October 2009 Developments - 21

the compliance burden on companies is much higher and would require encryption of many more systems. One area that the amendment cleared up is the deﬁnition of encryption. The new law contains a more detailed deﬁnition that references industry standards. Speciﬁcally, the new law deﬁnes encryption as the protection of data in electronic or optical form, in storage or transit, using (1) an encryption technology that has been adopted by an established standards setting body, including but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and (2) the appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standard setting body including, but not limited to, the National Institute of Standards and Technology. 10 There are certain exceptions to the Nevada law, including that it does not apply to data transmission over a secure, private communication channel for (1) approval or processing of negotiable instruments, electronic funds transfers, or similar payments methods; or (2) issuance of reports regarding account closures due to fraud, substantial overdrafts, abuse of automatic teller machines, or related information regarding a customer. Finally, the statute provides a safe harbor for data collectors who comply with the statute. Speciﬁcally, data collectors who comply with the statute may not be held liable for damages for a breach of the security of the system data unless the breach is caused by the gross negligence or intentional conduct of the data collector, its ofﬁcers, employees, or its agents.11 Data security issues are here to stay, and expect more and more states to mandate data security via laws like the new Nevada one. D Dan Bachrach is a partner in the international law ﬁrm of Foley & Lardner LLP. His e-mail address is dbachrach@foley.com. Andrew Serwin is the founding chair of the Privacy, Security, and Information Management Practice and is a partner in the San Diego ofﬁce of Foley & Lardner LLP. He is the author of Information Security and Privacy: A Guide to Federal and State Law and Compliance, and his e-mail address is aserwin@foley.com. 4 5 6 7 8 Endnotes 10 11 Relevant state or local data security or destruction laws include: Alaska, Arizona, Arkansas, California, Colorado, Connecticut, Georgia, Hawaii, Indiana, Kansas, Kentucky, Maryland, Massachusetts, Michigan, Minnesota, Montana, Nevada, New Jersey, New York, New York City, North Carolina, Oregon, Rhode Island, South Carolina, Tennessee, Texas, Utah, Vermont, Washington, and Wisconsin. “Data collector” means any governmental agency, institution of higher education, corporation, ﬁnancial institution, retail operator, or any other type of business entity or association that for any purpose, whether by automated collection or otherwise, handles, collects, disseminates, or deals with nonpublic personal information. Nev. Rev. Stat. § 603A.030. “Payment card” means a credit card, charge card, debit card or any other card that (1) is issued to an authorized card user, and (2) allows the user to obtain, purchase or receive credit, money, a good, a service or anything of value. Nev. Rev. Stat. § 205.602. S. 127 § 1-3, 75th session, (Nv. 2009). Id. § 1(1). “Facsimile” means an electronic transmission between two dedicated fax machines using Group 3 or Group 4 digital formats that conform to the International Telecommunications Union T.4 or T.38 standards of computer modems that conform to the International Telecommunications Union T.31 or T.32 standards. The term does not include onward transmission to a third device after protocol conversion, including but not limited to any data storage device. Id. § 1(5)(c). Id. § 1(2)(a). “Data storage device” means any device that stores information or data from any electronic or optical medium including, but not limited to, computers, cellular telephones, magnetic tape, electronic computer drives and optical computer drives, and the medium itself. Id. § 1(5)(a). Id.§ 1(2)(b). Id. § 1(5)(b). Id. § 1(3). October 2009 • Developments

October 2009 Developments

Table of Contents for the Digital Edition of October 2009 Developments