Nevada Deadline on E-Mail Encryption Looming
What happens in Vegas, may stay locked down in Vegas.
On Oct. 1, the state of Nevada will be requiring the encryption of all transmissions, such as e-mail, for all businesses that send personal, identifiable information over the Internet. The statute was signed into law in 2005 and is about to kick in as an enforceable law next month. Three years flies when you're raking in chips at casinos and enjoying the rising popularity of poker.
The Nevada law is stated as such:
As with any law about to go in effect, this one could be bound to catch many Nevada businesses off guard. In parallel, a few IT security vendors that sell encryption software and hardware are lining up to tell the technology media about it.
NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]
1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect. Not to mention all the businesses--the vice-ridden ones legal to Nevada only and otherwise--that incorporate in the tax-friendly state. Nevada is the West's version of Delaware (albeit a much sexier state, sorry Delaware).
Beyond the infrastructure impact, the statute itself looks like swiss cheese. Bryce K. Earl, a Las Vegas-based attorney with Santoro, Driggs, Walch, Kearney, Holley & Thompson, has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.
"The statute's lack of specificity with regard to penalties will perhaps create the unintended consequence of opening up more liability," said Earl. That doesn't sound good, but again, nothing has happened just yet.
Earl explained why the broad definition of "encryption" by the state is potentially problematic. Here is the definition from the state's Web site:
NRS 205.4742 "Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.
Earl said an argument could be made that a password-protected document sent in an e-mail might be good enough to hold up with the state's broad definition of encryption here. Is that good enough?
Moreover, how the heck will Nevada enforce this?
Earl said at this time it was unclear, but he thinks that the state--which holds legislative session every other year--could address the statute for more clarity next year when the Nevada state government reconvenes. A possible-pending lawsuit may also help to better define the law for clearer interpretation, but as Earl hinted, that doesn't necessarily mean it will help that potential lawsuit.
The challenge for Nevada is that its intentions were good in trying to stem the tide of identity theft and criminal behavior online. But once again, the legal system and the IT industry are faced with potentially bigger compliance and liability issues than they probably intended. The disconnection is real.
As of posting time, representatives of the state had not gotten back to me with comment.
What should businesses do about this issue?
UPDATE: A spokesman for the state has directed me to a state assemblyman (who I will follow up with), but more interestingly, has pointed out this provision in the law:
NRS 193.170 Prohibited act is misdemeanor when no penalty imposed. Whenever the performance of any act is prohibited by any statute, and no penalty for the violation of such statute is imposed, the committing of such act shall be a misdemeanor.