Nevada law on encryption appears to affect more than just e-mail
Don Sears has an informative blog post on a new Nevada law requiring encryption of all transmissions containing personal, identifiable information by, well, every business in the state. The focus seems to be on e-mail, probably because it's a royal PITA to implement for many folks. A recent study1 conducted by CertifiedMail and Osterman Research found that "among those respondents that can send a manually encrypted email, 22% found doing so somewhat difficult or difficult."
Interestingly enough, the law doesn't specifically call out e-mail. In fact, it's quite open in describing its applicability (IANAL).
On Oct. 1, the state of Nevada will be requiring the encryption of all transmissions, such as e-mail, for all businesses that send personal, identifiable information over the Internet. The statute was signed into law in 2005 and is about to kick in as an enforceable law next month. Three years flies when you're raking in chips at casinos and enjoying the rising popularity of poker.
The Nevada law is stated as such:
NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]
1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
An "electronic transmission" is almost certainly inclusive of web sites as well as e-mail. While most online orders are generally secured using SSL, some account information such as order status, profile, etc... is not always secured in such a fashion.
Similarly, this law likely has an effect on "back office" integration with third-parties, only some of whom might already require SSL and encrypted data exchange. That means this law will likely impact businesses outside of Nevada who electronically exchange information with those in Nevada affected by the law.
Either Nevada businesses are going to be at a big disadvantage next week in the world of electronic commerce, or it simply won't be enforced.
The latter is likely more realistic, at least until someone's personal information is inadvertently shared - a situation the CertifiedMail/Osterman Research study1 found 27% of organizations surveyed had experienced in the last 12 months - and it comes to light that the cause was a business in Nevada that failed to encrypt that data according to the law.
Then this law will probably become a very heavy stick with which more severe penalties can be applied to the offending business than simply the 15 minutes of infamy that seems to be the punishment for mishandling personal information today.
Which may very well have been the goal in the first place.
1 CertifiedMail and Osterman Research conducted an online survey of 205 small, mid-sized and large organizations in North America and Europe. The mean number of employees and email users at the organizations surveyed was 13,257 and 11,119, respectively. Respondents came from a wide range of industries, including manufacturing (18%), financial services (14%), government (11%) and healthcare (8%).
