About Nevada’s New ‘Personally Identifiable Information’ (PII) Law

February 4, 2010
Pamela Brown
Blog

While at one of our clients, we recently fielded a question about Nevada’s new data security laws and how they may impact a company and its HR operations. We’ve been able to find the following information think it might be useful to a broader audience. So, here goes.

Nevada enacted a new data security law that went into effect on January 1, 2010. Nevada is one of several states that have enacted or proposed legislation that addresses how companies transmit and store personally identifiable information (PII). This PII can pertain to employees, customers or vendors and includes information such as social security number, driver’s license number, credit card data and bank account information combined with a last name and first name (or first initial). These laws are being created to prevent identification theft (Nevada is ranked 2nd in a listing of ID theft victims per 100,000 population).

From a business perspective looking outward onto these laws, there are several safeguards that companies can do to comply with this new legislation:

Use encrypted storage devices – Storage devices include any item that houses PII, including but not limited to servers, personal computer, external hard drives, flash drives, iPods, CDs, smart phones, DVDs or any other item that can store or transmit data.
Limit access to data – Only persons with a business need for the PII or access to the systems that house the PII should have access.
Understand who has access and where data is stored – There should be an understanding of what systems house what data. Also, one should fully understand the processes for secure access to the data. What if a person’s job responsibilities change? Are there processes in place to evaluate that the equivalent access to PII is necessary?
Use encrypted transmissions – This pertains to personal transmission as well as automated transmissions between systems. Care should be taken that PII is not emailed, instant messaged or otherwise transmitted over unencrypted connections. In addition, there should be encryption built in to all PII interfaces between systems. A company’s IT department should be familiar with the encryption standards as well as the storage of encryption keys.

It is important to note that while a given company may not have direct operations in Nevada, there are other states with similar pending legislation. This legislation will become much more prevalent. In fact, in another client discussion we learned there was a request for a state to have legislation regarding the storage of paper documents as well as digital data.

Identity theft is a mounting concern, and lawmakers are moving aggressively to combat it.

At a minimum, a solid data security policy that follows approved standards for data encryption (per The National Institute for Standards and Technology) is important. It is equally important that companies develop and follow procedures for how they will manage personally identifiable information.

By way of example, MIPRO consultants do have PSP data encryption software on their hard drives. So, if a laptop is ever lost or stolen, a password would have to be entered before someone can access any data on our laptops. You cannot even get to the Windows login screen before entering the access password; we’re talking BIOS-level security here.

Also, as a rule, we also strongly encourage our clients to create a shared space for project documentation. This space should be password protected and the project team in its entirety (employees and consultants) should only be given access to the areas that are necessary. So, for example, there is probably not a need for the project manager to have access to the folders where payroll data will be stored.

Finally, security in PeopleSoft is extremely structured to allow access to only the data that a particular employee needs to see. This is done through the setup of roles. As an example, if an employee gets a role of Training Administrator they will most likely have access to all things regarding training BUT they will not have access to SSN, payroll data, benefits data, etc. This is completely customizable so that an organization can define security rules that fit their business needs as well as meet compliance requirements.

Have questions or feedback about this? Want to know more? Let us know in the comments.