Nevada Deadline on E-Mail Encryption Looming


What happens in Vegas, may stay locked down in Vegas.

On Oct. 1, the state of Nevada will be requiring the encryption of all transmissions, such as e-mail, for all businesses that send personal, identifiable information over the Internet. The statute was signed into law in 2005 and is about to kick in as an enforceable law next month. Three years flies when you're raking in chips at casinos and enjoying the rising popularity of poker.

The Nevada law is stated as such:

NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

As with any law about to go in effect, this one could be bound to catch many Nevada businesses off guard. In parallel, a few IT security vendors that sell encryption software and hardware are lining up to tell the technology media about it.

Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect. Not to mention all the businesses--the vice-ridden ones legal to Nevada only and otherwise--that incorporate in the tax-friendly state. Nevada is the West's version of Delaware (albeit a much sexier state, sorry Delaware).

Beyond the infrastructure impact, the statute itself looks like swiss cheese. Bryce K. Earl, a Las Vegas-based attorney with Santoro, Driggs, Walch, Kearney, Holley & Thompson, has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.

"The statute's lack of specificity with regard to penalties will perhaps create the unintended consequence of opening up more liability," said Earl. That doesn't sound good, but again, nothing has happened just yet.

Earl explained why the broad definition of "encryption" by the state is potentially problematic. Here is the definition from the state's Web site:

NRS 205.4742 "Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

Earl said an argument could be made that a password-protected document sent in an e-mail might be good enough to hold up with the state's broad definition of encryption here. Is that good enough?

Moreover, how the heck will Nevada enforce this?

Earl said at this time it was unclear, but he thinks that the state--which holds legislative session every other year--could address the statute for more clarity next year when the Nevada state government reconvenes. A possible-pending lawsuit may also help to better define the law for clearer interpretation, but as Earl hinted, that doesn't necessarily mean it will help that potential lawsuit.

The challenge for Nevada is that its intentions were good in trying to stem the tide of identity theft and criminal behavior online. But once again, the legal system and the IT industry are faced with potentially bigger compliance and liability issues than they probably intended. The disconnection is real.

As of posting time, representatives of the state had not gotten back to me with comment.

What should businesses do about this issue?

UPDATE: A spokesman for the state has directed me to a state assemblyman (who I will follow up with), but more interestingly, has pointed out this provision in the law:

NRS 193.170 Prohibited act is misdemeanor when no penalty imposed. Whenever the performance of any act is prohibited by any statute, and no penalty for the violation of such statute is imposed, the committing of such act shall be a misdemeanor.


14 Comments for "Nevada Deadline on E-Mail Encryption Looming"

  • sc November 17, 2008 10:43 pm

    Great post Dave, I made a similar point in my article: http://jolt.unc.edu/blog/2008/11/10/nevada%E2%80%99s-encryption-law-how-much-does-it-help Isn't there another problem stemming from the fact that the statute seems to emphasize "encryption" with no concern for the security protocol used?

  • Derek September 23, 2008 8:57 pm

    Tom, you're absolutely right in saying that email isn't as secure as most people believe. And while you're also right about PKI and certificate software being available, Jason is correct in his cost assessment. Furthermore, PKI (and related technologies) are effective only when used properly. The reason we haven't seen full scale adoption of these tools is because they are still unintelligible to many low-tech users. An ideal solution is one with a much easier learning curve. As for the law, I say kudos to the law makers. It's about time we started protecting the personal information currently streaming through unsecured SMTP servers.

  • JJ September 23, 2008 4:09 pm

    Personally I just LOVE their definition of encryption: "Encryption" defined. "Encryption" means the use of any ... disruptive measure, including, without limitation, ... a computer contaminant, to: 1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound; yada yada yada Sooo, I can send someone a contaminant (a malicious program) and if it renders all of their data destroyed, I'm safe because it's encryption allowable under law!

  • Tony Perry September 23, 2008 2:32 pm

    The definition of "Personal Information" under NRS 603A.040 refers to a specific combination of information that can be used to gain access to a person's financial information and/or accounts, steal their identity, etc. Companies who shuffle around data that can be used to access a person's financial information should have already be following best practices for keeping that data safe. If not, then they've got much bigger problems than compliance. They are putting their customers at risk.

  • blessing shumbamhini September 23, 2008 10:01 am

    I think this is a good idea because Email isn't nearly as secure as most people imagine it to be.Anyone in between the sender and the reciver can read the message.However ,there may be challenges in ordinary people understanding how data encryption works.Some people may fail to use the private key which is important for accessing the message from the receiving end.Therefore for this law to be effective, there is need to educate the general public before it is implemented.

Leave a Comment