Home page logo
/

educause logo Educause Security Discussion mailing list archives

Re: Nevada's mandatory encryption law
From: Allison Dolan <adolan () MIT EDU>
Date: Mon, 20 Oct 2008 13:41:02 -0400

Also worth noting about Massachusetts law is that encryption doesn't obviate the need for notification if personal information goes astray - as per a member of the Attorney General's office for enforcement.

(Massachusetts law also includes paper documents as part of the protected info - if the US Postal service misdelivers a correctly addressed letter with PII, then the consumer is supposed to be notified)

Allison F. Dolan
Program Director, Personally Identifiable Information
Massachusetts Institute of Technology
77 Massachusetts Ave  NE49-3021
Cambridge MA 02139-4307
Phone: (617) 252-1461
http://mit.edu/infoprotect



On Oct 20, 2008, at 12:56 PM, Doug Markiewicz wrote:

Massachusetts seems to have a similar encryption requirement that goes into effect 01/01/2009. However, thats just one in a much more extensive list of requirements published by the Mass. Office of Consumer Affairs and Business Regulations in support of existing laws around the protection of personal information.

http://www.mass.gov/? pageID=ocaterminal&L=3&L0=Home&L1=Consumer&L2=Identity +Theft&sid=Eoca&b=terminalcontent&f=idtheft_201cmr17&csid=Eoca


Basgen, Brian wrote:
FYI for anyone who hasn't seen it yet, Nevada is requiring encryption on electronic transfers of personal information. It seems to be a natural extension of the mandatory data reporting laws. "NRS 597.970 Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.] 1. A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.
      2.  As used in this section:
(a) “Encryption” has the meaning ascribed to it in NRS 205.4742. (b) “Personal information” has the meaning ascribed to it in NRS 603A.040.
      (Added to NRS by 2005, 2506, effective October 1, 2008)
~~~~~~~~~~~~~~~~~~
Brian Basgen
Information Security
Pima Community College


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]