AlertBoot offers a cloud-based full disk encryption and mobile device security service for companies of any size who want a scalable and easy-to-deploy solution. Centrally managed through a web based console, AlertBoot offers mobile device management, mobile antivirus, remote wipe & lock, device auditing, USB drive and hard disk encryption managed services.
AlertBoot Endpoint Security

Data Encryption Software: Nevada Non-Profits Not Required To Comply With NRS 603A? Of Course They Are Required To!

I heard a very disturbing assertion yesterday.  Apparently, some time ago, an offer was made by yours truly's company, AlertBoot: a non-profit in Nevada was presented with free deployment of our disk encryption program.  The offer was turned down, and we were told that they didn't need it because non-profits don't need to comply with NRS 603A -- i.e., what's called by many the Nevada Data Breach Notification Law.

When I heard of this, I responded with a "uhh....that doesn't sound right."  After all, if a bank has my SSN and a non-profit also has my SSN...well, it's the same SSN.  How is the breach of my info from one organization less risky than from the other one?  If anything, I'd say that a breach from a non-profit is riskier because, if someone stole something from a non-profit, I have to assume this person has even less moral fiber than your average thief.

Anyhow, I did some searching on-line, and I can see why people would make that mistake regarding non-profits.  But things clear up quite nicely once you read the actual law.  That notwithstanding, in the course of my research I ran across this, and thought it might be a good idea to throw it in here:

Disclaimer: The below codes may not be the most recent version. Nevada may have more current or accurate information. We make no warranties or guarantees about the accuracy, completeness, or adequacy of the information contained on this site or the information linked to on the state site. Please check official sources.

Nevada Businesses Need to Use Encryption!  Erm, Not Quite

A couple of things must be cleared up before we go on.  Many articles on-line claim that NRS 603A (and its flawed, since-replaced predecessor NRS 597.970) requires encryption of all customer data.  There are several things wrong with that statement, and it doesn't take a lawyer to figure them out.  For example, I'm not a lawyer, and I see them (which also means that the following is not legal advice, etc.).

First off, reading NRS 603A shows that the use of encryption software is only required in three situations:

  • Credit card payment information (i.e., adherence to PCI DSS).
  • Personal information that is sent electronically via a non-voice medium, except for faxes (in other words, if you rattle off someone's SSN over the phone to the wrong person or send it via fax, the encryption requirement doesn't apply, and technically that's not a breach per NRS 603A, which only covers computerized data).
  • Personal information in electronic format that is moved "beyond the logical or physical controls of the data collector or its data storage contractor."  That's an actual quote from the law books.  In other words, if you store personal data on a laptop that's glued to your store's counter, you don't need to use encryption.

Notice, by the way, the use of "data collector."  We'll come back to that later.

My point here is: a business does not necessarily need to use encryption.  For example, if all of your customer info is written down in a notebook -- and hence is not computerized / electronic data -- there's no need to encrypt.

Also, the implication seems to be that you don't need to encrypt electronic data on your computer as long as it's never taken out of your business venue in any way whatsoever.  I guess the assumption is that it will always be safe within your business (a lame assumption: insider data breaches are the fastest growing type of information theft in the US).

(As a non-lawyer, I don't know what happens if, under bullet #3, an unencrypted laptop -- never meant to go beyond the data collector's (i.e., your) control -- gets stolen by a thief.  I'd assume, based on the purpose of the law, that it would be labeled a data breach: the laptop has certainly moved beyond your physical controls, and the computerized data on it has been acquired without authorization.)

A second point of confusion: people think the law is about encrypting customer data.  It's not.  It's about personal information, which is defined as follows:

NRS 603A.040  "Personal information" defined.  "Personal information" means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

  1. Social security number.
  2. Driver’s license number or identification card number.
  3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

Whether that information belongs to your customer, your employees, your contractors and other outside parties...none of that matters.  Did you lose a flash drive containing the unencrypted names and SSNs of the janitors that clean your business's bathrooms?  Well, those janitors are not customers, but you're in breach of NRS 603A.

Another point of confusion: the belief that only businesses need to encrypt.  This brings us back to whether non-profits -- which are not classified as businesses in Nevada (see NRS 76.020, the definition of "business" in the State of Nevada) -- need to comply with NRS 603A.

Well, it's a matter of following the trail:

NRS 603A.020  "Breach of the security of the system data" defined.  "Breach of the security of the system data" means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector.

Data collector!  There it is again!  What is a data collector?

NRS 603A.030  "Data collector" defined.  "Data collector" means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.

So, it looks like businesses are definitely covered under the law.  But what about non-profits?  There is no direct mention of non-profits in the definition of a data collector.  However, a governmental agency is definitely not a business; it's arguably a "non-profit," your stance on taxes notwithstanding.  Also, institutions of higher education are largely set up as non-profit organizations.

So, why are some non-profits included but not all?

A Non-Profit Corporation in Nevada is Still a Corporation

Ah, but all non-profits are included.  Under NRS 82.016, a corporation is defined as:

NRS 82.016  "Corporation" defined.  Unless the context otherwise requires, "corporation" means a corporation organized or governed by this chapter.

Chapter 82 governs -- wait for it -- Nonprofit Corporations.

There you have it: a non-profit is a corporation, which can be a data collector, which is required to follow NRS 603A.  (And a non-profit that never incorporated still falls under "any other type of business entity or association" in the data collector definition quoted above.)  I say "can be a data collector" because if you don't collect personal information or save it in electronic / computerized format, you don't have to comply.  Of course, this is true for for-profit organizations as well, which just reinforces the fact that, when it comes to data breaches, a non-profit is held as accountable as any regular company.

As I alluded to at the beginning: data is data, and a breach is a breach.  Why would a non-profit not need to comply with the personal information security law?  I mean, what's next, you run over someone by accident in the company car and argue that you shouldn't face manslaughter charges because you're a non-profit?


About sang_lee

Sang Lee is a Senior Account Manager and Security Analyst with AlertBoot, Inc., the leading provider of managed endpoint security services, based in Las Vegas, NV. Mr. Lee helps with the deployment and ongoing support of the AlertBoot disk encryption managed service. Prior to working at AlertBoot, Mr. Lee served in the South Korean Navy. He holds both a B.S. and an M.S. from Tufts University in Medford, Massachusetts, U.S.A.