On January 1, 2010, two important state data security and privacy laws took effect in Nevada and New Hampshire. The laws create new obligations for most companies that do business in Nevada and for health care providers and business associates in New Hampshire.
Nevada’s law requires “data collectors,” including government agencies and businesses, that accept payment cards and are “doing business” in Nevada to comply with the Payment Card Industry Data Security Standard (“PCI DSS”). Although Minnesota has codified the PCI DSS requirement that prohibits businesses from retaining certain credit or debit card data after a transaction, Nevada now becomes the only state to require compliance with PCI DSS in its entirety.
For businesses that do not accept payment cards, the new Nevada law prohibits electronically transmitting a customer’s personal information “outside of the secure system of the business” or moving any data storage device containing a customer’s personal information “beyond the logical or physical controls” of the business unless the transmission or data storage device is encrypted. The statute defines “encryption” to include both (1) encryption technologies to render data indecipherable which have been adopted by an established standard-setting body such as the National Institute of Standards and Technology (“NIST”) and (2) appropriate management and safeguarding of cryptographic keys using guidelines promulgated by an established standard-setting body such as NIST.
Although several states have previously rejected codifying PCI DSS into law, it remains to be seen whether Nevada’s new law will create a nationwide domino effect similar to the one that followed California’s enactment of the first information security breach notification statute. Since California’s breach notification statute became effective in 2003, all but five states have enacted similar statutes.
The new law in New Hampshire requires health care providers and business associates to (1) obtain an authorization from individuals before using or disclosing their protected health information (“PHI”) for marketing, and (2) provide an opportunity for individuals to choose not to receive any fundraising communications that involve their PHI. New Hampshire’s law also requires health care providers and business associates to notify individuals in writing of any use or disclosure of their PHI that is not permitted by New Hampshire law, even if such use or disclosure is allowed under federal law. For example, New Hampshire prohibits all marketing communications (including those authorized by individuals) by voicemail, facsimile, or “other methods of communication that are not secure,” while federal law contains no such prohibitions.
New Hampshire’s new law adds to the list of state and federal laws regulating breaches of health information: in August 2009, Missouri’s information security breach notification statute, which applies to breaches of “medical information” and “health insurance information,” took effect, and in February 2010, the federal regulations addressing breaches of unsecured PHI will become effective.