There’s good and bad here. Good is the fact that the state of Nevada passed a law back in 2005 that as of October 1st this year requires that any business in that state must encrypt all communications that contain personally identifiable information. I wish all states would pass such a law.
You’d think that such a law (assuming everybody followed it) would mean that “losing” information sent by email would become almost as uncommon as flash memory was in the early 1980s. Have a look at the law, though, and there’s a problem.
NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]
1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
2. As used in this section:
(a) “Encryption” has the meaning ascribed to it in NRS 205.4742.
(b) “Personal information” has the meaning ascribed to it in NRS 603A.040.
(Added to NRS by 2005, 2506, effective October 1, 2008)
That in itself is good. I consider it something of a “DUH Moment” that any time sensitive or personally identifying information is sent online it should be encrypted, so that only those who are supposed to receive it are able to decrypt and read the data.
The bad part comes when you look at their definition of “encryption”:
NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.
This definition is entirely too broad. It’s actually possible that you could look at this and decide that emailing a password protected Word or PDF file would fit the requirements. The problem with this is that there are a lot of easily available tools that allow anybody to recover the password that will unlock such a document.
If anybody is serious about encryption then the only thing to do is go with a “strong encryption” solution, i.e. the company should get GnuPG, create the needed keypairs and then require that all data containing sensitive or personally identifiable information be encrypted to the public keys of those who are authorized to have that information, so that only their private keys can decrypt it. This way, nobody’s going to get access to something they shouldn’t have. Not even if said email is posted on a public forum, because the content will be encrypted.
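The workflow above, scripted end to end as an added example (not code from the original post): a throwaway keyring per party, a keypair for the authorized recipient, a record encrypted to that recipient’s public key, and a check that an outsider holding no private key cannot read it. The identities and the sample record are constructed for the demo, and GnuPG 2.1 or later is assumed.

```shell
#!/bin/sh
# Added example: the GnuPG workflow the post recommends, run in temporary keyrings.
# Assumes gpg (GnuPG >= 2.1) is on PATH; identities and data below are constructed.

# Generate a keypair for one party inside the given home directory.
make_key() {  # $1 = home dir, $2 = user id
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --quick-generate-key "$2" default default never >/dev/null 2>&1
}

# Encrypt a file to the recipient's PUBLIC key; only the matching private key
# can decrypt it, which is the property the post is after.
encrypt_to() {  # $1 = sender home, $2 = recipient uid, $3 = plaintext, $4 = output
  gpg --homedir "$1" --batch --quiet --yes --trust-model always \
      --recipient "$2" --output "$4" --encrypt "$3" 2>/dev/null
}

decrypt_with() {  # $1 = home holding the private key, $2 = ciphertext
  gpg --homedir "$1" --batch --quiet --pinentry-mode loopback --passphrase '' \
      --decrypt "$2" 2>/dev/null
}

# Round trip: recipient makes a key, sender imports only the public half and
# encrypts a record, the recipient decrypts it, an outsider cannot.
# Prints "ok" on success or "fail:<step>" on the first failed check.
gpg_roundtrip_demo() {
  work=$(mktemp -d) || return 1
  for p in sender recipient outsider; do mkdir -m 700 "$work/$p"; done
  make_key "$work/recipient" "Payroll Clerk <payroll@example.test>" || { echo fail:keygen; return 1; }
  gpg --homedir "$work/recipient" --batch --quiet --export payroll@example.test \
    | gpg --homedir "$work/sender" --batch --quiet --import 2>/dev/null
  printf 'SSN: 000-00-0000 (constructed sample)\n' > "$work/record.txt"
  encrypt_to "$work/sender" payroll@example.test "$work/record.txt" "$work/record.gpg" || { echo fail:encrypt; return 1; }
  # The ciphertext must not carry the plaintext.
  grep -q '000-00-0000' "$work/record.gpg" && { echo fail:leak; return 1; }
  # Outsider has no private key, so decryption must fail.
  decrypt_with "$work/outsider" "$work/record.gpg" >/dev/null && { echo fail:outsider; return 1; }
  # Authorized recipient recovers the record exactly.
  decrypt_with "$work/recipient" "$work/record.gpg" > "$work/out.txt" || { echo fail:decrypt; return 1; }
  cmp -s "$work/record.txt" "$work/out.txt" || { echo fail:mismatch; return 1; }
  for p in sender recipient outsider; do gpgconf --homedir "$work/$p" --kill all 2>/dev/null || true; done
  rm -rf "$work"
  echo ok
}

command -v gpg >/dev/null 2>&1 && gpg_roundtrip_demo
```

The same split applies in production: staff keep their private keys, the business distributes only public keys, and anything containing personal information is encrypted to the keys of the people entitled to read it.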