Nevada data encryption law

On October 1 a new law went into effect in Nevada requiring businesses to encrypt all “personal identifying information” (things like Social Security and drivers’ license numbers and credit card numbers) of customers in email and “electronic transmissions” more generally. The law has raised concern among, e.g., law offices and medical providers which often work with client documents containing such numbers; it will now be unlawful (say) to email such documents from a professional’s workplace to his or her home office absent encryption. Howard Marks at Information Week (Oct. 13):

Electronic transmission isn’t defined, so one interpretation would include the telephone — so if you forget the password to your online banking account, your bank will have to snail mail or fax you a new one. It does say “to a person outside of the secure system of the business,” so you don’t have to run out and encrypt all your disks like the vendor that brought this to my attention would like.

Don Sears at Baseline (Sept. 19) cites a Las Vegas lawyer on such problems with the law as “the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil” and concludes “once again, the legal system and the IT industry are faced with potentially bigger compliance and liability issues than they probably intended.” At Davis Wright Tremaine’s Privacy and Security Law Blog (Feb. 27), Randy Gainer cites similar (but not identical) mandates moving forward in other states and also notes, “the overwhelming majority of reports of stolen and lost consumer data relate to stored data, not data in transit…. The limited, data-in-transit, encryption mandate in the Nevada statute will therefore do little to stem the tide of stolen and lost consumer data.” Marian Waldmann at Morrison & Foerster (Oct. 2007) notes California’s more sweeping but less specific mandate for businesses to implement and maintain “reasonable security procedures and practices”, and also points out that the determination of whether an out-of-state entity dealing with Nevada residents is “doing business” in the state, and therefore subject to legal mandates of this sort, has been described by the Nevada Supreme Court itself as “often a laborious, fact-intensive inquiry resolved on a case-by-case basis” in litigation. Other commentary: Sidley Austin, Lori MacVittie/DevCentral.

3 Comments

  • I do not see how this is something burdensome. It is easy to do with PGP Freeware, Comodo, and Thawte. The same argument was made with wearing seatbelts years ago. It only takes an extra second or so.

  • And the government shouldn’t have imposed seat-belts either – they really don’t have the right (at least, not the FEDs).

  • Hello,
    It is not as simple as just using PGP because there is a big problem exchanging keys and there is also management of those keys. The only option is to buy products such as email encryption by Espion (www.espionint.com) or Postini which is now Google (http://www.google.com/a/help/intl/en/security/email.html). I personally prefer the espion interceptor not only because it is just a click away, but rather because it is an appliance which can be privately hosted and administered. The A. I. based spam option is also a nice complement and it is a one flat fee as opposed to per user charges which can be quite pricey.

    What other solutions are out there that someone can recommend other than the Espion Interceptor? Something under $5000 would hit the spot. What would be recommended for a business of 10 people or less. I often look into solutions of this type but I find them to be aimed towards the large enterprise.

    Good article,

    Al Zoony