Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st

← Back to Stories (view on slashdot.org)

Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st

Posted by Soulskill on Monday September 22, 2008 @07:53AM from the wouldn't-bet-on-it dept.

dtothes writes "Baseline is reporting the state of Nevada has a statute about to go in effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"

25 of 178 comments (clear)

Min score:

Reason:

Sort:

I wonder . . . by base3 · 2008-09-22 07:55 · Score: 4, Interesting

. . . which Nevada legislator's friend or relative just happens to sell some kind of compliant encryption solution.

--
One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
1. Re:I wonder . . . by clone53421 · 2008-09-22 08:06 · Score: 4, Funny
  
  You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
2. Re:I wonder . . . by Ferzerp · 2008-09-22 08:22 · Score: 4, Informative
  
  RTFL. There is "personal information"
  NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
  1. Social security number.
  2. Driver's license number or identification card number.
  3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.
  Ê The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.
  (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)
3. Re:I wonder . . . by Cajun+Hell · 2008-09-22 08:41 · Score: 4, Interesting
  
  But the the best encryption is free and the text of the law doesn't even exclude it. If someone wanted this bill to make money for their friend, they sure screwed up.
  
  --
  "Believe me!" -- Donald Trump
4. Re:I wonder . . . by morgan_greywolf · 2008-09-22 08:44 · Score: 4, Funny
  
  You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.
  Duh. Obviously that wouldn't work, since they don't know their old password. You'd have to password protect the password with their new password!
  
  --
  My blog
Just ROT-13 twice by Anonymous Coward · 2008-09-22 07:57 · Score: 5, Funny

If they are not clear on the definition of encryption, just ROT-13 your messages twice and specify that's the type of encryption you use. You then have to ROT-13 it twice again to decrypt.
1. Re:Just ROT-13 twice by Anonymous+Psychopath · 2008-09-22 09:13 · Score: 4, Informative
  
  For the humor-impaired, performing ROT-13 twice results in the same text as the original unencrypted message. Performing ROT-13 twice again to "decrypt" would once again result in the same text as the original, unencrypted message. It's just a joke, relax.
  
  --
  Eagles may soar, but weasels don't get sucked into jet engines.
2. Re:Just ROT-13 twice by gparent · 2008-09-22 09:46 · Score: 3, Funny
  
  Your username is very fitting.
3. Re:Just ROT-13 twice by Beryllium+Sphere(tm) · 2008-09-22 09:59 · Score: 4, Funny
  
  This is irresponsible advice. There are known-plaintext attacks on reduced-round variants of ROT13. Always use the full 16 rounds to be sure you're actually getting the security that double ROT-13 promises.
How about http web traffic? by cryfreedomlove · 2008-09-22 07:59 · Score: 3, Interesting

If I am an ecommerce website, am I now expected to encrypt all http traffic destined for customers I know to be in Nevada?
1. Re:How about http web traffic? by fm6 · 2008-09-22 08:12 · Score: 3, Insightful
  
  If you're an ecommerce website, and you don't already use https for sensitive data (like credit card info), you are just begging to be ripped off. Or hadn't you noticed that little padlock icon that appears whenever you buy something online?
2. Re:How about http web traffic? by SoCalChris · 2008-09-22 08:18 · Score: 3, Interesting
  
  But from the sounds of this law, simply having a small "Hello fm6" message at the top of the page would require the entire page to be encrypted, not just the login/out and payment screens.
3. Re:How about http web traffic? by rtfa-troll · 2008-09-22 08:21 · Score: 4, Informative
  
  Yes and no. The law says that you have to encrypt when you send personal data. The definition of encryption is pretty broad but the definition of personal data is very narrow so you could have a web site which is unencrypted except for the part where the customers identified themselves.
  Overall, I don't see the problem with this. That they allow weak encryption is a red herring. Strong encryption will also comply with the ruling and so most people will use that. Weak encryption is often better than nothing. There are loopholes, but those can be closed later. This looks like a good start.
  
  --
  =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
4. Re:How about http web traffic? by Anonymous Coward · 2008-09-22 08:47 · Score: 3, Informative
  
  No. As others here have noted:
  
  NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. ÃS The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)
  Thus, simply having the username or first + last name on a page is insufficient to require encryption - if however, you are presenting the user with a credit card number of any of the above, then that page must be encrypted, which makes sense. This actually is a good piece of legislation if they defined what constitutes encryption - I don't know, and I don't feel like looking through the legalese.
I approve... by elzbal · 2008-09-22 08:00 · Score: 4, Funny

... the encryption of my customer records at Nevada's brothels.

I just hope they do more than password protecting the word docs...
And if you don't have an IT department? by Morris+Thorpe · 2008-09-22 08:04 · Score: 3, Insightful

Let's say you're a guy with a lawn mowing business and you have your web site (which you crudely built yourself) printed on the side of your truck.
Now, someone emails you with their name and address asking for a quote.
Good luck trying to figure out what this law (http://www.leg.state.nv.us/Nrs/NRS-597.html) means!
p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
"Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."
1. Re:And if you don't have an IT department? by clone53421 · 2008-09-22 08:11 · Score: 3, Funny
  
  p.s. seems to me that the lawyer who wrote this article ought to know the difference between "affect" and "effect"...
  "Think about all the hotels, resorts, golf courses, pawn shops, nightclubs, check cashing, ski lodges and small businesses this is going to effect."
  Obviously they're being very optimistic about the economic impact...
  
  --
  Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
2. Re:And if you don't have an IT department? by Cajun+Hell · 2008-09-22 08:47 · Score: 3, Funny
  
  It looks like you're going to have to stop including people's Social Security Numbers in your lawnmowing quotes.
  
  --
  "Believe me!" -- Donald Trump
Re:Force Encryption eh by Angostura · 2008-09-22 08:06 · Score: 4, Funny

I have developed a system by which each character is taken and broken up into a pattern of ones and zeros. The exact pattern is determined by looking up the character in a table. The receiver has to unscramble this pattern of ones and zeros by looking the pattern up in a similar table and then regenerating the character.
I call this system ASCII and I believe that it is a simple type of encryption, albeit with a very public public key, and no private key.
Encryption Conniption by digitaldc · 2008-09-22 08:07 · Score: 3, Funny

As of posting time, representatives of the state had not gotten back to me with comment.

It was later found that the reason for this delay was a system-wide shutdown & widespread panic as they couldn't figure out how to encrypt or decrypt any of their correspondence properly.

--
He who knows best knows how little he knows. - Thomas Jefferson
Bad summary by russotto · 2008-09-22 08:10 · Score: 4, Informative

The statute forces businesses to encrypt "Personal Information", which by law consists ONLY of the following

NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted: 1. Social security number. 2. Driver's license number or identification card number. 3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account. Ê The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

So businesses merely need to refrain from putting social security numbers, drivers license numbers, and passwords in email and other insecure communication channels and they're good. They can even send the password, provided they don't send the account number along with it. This makes forgotten password recovery a bit harder, but it's not impossible to comply with.
Re:Force Encryption eh by LordEd · 2008-09-22 08:16 · Score: 4, Funny

I use ROT26. It must be twice as secure at ROT13.
Insecure anyway... by DrYak · 2008-09-22 08:23 · Score: 4, Informative

So based on this legislation, resetting a users password and sending them the new password via email is illegal?
This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log-in and change the pass to another one (the mailed password only used as a temporary pass). Or if the mail actually is a special reset-URL which could let the user choose his own.
An email is just as secure as a postcard. Everyone (for example the postman could read it). Same for the e-mail : it transits un-encrypted and could be intercepted at any point on the way to the receiver.

--
"Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
This is a good idea by JeanBaptiste · 2008-09-22 08:27 · Score: 3, Funny

Personally identifiable information should be encrypted.
Sincerely,
xz'Kxv!y{Ycut="xgq'^e;
The Real Problem... by lax-goalie · 2008-09-22 08:28 · Score: 4, Informative

...isn't primarily with the law, it's with the Nevada definition of "encryption". Writing definitions of such things for legislation is a more difficult problem than you might think. (I helped draft Virginia's definition of encryption, and what we ended up with ain't perfect.) But in this case, Nevada's definition just plain sucks.
One of the challenges of writing legislation is that you really can't refer to specific technologies, otherwise you end up having to update the law every time the technology is broken.
Also, if you rely on a punch list of approved technologies, you effectively block out alternatives. ("But your honor, I used Blowfish because it's more secure than Triple-DES." "Sorry, son, Blowfish isn't on the list I see here. Guilty!")
Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation". There's a lot for Nevada to fix here.