Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st

dtothes writes "Baseline is reporting the state of Nevada has a statute about to go in effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"

Say it ain't so!

[Phizzle]

The technically illiterate are passing legislation on technology!

Re:Say it ain't so!

[darguskelen]

Sarcasm noted.
Are they aware just how much money this is going to cost businesses in training?
Not to mention they will have to have every company (and possibly every employee of every company) submit and maintain a proper public key in a public database, no matter how technically savvy they are. I can't get my own company to do that internally...

Re:I wonder . . .

[neuromancer23]

Forget selling software. The real money comes from selective prosecution of offenders.

This law is absurd, an only goes to demonstrate how insane everyone on this planet is. An email address is potentially personally identifiable information. So is an IP address. So is a password.

So based on this legislation, resetting a users password and sending them the new password via email is illegal?

And if you don't have an IT department?

[Morris+Thorpe]

Let's say you're a guy with a lawn mowing business and you have your web site (which you crudely built yourself) printed on the side of your truck.
Now, someone emails you with their name and address asking for a quote.

Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!

p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
"Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."

GOOD!

ISTM we should phase out any unencrypted protocols going over the internet.

This particular law may have technical shortcomings - but if it takes close-but-not-quite right laws to raise awareness to the common person and politician that much internet traffic is unencrypted, I'm all for this law as a stalking horse to-be-improved-upon.

And just think if we eventually migrated to most internet traffic being encrypted. Much of the bittorrent-throttling / AT&T-spying / NSA snooping paranoia could be avoided.

Re:How about http web traffic?

[fm6]

If you're an ecommerce website, and you don't already use https for sensitive data (like credit card info), you are just begging to be ripped off. Or hadn't you noticed that little padlock icon that appears whenever you buy something online?

What can go wrong?

[oDDmON+oUT]

It's not like we've had any keys lost lately.

Re:Knowing the law...

Not at all. By decrypting, you've made a prosecutable effort. However, the data is safe from passive sniffing.

Re:Bad summary

[ptbarnett]

So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good.

If any business is currently sending SS and driver's license numbers via email, they are being irresponsible.

The technical solution isn't the point . . .

[mmell]

Hellfire, the government could issue an RSA code to every citizen and publish the public keys in a phone book. The government could even provide the necessary software to make it work. It'd be secure - that's the beauty of public key encryption systems such as RSA or knapsack. But it'll never happen. Nobody wants it. Nobody wants to pay for it.

This legislation will force industry to develop and pay for it, regardless of whether the customers want it or not. Yes, we all want encryption on everything; but an overwhelming majority of computer users don't care enough to actually do anything, even though it would only take a bit of time and effort. Now, what happens when your bank send you your private encryption key and instructions? Most recipients will either delete or (at best) ignore the key. Later that month imagine their anger when their bank statement is encrypted and they have no idea how to decrypt it? Or do you really get the impression that the average American (Nevadan?) consumer is intelligent enough to implement, say, GPG? If so, do you think the average consumer is energetic enough to do so?

Leave this job up to market forces - the free-enterprise economy is infinitely more responsive to the needs and wants of the average consumer than is the Federal or even any of the State governments.

Delay access? Not good enough.

[isBandGeek()]

Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

Under this definition of "encryption", I could argue that by compressing the file it would "delay access" by making them wait for the time 7zip takes to unzip. So now zipped files are encrypted?