Alert September 22, 2008

Nevada Law Will Require Encryption for Transmitted Data

Beginning on October 1, 2008, Nevada law will require that certain personal information be encrypted before the information can be transmitted electronically. The encryption requirements were originally enacted in 2005 as part of a broad identity theft prevention law that also included security breach notification requirements but only become effective as of October 1, 2008.

The new encryption requirements apply to a “business in [Nevada].” This term appears narrower than one covering those “doing business” in Nevada, so businesses without a physical presence in the state may not be covered. For those businesses subject to the law, the encryption requirement appears to apply to all personal information, and not just the personal information of customers residing in Nevada. Enforcement of the encryption requirement is uncertain since the law does not explicitly address which, if any, government entity may enforce the law and the law contains no penalty provisions. While the section falls under the Miscellaneous Trade Regulations and Prohibited Acts chapter, this chapter also does not include any generally applicable penalty provisions.

The law, codified at Nev. Rev. Stat. § 597.970, will prohibit those within its scope from transferring “any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” “Personal information” is defined in the same way as it is in the state’s security breach notice requirements, namely, as “a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

  • Social security number or employer identification number.
  • Driver’s license number or identification card number.
  • Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account,” but excludes “publicly available information that is lawfully made available to the general public.”

The measure, by reference, defines “encryption” as “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

  • Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
  • Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
  • Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”

This new Nevada measure is yet one more reason to consider whether your enterprise is doing all that is required and/or recommended to ensure the protection of data in its possession. Given the protection that encryption affords and the continuing risks to information security, it is plausible that other jurisdictions may follow suit and impose similar requirements. In fact, measures are already being considered in Washington and Michigan.