On Nevada’s Electronic Transmission Encryption Law

By Julia Mak

What is NRS 597.970?

Nevada’s NRS 597.970 took effect on October 1, 2008. It requires a business in Nevada to use encryption whenever it transfers a customer’s personal information electronically to a person outside the secure system of the business (fax is the one transmission method excepted): the statute says the business shall not make such a transfer “unless the business uses encryption to ensure the security of electronic transmission”. Personal information is defined by NRS 603A.040 as a first name or first initial and last name in combination with one or more of the following data elements: Social Security number; driver’s license number or identification card number; or account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the individual’s financial account.


What does it mean?

In other words, the law requires businesses to protect customers’ personal information with encryption while it is in transit. A common example is sending sensitive information by email. Under the new law, sending an ordinary email message or attachment containing customer information would violate the law, because standard email provides no end-to-end encryption: the message is relayed and stored as plain text. The definition the statute relies on, from NRS 205.4742, is broad: encryption means “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant”. Do not read “encoding” as a loophole. A reversible encoding such as Base64 keeps nobody out; only cryptographic encryption with properly managed keys (for example TLS for the connection, or S/MIME or PGP for the message itself) actually secures the transmission.

See the full text of the law here.


Why does it matter?

If you conduct business in the state of Nevada, it is time to take a look at your data: how are you protecting it, how do you normally transmit it, and have you adopted a solution that provides sufficient security and encryption? Although NRS 597.970 is ambiguous about which businesses count as being in the state of Nevada, companies should still take action and consider an appropriate encryption solution to protect stored and transmitted data. As I mentioned in an earlier post, most states have already enacted data breach notification laws, and it is very likely that other states will soon follow Nevada’s lead and establish data encryption laws. The law does not explicitly state penalties for violations, but a violation could easily be argued to be negligence in a civil lawsuit if a customer suffers damages (e.g., identity theft) as a result of a company’s non-compliance.


What should you do?

There are some best practices and preventive steps that you can take to avoid a possible violation of the law and to maintain a secure environment for the confidential data that you handle:

1. Use encrypted transfer methods: Decide which methods are acceptable for electronically transferring sensitive data (for example SFTP, HTTPS, or email protected with S/MIME or PGP), and transmit the data only through those encrypted channels.
2. Track access to your data: Implement a solution that lets you audit and track how your data is communicated. You should control who can access the data and be able to establish what data was accessed, by whom, and when.
3. Train your staff on security guidelines: Communicate proper security procedures to your employees, including which everyday practices are not secure. For example, sending client information as an email attachment or over an instant messenger is not secure.
4. Select a reliable solution vendor: Stick to vendors with a strong track record for reliability and for services that support data security. SAS 70 certified data centers, service level agreements and an established presence in your industry are good indicators of a trustworthy service provider.
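As an added example that is not part of the original post, here is a small outbound-transfer check in Python that combines practices 1 and 2 above. It scans a message for the NRS 603A.040 data elements that can be recognized mechanically (Social Security numbers and Luhn-valid card numbers), records only masked values so the audit trail does not itself leak the data, and blocks the transfer unless the channel is on an allow-list of encrypted methods. The channel names, the regular expressions and the sample message are my assumptions for this illustration; whether a name accompanies the data elements, as the statute requires, is left to the reviewer who receives the finding.

```python
"""Added example: gate outbound transfers on the NRS 603A.040 data elements.

Not the original post's code. Channel names, patterns and the sample
message below are assumptions made for this illustration.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple

# Channels assumed to encrypt data in transit (hypothetical labels for the
# transfer methods an organisation has approved). Plain "email" is absent
# on purpose: a standard message is relayed and stored in plain text.
ENCRYPTED_CHANNELS = {"sftp", "https", "smime-email", "pgp-email"}

# Social Security number in 3-2-4 form, applying the SSA issuance rules:
# area not 000, 666 or 900-999; group not 00; serial not 0000.
SSN_RE = re.compile(
    r"\b(?!000|666|9\d{2})\d{3}[- ]?(?!00)\d{2}[- ]?(?!0000)\d{4}\b")

# Candidate payment card number: 13 to 19 digits, optionally separated by
# single spaces or hyphens. Candidates are confirmed with the Luhn check.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


@dataclass
class Finding:
    kind: str     # "ssn" or "card"
    masked: str   # all but the last four digits replaced, safe to log


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:           # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def mask(digits: str) -> str:
    """Keep only the last four digits so findings can be logged safely."""
    return "*" * (len(digits) - 4) + digits[-4:]


def find_personal_information(text: str) -> List[Finding]:
    """Locate SSNs and Luhn-valid card numbers; return masked findings only."""
    findings = []
    for m in SSN_RE.finditer(text):
        findings.append(Finding("ssn", mask(re.sub(r"\D", "", m.group()))))
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"\D", "", m.group())
        if luhn_ok(digits):
            findings.append(Finding("card", mask(digits)))
    return findings


def transfer_decision(text: str, channel: str) -> Tuple[str, List[Finding]]:
    """Allow the transfer if nothing regulated is present or the channel is
    encrypted; otherwise block it. The findings double as the audit record."""
    findings = find_personal_information(text)
    if findings and channel not in ENCRYPTED_CHANNELS:
        return "block", findings
    return "allow", findings


# Constructed sample message (not real data). The 16-digit "order ref"
# fails the Luhn check and must not be reported as a card number.
SAMPLE_MESSAGE = (
    "Hi Pat, attaching the account setup for John Q. Public.\n"
    "SSN: 123-45-6789, card 4111 1111 1111 1111, order ref 1234 5678 1234 5678.\n"
)

if __name__ == "__main__":
    for channel in ("email", "sftp"):
        decision, found = transfer_decision(SAMPLE_MESSAGE, channel)
        print(f"{channel:6s} -> {decision}",
              [(f.kind, f.masked) for f in found])
```

Run as a script, the check blocks the sample message over plain email and allows it over SFTP, reporting the same two masked findings either way. The Luhn check is what keeps arbitrary 16-digit references such as order numbers out of the audit log; driver’s license numbers are deliberately not matched here, because their formats vary by state and a naive pattern would mostly produce false positives.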
