(Updated 10 August 2009 – NRS 596.970 will stop being effective on January 1, 2010, with NRS 603 taking its place)
The Nevada encryption law regarding personal information went into effect on October 1, 2008, meaning that Nevada businesses will need to use file encryption software like AlertBoot when sending confidential files over e-mail. The law requires that any electronic data being transferred be encrypted. There are criticisms associated with it; some of the more salient ones are described below.
In a nutshell (and I am not a lawyer), the Nevada personal information encryption regulations state that any digital information that moves through an electronic network must be encrypted, with the exception of faxes. This is only required when personal information is being sent outside the business, though.
The easiest way to comply with this law is to ensure that any sensitive files you send via e-mail or make available on a network are encrypted using file encryption. Under this law, other encryption products like whole disk encryption will not help a business comply. You can follow this link to find out the basic difference between file encryption and disk encryption.
Penalties For Violation Of Nevada’s Data Privacy Law
There is some confusion about what types of civil and criminal penalties could be assessed for violations of this law, since these are not defined, but there may be a provision already on the books. Apparently, a Nevada state assemblyman has pointed out to Donald Sears at baselinemag.com that under NRS 193.170, any prohibited act is a misdemeanor when the statute itself imposes no penalty.
So, I guess penalties would be in tandem with whatever a misdemeanor carries in NV? (Again, not a lawyer.)
(Update: 1 May 2009) According to arborlaw.biz, using encryption would put a cap on liability, whereas not using encryption would have unlimited liability under a lawsuit for negligence. The cap is $1,000 per customer affected, per occurrence. This seems to be further confirmed by the Wall Street Journal.
Personal Information Defined According To Nevada Encryption Law NRS 597.970
According to the law, personal information is defined as a natural person’s first name or first initial and last name, combined with any of the following:
Social Security number
Driver’s license number or identification card number
Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
Remember, the above must be combined with a person’s name; otherwise, it’s not a breach. The above is also the definition used for Nevada’s data breach notification laws, by the way.
There has been a lot of criticism of the Nevada encryption law. These are the criticisms I found to be more salient:
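As an added example (not from the original post and not AlertBoot’s software), here is a Python pre-send check that applies the definition above: a message is flagged only when a name is combined with an SSN, a licence number, or an account/card number together with a code or password, and encryption is demanded only when the recipient is outside the business. The regexes, the NOT_NAMES stoplist, the internal domain and the sample messages are all assumptions constructed for the example; the page gives no format for Nevada licence numbers, so the DL pattern is a placeholder.

```python
import re

# Identifier patterns. SSN is the usual NNN-NN-NNNN form; the page gives no
# format for Nevada licence numbers, so DL_RE is an assumed placeholder, not the real format.
SSN_RE = re.compile(r"\b\d{3}-\d{2}-\d{4}\b")
DL_RE = re.compile(r"\bDL[: ]?\d{7,10}\b", re.IGNORECASE)
ACCOUNT_RE = re.compile(r"\b(?:acct|account|card)\s*(?:no\.?|number|#)?\s*[:#]?\s*\d{8,19}\b", re.IGNORECASE)
SECRET_RE = re.compile(r"\b(?:pin|cvv|security code|access code|password)\b", re.IGNORECASE)
# Crude name detector: "John Smith" or "J. Smith", skipping capitalised field labels.
NAME_RE = re.compile(r"\b([A-Z][a-z]+|[A-Z]\.)\s+([A-Z][a-z]+)\b")
NOT_NAMES = {"Social", "Security", "Account", "Number", "Driver", "License",
             "Card", "Code", "Access", "Password", "Dear", "Hello", "Hi"}

def _has_name(text: str) -> bool:
    for first, last in NAME_RE.findall(text):
        if first.rstrip(".") not in NOT_NAMES and last not in NOT_NAMES:
            return True
    return False

def personal_information_reasons(text: str) -> list:
    """Why `text` is personal information under the definition above, or [] if it
    is not: a name is required, and an account/card number only counts with a code."""
    if not _has_name(text):
        return []
    reasons = []
    if SSN_RE.search(text):
        reasons.append("ssn")
    if DL_RE.search(text):
        reasons.append("driver_license")
    if ACCOUNT_RE.search(text) and SECRET_RE.search(text):
        reasons.append("account_with_code")
    return reasons

def must_encrypt(text: str, recipient: str, internal_domains=("example-bank.test",)) -> bool:
    """Pre-send check: encryption is required only when personal information leaves
    the business, i.e. when the recipient's domain is not an internal one (assumed)."""
    domain = recipient.rsplit("@", 1)[-1].lower()
    return domain not in internal_domains and bool(personal_information_reasons(text))

# Constructed sample messages (text, recipient), not real data.
SAMPLES = {
    "ssn_to_outsider": ("Please update the file for John Smith, SSN 123-45-6789.", "clerk@partner.test"),
    "ssn_internal": ("Please update the file for John Smith, SSN 123-45-6789.", "hr@example-bank.test"),
    "dl_to_outsider": ("Jane Doe, DL 1234567890, renewal form attached.", "clerk@partner.test"),
    "card_without_code": ("Card number 4111111111111111 belongs to J. Smith.", "clerk@partner.test"),
    "card_with_pin": ("Card number 4111111111111111 belongs to J. Smith, PIN 1234.", "clerk@partner.test"),
    "no_name": ("SSN 123-45-6789 is attached, see the file.", "clerk@partner.test"),
}
```

The name detector is deliberately simple; a real deployment would match against a customer roster rather than guessing names from capitalisation.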
Most data breaches involve data at rest. The Nevada law requires encryption for data in motion. But data at rest (information stored on laptops, desktops, backup tapes, CDs, etc.) is the major source of data breaches. By extension, one assumes that breaches of data at rest are the major source of electronic ID theft.
For now, it looks like encryption of data at rest, such as full disk encryption, will not be required. This also means that the contents of USB memory sticks will not need to be encrypted to comply with the law (although it is always a good idea).
The law is not clear enough. For example, Nevada’s definition of encryption is such that “password protection” could be construed as encryption. However, password protection is not encryption, as I wrote before.
Also, since an exception was made for faxes, why not voice? One interpretation (far-fetched, I’d say) is that a bank can’t give you your password for on-line banking, even if you can prove that you are who you claim to be. Which, I must admit, is not necessarily a bad thing.
Easy-to-break encryption is allowed. Because the law doesn’t go into technical details (note the point above on the definition of encryption), using weak forms of encryption would make a business compliant, which is not why the law was passed. Currently, 128-bit encryption is the weakest form of encryption that’s considered secure. Anything lower than this is not even considered to be encryption. If you’re paranoid enough, you can opt for higher levels of encryption for even more security.
How will they enforce it? There won’t be a way to enforce it, unless government workers go around to businesses checking to make sure that none of them are e-mailing unencrypted files containing personal information. Like many laws, it will be a reactive one: someone is caught in violation and penalties are assessed.