The encryption provision of Nevada’s breach notification law, which was enacted over three years ago, became effective on October 1, 2008. This section requires businesses in Nevada to encrypt customer “personal information” before electronically transmitting such information outside the “secure system of the business.” This provision, however, does not apply to fax transmissions. Businesses in Nevada thus must now be aware that the electronic transmission of unencrypted customer “personal information” outside of a business’s secure systems may constitute a violation of Nevada’s data security law. Below is a summary of the key sections of the law.
Nevada’s security breach law was signed by the governor on June 17, 2005, and the security breach notification and other identity theft provisions of the law were effective by January 1, 2006. The effective date of the encryption provision of the law was delayed to provide Nevada businesses with sufficient time to implement new encryption software.
II. Personal Information
Nevada law requires a business to encrypt “personal information” before it may electronically transfer such information outside of the “secure system of the business.” Under Nevada law, “personal information” includes a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: (1) Social Security number or employer identification number; (2) driver’s license number or identification card number; (3) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
III. Encryption Requirements
Nevada law directs businesses to use any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding, or a computer contaminant, to: (1) prevent, impede, delay or disrupt access to any data, information, image, program, signal, or sound; (2) cause or make any data, information, image, program, signal, or sound unintelligible or unusable; or (3) prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system, or network.