Recently I made a post on the new Nevada data security law, NRS §597.970, which required the encryption of personal data transmitted electronically. On May 29, Nevada’s governor signed Senate Bill 227, which repeals §597.970 and replaces it with a more rigorously drafted encryption law. The new law requires a “data collector doing business in this State” to comply with the Payment Card Industry Data Security Standard (which requires encryption of cardholder data when transmitted wirelessly and in certain other circumstances) with respect to transactions where it accepts a payment card in connection with a sale of goods or services. The law also requires data collectors that collect, handle or deal with personal information in other contexts to encrypt such information if transmitted electronically “through an electronic, nonvoice transmission other than a facsimile” outside of the data collector’s secure system.
A data collector must also encrypt personal information stored on any data storage device or medium (including a laptop, flash or USB drive, mobile phone, CD-ROM or magnetic tape) that is moved “beyond the logical or physical controls” of the data collector or its data storage vendor. Unlike the previous encryption law, the new law defines encryption as requiring the use of cryptographic keys to decipher the data, and it requires that both the encryption technology and the key management procedures meet established standards.
Compliance with the law will insulate a data collector from liability for damages for a data breach, unless the data breach is caused by gross negligence or intentional misconduct (an extremely high standard of proof from a plaintiff’s standpoint). The new law, which contains exclusions for telecommunications providers and certain financial account payment processing and reporting activities conducted over a secure private channel, is set to go into effect on January 1, 2010.