While other states have previously passed laws that recommended that businesses consider the protection of a customer's data, Nevada has now become the first state to require all businesses in the state to encrypt the electronic transmission of a customer's personal information, effective October 1, 2008. For all its novelty, the new law raises many questions and uncertainties in its practical application by businesses.
Briefly, NRS 597.970 ("Restrictions on transfer of personal information through electronic transmission") states that a "business in this state shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission." Though the law is succinct and specific in its language and obligation, it provides little guidance or definition by which a business can determine whether and to what extent the law applies to its operations.
The new law adopts the definition of "personal information" from NRS 603A.040 to include a natural person's first name or initial and last name in combination with one or more of the following "data elements:" (i) social security number; (ii) driver's license number or identification card number; and/or (iii) account, credit or debit card number in combination with any security code, access code or password that would permit access to the person's financial account. "Personal information" does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.
The law also defines "encryption" (NRS 205.4742) to mean "the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant" that effectively prevents access to the personal data or information.
Notwithstanding these definitions, the rest of the new law presents the following issues:
- The law does not define what constitutes a "business in this state." As such, it is not clear whether this law only applies to businesses located in Nevada or includes any business located elsewhere that does business with customers in Nevada.
- It is not clear whether a "customer" must be a Nevada resident or may include persons living elsewhere whose personal information is transmitted by a business in Nevada.
- While the law clearly excludes faxes, it does not specify whether an "electronic transmission" of personal information is limited to e-mail and other computer transmissions, or also covers transmission by telephone or other media.
- The law prohibits the transmission of information "outside of the secure system of the business," but does not define what constitutes a "secure system."
- Though the law imposes strict compliance on a business, it does not define any penalty or sanction for a violation of the law, or indicate what agency would be charged with enforcement of the law. Nevertheless, it is likely that any violation of the law would be evidence of liability for damages in a civil action by a customer whose personal information was breached as a result.
The only clear advice about this new law is that all businesses should proceed with caution and err on the side of full compliance until such time as the law is either clarified by regulations or interpreted by a court. Until it can be determined to whom and how the law should be applied, any business that attempts to cut corners with this law risks becoming the "test case" for this cutting-edge Nevada law.