SB 227 was signed into law by Governor Gibbons and goes into effect in January 2010. Simply stated, the law requires data collectors (companies and government entities alike) who accept credit cards for payment of goods and services to be compliant with PCI-DSS. In addition, it requires that personally identifiable information be encrypted when transmitted electronically (except by fax over POTS) and when stored on devices that leave the physical control of the organization's facilities. This includes laptops, thumb drives, CDs/DVDs, etc.
The good:
The intent is clearly to protect personally identifiable information. Taking steps to encrypt personal information in transit and on devices that leave the facility is a good thing. The legislation also defines encryption as a technology that has been adopted by an established standards-setting body. Previously, the legislation just said "encryption," so I suppose someone could have used a Caesar cipher and called it good. This enhancement goes a long way: standards change over time, and tying the definition to a standards body keeps the requirement current without having to revisit the legislation later.
Another good thing is that the law also requires the protection of cryptographic keys, which makes sense; encrypting data and then leaving the keys unprotected defeats the purpose. It also protects telecommunication providers who serve only to provide the network conduit.
The bad:
The inclusion of PCI compliance in subsection 1 was ultimately a bad amendment to this piece of legislation. It's not that I think PCI is a bad thing; I think it's great. The problem is that it is already an industry standard with its own economic incentive to comply: the loss of credit card processing capability for a business. While there are a number of really good controls associated with PCI, they apply to cardholder data and don't apply to other sensitive data elements. I'm not a big fan of "spot" security, and writing one industry's standard into law is an exercise in applying buzzwords.
The big problem I have with this legislation is the "or" between subsections 1 and 2. The PCI component was just tacked onto the top as an amendment and created a loophole in the law, in my own, completely non-lawyerly opinion. If you're PCI compliant, then subsection 2 does not apply, because the law says that subsection 2 (encryption) applies only to data collectors that are not covered by subsection 1 (PCI).
Keep that in mind and consider this scenario. A company collects credit cards but segments its credit card devices, applications and storage away from the rest of the company network. This PCI network complies with PCI-DSS. The other network contains HR data, payroll data and the like, and the company doesn't have particularly good controls in place for those areas. The question is: does the company still enjoy safe harbor under the law because it is PCI compliant? By the letter, yes; by the spirit, no.
Conclusion:
Certainly the intent was to have organizations be responsible with personally identifiable information. In fact, I think that if companies don't apply sound security safeguards and controls to all of their PII, then they are negligent and safe harbor shouldn't apply at all. However, it sure would be nice if the legislature would turn the "or" into an "and." Maybe at the next legislative session.
Whether granting safe harbor to any organization is a good thing or not is another argument altogether, but ultimately this is likely to become a trend across all states and may be just the beginning of greater legislative security obligations. Protecting sensitive data is never a bad thing. The big takeaway here is that organizations have an obligation to protect the personal information they are entrusted with, and those efforts should be taken seriously.