Scott & Scott | Software Compliance Counsel
Scott & Scott Scott & Scott

« Attorney Malpractice Claims Regarding Patents Must be Heard in Federal Court | Main | Apple’s & AT&T’s iPhone Policies Unfair, Anti-Competitive, and Illegal, According to Plaintiffs »

Nevada Passes Data Encryption Law

Nevada recently passed a law requiring businesses to encrypt customers’ personal information during transmission of an electronic transaction. While other data protection laws require the shredding of records or the implementation of reasonable security measures to protect sensitive information, Nevada’s mandates use of encryption technology.

What is prohibited activity?

The Nevada law is brief: “A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” Under NRS 205.4742, encryption means the use of any protective or disruptive measure including, but not limited to cryptography, enciphering, encoding or a computer contaminant, in order to:

  1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
  2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
  3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

    4. To what information does the statute apply?

    Personal information, defined in NRS 603A.040, means a person’s first name or first initial and last name combined with any one or more of the following, when the name and data elements are not encrypted:


    1. Social security number.

    2. Driver’s license number or identification card number.

    3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

    The statute specifically excludes from the definition of personal information “the last four digits of a social security number or publicly available information that is lawfully made available to the general public.”

    Statutory Ambiguity

    Though it defines “encryption” and “personal information,” the statute does not define the terms “secure system,” “business,” or “customer.” It is also unclear whether the statute only applies to Nevada residents?

    If your business does or plans to do business in Nevada, you should carefully review the provisions of Nevada’s new data encryption law to determine whether you are transmitting personal information in a sufficiently encrypted form.

Posted on December 5, 2007 10:00 AM |

Post a comment

(If you haven't left a comment here before, you may need to be approved by the site owner before your comment will appear. Until then, it won't appear on the entry. Thanks for waiting.)

Search


About

This page contains a single entry from the blog posted on December 5, 2007 10:00 AM.

The previous post in this blog was Attorney Malpractice Claims Regarding Patents Must be Heard in Federal Court.

The next post in this blog is Apple’s & AT&T’s iPhone Policies Unfair, Anti-Competitive, and Illegal, According to Plaintiffs.

Many more can be found on the main index page or by looking through the archives.

Subscribe to this blog's feed
[What is this?]
Powered by
Movable Type 3.32