
Thursday, October 02, 2008

NRS 597.970

We have seen more than 39 states adopt data breach disclosure laws since California Senate Bill 1386. These laws help with cleaning up the mess left behind by a breach. Now, however, we are starting to see the first laws that try to prevent the breach from happening in the first place. The first state to do this is Nevada, with Massachusetts, Washington and Michigan to follow shortly. These laws mandate the use of encryption to prevent sensitive customer information from being compromised when that information is transmitted out of the business.

The Nevada law is Nevada Revised Statute (NRS) 597.970, which is effective October 1, 2008:

NRS 597.970 Restrictions on transfer of personal information through electronic transmission.

1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

2. As used in this section:

(a) "Encryption" has the meaning ascribed to it in NRS 205.4742.

(b) "Personal information" has the meaning ascribed to it in NRS 603A.040.

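This certainly looks like it requires encryption, but a closer look at the law also shows that there's no penalty for breaking it. The chapter's criminal penalty provision covers only NRS 597.010 to 597.090, a range that does not include 597.970: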

NRS 597.100 Criminal penalty. A person who willfully and intentionally violates any provision of NRS 597.010 to 597.090, inclusive, is guilty of a misdemeanor.

However, this law opens businesses up to lawsuits, and in combination with the prevailing data breach disclosure law, having encryption will limit a business's liability in the event of a data breach. So adding some low-cost encryption software seems like a small price to pay for protecting your customer and employee data from being exposed.

Nevada businesses - take a look at www.voltage.com/nevada

UPDATE: From the WSJ - October 16th, 2008

"In Nevada, companies that suffer a security breach but comply with the new law would cap their damages at $1,000 per customer for each occurrence. Those that don't comply would be subject to unlimited civil penalties under the proposed enforcement plan, said James Earl, executive director of the state's task force for technological crimes."
