New state laws affect encryption practices

Nevada and Massachusetts have been in the process of enacting new state laws that target businesses and individuals who own, license, store, or maintain Personally Identifable Information (PII) about a state resident. Many other states already have these guidelines in place. Personally Identifiable Information (PII) is defined as a combination of the persons name and another unique identifier such as SS#, drivers license, or financial account number.

In Nevada, S.B 347 went into effect on October 1, 2008. This law specifically prohibits businesses in Nevada from transferring personal information through electronic transmission unless it is encrypted. This regulation even affects those companies that do business in Nevada but are headquartered elsewhere.

In Massachusetts, 201 CMR 17 is set to go into effect on May 1st, 2009. The law was initially set to go live on January 1, 2008, but has been extended to May in light of the economic crisis. This law is somewhat broader than Nevada in that it requires that any resident PII stored in laptops or removable storage devices be encrypted in addition to information transmitted over network and wireless connections. It also requires organizations to develop a security program, use updated firewall systems, enforce limits on the amount and length of time PII is retained, and allow access to sensitive PII only as necessary to perform job responsibilities. Even more detailed requirements include a need for documented security policies, prevention of terminated employees from gaining access to PII, and audit trails of employee access to PII.

Although penalties for non-compliance are not specified in either case, non-compliance may expose the business or individual if any legal action is taken subsequent to a data breach for failing to provide a minimum level of security. We recommend that companies review their security procedures in light of these new requirements and take action, if needed. For those companies in less regulated industries, a full risk assessment may be appropriate if you are moving into unchartered waters about what technology options are available to reduce exposure.

Much of the debate has been whether to apply encryption at the infrastructure layer using disk or email encryption or to implement it at a finer grain. Technology such as Adobe LiveCycle Rights Management ES or client based protection embedded in Adobe Acrobat provides this finer grain of protection aimed at protecting only the information assets considered most senstitive (such as PII). I believe each approach has it’s merit under certain circumstances, but Livecycle Rights Management and Acrobat each provide the added benefit of security that travels with the information itself.

As an example, using RIghts Management, if sensititve PII is located on a disk or removable media device and then gets transmitted over a network, it remains protected persistently throught the process. Using encryption at the infrastructure layer involves greater coordination, more layers and resources, and a higher risk of failure if not implemented properly.

Also, when considering some of the detailed requirements of the Mass regulations (along with similar requirements in other states) regarding terminated employees, RIghts Management allows an organization to revoke access to PII once that person is no longer employed. It also provides a complete audit trail of what user actions were taken on a particular document that contained PII and can help map your governance objectives to actionable, enforceable security policies. Furthermore, wIthin Content Management systems, it has the capability to create workflows that dictate when PII should be sent off to archive or even deleted.

Definitely explore all your options as you move towards improving your compliance posture with these new regulations, but do consider the advantages of a strategic strike versus a blanket approach to encryption.