Forgot your password?
typodupeerror
Encryption Businesses Privacy Security United States

Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st 178

Posted by Soulskill
from the wouldn't-bet-on-it dept.
dtothes writes "Baseline is reporting the state of Nevada has a statute about to go in effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"
This discussion has been archived. No new comments can be posted.

Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st

Comments Filter:
  • I wonder . . . (Score:4, Interesting)

    by base3 (539820) on Monday September 22, 2008 @03:55PM (#25109679)
    . . . which Nevada legislator's friend or relative just happens to sell some kind of compliant encryption solution.
    • Re: (Score:2, Insightful)

      Forget selling software. The real money comes from selective prosecution of offenders.

      This law is absurd, an only goes to demonstrate how insane everyone on this planet is. An email address is potentially personally identifiable information. So is an IP address. So is a password.

      So based on this legislation, resetting a users password and sending them the new password via email is illegal?

      • by clone53421 (1310749) on Monday September 22, 2008 @04:06PM (#25109893) Journal

        You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.

      • Re:I wonder . . . (Score:5, Informative)

        by Ferzerp (83619) on Monday September 22, 2008 @04:22PM (#25110153)

        RTFL. There is "personal information"

              NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

                    1. Social security number.

                    2. Driver's license number or identification card number.

                    3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

        Ê The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

                    (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

        • Re: (Score:2, Informative)

          by Anonymous Coward

          Thats just "Personal Information". "Personal identifying information" is defined as follows:

          NRS 205.4617 "Personal identifying information" defined.

          1. Except as otherwise provided in subsection 2, "personal identifying information" means any information designed, commonly used or capable of being used, alone or in conjunction with any other information, to identify a living or deceased person or to identify the actions taken, communications made or received by, o

        • by itwerx (165526)

          Gee, sounds pretty close to HIPAA, which has only been mandated at the federal level for years now! Egads, no wonder NV has problems...

        • by b4upoo (166390)

          That driver's license number is a critical chunk of data. This week someone tried to get instant credit at Home Depot using my data. One thing they got wrong was my driver's license number. Home Depot was smart enough to call me. The way it works is that they don't care where the card is mailed. They simply want instant credit so that they can walk out of the store with an expensive item that they can quickly sell.
          I went to the local sheriff's

      • Insecure anyway... (Score:5, Informative)

        by DrYak (748999) on Monday September 22, 2008 @04:23PM (#25110167) Homepage

        So based on this legislation, resetting a users password and sending them the new password via email is illegal?

        This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log-in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.

        An email is just as secure as a postcard. Everyone (for example the postman could read it). Same for the e-mail : it transits un-encrypted and could be intercepted at any point on the way to the receiver.

        • Re: (Score:2, Interesting)

          by ropiku (1071312)

          This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log-in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.

          An email is just as secure as a postcard. Everyone (for example the postman could read it). Same for the e-mail : it transits un-encrypted and could be intercepted at any point on the way to the receiver.

          What method of password recovery do you suggest ?

          • What method of password recovery do you suggest ?

            1. Either, as I said, the password (or reset URL) should be considered as compromisable and thus only temporary and should be replaced as soon as possible.

            2. Or, a secure channel should be used (crypted, as suggested by the - although badly worded - law)

            3. A last possibility would be simply to try using a completely separate channel. As in, the user asks for a password reset by classical ways, but the replacement is sent by SMS. Not as secure as nÂ2, but requires a little bit more effort to compromise.

          • Recovery questions. SSL. Send the password over an HTTPS connection, if you must – even safer would be to require a password reset. Once the user has proven their identity via recovery questions, they get to type a new password and has no way of knowing what the old password was.

            Plus, any system which permits password recovery must, by nature, store the password as plain text in a database somewhere, which is bad practice from the get-go.

        • by rtb61 (674572)

          A simpler method for email is to simply encrypt the message using the delivery address. Not that it really secures it but it does however force a action with criminal intent. For the message to be deciphered the recipient must fraudulently misrepresent themselves as the legitimate receiver of that message in order to read it and as a result can be subject to criminal prosecution ie. no more postcards and the feature can simply be built into all email readers.

          As for required security, which is obvious in

    • Re:I wonder . . . (Score:5, Interesting)

      by Cajun Hell (725246) on Monday September 22, 2008 @04:41PM (#25110427) Homepage Journal
      But the the best encryption is free [gnupg.org] and the text of the law doesn't even exclude it. If someone wanted this bill to make money for their friend, they sure screwed up.
      • Too bad even a PW-prompting Zip file is too complicated for most non-IT folk.
        And here we are encrypting email.

        TAG: good luck with that

      • but if you run a business and aren't tech savy you don't.

        I already deal with having to encrypt everything in my current job (electronic medical claims). Believe me, there is still a ton of money to be made, even if you don't sell the software to them.
      • by yali (209015)

        Depends on your definition of "best."

        If best means "in theory, the technology is extremely difficult to break when human beings know how to use it correctly and do so" then yeah.

        If best means "in practice, it is likely to work effectively when used by ordinary actual human beings in the real world" then um, no.

        Human beings are part of the security equation [schneier.com]. Gnupg is a great piece of technology, but unless it is wrapped in an interface and set of procedures in such a way that Nina from accounting is able

  • by Anonymous Coward on Monday September 22, 2008 @03:57PM (#25109717)
    If they are not clear on the definition of encryption, just ROT-13 your messages twice and specify that's the type of encryption you use. You then have to ROT-13 it twice again to decrypt.
  • Knowing the law... (Score:2, Interesting)

    by dkf (304284)

    Am I just being too cynical, or will putting everything in a password-protected ZIP file and then sending that, together with the password, will satisfy the rules?

    • Odds are, yes. Unless it says you have to send the key/password separately.

    • Re: (Score:3, Informative)

      Even if it is, setting up certificates is a hell of a lot easier than what you proposed. The very best security systems are where good security is easier than bad security. Unfortunately, this doesn't happen very often.
  • by cryfreedomlove (929828) on Monday September 22, 2008 @03:59PM (#25109753)
    If I am an ecommerce website, am I now expected to encrypt all http traffic destined for customers I know to be in Nevada?
    • by fm6 (162816) on Monday September 22, 2008 @04:12PM (#25109985) Homepage Journal

      If you're an ecommerce website, and you don't already use https for sensitive data (like credit card info), you are just begging to be ripped off. Or hadn't you noticed that little padlock icon that appears whenever you buy something online?

      • by SoCalChris (573049) on Monday September 22, 2008 @04:18PM (#25110073) Journal
        But from the sounds of this law, simply having a small "Hello fm6" message at the top of the page would require the entire page to be encrypted, not just the login/out and payment screens.
        • by fm6 (162816)

          Don't judge a law by how it sounds. The actual text [slashdot.org] tends to be more useful.

        • Re: (Score:3, Informative)

          by Anonymous Coward

          No. As others here have noted:

          NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that

          • by BronsCon (927697)

            a natural person's first name or first initial and last name in combination with any one or more of the following data elements

            The username and first + last name, yes. Either or, no.

      • by jacquesm (154384)

        funny how people fall for that padlock every time.

    • If you're an ecommerce website, you should be doing everything involving private data over HTTPS to begin with.

    • by barzok (26681)

      Shouldn't you be doing that already for your login/checkout/payment processes?

    • by rtfa-troll (1340807) on Monday September 22, 2008 @04:21PM (#25110125)

      Yes and no. The law says that you have to encrypt when you send personal data. The definition of encryption is pretty broad [state.nv.us] but the definition of personal data is very narrow [state.nv.us] so you could have a web site which is unencrypted except for the part where the customers identified themselves.

      Overall, I don't see the problem with this. That they allow weak encryption is a red herring. Strong encryption will also comply with the ruling and so most people will use that. Weak encryption is often better than nothing. There are loopholes, but those can be closed later. This looks like a good start.

    • You were expected to do that before they even passed this law, and not just for customers in Nevada.

      1976 called, they want their RSA-hasn't-been-invented-yet excuse back.

  • by elzbal (520537) <elzbalNO@SPAMyahoo.com> on Monday September 22, 2008 @04:00PM (#25109771) Homepage
    ... the encryption of my customer records at Nevada's brothels.

    I just hope they do more than password protecting the word docs...
  • Say it ain't so! (Score:2, Insightful)

    by Phizzle (1109923)
    The technically illiterate are passing legislation on technology!
    • Re: (Score:2, Insightful)

      by darguskelen (1081705)
      Sarcasm noted.
      Are they aware just how much money this is going to cost businesses in training?
      Not to mention they will have to have every company (and possibly every employee of every company) submit and maintain a proper public key in a public database, no matter how technically savvy they are. I can't get my own company to do that internally...
  • by Morris Thorpe (762715) on Monday September 22, 2008 @04:04PM (#25109853)

    Let's say you're a guy with a lawn mowing business and you have your web site (which you crudely built yourself) printed on the side of your truck.
    Now, someone emails you with their name and address asking for a quote.

    Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!

    p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
    "Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."

  • Can I start a lawsuit to sue some company that does NOT do this, go to a jury by trial, but then do a terribly bad job of defending my position and set precedent that the defendant does not need to encrypt this stuff before a 'real' lawsuit comes about and sets precedent the other way?

    • by Qzukk (229616)

      then do a terribly bad job of defending my position and set precedent

      Judges hate it when you do that, and will likely throw out your case and force you to pay for all of it.

  • by digitaldc (879047) * on Monday September 22, 2008 @04:07PM (#25109897)
    As of posting time, representatives of the state had not gotten back to me with comment.

    It was later found that the reason for this delay was a system-wide shutdown & widespread panic as they couldn't figure out how to encrypt or decrypt any of their correspondence properly.
  • GOOD! (Score:2, Insightful)

    by Anonymous Coward

    ISTM we should phase out any unencrypted protocols going over the internet.

    This particular law may have technical shortcomings - but if it takes close-but-not-quite right laws to raise awareness to the common person and politician that much internet traffic is unencrypted, I'm all for this law as a stalking horse to-be-improved-upon.

    And just think if we eventually migrated to most internet traffic being encrypted. Much of the bittorrent-throttling / AT&T-spying / NSA snooping paranoia could be avoided.

    • by Detritus (11846)
      That's supposed to be one of the advantages of IPV6, mandatory support for IPSEC.
    • by againjj (1132651)

      And just think if we eventually migrated to most internet traffic being encrypted. Much of the bittorrent-throttling / AT&T-spying / NSA snooping paranoia could be avoided.

      In the case of things like bittorrent throttling, connections can be identified by the characteristics of the connection, such as burstiness, throughput, port numbers, etc. Beyond encryption, you have to obfuscate it. Truly disguising it would likely require throttling anyway.

  • Bad summary (Score:5, Informative)

    by russotto (537200) on Monday September 22, 2008 @04:10PM (#25109963) Journal
    The statute forces businesses to encrypt "Personal Information", which by law consists ONLY of the following

    NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. Ê The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

    So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good. They can even send the password, provided they don't send the account number along with it. This makes forgotten password recovery a bit harder, but it's not impossible to comply with.

    • Re: (Score:3, Insightful)

      by ptbarnett (159784)

      So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good.

      If any business is currently sending SS and driver's license numbers via email, they are being irresponsible.

    • by ArsonSmith (13997)

      I always send that kind of info in a word doc, then have my email client UUEncrypt it.

    • by Thaelon (250687)

      publicly available information that is lawfully made available to the general public

      I wonder if this couldn't be pried open to include SSNs that are publicly available from court or property documents. It certainly looks like it. It also looks like if you remove the last name, you can send their SSN, credit card number and password all together.

      I don't know what's worse, a legal system where "loopholes" are enough for you to be excluded, or a society that needs a legal system that attempts (and inevitably

  • What can go wrong? (Score:3, Insightful)

    by oDDmON oUT (231200) on Monday September 22, 2008 @04:13PM (#25109997)

    It's not like we've had any keys lost [bigblog.com] lately.

  • If they can require people to encrypt their email, the next evil plan will be to force everybody to supply crytographic certificates with each email. This will make it impossible to send anonymous email! No poison pen messages, no mailbox bombing, no sp...

    Oh. Never mind.

  • by JeanBaptiste (537955) on Monday September 22, 2008 @04:27PM (#25110233)

    Personally identifiable information should be encrypted.

    Sincerely,
    xz'Kxv!y{Ycut="xgq'^e;

  • The Real Problem... (Score:5, Informative)

    by lax-goalie (730970) on Monday September 22, 2008 @04:28PM (#25110237)

    ...isn't primarily with the law, it's with the Nevada definition of "encryption". Writing definitions of such things for legislation is a more difficult problem than you might think. (I helped draft Virginia's definition of encryption, and what we ended up with ain't perfect.) But in this case, Nevada's definition just plain sucks.

    One of the challenges of writing legislation is that you really can't refer to specific technologies, otherwise you end up having to update the law every time the technology is broken.

    Also, if you rely on a punch list of approved technologies, you effectively block out alternatives. ("But your honor, I used Blowfish because it's more secure than Triple-DES." "Sorry, son, Blowfish isn't on the list I see here. Guilty!")

    Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation". There's a lot for Nevada to fix here.

    • by swillden (191260)

      Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation".

      I don't think it's all that bad. It'd be better if it required the use of good encryption, but I suspect that most people will find it cheaper to implement the widely-deployed encryption tech (i.e. SSL for web sites, S/MIME or PGP for e-mail) than to invent something themselves -- and those widely-deployed technologies are also quite good.

      Of course, the implementations will often be half-baked, with stupid processes that make the decryption keys far too easy for the wrong person to get -- but it'll almos

    • by Chemisor (97276)

      Any encryption is better than no encryption. Besides, once people learn how to encrypt things, it is pretty easy to just forget to turn it off. Or to receive encrypted emails in case I want to send one to them.

    • Seems there is no easy way to win this.

      Like you said, if they defined encryption to the tee, then they'd have a problem next year when that defininition is out of date or broken.

      Seems to me that leaving it vague is better, since it lets people choose how they comply. We're always saying on here that government should keep their hands off things. Maybe this is a good thing?

      Either way, this decision sounds like a step forward. It might be a very small step, and even slightly off the desired path, but at le

  • I didn't know any state was even talking about this.
  • The way the government's going, I wouldn't be surprised if the businesses have to use a particular package that gives the government backdoor access.

  • by dkleinsc (563838) on Monday September 22, 2008 @05:07PM (#25110789) Homepage

    Your government advocates a

    (X) technical (X) legislative ( ) market-based ( ) vigilante

    approach to fighting identity theft. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( ) It will stop identity theft for two weeks and then we'll be stuck with it
    (X) Users of email will not put up with it
    (X) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from identity thieves
    (X) Requires immediate total cooperation from everybody at once
    (X) Many email users cannot afford to lose business or alienate potential employers
    ( ) identity thieves don't care about invalid addresses in their lists
    (X) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    (X) Lack of centrally controlling authority for email
    (X) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    (X) Asshats
    (X) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( ) Armies of worm riddled broadband-connected Windows boxes
    ( ) Eternal arms race involved in all filtering approaches
    ( ) Extreme profitability of identity theft
    ( ) Joe jobs and/or identity theft
    (X) Technically illiterate politicians
    ( ) Dishonesty on the part of identity thieves themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    (X) Outlook

    and the following philosophical objections may also apply:

    ( ) Ideas similar to yours are easy to come up with, yet none have ever
    been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    (X) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( ) Why should we have to trust you and your servers?
    ( ) Incompatiblity with open source or open source licenses
    (X) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    (X) I don't want the government reading my email
    ( ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about your legislature:

    ( ) Sorry dude, but I don't think it would work.
    (X) This is a stupid idea, and you're stupid people for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your
    house down!

  • If this is the first step to encrypting EVERYTHING, then i think its worth a few of the speed-bumps this will cause in the beginning.

  • Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

    Under this definition of "encryption", I could argue that by compressing the file it would "delay access" by making them wait for the time 7zip takes to unzip. So now zipped files are encrypted?

  • by rawg (23000) <phill@@@kenoyer...com> on Monday September 22, 2008 @05:54PM (#25111345) Homepage

    The hard part of this problem is getting MS Windows users to use email encryption. Your pretty much screwed if you use MS LookOut. Sometimes it works, sometimes it doesn't.

    I would encrypted all my email if people that I'm sending to could read it. I would refuse any email that is not encrypted if I could get people to encrypt their email.

    • by gr8dude (832945)

      How is this problem specific to Outlook? I've used Outlook as well as other email clients and I never felt uncertain about the effect of my actions.

      Could you elaborate?

  • by stewbacca (1033764) on Monday September 22, 2008 @06:04PM (#25111453)

    ...Igpay Atinlay!

    Seriously...show me one governmental agency that does ANYTHING with technology well and I'll accept governmental agencies telling me what the rules are regarding said technology.

  • In the UK, most large companies have long accepted that this is an implicit requirement of our Data Protection Act. In my area of work, you'd certainly be subject to disciplinary action if you failed to encrypt an email that contained personal data.

    Perhaps it's time for the USA to catch up with the rest of the world.

    • by cheros (223479)

      Balls. There is no consistent standard, and personal details still fly freely over the wire. Show me ANY, repeat, ANY recruitment agency that publishes a PGP key and that emails CVs encrypted.

      Even that setup that has more ways to waste money than a teenager, the government, has failed to pull something consistent together. Mind you, last time I rescued them from embarrassment they had Microsoft consultants cook up some secure email solution. Given the rates that MS pays it's "consultants" it was no surp

  • Don't for one minute believe that this idea is enforceable on a widespread basis.

    Here in the UK we've got the Data Protection Act (which doesn't specify "encryption" but does specify "reasonable care" and the watchdog tasked with monitoring compliance describes using encryption as an example of "reasonable care") and yet there have been loads of instances where personal data has been compromised.

    The purpose of a law like this is to give the judiciary something definite to charge someone with when the inevit

It is much easier to suggest solutions when you know nothing about the problem.

Working...