Trusttone

Summary of Nevada Personal Information Law
2009.12.05 00:35:32 Rajesh Kanungo

Introduction

This post summarizes the essential points of the Nevada personal information law, NRS 603A as amended by SB 227 (2009). A longer treatment is available as a white paper elsewhere on the site.

"Personal information" (NRS 603A.040) means a natural person's first name (or first initial) and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

  • social security number
  • driver’s license number or identification card number
  • account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account
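The definition above is a combination test, not a list of sensitive fields, and the two places people get it wrong are the account number (it counts only together with the code or password that gives access to the account) and encryption (an encrypted name or element drops the row out of scope). The following Go program is an added example, not code from the original post or from Trusttone; the `Record` field names and the `Encrypted` map are assumptions about how an administrator might describe an inventoried data set, and the sample rows are constructed.

```go
package main

import (
	"fmt"
	"strings"
)

// Record is one row of a data inventory as an administrator might describe it.
// Encrypted marks fields that are stored encrypted; the statute counts a row
// only when neither the name nor the data element is encrypted.
type Record struct {
	FirstName     string // full first name or just the first initial
	LastName      string
	SSN           string
	DriverLicense string // driver's license or identification card number
	AccountNumber string // bank account, credit card or debit card number
	AccessCode    string // security code, access code or password for that account
	Encrypted     map[string]bool // field name -> stored encrypted (assumed layout)
}

// inClear reports whether a field is present and stored unencrypted.
func (r Record) inClear(field, value string) bool {
	return strings.TrimSpace(value) != "" && !r.Encrypted[field]
}

// IsPersonalInformation applies the NRS 603A.040 test: (first name or initial)
// plus last name, combined with at least one unencrypted data element.
// It also returns the qualifying elements so the finding can be explained.
func IsPersonalInformation(r Record) (bool, []string) {
	if !r.inClear("FirstName", r.FirstName) || !r.inClear("LastName", r.LastName) {
		return false, nil
	}
	var elements []string
	if r.inClear("SSN", r.SSN) {
		elements = append(elements, "social security number")
	}
	if r.inClear("DriverLicense", r.DriverLicense) {
		elements = append(elements, "driver's license or ID card number")
	}
	// An account or card number on its own is not a listed element; it only
	// qualifies together with the code or password that would permit access.
	if r.inClear("AccountNumber", r.AccountNumber) && r.inClear("AccessCode", r.AccessCode) {
		elements = append(elements, "account number with access code")
	}
	return len(elements) > 0, elements
}

func main() {
	// Constructed sample rows, not real data.
	samples := []Record{
		{FirstName: "J", LastName: "Doe", SSN: "123-45-6789"},
		{FirstName: "Jane", LastName: "Doe", AccountNumber: "4111111111111111"},
		{FirstName: "Jane", LastName: "Doe", AccountNumber: "4111111111111111", AccessCode: "123"},
		{FirstName: "Jane", LastName: "Doe", SSN: "123-45-6789", Encrypted: map[string]bool{"SSN": true}},
	}
	for _, r := range samples {
		ok, els := IsPersonalInformation(r)
		fmt.Printf("%-4s %-3s in scope=%-5t elements=%v\n", r.FirstName, r.LastName, ok, els)
	}
}
```

Run over a real inventory, the interesting output is the rows that come back out of scope: a card-number table that is in scope only because the CVV is stored beside it is a table where deleting one column removes a statutory obligation.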

The statute requires a data collector to implement and maintain reasonable security measures for records containing personal information, and SB 227 added an explicit encryption requirement. In practice, meeting "reasonable security measures" means a layered set of controls, a form of defense-in-depth:

  • encryption of personal information when it is transmitted electronically outside the data collector's secure system, and when it is stored on devices or media that leave the collector's physical or logical controls (laptops, removable media)
  • firewalls protecting the network boundary
  • secure remote access technologies such as VPNs
  • segmentation that isolates the systems holding personal information from the rest of the network
  • current security patches on all systems
  • strong passwords
  • access controls adequate to keep users away from personal information they have no need to see

To detect and respond to information leakage, IT also needs to:

  • deploy an intrusion detection system
  • keep audit logs of all access to personal information
  • have a working process to notify authorities and the affected individuals in case of a breach

Finally, a data collector that accepts payment cards must also comply with the PCI Data Security Standard (PCI DSS), which the statute incorporates by reference.

Most IT staff are familiar with these requirements and know at least one tool for each of the major areas, with two exceptions:

  • encryption of personal information at rest and in motion
  • a process to notify authorities and the affected individuals in case of a breach

Encrypting Personal Information Data in Motion

Surprisingly, protecting data in motion turns out to be a lot easier than protecting data at rest. Think about it: is the communication between you and your bank more likely to be encrypted than the data sitting on the bank's hard drives? The use of SSL, SSL certificates, VPNs and the like has made it straightforward to encrypt traffic between two points, because security people got in right at the point when the World Wide Web took off and introduced SSL, now known as TLS. Secure encrypted email has been around even longer; the hindrance was mainly usability. Newer encryption software has reduced the pain of deployment and administration, and many enterprises now run email encryption gateways that scan outbound mail and encrypt it according to policy. A policy that recognises the data elements listed above (a name together with a social security number, licence number, or account number plus access code) gives a direct way of meeting the NRS 603A transmission requirement. The caveat is the one that applies to any gateway: it only covers mail that actually passes through it, so personal information leaving by other paths, such as a web form or a laptop on a hotel network, still needs TLS end to end.

Encrypting Personal Information Data At Rest

The IT administrator first has to identify every place where personal information is stored. These can include:

  • laptops
  • smartphones (iPhones, RIM BlackBerrys, etc.)
  • removable media like USB flash drives
  • employee machines at work
  • machines used by telecommuting employees
  • servers in the DMZ
  • internal servers

In general, the best way to secure data is not to hold it. The IT administrator must first ask whether roaming devices and removable media need to hold personal information at all. Often it cannot be avoided entirely: an employee building a statistical model of delinquencies, for example, needs the underlying records on the machine. In those cases the administrator must mandate encryption, and the safe default is to turn on full-disk encryption for every mobile device. Don't dither: encrypt. Two practical points follow. Full-disk encryption protects a device that is powered off or locked, not one that is logged in and left unattended, so it has to be paired with screen locks and strong passwords. And recovery keys must be escrowed, or a forgotten passphrase turns into a data-loss incident. There may be a performance cost; self-encrypting drives, or faster hardware for the affected servers, reduce it.

Some industries, most notably pharmaceuticals, have built a wall between personal information and data processing with a great deal of success. Most of us have heard of double-blind drug trials; the same trials also separate subjects' identities from the clinical data, which is pseudonymised with a subject code and remains perfectly usable for analysis. The mapping from codes back to people is held by the CRO (Contract Research Organization) running the trial, which makes the CRO the target: the mapping is only as safe as the encryption and access controls around it. Still, it shows the way forward for software that handles personal information: separate out the personal information as early as possible, encrypt it, and join it back to the anonymised data only once you have verified that the requester has the right to see it.
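The separate-encrypt-rejoin pattern above, as an added Go example that is not code from the original post or from any CRO. It assumes a delinquency record with a `DaysPastDue` attribute, stores the stripped-out identities under AES-256-GCM in an in-memory vault keyed by a random token, and uses a hypothetical role name, `collections-officer`, as the only role allowed to re-identify; the sample record is constructed.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"encoding/hex"
	"encoding/json"
	"errors"
	"fmt"
)

// Subject is a raw delinquency record before separation (constructed shape).
type Subject struct {
	FirstName, LastName, SSN string
	DaysPastDue              int // the attribute the modeller actually needs
}

// Identity is the part that makes the record "personal information" under NRS 603A.
type Identity struct {
	FirstName, LastName, SSN string
}

// AnonRow is what the analyst receives: a random token plus non-identifying data.
type AnonRow struct {
	Token       string
	DaysPastDue int
}

// Vault stores identities encrypted with AES-256-GCM, keyed by token; the
// analytic data set never carries a name or SSN, only the vault can rejoin them.
type Vault struct {
	aead    cipher.AEAD
	entries map[string][]byte // token -> nonce || ciphertext
}

func NewVault(key []byte) (*Vault, error) {
	block, err := aes.NewCipher(key) // a 32-byte key selects AES-256
	if err != nil {
		return nil, err
	}
	aead, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Vault{aead: aead, entries: map[string][]byte{}}, nil
}

// Separate strips the identity from a subject, seals it into the vault and
// returns the anonymised row the analyst may work with.
func (v *Vault) Separate(s Subject) (AnonRow, error) {
	raw := make([]byte, 16)
	if _, err := rand.Read(raw); err != nil {
		return AnonRow{}, err
	}
	token := hex.EncodeToString(raw)
	plain, _ := json.Marshal(Identity{FirstName: s.FirstName, LastName: s.LastName, SSN: s.SSN}) // cannot fail for a struct of strings
	nonce := make([]byte, v.aead.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return AnonRow{}, err
	}
	// The token is bound as associated data, so a ciphertext copied under a
	// different token fails authentication instead of re-identifying someone else.
	ct := v.aead.Seal(nil, nonce, plain, []byte(token))
	v.entries[token] = append(nonce, ct...)
	return AnonRow{Token: token, DaysPastDue: s.DaysPastDue}, nil
}

// Rejoin re-identifies a token, but only for a role entitled to see identities.
// "collections-officer" is a hypothetical role name used for this example.
func (v *Vault) Rejoin(token, role string) (Identity, error) {
	if role != "collections-officer" {
		return Identity{}, errors.New("role " + role + " may not re-identify subjects")
	}
	blob, ok := v.entries[token]
	ns := v.aead.NonceSize()
	if !ok || len(blob) < ns {
		return Identity{}, errors.New("unknown or corrupt vault entry")
	}
	plain, err := v.aead.Open(nil, blob[:ns], blob[ns:], []byte(token))
	if err != nil {
		return Identity{}, err
	}
	var id Identity
	err = json.Unmarshal(plain, &id)
	return id, err
}

func main() {
	key := make([]byte, 32) // in production: from an HSM or key service, never stored beside the data
	if _, err := rand.Read(key); err != nil {
		panic(err)
	}
	v, _ := NewVault(key)
	row, _ := v.Separate(Subject{FirstName: "Jane", LastName: "Doe", SSN: "123-45-6789", DaysPastDue: 45}) // constructed sample
	fmt.Printf("analyst sees: token=%s days_past_due=%d\n", row.Token, row.DaysPastDue)
	_, err := v.Rejoin(row.Token, "analyst")
	fmt.Println("analyst rejoin:", err)
	id, err := v.Rejoin(row.Token, "collections-officer")
	fmt.Printf("collections officer rejoin: %s %s, err=%v\n", id.FirstName, id.LastName, err)
}
```

The design choice worth noticing is the associated data: because each ciphertext is bound to its own token, the vault cannot be quietly re-indexed to point one person's clinical data at another person's identity, and the analyst's copy of the data stays outside the statute's definition because it holds neither a name nor any listed element.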

A process to notify authorities and the affected individuals in case of a breach

The system administrator's part of that process is to protect themselves and the organization by reporting any known or suspected intrusion or leakage of personal information promptly and concisely to executive management, with what is known about which records were involved. Under NRS 603A.220 the data collector must notify affected Nevada residents in the most expedient time possible and without unreasonable delay, so the clock starts when the incident is discovered, not when someone finally gets round to mentioning it; an administrator who sits on a suspected breach hoping it goes away has created a second problem on top of the first.


Tags: SB227 | NRS 603A | Privacy law | Nevada
