This month, I updated a white paper entitled "Summary of Selected Encryption Laws." The white paper will be an appendix in a forthcoming book to be published by the American Bar Association Section of Science and Technology Law on data protection.
The white paper summarizes selected encryption-related federal and state statutes, regulations, and regulatory guidance. The original version of this white paper highlighted encryption requirements covered in a 2008 ABA Annual Meeting program entitled “Protection of Sensitive Information Is Every Lawyer’s Business: Practical Solutions to Avoid Data Breaches” in New York. This version revises the original to include updates through January 2010.
Encryption is a crucial technology used to prevent security breaches. The encryption-related provisions covered in the white paper fall within three categories: (1) encryption to comply with legal requirements under federal law for information security in specific sectors of the economy, (2) state breach notification and general information security laws, and (3) laws intended to facilitate secure electronic commerce. The three tables in the white paper summarize the requirements in each of these categories.
I did not attempt to write the white paper as an exhaustive list of encryption-related requirements. For example, the state breach notification and information security law table focuses only on selected states, even though almost all of the states have some form of breach notification law. Moreover, the white paper does not include sector-specific state encryption laws, such as in the areas of medical records, genetic testing, or campaign finance laws. In addition, it does not include laws relating to liability for circumventing encryption protection of copyrighted material under the Digital Millennium Copyright Act or the protection of encrypted television signals. Moreover, it does not cover cybercrime involving the use of encryption. E.g., Nev. Rev. Stat. Ann. § 205.486. Finally, the white paper does not cover laws that call for protections similar to those in the Payment Card Industry Data Security Standard, such as the disposal of PIN information after the completion of a payment transaction. E.g., Minn. Stat. § 325E.61. While encryption may help to prevent security breaches that are the subject of such laws, these laws do not require or mention encryption.
Nonetheless, the white paper does cover the new Massachusetts and Nevada laws relating to encryption, along with more general encryption-related laws in those states and in California, New York, and Illinois. I hope that you find this white paper to be helpful. If you have a request for additional states, just send me an email or give me a call and I will update the paper for the next revision.
Partner, Cooke Kobrick & Wu LLP