PointofLaw.com
 Subscribe Subscribe   Find us on Twitter Follow POL on Twitter  
   
 
   

 

 

Nevada data encryption law



On October 1 a new law went into effect in Nevada requiring businesses to encrypt all "personal identifying information" (things like Social Security and drivers' license numbers and credit card numbers) of customers in email and "electronic transmissions" more generally. The law has raised concern among, e.g., law offices and medical providers which often work with client documents containing such numbers; it will now be unlawful (say) to email such documents from a professional's workplace to his or her home office absent encryption. Howard Marks at Information Week (Oct. 13):

Electronic transmission isn't defined, so one interpretation would include the telephone -- so if you forget the password to your online banking account, your bank will have to snail mail or fax you a new one. It does say "to a person outside of the secure system of the business," so you don't have to run out and encrypt all your disks like the vendor that brought this to my attention would like.

Don Sears at Baseline (Sept. 19) cites a Las Vegas lawyer on such problems with the law as "the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil" and concludes "once again, the legal system and the IT industry are faced with potentially bigger compliance and liability issues than they probably intended." At Davis Wright Tremaine's Privacy and Security Law Blog (Feb. 27), Randy Gainer cites similar (but not identical) mandates moving forward in other states and also notes, "the overwhelming majority of reports of stolen and lost consumer data relate to stored data, not data in transit.... The limited, data-in-transit, encryption mandate in the Nevada statute will therefore do little to stem the tide of stolen and lost consumer data." Marian Waldmann at Morrison & Foerster (Oct. 2007) notes California's more sweeping but less specific mandate for businesses to implement and maintain "reasonable security procedures and practices", and also points out that the determination of whether an out-of-state entity dealing with Nevada residents is "doing business" in the state, and therefore subject to legal mandates of this sort, has been described by the Nevada Supreme Court itself as "often a laborious, fact-intensive inquiry resolved on a case-by-case basis" in litigation. Other commentary: Sidley Austin, Lori MacVittie/DevCentral (cross-posted from Overlawyered).

 

 


Rafael Mangual
Project Manager,
Legal Policy
rmangual@manhattan-institute.org

Katherine Lazarski
Manhattan Institute
klazarski@manhattan-institute.org

 

Published by the Manhattan Institute

The Manhattan Insitute's Center for Legal Policy.