New Nevada Law Explicitly Requires Organizations to Encrypt PII Sent Through Networks

To date, several laws have directed organizations in certain industries to consider encryption as one way to protect data, based on the organization's assessed risks, and others have made encryption a factor in breach notification decisions (encrypted data is typically exempt from notice). Until now, however, no law that I'm aware of has explicitly required personally identifiable information (PII) to be encrypted. The state of Nevada has now changed that!


Nevada NRS 597.970, "Restrictions on transfer of personal information through electronic transmission," goes into effect October 1, 2008. So you have about a year to get into compliance.
What if you do not have customers or offices in Nevada? Recent history shows that once one state enacts a particular type of data protection law, such as breach notification or credit freeze laws, many other states soon follow suit. Chances are other states will soon jump on the PII encryption bandwagon.
The law itself is very short and sweet:

“NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]
1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
2. As used in this section:
(a) “Encryption” has the meaning ascribed to it in NRS 205.4742.
(b) “Personal information” has the meaning ascribed to it in NRS 603A.040.
(Added to NRS by 2005, 2506, effective October 1, 2008)”

Now let's look more closely at this deceptively simple law.
* What is “encryption”? According to NRS 205.4742, it is:

“NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”

UGH!
This will make IT folks fret, tempt lawyers toward inexpensive or free non-encryption measures that meet the "letter of the law" (simple encoding such as Base64 literally fits this definition, yet provides no confidentiality at all), and fuel all sorts of interesting arguments in the civil suits that will likely begin in late 2008.
I wonder which businesses will try to use "computer contaminants" to encrypt PII? IT folks, be prepared to answer your lawyer when he or she asks which is cheaper: cryptography, enciphering, encoding or computer contaminants.
I wish these laws would reference established and accepted standards when defining their terms, instead of inventing a unique, unusual definition each time. Here, for example, they could have defined encryption the way NIST does in its special publications.
* What is “personal information”? According to NRS 603A.040, it is:

“NRS 603A.040 “Personal information” defined. “Personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
1. Social security number.
2. Driver’s license number or identification card number.
3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
The term does not include publicly available information that is lawfully made available to the general public.”

Looks familiar, eh? This is the common definition used in many of the at least 39 state-level breach notice laws and in the credit freeze laws.
* What is a “customer”?
Good question, and one that is not answered within the Nevada law!
The law could be read as applying to the transmission of “any personal information of a customer,” wherever that customer is from, in any state or even any country. If a company has offices in Nevada, or if people who live in Nevada purchase a service or product from it, or even if a person never gives a company money but does give it their PII, the “customers” in all of these situations could arguably be considered protected by this law.
* What is “A business in this State”?
Another good question that the Nevada law does not answer!
It could be a business headquartered in the state, one with offices in the state, or one with any type of presence, such as a website, available for people within Nevada to do business with. Lacking a specific definition, this will likely be decided case by case.
It is curious that facsimiles (faxes) are exempt; a very large portion of faxes are now transmitted via email, network scanners or some other digital method in which no physical paper ever arrives at a traditional fax machine, and that traffic is an electronic transmission like any other. There are many ways in which digitally-based faxes can be encrypted. I can see this becoming a point of contention in a civil suit.
It is important to note that this law governs what every organization must do to PII it transmits electronically; it is not an after-the-fact consideration triggered by a data breach. An organization must comply even in the absence of any incident or breach.
It is also interesting that the new law specifies no penalties. This leaves it to each court and judge to decide what the penalty will be, which could produce very wide variances. Civil suits would likely bring the largest awards to customer plaintiffs.
Wow…does the U.S. ever need a federal, comprehensive, well-written data protection law, one with a consistently used set of definitions!
