A couple of years ago, following the ChoicePoint security breach incident, state legislatures rushed to pass security breach notification laws. Now some states are beginning to mandate encryption for the transmission of personal information. This legislative trend is still in the early stages, but it appears to be gathering momentum.
Nevada is taking the lead in this area with Nevada Revised Statute 597.970, which becomes effective on October 1, 2008. The Nevada law requires encryption in transit for all personal information. Specifically, NRS 597.970 states: "[A] business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission."
The Nevada law does not specify what form of encryption is acceptable, and it is likely to apply to any business with significant contacts with, or business in, Nevada. As a result, the Nevada statute may drive security compliance planning of national companies just as S.B. 1386, California's seminal security breach notification law, once did. Massachusetts has already passed a law mandating encryption and legislatures in Michigan (S.B. 1022) and Washington (H.B. 2838 and H.B. 2574) have introduced similar bills.
Legislating data security measures is a dangerous trend, particularly if these laws start mandating the use of specific encryption standards. Let's hope this emerging trend doesn't lead to a patchwork of varying state encryption requirements.