Nevada Law Requires Encryption of Emails with Personal Info about Clients
As of October 1, the state of Nevada requires the encryption of all transmissions, such as e-mail, for all businesses that send personal, identifiable information over the Internet. Violations are criminal misdemeanors.
It's all in Title 52 - Trade Regulations and Practices, Chapter 597 - Miscellaneous Trade Regulations and Prohibited Acts. The Nevada law states:
"A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission."
As with any new law, this one could catch many Nevada businesses off guard. The statute will affect all the law firms, hotels, resorts, golf courses, nightclubs, check cashing companies, ski lodges and small businesses that incorporate in the tax-friendly state. Nevada is the West's version of Delaware.
Bryce K. Earl, a Las Vegas-based attorney with Santoro, Driggs, Walch, Kearney, Holley & Thompson, has been following the issue closely and believes there are some problems with the statute as it is on the books right now: the broad definition of encryption, the lack of coordination with industry standards, and the unclear nature of the penalties, both criminal and civil.
"The statute's lack of specificity with regard to penalties will perhaps create the unintended consequence of opening up more liability," said Earl. He explained why the broad definition of "encryption" by the state is potentially problematic. Here is the definition from the state's Web site:
NRS 205.4742 "Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.
Earl said an argument could be made that a password-protected document sent in an e-mail might be good enough to hold up with the state's broad definition of encryption here. Is that good enough? Moreover, how will Nevada enforce this?
The statute was designed to stop identity theft and online criminal behavior. But once again, the legal system and the IT industry are faced with potentially bigger compliance and liability issues than they probably intended.
I can recommend an email system that has an encryption option that very easily click encrypts any attachment. Give me a call at 630.942.0977.
Larry,
Your headline is very misleading - this law does NOT say that ALL email about clients must be encrypted. The law restricts the requirement for encryption only to those communications with personal information that is transmitted to a person outside of your business (i.e. email to your firm partners or associates is not included here if the email is hosted on your internal systems).
Nevada law then goes on to define 'personal information' as information, when included in a communication that includes the person's first name or first initial combined with their last name and also combined with specific information: Social Security #, driver's license # or ID card #, or account number/credit card number/debit card number in combination with the required security code/access code/password that would permit access to the person's financial account. (See NRS 603A.040).
So basically, to avoid violating the law, don't send an email outside of your business system that includes the person's name along with any of the above information and you're fine. If you do, such as loan documents, immigration paperwork, or other documents sent to clients for their review or review by opposing or coordinating counsel that might include this information - the 'encryption' requirement would appear to be satisfied by simply password protecting any documents you send using MS Word/Acrobat/WordPerfect's built-in ability to password protect a document from reading without a password - because that would be a 'protective measure' that would 'prevent, impede, delay, or disrupt' access to the information.
Of course, though, I am not the person that would prosecute such a violation nor am I the attorney of whoever reads my comments, so anyone doing so should consult their own competent attorney/counsel.
William