Nevada passes first law requiring businesses to encrypt customer personal information during transmission
Posted by Charlene Brownlee
Significance of the Law
Nevada has enacted the first data security law that mandates encryption for the transmission of customer personal information (NRS 597.970). The law goes into effect on October 1, 2008. Several existing laws direct organizations in certain industries to consider using encryption, and others make encryption a factor in deciding whether a breach must be reported, but no law required the encryption of personal information prior to this Nevada law.
Summary of the Law
The law is brief and provides that:
“A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”
Scope of the Law Unclear
Unfortunately, the brevity of the law results in the need for clarification on several key points:
- Is the law limited to customers resident in Nevada?
  - A "customer" is not defined in the law, nor is there a statement that the law only applies to the personal information of Nevada residents.
  - Accordingly, the law could be interpreted as applying to an organization's transmission of "any personal information of a customer," regardless of where the customer resides.
- What constitutes doing business in Nevada?
  - The law does not define what nexus a company must have to Nevada to fall within the scope of the law as a "business in this State."
  - Guidance from a decision of the Nevada Supreme Court evaluating whether a company is "doing business" in Nevada (Executive Mgmt. Ltd. v. Ticor Title Ins. Co., cited below) may be helpful. In that case, the court applied a two-pronged standard:
    (a) the nature of the company's business in the state; and
    (b) the quantity of business conducted by the company in the state.
- What constitutes a "secure system" of the business?
  - The prohibition under the Nevada law is limited to transmission of personal information to a person "outside of the secure system of the business."
  - The law does not define what a "secure system" is.
- What are the consequences of violating the law?
  - The law does not include any penalty provisions, making the consequences of failing to comply unclear.
  - While the new law falls under the Miscellaneous Trade Regulations and Prohibited Acts chapter, that chapter also does not contain any generally applicable penalty provisions.
Companies operating nationally should consider whether their existing policies and procedures regarding transmission of customer personal information comply with this new law. From October 2008, merely transmitting customer personal information in an unencrypted format may violate this Nevada data security law. Note that the statute's definition of "encryption" (quoted below) is broad: it covers any "protective or disruptive measure," including encoding, and sets no requirement for a particular algorithm, key length or key management practice, so the law mandates that some protective measure be used rather than specifying how strong it must be. An organization that is not doing business in Nevada should still monitor developments in the other states where it operates; the history of the enactment of the data breach notification statutes suggests that other states may soon follow.
Notes
Personal Information is defined as "a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
1. Social security number.
2. Driver's license number or identification card number.
3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public."
Encryption is defined as "the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network."
Executive Mgmt. Ltd. v. Ticor Title Ins. Co., 38 P.3d 872 (Nev. 2002).