Slashdot Mirror


Nevada Businesses Must Start Encrypting E-Mail By Oct. 1st

dtothes writes "Baseline is reporting the state of Nevada has a statute about to go into effect on October 1, 2008 that will force businesses to encrypt all personally identifiable information transmitted over the Internet. They speak with a Nevada legal expert who says the problem is that the statute is written so broadly that the law could potentially open up a ton of unintentional liability and allow for the interpretation of things like password-protected documents to be considered sufficiently encrypted. Quoting: 'Beyond the infrastructure impact, the statute itself looks like Swiss cheese. Bryce K. Earl, a Las Vegas-based attorney, ... has been following the issue closely and believes there are some problems with the statute as it is on the books right now, namely the broad definition of encryption, the lack of coordination with industry standards and the unclear nature of penalties both criminal and civil.'"


  1. I wonder . . . by base3 · · Score: 4, Interesting

    . . . which Nevada legislator's friend or relative just happens to sell some kind of compliant encryption solution.

    --
    One CPU cycle wasted on digital restrictions management is ONE TOO MANY.
    1. Re:I wonder . . . by clone53421 · · Score: 4, Funny

      You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.

      --
      Alexander Peter Kristopeit bought his basement from his mommy for one dollar.
    2. Re:I wonder . . . by Ferzerp · · Score: 4, Informative

      RTFL. There is "personal information"

            NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

                  1. Social security number.

                  2. Driver's license number or identification card number.

                  3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

            The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

                  (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

    3. Re:I wonder . . . by Cajun Hell · · Score: 4, Interesting

      But the best encryption is free and the text of the law doesn't even exclude it. If someone wanted this bill to make money for their friend, they sure screwed up.

      --
      "Believe me!" -- Donald Trump
    4. Re:I wonder . . . by morgan_greywolf · · Score: 4, Funny

      You could always put the password into a text file, zip it, and password-protect the zip with their old password before you e-mailed it to them.

      Duh. Obviously that wouldn't work, since they don't know their old password. You'd have to password protect the password with their new password!

  2. Just ROT-13 twice by Anonymous Coward · · Score: 5, Funny

    If they are not clear on the definition of encryption, just ROT-13 your messages twice and specify that's the type of encryption you use. You then have to ROT-13 it twice again to decrypt.

    1. Re:Just ROT-13 twice by Anonymous Psychopath · · Score: 4, Informative

      For the humor-impaired, performing ROT-13 twice results in the same text as the original unencrypted message. Performing ROT-13 twice again to "decrypt" would once again result in the same text as the original, unencrypted message. It's just a joke, relax.

      --
      Eagles may soar, but weasels don't get sucked into jet engines.

    2. Re:Just ROT-13 twice by Beryllium Sphere(tm) · · Score: 4, Funny

      This is irresponsible advice. There are known-plaintext attacks on reduced-round variants of ROT13. Always use the full 16 rounds to be sure you're actually getting the security that double ROT-13 promises.

  3. I approve... by elzbal · · Score: 4, Funny

    ... the encryption of my customer records at Nevada's brothels.

    I just hope they do more than password protecting the word docs...

  4. Re:Force Encryption eh by Angostura · · Score: 4, Funny

    I have developed a system by which each character is taken and broken up into a pattern of ones and zeros. The exact pattern is determined by looking up the character in a table. The receiver has to unscramble this pattern of ones and zeros by looking the pattern up in a similar table and then regenerating the character.

    I call this system ASCII and I believe that it is a simple type of encryption, albeit with a very public public key, and no private key.

  5. Bad summary by russotto · · Score: 4, Informative

    The statute forces businesses to encrypt "Personal Information", which by law consists ONLY of the following

    NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

          1. Social security number.

          2. Driver's license number or identification card number.

          3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

    The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

    (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

    So businesses merely need to refrain from putting social security numbers, driver's license numbers, and passwords in email and other insecure communication channels and they're good. They can even send the password, provided they don't send the account number along with it. This makes forgotten password recovery a bit harder, but it's not impossible to comply with.

  6. Re:Force Encryption eh by LordEd · · Score: 4, Funny

    I use ROT26. It must be twice as secure as ROT13.

  7. Re:How about http web traffic? by rtfa-troll · · Score: 4, Informative

    Yes and no. The law says that you have to encrypt when you send personal data. The definition of encryption is pretty broad but the definition of personal data is very narrow so you could have a web site which is unencrypted except for the part where the customers identified themselves.

    Overall, I don't see the problem with this. That they allow weak encryption is a red herring. Strong encryption will also comply with the ruling and so most people will use that. Weak encryption is often better than nothing. There are loopholes, but those can be closed later. This looks like a good start.

    --
    =~ s,(.*),<sarcasm>$1</sarcasm>,g if any_point_you_wish();
  8. Insecure anyway... by DrYak · · Score: 4, Informative

    So based on this legislation, resetting a user's password and sending them the new password via email is illegal?

    This is an extremely insecure procedure, unless you make sure that, upon receiving the e-mail, the user will quickly log in and change the password to another one (the mailed password being used only as a temporary one). Or unless the mail actually is a special reset URL which lets the user choose his own.

    An email is just as secure as a postcard. Everyone (for example the postman) could read it. Same for the e-mail: it transits unencrypted and could be intercepted at any point on the way to the receiver.

    --
    "Sufficiently advanced satire is indistinguishable from reality." - [Tips: 1DrYakQDKCQ6y52z6QbnkxHXAocMZJE61o ]
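The reset-URL alternative DrYak mentions, worked through as an added example. This is editor-supplied Python, not code from the comment, from Slashdot, or from any Nevada business; it assumes a hypothetical site at example.invalid, a 15-minute token lifetime and an in-memory dict standing in for the user table. The choices of a 256-bit random token, storing only its SHA-256, PBKDF2 for the new password and a constant-time comparison are the editor's, not anything the statute or the thread specifies.

```python
"""One-time password-reset link, as an alternative to e-mailing a new password.

Added example (not from the thread). The server e-mails a random token inside
a URL; only the SHA-256 of the token is stored, so a leaked table yields no
usable links. Tokens are single-use and expire after TOKEN_TTL_SECONDS.
"""
import hashlib
import hmac
import secrets
import time
from urllib.parse import parse_qs, urlencode, urlparse

TOKEN_TTL_SECONDS = 15 * 60                   # assumption: 15-minute window
BASE_URL = "https://example.invalid/reset"    # hypothetical site
PBKDF2_ROUNDS = 100_000

# Constructed stand-in for a user table: username -> record.
USERS = {"alice": {"password_hash": None, "reset": None}}


def _hash_token(token):
    """Only this is stored; a leaked table must not contain live tokens."""
    return hashlib.sha256(token.encode()).hexdigest()


def _hash_password(password, salt=None):
    salt = salt if salt is not None else secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt.hex() + "$" + dk.hex()


def issue_reset_link(username, now=None):
    """Create a fresh single-use token for `username` and return the URL to e-mail.

    Issuing a new link replaces any earlier pending one for that user.
    """
    now = time.time() if now is None else now
    token = secrets.token_urlsafe(32)          # 256 bits from the OS CSPRNG
    USERS[username]["reset"] = {
        "token_hash": _hash_token(token),
        "expires": now + TOKEN_TTL_SECONDS,
    }
    return BASE_URL + "?" + urlencode({"user": username, "token": token})


def parse_reset_link(url):
    """Server side: pull (username, token) back out of the clicked URL."""
    query = parse_qs(urlparse(url).query)
    return query["user"][0], query["token"][0]


def redeem_reset_token(username, token, new_password, now=None):
    """Set a new password if the token is valid, unexpired and unused.

    Returns True on success, False otherwise; every failure looks the same
    so the caller cannot tell 'no such user' from 'bad token'.
    """
    now = time.time() if now is None else now
    record = USERS.get(username)
    pending = record["reset"] if record else None
    if pending is None:
        return False
    # Compare hashes in constant time; never compare the raw token.
    if not hmac.compare_digest(pending["token_hash"], _hash_token(token)):
        return False
    # Burn the token before anything else: it is single-use either way.
    record["reset"] = None
    if now > pending["expires"]:
        return False
    record["password_hash"] = _hash_password(new_password)
    return True


def verify_password(username, password):
    """Check a login against the salted PBKDF2 hash stored by redeem_reset_token."""
    record = USERS.get(username)
    if not record or record["password_hash"] is None:
        return False
    salt_hex, _ = record["password_hash"].split("$", 1)
    candidate = _hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate, record["password_hash"])


if __name__ == "__main__":
    link = issue_reset_link("alice")
    print("e-mail this:", link)
    user, tok = parse_reset_link(link)
    print("first redeem ok:", redeem_reset_token(user, tok, "correct horse battery"))
    print("second redeem ok:", redeem_reset_token(user, tok, "again"))   # single use
```

The e-mail still travels as a postcard, which is the point DrYak makes; what changes is that the only thing on the postcard is a credential that works once, for a quarter of an hour, and that the site never stores in usable form.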
  9. The Real Problem... by lax-goalie · · Score: 4, Informative

    ...isn't primarily with the law, it's with the Nevada definition of "encryption". Writing definitions of such things for legislation is a more difficult problem than you might think. (I helped draft Virginia's definition of encryption, and what we ended up with ain't perfect.) But in this case, Nevada's definition just plain sucks.

    One of the challenges of writing legislation is that you really can't refer to specific technologies, otherwise you end up having to update the law every time the technology is broken.

    Also, if you rely on a punch list of approved technologies, you effectively block out alternatives. ("But your honor, I used Blowfish because it's more secure than Triple-DES." "Sorry, son, Blowfish isn't on the list I see here. Guilty!")

    Unfortunately, this is a case of "Not a Bad Idea, Piss-poor Implementation". There's a lot for Nevada to fix here.