October 14, 2008, 5:42 AM — Sometimes an individual state law becomes de facto national legislation, as was the case with California’s SB1386. This law requires any company that maintains personal data about a resident of California, provide notification in the event of a breach. But of course, California’s economy is larger than that of many foreign countries I’ve been in, so the law had an impact far beyond its borders. A company headquartered on the other side of the country is still likely to have some California customers, so it still applies.
The same ripple effect may take place as a result of Nevada’s new law, which requires that a business encrypt all transmissions of personal information over the Internet. The law takes effect on October 1, 2008. As a result, transmitting unencrypted personal information over the Internet in any form, including email, would constitute violation. The legislation specifically defines “personal information†as a person’s name, in combination with a social security number, driver’s license number, or account number in combination with a security code, access code or password.
There are some other states that have similar legislation, including California, Texas, and Rhode Island. But the Nevada law is more specific, in that it mandates the use of encryption as a security measure, and its passage may well set the standard for companies’ security policies nationwide. There has been some criticism of the new law, in that it defines “encryption†very broadly, and does not coordinate with any industry standards. Also, penalties for violation are not clearly stated. Read the rest of this article
