Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st

dtothes writes "Baseline is reporting the state of Nevada has a statute about to go in effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"

  • Bad summary (Score:5, Informative)

    by russotto ( 537200 ) on Monday September 22, 2008 @04:10PM (#25109963)
    The statute forces businesses to encrypt "Personal Information", which by law consists ONLY of the following

    NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

    So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good. They can even send the password, provided they don't send the account number along with it. This makes forgotten password recovery a bit harder, but it's not impossible to comply with.

  • by moderatorrater ( 1095745 ) on Monday September 22, 2008 @04:11PM (#25109969)
    Even if it is, setting up certificates is a hell of a lot easier than what you proposed. The very best security systems are where good security is easier than bad security. Unfortunately, this doesn't happen very often.
  • by rtfa-troll ( 1340807 ) on Monday September 22, 2008 @04:21PM (#25110125)

    Yes and no. The law says that you have to encrypt when you send personal data. The definition of encryption is pretty broad but the definition of personal data is very narrow, so you could have a web site which is unencrypted except for the part where the customers identified themselves.

    Overall, I don't see the problem with this. That they allow weak encryption is a red herring. Strong encryption will also comply with the ruling and so most people will use that. Weak encryption is often better than nothing. There are loopholes, but those can be closed later. This looks like a good start.

  • Re:I wonder . . . (Score:5, Informative)

    by Ferzerp ( 83619 ) on Monday September 22, 2008 @04:22PM (#25110153)

    RTFL. There is "personal information"

          NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

                1. Social security number.

                2. Driver's license number or identification card number.

                3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

                The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

                (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)
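Added example, not from either comment above nor from the statute's authors: a Python check that applies the NRS 603A.040 definition quoted by russotto and Ferzerp to an outgoing message, flagging it only when a name travels together with a full SSN, a driver's license number, or an account/card number plus its code or password. The regexes and field labels are constructed heuristics, and the sample messages are fictitious.

```python
import re

# Data elements enumerated in NRS 603A.040. Any one of them, sent together with a
# person's name, makes the message "personal information" under the statute.
NAME_RE = re.compile(r"\b(?:[A-Z][a-z]+|[A-Z]\.)\s+[A-Z][a-z]+\b")  # "First Last" / "J. Last" heuristic
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")  # full SSN; last-4 alone is exempt
DL_RE = re.compile(r"\b(?:driver'?s? licen[sc]e|DL)\s*#?\s*[:=]?\s*[A-Z0-9]{6,12}\b", re.I)
CARD_RE = re.compile(r"\b(?:\d[ -]?){13,16}\b")  # PAN-shaped digit run, confirmed by Luhn below
# Hypothetical field labels standing in for the statute's "security code, access
# code or password"; a real deployment would tune these to its own mail templates.
CODE_RE = re.compile(r"\b(?:cvv|security code|access code|pin|password)\s*[:=]\s*\S+", re.I)


def luhn_ok(candidate: str) -> bool:
    """Luhn checksum; weeds phone numbers and other digit runs out of CARD_RE hits."""
    digits = [int(c) for c in candidate if c.isdigit()]
    if len(digits) < 13:
        return False
    total = 0
    for i, d in enumerate(reversed(digits)):
        if i % 2 == 1:
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def classify(message: str) -> dict:
    """Map a message to the 603A.040 elements it carries and whether it must be encrypted."""
    has_card = any(luhn_ok(m.group()) for m in CARD_RE.finditer(message))
    found = {
        "name": bool(NAME_RE.search(message)),
        "ssn": bool(SSN_RE.search(message)),
        "drivers_license": bool(DL_RE.search(message)),
        # An account or card number counts only together with its code or password.
        "account_with_code": has_card and bool(CODE_RE.search(message)),
    }
    found["requires_encryption"] = found["name"] and (
        found["ssn"] or found["drivers_license"] or found["account_with_code"]
    )
    return found


if __name__ == "__main__":
    # Constructed sample messages; names, numbers and codes are fictitious.
    for msg in [
        "John Smith, your new temporary password: hunter2",  # password alone: not covered
        "John Smith, SSN 123-45-6789, please confirm",        # name + SSN: covered
        "Jane Doe, card 4111 1111 1111 1111",                 # card without code: not covered
        "Jane Doe, card 4111 1111 1111 1111 CVV: 123",        # card + code: covered
        "SSN 123-45-6789 for your records",                   # element without a name: not covered
    ]:
        print(f"{classify(msg)['requires_encryption']!s:5}  {msg}")
```

The first sample is russotto's point in code: a mailed password with no account number beside it falls outside the definition.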

  • Insecure anyway... (Score:5, Informative)

    by DrYak ( 748999 ) on Monday September 22, 2008 @04:23PM (#25110167)

    So based on this legislation, resetting a user's password and sending them the new password via email is illegal?

    This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.

    An email is just as secure as a postcard. Everyone (for example the postman) could read it. Same for the e-mail: it transits un-encrypted and could be intercepted at any point on the way to the receiver.
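A reset flow along the lines DrYak sketches (a mailed link rather than a mailed password, valid only briefly and only once), as an added Python example that is not from the comment or from any product. The 15-minute lifetime, the example.invalid base URL and the user names are assumptions.

```python
import hashlib
import hmac
import secrets
import time
from urllib.parse import urlencode

RESET_TTL_SECONDS = 15 * 60  # assumed policy: a link is usable for 15 minutes


class ResetTokenStore:
    """Single-use, time-limited reset tokens; only a SHA-256 of each token is kept
    server-side, so a leaked table yields no working links. Clock is injectable."""

    def __init__(self, now=time.time):
        self._now = now
        self._pending = {}  # user -> (token_hash, expires_at)

    def issue(self, user: str) -> str:
        token = secrets.token_urlsafe(32)  # 256 bits of randomness
        self._pending[user] = (self._digest(token), self._now() + RESET_TTL_SECONDS)
        return token

    def redeem(self, user: str, token: str) -> bool:
        """True exactly once per issued token, and only before it expires."""
        entry = self._pending.get(user)
        if entry is None:
            return False
        token_hash, expires_at = entry
        if not hmac.compare_digest(token_hash, self._digest(token)):
            return False
        del self._pending[user]  # burn the token whether it is fresh or stale
        return self._now() <= expires_at

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()


def reset_mail_body(user: str, token: str, base_url: str) -> str:
    """The message that goes out: a link carrying the token, never a password."""
    link = f"{base_url}/reset?{urlencode({'user': user, 'token': token})}"
    return (f"Hello {user},\n\nA password reset was requested for your account. "
            f"Open this link within 15 minutes to choose a new password:\n{link}\n")


if __name__ == "__main__":
    store = ResetTokenStore()
    tok = store.issue("alice")  # constructed example user
    print(reset_mail_body("alice", tok, "https://example.invalid"))
    print("first use:", store.redeem("alice", tok), "second use:", store.redeem("alice", tok))
```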

  • The Real Problem... (Score:5, Informative)

    by lax-goalie ( 730970 ) on Monday September 22, 2008 @04:28PM (#25110237)

    ...isn't primarily with the law, it's with the Nevada definition of "encryption". Writing definitions of such things for legislation is a more difficult problem than you might think. (I helped draft Virginia's definition of encryption, and what we ended up with ain't perfect.) But in this case, Nevada's definition just plain sucks.

    One of the challenges of writing legislation is that you really can't refer to specific technologies, otherwise you end up having to update the law every time the technology is broken.

    Also, if you rely on a punch list of approved technologies, you effectively block out alternatives. ("But your honor, I used Blowfish because it's more secure than Triple-DES." "Sorry, son, Blowfish isn't on the list I see here. Guilty!")

    Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation". There's a lot for Nevada to fix here.

  • by Anonymous Coward on Monday September 22, 2008 @04:47PM (#25110507)

    No. As others here have noted:

    NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

    Thus, simply having the username or first + last name on a page is insufficient to require encryption - if, however, you are presenting the user with a credit card number or any of the above, then that page must be encrypted, which makes sense. This actually is a good piece of legislation if they defined what constitutes encryption - I don't know, and I don't feel like looking through the legalese.

  • by Rob the Bold ( 788862 ) on Monday September 22, 2008 @05:01PM (#25110691)

    Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!

    For that matter -- if you're in a business like lawnmowing that only uses its "web presence" as a virtual billboard or PO Box -- good luck knowing this law even exists!

  • by Anonymous Coward on Monday September 22, 2008 @05:06PM (#25110769)

    I disagree. The real problem is lack of standard business practices that take the need to protect PII seriously.

    I personally know of people in businesses relating to insurance who regularly get emails from HR departments containing unencrypted PNI.

    In many of these cases, password-protecting an Excel spreadsheet full of SSNs before mailing it would be a *huge* step up, and would provide enough protection for over 99% of realistic threat scenarios.

    We're not talking about Swiss bank accounts, we're talking about the equivalent of where shredding a document before putting it curbside is enough to prevent most meth-addicted dumpster-divers from committing identity theft.

    BTW, these insurance and HR employees aren't bad people, they're just non-techie clerk types and they aren't going to mess with encryption unless their boss demands it. And sadly, their bosses do not fear HIPAA.

    This law could boost awareness of the need to encrypt PII, and businesses that exchange a lot of such data will have this value seep into their culture and business practices.

  • Re:Just ROT-13 twice (Score:5, Informative)

    by Anonymous Psychopath ( 18031 ) on Monday September 22, 2008 @05:13PM (#25110861)

    For the humor-impaired, performing ROT-13 twice results in the same text as the original unencrypted message. Performing ROT-13 twice again to "decrypt" would once again result in the same text as the original, unencrypted message. It's just a joke, relax.

  • by rawg ( 23000 ) on Monday September 22, 2008 @05:54PM (#25111345)

    The hard part of this problem is getting MS Windows users to use email encryption. You're pretty much screwed if you use MS LookOut. Sometimes it works, sometimes it doesn't.

    I would encrypt all my email if people that I'm sending to could read it. I would refuse any email that is not encrypted if I could get people to encrypt their email.

  • Re:I wonder . . . (Score:2, Informative)

    by Anonymous Coward on Monday September 22, 2008 @08:02PM (#25112701)

    That's just "Personal Information". "Personal identifying information" is defined as follows:

    NRS 205.4617 "Personal identifying information" defined.

                1. Except as otherwise provided in subsection 2, "personal identifying information" means any information designed, commonly used or capable of being used, alone or in conjunction with any other information, to identify a living or deceased person or to identify the actions taken, communications made or received by, or other activities or transactions of a living or deceased person, including, without limitation:

                (a) The current or former name, driver's license number, identification card number, social security number, checking account number, savings account number, credit card number, debit card number, financial services account number, date of birth, place of employment and maiden name of the mother of a person.

                (b) The unique biometric data of a person, including, without limitation, the fingerprints, facial scan identifiers, voiceprint, retina image and iris image of a person.

                (c) The electronic signature, unique electronic identification number, address or routing code, telecommunication identifying information or access device of a person.

                (d) The personal identification number or password of a person.

                (e) The alien registration number, government passport number, employer identification number, taxpayer identification number, Medicaid account number, food stamp account number, medical identification number or health insurance identification number of a person.

                (f) The number of any professional, occupational, recreational or governmental license, certificate, permit or membership of a person.

                (g) The number, code or other identifying information of a person who receives medical treatment as part of a confidential clinical trial or study, who participates in a confidential clinical trial or study involving the use of prescription drugs or who participates in any other confidential medical, psychological or behavioral experiment, study or trial.

                (h) The utility account number of a person.

                2. To the extent that any information listed in subsection 1 is designed, commonly used or capable of being used, alone or in conjunction with any other information, to identify an artificial person, "personal identifying information" includes information pertaining to an artificial person.

                (Added to NRS by 2003, 1355; A 2005, 2498; 2007, 2169)
