Nevada Enacts Encryption Law For Data Transmission
7:32 PM EST Wed. Oct. 01, 2008
Nevada put into effect Wednesday the nation's first data encryption law, which prohibits businesses from electronically transferring customers' personal data outside their organization unless it is encrypted.
Nevada defines "personal information" as a person's first and last name combined with Social Security, driver's license or bank account, credit or debit card numbers accompanied by a security code or password that allows an unauthorized user to have access to the account -- all of which now need to be encrypted when being transferred electronically. The new law makes an exception for the transmission of data via fax machine.
Specifically, the law requires businesses to encrypt customers' personal data when transmitted to a location "outside of the secure system of the business," which could include e-mail and data file transfers, or other communications sent outside the local network, experts say. Nevada lawmakers have not yet clarified the definition of "secure system of the business."
While the new law requires businesses to encrypt personal customer data in motion, it does not require that same information be encrypted while it is at rest. More than 40 states have already enacted various data breach laws, and a few, including California, have adopted encryption statutes protecting customer data when it is stored on devices such as PCs, tapes, servers and laptops.
Phillip Dunkelberger, CEO of PGP Corp., which specializes in enterprise data encryption solutions, maintained that in light of a significant spike in reported data breaches over the last two years, other states will likely follow Nevada's lead to enact encryption laws that protect data in motion. However, he said that while the Nevada statute is a step in the right direction, it will do little to keep businesses safe if administrators aren't aware of their own security needs.
"It's a great first step for awareness, but I don't know if it's really going to improve security," said Dunkelberger. "The businesses themselves are going to have to look at their view of data -- how are they protecting the data in use, both in transit and at rest. If they're not compliant on those things, all the laws in the world aren't going to make them more secure."
For many SMBs trying to sustain their businesses, the new encryption mandates could come as an abrupt wake-up call, Dunkelberger said, especially as businesses are increasingly required to determine where their data is stored, classify what is most important, and then acquire the appropriate new technologies in order to keep it safe.
Dunkelberger said that it will be incumbent upon channel partners to educate their customers, and provide solutions that will protect and secure their data. Consequently, the new Nevada law will also give channel partners opportunities to begin conversations about data protection, and enable them to add encryption as one more tool in their portfolio.
Those who sell e-mail solutions can now offer e-mail encryption. Those who specialize in FTP servers and shared data storage can now go back and sell file encryption, Dunkelberger said.
"The big thing is (customers) are starting to realize data isn't just lost on tapes or laptops," he said. "You're seeing a lot more information lost over e-mail than on PCs."
How enforceable Nevada's new law will be remains to be determined.