Bottom Line Ziff Davis Enterprise
Friday, September 19, 2008 2:14 PM/EST

Nevada Deadline on E-Mail Encryption Looming

What happens in Vegas may stay locked down in Vegas.

On Oct. 1, the state of Nevada will require the encryption of all electronic transmissions, such as e-mail, by any business that sends personal, identifiable information over the Internet. The statute was signed into law in 2005 and becomes enforceable next month. Three years fly by when you're raking in chips at the casinos and enjoying the rising popularity of poker.

The Nevada law is stated as such:

NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
As with any law about to go into effect, this one is bound to catch many Nevada businesses off guard. In parallel, a few IT security vendors that sell encryption software and hardware are lining up to tell the technology media about it.

Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check-cashing outlets, ski lodges and small businesses this is going to affect. Not to mention all the businesses--the vice-ridden ones legal in Nevada only, and otherwise--that incorporate in the tax-friendly state. Nevada is the West's version of Delaware (albeit a much sexier state; sorry, Delaware).

Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney with Santoro, Driggs, Walch, Kearney, Holley & Thompson, has been following the issue closely and believes there are problems with the statute as it stands on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards, and the unclear nature of penalties, both criminal and civil.

"The statute's lack of specificity with regard to penalties will perhaps create the unintended consequence of opening up more liability," said Earl. That doesn't sound good, but again, nothing has happened just yet.

Earl explained why the broad definition of "encryption" by the state is potentially problematic. Here is the definition from the state's Web site:

NRS 205.4742 "Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

Earl said an argument could be made that a password-protected document sent in an e-mail would satisfy the state's broad definition of encryption here. Is that good enough?

Moreover, how the heck will Nevada enforce this?

Earl said that at this time it is unclear, but he thinks the state--which holds a legislative session every other year--could revisit the statute for more clarity next year when the Nevada state government reconvenes. A possible pending lawsuit may also help to define the law for clearer interpretation, but as Earl hinted, that doesn't necessarily mean it will help that potential lawsuit.

The challenge for Nevada is that its intentions were good: it was trying to stem the tide of identity theft and criminal behavior online. But once again, the legal system and the IT industry are faced with potentially bigger compliance and liability issues than were probably intended. The disconnect is real.

As of posting time, representatives of the state had not gotten back to me with comment.

What should businesses do about this issue?

UPDATE: A spokesman for the state has directed me to a state assemblyman (with whom I will follow up) but, more interestingly, has pointed out this provision in the law:

NRS 193.170 Prohibited act is misdemeanor when no penalty imposed. Whenever the performance of any act is prohibited by any statute, and no penalty for the violation of such statute is imposed, the committing of such act shall be a misdemeanor.


Comments (14)

This should have been done years ago. Email isn't nearly as secure as most people imagine it to be; anyone between the sender and the receiver can read it easily. Easy-to-use encryption mechanisms are already featured in the majority of email clients.

There has been a high barrier of entry to using encryption in the workplace - not because it's unavailable but because people don't understand how to use it and why. There are many benefits from ubiquitous encryption technology, including fraud detection that would go far against the phishing exploits so common these days - not to mention spam in general.

Any organization can implement this with zero licensing cost, as certificate authority software is available for free, and the technology is widely implemented. Of course, there will always be a cost in training and implementation. But a risk-benefit analysis should be easy enough. What company doesn't send email they don't want the world to read?

I applaud this move by Nevada lawmakers and hope other states will follow suit as quickly as possible.

Jason :

Tom, the problem is that poorly implemented infrastructure creates a false sense of security. Nowhere is this more visible right now than in the financial markets. In my mind it is better to say we're naked, and act as if we're naked, than armored.

Furthermore, the costs to Nevada businesses will be large. There is now a need for every organization to set up a Private Key Infrastructure (PKI) (if one is to do it right), train employees on the proper use of public and private keys and on the software to accomplish the encryption with. Sadly, as someone who has used such software, it is still overly complicated for secretaries and the computer illiterate. Until it is just a checkbox to the end user ([ ] Encrypt this email and attachments) there will be pain (costs) all around.

Some people have suggested silly measures such as a password-protected zip file sent with the password. Mr. Earl kind of alludes to such a "work-around" solution. However, the law says you must use "encryption to ensure the security of electronic transmission." I doubt you can just use a gimmick to comply with the letter of the law. The language clearly says the intent of the encryption is to ensure security rather than to encrypt for the sake of encrypting.

Chris :

Nevada is turning into California, and this is sad.

The State of Nevada is doing a poor (actually nonexistent) job of informing businesses about this. This is a crazy, unenforceable law that creates more problems than it solves.

Implementing the encryption on the part of the business is easy enough. But how do we explain to our customers how this works and why they can't read the message? They have enough trouble reading and understanding plain-text emails that aren't encrypted.

Brian :

The law should have cited FIPS 140-2 for any approved software/hardware encryption tools. PGP is an example that holds FIPS 140-2 level 3. As the author stated, a simple password-protected Word document could be construed as sufficient means per the law. The vague law leaves plenty of room for judges to interpret the law, which is a bad idea. The problem I see is: how do businesses conduct commerce with other businesses outside the state of Nevada? I understand the state legislature's position to protect personal information, but passing a law that is flawed is not the right way to solve the problem.

Hoss :

Tom, what did you get your bachelor's degree in? Because clearly you have NFC as to what you're talking about. Go buy a new suit and play 18 holes of golf with a politician. This is an industry standards engineering problem, which cannot be solved by legislation. All this does is drive IT out of Nevada and generally hurt local businesses. If you (Tom) want to help solve the problem - go get an engineering degree - also - know WTF you're talking about before you post!

~Hoss~

stine :

It is actually simpler than that; it would require Nevada re-writing their law to ensure that ISPs are also required to do this. At this point, every user's cable modem (or equivalent) will use ESP or SSL to connect to all servers, making ALL traffic passing through the internet encrypted, and only readable* on the user's computer and the server to which they are connected... problem solved.

stine


* this assumes that you trust your teenagers and also the companies that are running the websites that you visit.

Dave :

This is nonsensical. If "encoding" means anything different from "enciphering", then everything on a computer is already "encoded" - e.g. emails are sent using the ASCII encoding, or mime or base-64.

This message has been encoded with ROT-0. Does that make it pass under the new law?
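Dave's point above (that "encoding" in the statute's definition covers transformations such as base64 or ROT-0 that hide nothing) can be made concrete. The following is an added illustration, not code from the blog post or from any commenter: it runs a constructed sample message through a keyless encoding (base64, as MIME mail uses), an identity "cipher" (ROT-0), and a genuine keyed cipher (a one-time pad, chosen only because it is a real cipher available from the Python standard library), and reports in each case whether a third party holding no secret recovers the message. The sample message and function names are constructed for this example.

```python
"""Encoding versus encryption: a keyless transform is not a confidentiality measure.

Added illustration; the sample message below is constructed and the one-time pad
stands in for whatever real cipher (TLS, S/MIME, PGP) a deployment would use.
"""
import base64
import secrets
import string

# Constructed sample of the kind of "personal information" the statute covers.
SAMPLE_MESSAGE = b"Customer: Jane Doe, card ending 4242, DOB 1970-01-01"


def rot_n(text: str, n: int) -> str:
    """Caesar rotation of ASCII letters by n places. ROT-0 is the identity map."""
    out = []
    for ch in text:
        if ch in string.ascii_lowercase:
            out.append(chr((ord(ch) - ord("a") + n) % 26 + ord("a")))
        elif ch in string.ascii_uppercase:
            out.append(chr((ord(ch) - ord("A") + n) % 26 + ord("A")))
        else:
            out.append(ch)
    return "".join(out)


def encode_base64(data: bytes) -> bytes:
    """Base64 "encoding": a public, keyless mapping used for MIME bodies."""
    return base64.b64encode(data)


def eavesdropper_reads_base64(encoded: bytes) -> bytes:
    """What anyone on the path does with a base64 body: decode it. No secret needed."""
    return base64.b64decode(encoded)


def new_pad(length: int) -> bytes:
    """Random key as long as the message, to be used exactly once."""
    return secrets.token_bytes(length)


def otp_encrypt(plaintext: bytes, key: bytes) -> bytes:
    """One-time pad: XOR each message byte with a fresh random key byte."""
    if len(key) < len(plaintext):
        raise ValueError("one-time pad key must be at least as long as the message")
    return bytes(p ^ k for p, k in zip(plaintext, key))


# XOR is its own inverse, so decryption is the same operation as encryption.
otp_decrypt = otp_encrypt


def eavesdropper_reads_otp(ciphertext: bytes) -> bytes:
    """Without the key, the best a third party can do is guess one; the result is noise."""
    return otp_decrypt(ciphertext, new_pad(len(ciphertext)))


def compare_measures(message: bytes = SAMPLE_MESSAGE) -> dict:
    """For each measure, report whether a party holding no secret recovers the message."""
    text = message.decode("ascii")
    key = new_pad(len(message))
    ciphertext = otp_encrypt(message, key)
    return {
        "rot0_recovered": rot_n(text, 0) == text,  # identity: nothing was hidden
        "base64_recovered": eavesdropper_reads_base64(encode_base64(message)) == message,
        "otp_recovered_with_key": otp_decrypt(ciphertext, key) == message,
        "otp_recovered_without_key": eavesdropper_reads_otp(ciphertext) == message,
    }


if __name__ == "__main__":
    for measure, recovered in compare_measures().items():
        print(f"{measure}: {recovered}")
```

The first two rows come back `True` and the last comes back `False`: only the keyed cipher denies the message to someone who lacks the key, which is the property "ensure the security of electronic transmission" is asking for. A production deployment would reach the same property with an authenticated, standardized cipher suite (TLS for the hop between mail servers, S/MIME or PGP for the message itself) rather than a hand-rolled pad.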

B :

"1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission."


Sounds like TLS to me. I don't see what the big deal is. Then again, I notice a lot of people don't even get things like reverse DNS set up correctly for email servers, or check for forward-matching hosts to go with those reverse setups. If they can't generate a public/private key or go to one of the SSL players to get a certificate, they shouldn't be administering the servers.

A PKI infrastructure is a bit excessive. A simple cert will do the job fine.

blessing shumbamhini :

I think this is a good idea because email isn't nearly as secure as most people imagine it to be. Anyone in between the sender and the receiver can read the message. However, there may be challenges in ordinary people understanding how data encryption works. Some people may fail to use the private key, which is important for accessing the message at the receiving end. Therefore, for this law to be effective, there is a need to educate the general public before it is implemented.

Tony Perry :

The definition of "Personal Information" under NRS 603A.040 refers to a specific combination of information that can be used to gain access to a person's financial information and/or accounts, steal their identity, etc.

Companies that shuffle around data that can be used to access a person's financial information should already be following best practices for keeping that data safe. If not, then they've got much bigger problems than compliance. They are putting their customers at risk.

JJ :

Personally I just LOVE their definition of encryption:

"Encryption" defined. "Encryption" means the use of any ... disruptive measure, including, without limitation, ... a computer contaminant, to:

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound; yada yada yada

Sooo, I can send someone a contaminant (a malicious program) and if it renders all of their data destroyed, I'm safe because it's encryption allowable under law!

Derek :

Tom, you're absolutely right in saying that email isn't as secure as most people believe. And while you're also right about PKI and certificate software being available, Jason is correct in his cost assessment.

Furthermore, PKI (and related technologies) are effective only when used properly. The reason we haven't seen full scale adoption of these tools is because they are still unintelligible to many low-tech users.

An ideal solution is one with a much easier learning curve.

As for the law, I say kudos to the law makers. It's about time we started protecting the personal information currently streaming through unsecured SMTP servers.

sc :

Great post Dave, I made a similar point in my article:

http://jolt.unc.edu/blog/2008/11/10/nevada%E2%80%99s-encryption-law-how-much-does-it-help

Isn't there another problem stemming from the fact that the statute seems to emphasize "encryption" with no concern for the security protocol used?
