Educause Security Discussion
mailing list archives
Re: Nevada's mandatory encryption law
From: Aaron Kirby <akirbyco () GMAIL COM>
Date: Sat, 18 Oct 2008 10:36:23 -0400
I wonder what types of loopholes will arise from the use of different
definitions of "secure system of business?" Would a private line WAN
connection through a telecommunications or cable company still be
considered a secure system of business? Or will companies have to
encrypt traffic traveling over private WAN connections? Can a company
really "ensure the security of the electronic transmission" if it is
passing through AT&T infrastructure? I wonder if MPLS VPN service
offerings build momentum.
Still doesn't do much to protect against insider threats.
Basgen, Brian wrote:
FYI for anyone who hasn't seen it yet, Nevada is requiring encryption on electronic transfers of personal information.
It seems to be a natural extension of the mandatory data reporting laws.
"NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1,
1. A business in this State shall not transfer any personal information of a customer through an electronic
transmission other than a facsimile to a person outside of the secure system of the business unless the business uses
encryption to ensure the security of electronic transmission.
2. As used in this section:
(a) “Encryption” has the meaning ascribed to it in NRS 205.4742.
(b) “Personal information” has the meaning ascribed to it in NRS 603A.040.
(Added to NRS by 2005, 2506, effective October 1, 2008)
Pima Community College