Data Mobility Group, LLC - High Definition Analytics and Technology Market Insight

Massachusetts and Nevada data protection laws, and you

I’m all for data protection, and I believe we can all agree that the protection of personal information is extremely important. However, if our government wishes to enact laws to protect our data, then it should do a better job of crafting unambiguous wording. Ambiguity is an attorney’s best friend. With the number of attorneys-turned-legislators in government one would think they should know better.

I was inspired by a recent post on Stephen Foskett’s Enterprise Storage Strategies Blog titled “Massachusetts Says Encrypt It All!” Stephen raised an interesting issue about tape encryption in the context of MA and NV data protection laws. His post compelled me to take a closer look at the wording of the laws. For your reference, the laws are:

  • NRS 597.970: Restrictions on transfer of personal information through electronic transmission. [In effect since October 1, 2008]
  • NRS 603A: Security of Personal Information
  • 201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth [Effective January 1, 2010]

I began with a comment on Stephen’s blog:

“Stephen, I’ll suggest the same interpretation of Nevada’s law here that I used in a comment on Steve’s IT Rants.

Can an attorney successfully argue that tape is not ‘an electronic transmission…to a person outside of the secure system of the business’? In fact, the transportation of tape off-site is not electronic, it’s physical. The electronic transmission of the data to tape occurs before the tape leaves the facility. By the time it’s on tape, electronic transmission is no longer a factor. And if a fax – a combination of electronic and physical transmission – is permissible, then why not tape?

Mincing words, I know, but we all know that cases are won and lost in court based on wording and semantics. Legislators will need to be more clear about that.

Right now, it seems the wording is too vague. I suspect transporting a tape off-site would not break the law as it is now worded.”

Unlike Massachusetts law, in which the word “electronic” is defined as “relating to technology having electrical, digital, magnetic, wireless, optical, electromagnetic or similar capabilities” and “record” is defined as “any material upon which written, drawn, spoken, visual, or electromagnetic information or images are recorded or preserved, regardless of physical form or characteristics”, Nevada law offers no such definitions and leaves the door wide open for interpretation.

I continued reading the laws, and paused to write a few observations along the way:

  • Massachusetts legislators conveniently and hypocritically defined “person” in a way that exempts the State from its own data protection law. 201 CMR 17.00 defines “person” as “a natural person, corporation, association, partnership or other legal entity, other than an agency, executive office, department, board, commission, bureau, division or authority of the Commonwealth, or any of its branches, or any political subdivision thereof.” Shades of Sarbanes-Oxley and the federal government—do as I say, not as I do. Massachusetts business owners should be furious that the State is not prepared to shoulder the same burden. After all, what Massachusetts entity stores more private information on Commonwealth citizens than the State itself?
  • 201 CMR 17.03 states “Every person that owns, licenses, stores or maintains personal information about a resident of the Commonwealth shall develop, implement, maintain and monitor a comprehensive, written information security program applicable to any records containing such personal information.” As Steve Duplessie of ESG already pointed out, it remains to be seen if 201 CMR 17.00 can be enforced against out-of-state violators. I doubt it, but the threat alone will undoubtedly compel many out-of-state businesses to take action.
  • It also appears that the law may not be enforced consistently and equitably. 201 CMR 17.03 states “Whether the comprehensive information security program is in compliance with these regulations for the protection of personal information, shall be evaluated taking into account (i) the size, scope and type of business of the person obligated to safeguard the personal information under such comprehensive information security program, (ii) the amount of resources available to such person, (iii) the amount of stored data, and (iv) the need for security and confidentiality of both consumer and employee information.” Will this mean that a relatively small law firm or retail business will not be held to the same level of accountability as larger firms?
  • 201 CMR 17.03 (f): “Taking reasonable steps to verify that third-party service providers with access to personal information have the capacity to protect such personal information…Prior to permitting third-party service providers access to personal information, the person permitting such access shall obtain from the third-party service provider a written certification that such service provider has a written, comprehensive information security program that is in compliance with the provisions of these regulations.” Certified by whom? The service provider? The State?
  • 201 CMR 17.03 (h): “Inventorying paper, electronic and other records, computing systems, and storage media, including laptops and portable devices used to store personal information, to identify those records containing personal information.” I do not have to tell you how prohibitively expensive and time consuming it would be to inventory and identify every paper record that contains personal information within an organization. Fortunately, software applications do exist to aid electronic discovery. Unfortunately, most discovery tools cannot easily accommodate the data on tape backups. Do the legislators fully comprehend the impact of this requirement? I doubt it. Encrypting everything is not a solution.
  • 201 CMR 17.04 (1)(iii): “control of data security passwords to ensure that such passwords are kept at a location separate from that of the data to which such passwords permit access.” I believe a definition is needed for the word “location”. Without it, I can interpret this to mean that the passwords should not be stored electronically alongside the protected data. What about data on a remote server accessed via a desktop computer containing a local unprotected password file?

Data protection laws need to be crystal clear, practical and affordable. I’m pleased with the spirit of the MA and NV data protection laws; however, state legislators must tighten the language and re-evaluate their expectations. As long as they remain poorly defined and impractical, the laws are ripe for abuse and misinterpretation.

What do you think of the laws and the impact on your business? Join one of the conversations at Steve’s IT Rants or Enterprise Storage Strategies.

One Response to “Massachusetts and Nevada data protection laws, and you”

  1. How to Comply with Data Encryption Laws - Enterprise Storage Strategies Says:

    […] That post generated lots of discussion, including thoughtful responses from Steve Duplessie and Joseph Martins, and I urge you to read those as […]


  © 2002-2009 Data Mobility Group, LLC. All Rights Reserved.