Nevada’s new data security law, which mandates that customer personal information be encrypted prior to transmission, went into effect on October 1, 2008.

Companies that do business on a nationwide basis should consider whether their existing data security policies and procedures comply with this new state law. Specifically, the new Nevada law states: “a business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” NEV. REV. STAT. § 597.970 (2005).

The Nevada statute, signed into law in 2005 and effective this month, defines “personal information” as a “person’s first name or first initial and last name in combination with any of the following: (a) social security number or employer identification number; (b) driver’s license number or identification card number; or (c) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.” Id. This definition of “personal information” is reasonably clear, and is consistent with state data breach notification laws, including Nevada’s.

However, other terms used in the new law are more ambiguous, leaving the scope of the law uncertain. For example, on its face, the statute does not limit the terms “customer” or “personal information” to Nevada residents, although there are obviously jurisdictional issues with this omission.

Moreover, while this law states that it applies to a “business in this state,” it is not clear whether a business that is geographically located outside of Nevada with personal information from Nevada residents may nonetheless be subject to the law as a result of “doing business” within the state.

While numerous states have enacted laws that require businesses to take affirmative steps to safeguard certain types of personal information and to notify persons whose personal information might be compromised in the event of a security breach (see IN FOCUS article, page 12, on the new Massachusetts data security rules), Nevada’s new law goes one step further by specifically requiring the “encryption” of personal information. (The new law supplements and does not replace or modify Nevada’s current data breach notification law.)

Notably, however, the new law’s definition of “encryption” is broad, giving businesses some leeway in adopting compliance procedures. “Encryption” is defined as “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding, or a computer contaminant to: (i) prevent, impede, delay, or disrupt access to any data, information, image, program, signal, or sound; (ii) cause or make any data, information, image, program, signal, or sound unintelligible or unusable; or (iii) prevent, impede, delay, or disrupt the normal operation or use of any component, device, equipment, system, or network.”

Companies operating nationally should verify that their information security policies address “transmission” and otherwise satisfy the requirements of this new Nevada law.
