What it covers: In January 2010, Nevada was the first state to enact a data security law that mandates encryption for customers' stored and transported personal information.
Who is affected: Businesses that collect and retain personal information of Nevada residents.
Link to the law: http://www.leg.state.nv.us/nrs/nrs-603a.html
Key requirements/provisions: The law contains the following requirements:
* Data collectors that accept payment cards must comply with the current version of PCI/DSS (see above).
* Businesses must encrypt any personal information that is electronically transmitted outside the business's secure system.
* Businesses must encrypt any personal information stored on a device (computer, phone, magnetic tape, flash drive, etc.) moved beyond the logical or physical controls of the data collector or data storage contractor.
* Businesses are not liable for damages from a security breach if they are in compliance with the law and the breach was not caused by gross negligence or intentional misconduct.
Source: State of Nevada, Paul Mudgett
Section four: Selected international security and privacy laws
Personal Information Protection and Electronic Documents Act (PIPED Act, or PIPEDA)--Canada
What it covers: This Canadian privacy law governs how public and private organizations collect, use and disclose personal information in the course of business. It went into effect in January 2001 for federally regulated organizations and in January 2004 for all others.
In May 2010, Bill C-29 introduced numerous amendments to PIPEDA, involving exceptions for the use and disclosure of personal information without consent and further requirements for business transactions.
Who is affected: All private-sector companies doing business in Canada.
Bill C-29 amendments: http://www2.parl.gc.ca/HousePublications/Publication.aspx?Docid=4547739&
Key requirements/provisions: PIPEDA establishes 10 principles to govern the collection, use and disclosure of personal information:
2. Identifying Purposes
4. Limiting Collection
5. Limiting Use, Disclosure and Retention