A Nevada law placing restrictions on the transfer of customer's personal information through electronic transmission went into effect on Wednesday.
The law states that personal information cannot be sent via email from one business to another unless encryption is applied.
Rod Murchison, vice president of marketing and strategic alliances at Code Green Networks, provider of data loss prevention solutions, said the law is ambiguous because some of the terms, including “customer” and “electronic transmission” are not defined. He said “electronic transmission” means email, but it also might include file transferring in instant messaging programs, postings to social networking sites or blogs and more.
“As a consumer, it's encouraging that the state is looking out for customers of companies,” Murchison said. “It's a little troubling, if I put my corporate hat on.”
Murchison said the law is also vague because it does not specify the penalties for not complying. Since the penalties are unspecified, this possibly, “leaves the door wide open for consumers to sue companies for sending out their data,” Murchison said.
Though the law applies to all businesses in Nevada, Murchison said the companies most affected might be health care companies, retail firms and credit unions — anyone holding large customer information files, such as credit card information or health care files.
Avivah Litan, security analyst at Gartner, said the law is beneficial because, “there's a lot of data that is lost in transit whether it's on backup tapes, laptops or being transmitted to service providers.”
She said the ambiguity of the law is a good thing.
“Now someone can sue a company for violating the law and they will define the penalties as the cases come in,” Litan said.