A Nevada law requiring encryption of customer personal information goes into effect on October 1, 2008. See Nev. Rev. Stat. § 597.970 (2007). While the legislation is short in length, it is potentially wide-ranging in scope. In particular, the legislation requires any "business in this State" to encrypt an electronic transmission (other than via facsimile) of "any personal information of a customer" to "a person outside of the secure system of the business unless the business uses encryption to ensure the security of the electronic transmission." Id.
What Is Personal Information?Nevada law defines "personal information" to mean a natural person’s first name or first initial and last name in combination with the person’s: social security number; driver’s license number or identification card number; and/or account, credit or debit card number in combination with any security code, access code, or password that would permit access to the person’s financial account. Nev. Rev. Stat. § 603A.040 (2007). Natural person is not limited to Nevada residents.
Encryption means "the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network."
Some open questions remain, which include:
How "business in this State" will be interpreted and applied.
The meaning of "customer."
The meaning of "secure system of the business."
Enforcement of the legislation. The law does not specify how and by whom enforcement happens. Similarly, it does not identify a penalty for failure to comply with the encryption requirement.
Does it mean something more than a business’s local area network? It is not limited to Nevada residents. Does "customer" mean that the law will only apply to individuals who purchased goods or services from a business? Will the encryption requirement be limited to only business operations in Nevada?
What Is Encryption?