 2007) (reporting that the theft of payment card data at TJX has been linked to the company’s use of the flawed WEP encryption protocol and to other errors).
The proposed Michigan statute also includes, at section 16, authorization for financial institutions to bring civil actions for card replacement and other costs against persons who maintain computerized databases that contain personal information if a security breach of the database occurs. Section 16 of the Michigan bill is similar to Minn. Stat. 365E.64, which was adopted last year. See Randy Gainer, “State Laws to Shift Some Data Breach Costs to Businesses with Weak Security” (May 25, 2007).
Two bills pending in the Washington State legislature, Substitute House Bill 2838 and Senate Bill 6425, would also authorize financial institutions to recover such costs from persons who must disclose data breaches. See section 1 of Sub. HB 2838 and section 6 of SB 6425.
Section 4 of pending Washington SB 6425 would also require businesses that collect or store computerized personal information in connection with payment cards to “comply with payment card industry data security standards established by the PCI security standards council.” Requirement 3.4 of the current version of the PCI Data Security Standard (PCI DSS) mandates that the primary account number of payment cards must be protected while in storage by encryption, hash indexes, truncation, or index tokens and pads. Requirement 4 of the PCI DSS mandates that card information be encrypted when it is transmitted over easily accessible networks. Proposed Washington SB 6425 would, therefore, effectively require encryption for payment card data in transit and require either encryption or other data-masking measures for payment card primary account numbers while they are in storage.
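To make Requirement 3.4 concrete, the following is an added illustration (not part of the original post, and not PCI SSC code) of two of the storage protections it names, truncation and a keyed hash index, together with a simple audit check that flags records still holding a plaintext PAN. The key, the record format and the sample records are constructed for the example.

```python
import hashlib
import hmac
import re

# Constructed demo key; a real deployment would draw this from a key-management system.
HASH_KEY = b"constructed-demo-key-not-for-production"


def luhn_valid(pan: str) -> bool:
    """Luhn checksum: distinguishes a real card number from an arbitrary digit run."""
    total = 0
    for i, ch in enumerate(reversed(pan)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 9 // 1 and d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def truncate_pan(pan: str) -> str:
    """Truncation: retain at most the first six and last four digits, mask the rest."""
    return pan[:6] + "*" * (len(pan) - 10) + pan[-4:]


def hash_pan(pan: str, key: bytes = HASH_KEY) -> str:
    """Hash index: keyed HMAC-SHA256. An unkeyed hash of a PAN is weak because the
    space of valid card numbers is small enough to enumerate; the key prevents that."""
    return hmac.new(key, pan.encode(), hashlib.sha256).hexdigest()


_DIGIT_RUN = re.compile(r"\b\d{13,19}\b")


def find_unprotected_pans(records):
    """Audit helper: indexes of records containing a Luhn-valid 13-19 digit run,
    i.e. a PAN stored without encryption, hashing, truncation or tokenization."""
    return [i for i, rec in enumerate(records)
            if any(luhn_valid(m) for m in _DIGIT_RUN.findall(rec))]


# Constructed sample database rows (4111111111111111 is a well-known test PAN).
SAMPLE_RECORDS = [
    "cust=1001 pan=4111111111111111 exp=12/09",      # plaintext PAN: non-compliant
    "cust=1002 pan=" + truncate_pan("4111111111111111"),
    "cust=1003 order=1234567890123",                 # digit run that fails Luhn
]

if __name__ == "__main__":
    print("non-compliant rows:", find_unprotected_pans(SAMPLE_RECORDS))  # [0]
```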
If enacted, Michigan SB 1022 and Washington SB 6425 will require businesses that collect digital personal information to take effective steps to protect the information. While the PCI DSS already requires such measures for payment card data, both bills would enact the requirements into law and the Michigan bill would extend such protections to all digital personal information.