Primer on Nevada's Encryption and Breach Notification Laws

By Alex Teu

I conducted a webinar last week that covered Nevada's encryption and breach notification laws. Nevada's encryption law is what is garnering all the attention, but people forget that the breach notification law has significant application, especially in defining "personal information" and prescribing what to do when there is a breach. Nevada businesses, and businesses anywhere with clients residing in Nevada, need to take stock of both.

Nev. Rev. Stat. § 603A.220

Nevada's breach notification law became effective on October 1, 2005; Nevada is now one of 45 states to have one in place. The only states with no security breach law are Alabama, Kentucky, Mississippi, New Mexico and South Dakota.

The statute defines "breach" as an unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of "personal information" maintained by the Nevada business entity. In turn, "personal information" is defined as an individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
(1) SSN;
(2) Driver's license number or ID card number;
(3) Bank account number, credit or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

Personal information does not include the last four digits of an SSN or publicly available information that is lawfully made available to the general public.
 
The statute is in line with most other states, in that written notice must be provided to the affected consumer in the "most expedient time possible and without unreasonable delay". A delay that may be reasonable typically refers to a situation that requires the involvement of law enforcement because of possible criminal liability. The statute also provides that notice to consumer reporting agencies is required if the actual or imminent breach affects more than 1000 consumers.

One of the criticisms of the breach notification statute is its lack of teeth. The statute authorizes the Attorney General to bring an action to stop a continuing or impending violation, but it provides no private right of action and no recovery of damages. Nonetheless, the law should still bite through the potential embarrassment and media coverage of a data breach. This kind of news can damage a business's reputation and client confidence, and ultimately bring down a firm.

Nev. Rev. Stat. § 597.970

Nevada was the first state to pass an encryption law, effective January 1, 2008. Massachusetts has since passed an encryption law, so there are now two states that make it a violation merely to transmit customer information in an unencrypted format, even if there is no actual breach of customer information. There is much debate about whether this is a good thing. What is clear to me, however, is that other states will follow suit as reports of security breaches make the evening news and the resulting million-dollar liabilities force state legislatures to take further prescriptive action.

The Nevada encryption law, however, lacks teeth as well as direction. It simply provides: "A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission."

The "personal information" covered by the Nevada encryption law is the same as defined above in the state's security breach notification law. The Nevada encryption law, however, does not define a "customer." Because neither "personal information" nor "customer" is specifically limited to a Nevada resident, the law could be interpreted as applying to "any personal information of a customer," regardless of where the customer resides. The law also does not define "encryption." On top of this, the law does not include any specific penalty provisions, making it unclear what types of sanctions may be imposed on companies for violations.

Given the lack of guidance and lack of teeth, Nevada businesses are left to wonder out loud whether the legislature was serious about the law or whether it was meant to be merely symbolic.

Nev. Senate Bill 227

Then came SB 227, which becomes effective January 1, 2010, and repeals the existing statute as of that date. It seems that this revised statute was intended to cure the shortcomings the original encryption statute suffered from the first time around.

The new encryption law expands what must be encrypted. It requires businesses to use encryption when data storage devices that contain personal information are moved beyond the physical or logical controls of the business, in addition to continuing to require that personal information be encrypted if it is transferred outside the secure system of the business. A "data storage device" is any device that stores information on an electronic or optical medium. This includes, but is not limited to, computers, cellular phones, and thumb drives.

Significantly, by taking out the reference to "customer", the new law appears also to expand the original encryption requirement to both customer and non-customer personal information.

This time around, the Nevada law defines encryption as "the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer containment, to: (1) [p]revent, impede, delay or disrupt access to any data, information, image, program, signal or sound; (2) [c]ause or make any data, information, image, program, signal or sound unintelligible or unusable; or (3) [p]revent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network." The statute does not mandate any specific type of encryption technology.

Effectively, the new encryption law creates a potential safe harbor against liability for damages resulting from a security breach, if the breach arises out of encrypted data.

Businesses that accept payment cards should also take note that the new law goes one step further by requiring compliance with the Payment Card Industry Data Security Standard ("PCI DSS"). It is unclear whether compliance with PCI DSS relieves them of any liability under either the breach notification or the encryption statute.