The Office of General Counsel issued the following opinion on December 2, 2005, representing the position of the New York State Insurance Department.
Re: Definition of Encryption.
How does the Information Security Breach and Notification Act (the "Act") specifically define the term "encryption"?
The term "encryption" is not defined in the Act.
The inquirer stated that on August 9, 2005, the Governor signed the Information Security Breach and Notification Act into law. The inquirer's company is the lead company in a group of companies under a holding company structure that includes two insurance companies, two risk purchasing groups, a finance company and an insurance agency. Although the inquirer's company is a foreign corporation that does business in New York, he did not state whether the other companies within the holding company system also do business in New York. The inquirer asked the question because his company would like to remain compliant with all business regulations. The inquirer's Information Technology Department told him that information can be "encrypted" in a couple of different ways. One way would be through encryption software. Another would be through the use of a password. The inquirer asked how the word "encryption" is defined within the Act.
Ch. 442 of the Laws of 2005, commonly known as the Information Security Breach and Notification Act, as amended by Ch. 491 of the Laws of 2005, was signed into law on August 9, 2005, to be effective December 7, 2005. It sets forth new privacy standards by amending the State Technology Law and General Business Law to provide New York State residents with the right to know when a security breach has resulted in the exposure of private information. N.Y. State Tech. Law § 208, which adds the new privacy standards, applies to state entities, including New York State agencies. New Article 39-F of the New York General Business Law, which adds N.Y. Gen. Bus. Law § 899-aa, contains similar provisions applicable to any person or business which conducts business in New York. Section 899-aa(1)(b) defines the term "private information" as:
[P]ersonal information consisting of any information in combination with any one or more of the following data elements, when either the personal information or the data element is not encrypted or encrypted with an encryption key that has also been acquired:
(1) social security number;
(2) driver's license number or non-driver identification card number; or
(3) account number, credit or debit card number, in combination with any required security code, access code, or password which would permit access to an individual's financial account;
"Private information" does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. (emphasis supplied)
Although the statute uses the term "encrypted", it does not contain a definition of the term.
Please note that the Office for Technology, which is responsible for administering the State Technology Law (a statute that also uses the term), promulgated a regulation under Article 3 of the State Technology Law, known as the Electronic Signatures and Records Act. This Regulation defines the term "cryptographic keys" as meaning "the items of information used by a given algorithm to transform data into an unreadable format." See N.Y. Comp. Codes R. & Regs. tit. 9, § 540.2(e) (2005). However, the Regulation does not require that a particular technology or methodology be used.
The inquirer was directed to contact the Office for Technology for additional guidance or the State Attorney General's Office for guidance as to the meaning of the term "encryption" as used in the N.Y. Gen. Bus. Law § 899-aa(1)(b), since the Attorney General is responsible for enforcing the General Business Law.
For further information you may contact Associate Attorney Pascale Jean-Baptiste at the New York City Office.