Nevada Updates Encryption Law to Require Data Security Compliance and Encryption on Data Storage Devices

07/27/2009 / Molly Eichten and *James Graves

Last October, a new Nevada law took effect that required encryption of all personal data in transit. In response to criticisms that the law was too vague, the Nevada legislature recently enacted S.B. 277, clarifying the encryption requirements. While doing so, it also added some new requirements: use of encryption on mobile storage devices, and compliance with the Payment Card Industry Data Security Standard (PCI DSS).

As with the previous law, anyone who does business in Nevada must encrypt any personal data it transmits over the Internet. Unlike the previous law, S.B. 277 specifies that the encryption method must have been adopted by some established standards-setting body and use key management that meets an established standard. The most applicable current standards and guidelines are produced by the National Institute of Standards and Technology (NIST). NIST standards approve most modern encryption methods, but exclude older ciphers such as DES and RC4 (RC4 being the encryption behind the much-maligned WEP wireless security protocol). For more information, see NIST Federal Information Processing Standards (FIPS) Publication 140-2 and Special Publication 800-57 (Part 1, Part 2, and Part 3 (draft)).

The new law also requires businesses to encrypt information on any "data storage device" that leaves their "logical or physical control." This provision may simply be a way of applying the same encryption requirement to personal information whether it is sent through the Internet or on a DVD through the mail, but it could also be read as requiring encryption of personal information on laptops, flash drives, or other mobile media.

S.B. 277 also requires anyone who does business in Nevada and accepts payment cards to comply with PCI DSS. PCI DSS is a set of technical and operational requirements for anyone who stores, processes, or handles payment card data. Businesses that accept payment cards are already required by contract to comply with PCI DSS. Therefore, the new law does not require businesses to do anything related to PCI DSS that they should not be doing already. But because it empowers the Attorney General to obtain an injunction against a non-compliant company, Nevada's law does add a new source of risk for non-compliance.

Anyone who does business in Nevada should verify that all personal data it transmits is encrypted using an approved protocol and that mobile storage devices are similarly encrypted. And businesses that accept payment cards in Nevada now have an additional incentive to remain compliant with PCI DSS.

Nevada's updated encryption law takes effect January 1, 2010.

-- Originally published in Larkin Hoffman's IP/Tech Buzz.

*James Graves is a J.D. candidate at William Mitchell College of Law and is a 2009 summer law clerk at Larkin Hoffman.