On October 1, 2008, Nevada law NRS 597.970—the first law in the country requiring encryption of electronically transmitted personal information—went into effect. The law states:
“A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”
Personal Information is defined as “a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
- Social security number.
- Driver's license number or identification card number.
- Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.”
Encryption is defined as “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
- Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
- Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
- Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”
What is the Significance of this Law?
Although there are no specific penalty provisions associated with this law, when laws such as this one are passed, other states often follow suit. If this happens, there is no guarantee that those states will not apply specific penalty provisions under their law. In that event, expect to see a raft of consumer class actions filed by the plaintiffs’ bar.
Certain terms in the law are not clearly defined, which may cause disputes in the courts. For example, the new law does not define a “business in this State” or “customers.”
A court would have no problem finding that a “business in this State” refers to a business incorporated in or having its principal place of business in Nevada. It remains to be seen whether it also refers to any business with “minimal contacts” within the State sufficient to require that business to submit to personal jurisdiction, or to any business with a website which can be accessed by Nevada residents.
Similarly, a court would likely find that any Nevada citizen is a “customer,” but it could also apply the term to any person doing business with a “business in this State.”
As noted, while there are no specific penalties defined in this new law, Nevada courts could find that a violation of the law is negligence per se and award proximately caused damages to a customer whose identity was stolen due to the failure to encrypt that customer’s personal information.