For the first time in the United States, a law specifies that encryption be used for the transmission of any electronic data. Nevada's NRS 597.970, which went into effect on Oct. 1, states: “A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”
While 39 states have already passed data protection laws, most requiring disclosure of breaches, and several other states with data laws introduced, Nevada's statute is thought to be the first law requiring encryption of transmitted data.
But a consensus is hard to reach on what effect this law might have.
“This isn't that different from HIPAA or GLBA restrictions on the transmission of personal health information or financial info or state customer information disclosure laws,” says Peter Firstbrook, a research director at Gartner. “So if companies are complying with those regulations, they should have the ability to adjust their policy to comply with this law. I suspect other states will follow and it would be nice if they harmonized the laws so that it was easier for companies to certify compliance. This will likely be harder for small business to comply with.”
Phil Neray, vice president of marketing at Guardium, echoes Firstbrook, saying that any business governed by PCI is already encrypting data in transit in order to be compliant. While he says any law that encourages better security is a good thing, he argues that hackers are looking for bigger targets than email attachments.
“The focus should be on areas that have potential for massive data breaches, like data centers,” he says. “Thieves and organized crime are not looking for retailers sending Social Security numbers in email, they're looking for databases containing sensitive information.”
Therefore, companies and regulators need to implement tighter controls around corporate databases. “From a security and controls point of view, as well as a regulatory point of view, he says.
Bryce K. Earl, an attorney with Las Vegas-based firm Santoro, Driggs, Walch, Kearney, Holley & Thompson, agrees that this law is a good first step, though he concedes that there are issues with a lack of clarity in terms such as “customer” and “electronic transmission.”
But Avivah Litan, security analyst at Gartner, argues that the ambiguity of the law is a good thing. “There's a lot of data that is lost in transit whether it's on backup tapes, laptops or being transmitted to service providers. Now someone can sue a company for violating the law and they will define the penalties as the cases come in,” she says.
“First of all, it seems to me that the Nevada law is a good idea,” says Ed Moyle, a founding partner of Amherst, N.H.-based SecurityCurve. “Pretty much all it says is that if you're doing business in Nevada, and you send personal information electronically outside the ‘secure system' of that business, that you need to encrypt that data. Really, it's a pretty low bar when you think about it. It's what you'd expect and hope the businesses that transmit your personal data to be doing in the first place.”
Insofar as it's impact on information security generally, that's where Moyle think it really gets interesting. “The specifics of who and what the law applies to leave some room for interpretation. The law states ‘personal information of a customer' must be encrypted. That could apply to any customer - Nevada resident or not. In addition, the law just says that a business ‘in this state' must comply. That's pretty wide. Does a retail chain based in New York with locations in Nevada count? It could. I think we'll need to look to the courts to see how it plays out in practice.”
But it's the way that businesses are likely to react that Moyle thinks is game-changing for information security. And that's because business have generally given state laws wide latitude in their responses, he says.
“In other words, they have tended to err on the side of caution in interpreting how state laws apply to them,” he says. “For example, when SB-1386 was first adopted in California, we saw quite a few businesses interpreting the law generally and applying the same disclosure rules for all customers whether they were residents of California or not. It seems to me that businesses are likely to have the same reaction here. There's a good chance that we'll see businesses (particularly larger businesses) decide to err on the side of caution and implement encryption for data transfer in states outside of Nevada.”
Moyle is hopeful that other states will recognize the value of having a law like this on the books. As a consumer, he expects that businesses will protect his data, but a state putting the stake in the ground and mandating minimum protections -- that's a win for consumers, he says.
“For businesses, it makes life a little more complicated. It means they need to take stock of how they're doing electronic data transfers and make sure that they're doing the right thing. But they're not likely to complain too much about it. After all, that'd be admitting that they don't have these protections in place already.”
Others find the Nevada law an interesting development, not for the specific law, but for the broader context – a wave of legislation protecting personal information. Ted Julian, vice president of strategy and marketing for New York-based Application Security, says the law offers guidance, but only for data in transit.
He points to a more sweeping piece of legislation, Executive order no. 504, that will become effective in Massachusetts on Jan. 1, 2009. This law, he says, will raise the hurdle for security requirements for any company handling personal information of residents of the state.
“The key difference is that it is far more detailed than the Nevada law. It includes encryption for data at rest and for systems that house personal information, and requires monitoring of the use of systems to detect incidents that might put data at risk,” he says.
While the Nevada law goes a long way to guide enterprises in the transfer of data, many point to the vagaries of the legislation as a need for a federal, comprehensive data protection law with a consistent set of definitions. For example, House Concurrent Resolution 425 proposes stronger federal data protection legislation emphasizing mandatory encryption.
While Nevada attorney Earl agrees that the state law leaves some terms vague, he expresses reservations about whether a federal law is necessary. “There are too many laws. It may be beneficial to determine the effectiveness and results of the Nevada statute before we attempt to initiate federal legislation without resolving some of the concerns with this Nevada statute,” says Earl.
Gartner's Firstbrook believes other states will copy the Nevada legislation, and that this law and others like it will make in-transit data encryption the new “standard of due care” in litigation.
Application Security's Julian offers a different perspective. “A single federal standard has to be the endpoint we're moving toward, rather than a patchwork of 50 state laws,” he says, adding that the states' passage of individual laws will force progress in that general direction.
“I hope companies will use this to be proactive in securing personal information,” Bryce says. “My concern is, I don't know how many people know about it. Will consumers and businesses catch on to ask, ‘Have you become compliant with the law?'”