Nevada toughens data protection law with crypto, PCI requirements

By Phone user

Some news about the protection law! Read!

Nevada is getting serious about mandating the use of encryption to secure personal information. On May 29, Gov. Jim Gibbons signed into law Senate Bill No. 227, repealing NRS 597.970, the data protection law that had been in effect for less than a year. Among other things, the new law requires data collectors to use cryptographic key technology that meets established industry standards and, if they accept credit or debit cards, to comply with the Payment Card Industry Data Security Standard (PCI DSS) with respect to those transactions.

In late 2007 Nevada became one of two states in the country (the other being Massachusetts) to depart from a technology-neutral regulatory standard and specifically require the use of encryption to protect certain data transfers. The original Nevada data protection law, which became effective Oct. 1, 2008, provided that businesses could not electronically transmit “any personal information of a customer” (other than by fax) “outside of the secure system of the business” unless encryption was used to ensure the security of the transmission.

Personal information means unencrypted information consisting of an individual’s last name and first name (or first initial), combined with his or her Social Security number, driver’s license or identification card number, or financial account number plus password or access code.

A fax containing personal information that is received by a fax service and re-transmitted to a laptop or mobile phone as an email needs to be encrypted upon re-transmission. In addition, it is unclear how the statute applies to the use of third-party Internet fax services like eFax; businesses that rely on such services may need to encrypt personal information sent through them, since, literally speaking, transmission and reception of data by means of such services requires the data to pass outside of the business's secure system.

The new style of state information security regulation is more aggressive in some ways than the pervasive but flexible risk assessment-based strategy favored up to now by federal banking regulators. Increasingly, therefore, financial institutions and other members of the financial industry will have to look to state information security law, and not just federal and state banking guidelines, in crafting the architecture and features of their security programs.
