You May Need To Change The Way Your Business Handles Emails And Other Electronic Data Under A New Nevada Law That Took Effect On October 1, 2008.
This alert is to advise clients and friends of the Firm of a Nevada law change which requires encryption of electronic transfers (email) containing personal information.
If you ever email messages that contain a customer’s name and social security number, you need to encrypt that information prior to sending it. A new Nevada law went into effect that could change the way your business handles emails and other electronic data. The law, generally intended to protect against identity theft, requires that “a business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.” (SB 347, codified as NRS 597.970.)
What is “personal information”? As defined in NRS 603A.040, personal information means a person’s name in combination with:
(1) a social security number, or
(2) a driver’s license number, or
(3) a bank account, credit or debit card number in combination with a code that would allow access to the person’s financial account.
This means that a combination of a person’s name and any of the information listed above should never be sent in an email or other electronic transmission that is not properly encrypted.
Companies that use email to send customer billing information or credit card or bank account information (e.g., related to a purchase), or to exchange credit information, loan applications, or other financial information, are particularly at risk. It is not at all uncommon to exchange this kind of information with new or long-time customers. Make sure your outgoing email, or the sensitive information, is encrypted when you send it out. This may be as simple as password-protecting your documents, or adopting a secure and encrypted email arrangement for key customers with whom you exchange this information on a regular basis. Your website capture of credit card or ordering information should already be using Transport Layer Security (TLS) or its predecessor, Secure Sockets Layer (SSL), commonly noted by the locked padlock in the lower corner of the web page. Both utilize encryption to protect the data from discovery if intercepted.
The new law, originally adopted in 2005, but with a delayed start date, is a part of a larger effort to protect Nevadans from identity theft and punish parties that are involved in stealing personal financial information. NRS Chapter 603A contains a variety of consumer protections and remedies (http://www.leg.state.nv.us/NRS/NRS-603A.html). For example, the law states that businesses which collect personal information must follow certain procedures to keep information secure and to destroy that information after it is no longer needed. Additionally, a company that has a security breach must disclose that fact to any person whose unencrypted information may have been compromised. You certainly do not want to be the business that needs to contact your customers with that information, or worse, to have to publicly disclose it to reach a broader legally-required audience.
The direct penalties for failing to comply with the new standards for safekeeping personal information can also be steep. Violation of a legal standard established to prevent injury is one of the quickest ways to subject yourself to a negligence judgment. (See, e.g., Atkinson v. MGM Grand Hotel, Inc., 120 Nev. 639 (2004).) In addition to a potential lawsuit, your company may be subject to a temporary or permanent injunction brought by the Attorney General or the District Attorney. Even worse, if you find the thief, your failure to comply with NRS 603A may well prevent you from being entitled to full restitution from the party responsible for the security breach.
For more information on this new law or any other laws affecting your business, please contact us at any of our statewide offices. And remember, encrypt that personal information.
