Security Featured Article

Encryption is a great thing – it can provide protection for information that is sent electronically. It also helps businesses and organizations to meet specific privacy standards when sharing or transmitting information. For those that operate in Nevada, standards are about to increase.

On October 1st, the state will require encryption for all transmissions for all businesses that send personal, identifiable information over the Internet. Given that this private information is being sent over a public source, this requirement is a good thing for customers, even if it presents challenges for businesses.

 

Signed into law in 2005, the Nevada statute will become enforceable next month and states:

 

“A business in this state shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”

Many Nevada businesses could be caught without a net as they may or may not be prepared for the change. Some may even claim that they are not aware of the new requirement, although such a stance will not save them from retribution. They need not fear for long as encryption software vendors have been ready and waiting.

While the statute will soon become law, some believe that it is not ready to be enforceable. Donald Sears on the “Bottom Line” noted that according to Bryce Earl, a Las Vegas-based attorney with Santoro, Driggs, Walch, Kearney, Holley & Thompson, the statute has some problems that could make it difficult to follow and difficult to enforce.

These problems include the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.

"The statute's lack of specificity with regard to penalties will perhaps create the unintended consequence of opening up more liability," Earl told Sears.

According to the state, the definition of “encryption” is as follows:

 

NRS 205.4742 "Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

As Sears reported, Earl stated that an argument could easily be made that a password-protected document sent in an e-mail might be good enough to hold up to this definition. But, it isn’t defined whether that is good enough or how Nevada will enforce the new law.

While it is expected that the state could better define this statute next year, a possible lawsuit may actually serve the purpose of helping to define the law for a more clear interpretation. While Earl stated that this does not really help a lawsuit, it can help set precedent.

The true problem here is that the state will be taxed with identifying and enforcing technology issues that it has not clearly defined and its representatives likely do not clearly understand. For those businesses that will strive for compliance, the challenge is very real.