What is NRS 597.970?

Nevada’s new law NRS 597.970 came into effect on October 1, 2008. It explicitly mandates all businesses to encrypt all personal information that is transmitted electronically. The new law states that all Nevada business shall not transfer personal information of a customer electronically “unless the business uses encryption to ensure the security of electronic transmission”. As defined by NRS 603A.040, personal information includes first name or first initial and last name in combination of one or more of the following: social security number, driver’s license number or identification card number, accounting number, credit or debit card number, in combination with any required security/access code/password that would permit access to an individual’s financial account.

What does it mean?

In other words, the law requires businesses to protect customer’s personal information with encryption while the data is in transmission. A common example would be sending sensitive information through email. With the new law, sending regular email messages and attachments containing customer information would be in violation of the law because standard email does not include any encryption and information is delivered in plain text. As defined by NRS 205.4742, encryption means “the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant”.

See the full text of the law here.

Why does it matter?

If you conduct business in the state of Nevada, it is time to take a look at your data—how are you protecting your data? How do you normally transmit your data? Have you adopted a solution that provides sufficient security and encryption? Although NRS 597.970 is ambiguous when it comes to the definition of businesses in the state of Nevada, companies should still take action and consider an appropriate encryption solution to protect stored and transmitted data. Most states have already enacted data breach notification law, it is most likely that other states will soon follow in Nevada’s footsteps to establish data encryption law. The law does not explicitly state penalties for violation, but violation of the law could easily be argued as negligence in a civil law suit if a customer suffers damages (i.e. identity theft) as a result of a company’s non-compliance.

How LeapFILE can Help

Connect with us to learn more about how LeapFILE's secure file transfer & collaboration solutions can resolve data security compliance issues, get updates on data security regulations and join others in discussions for compliance best practices!

Find out how LeapFILE can help you here.