Nevada is set to start enforcing compliance with a law governing how businesses operating in the state can transmit personally identifiable information (PII). The law (see article here, or see the actual statute here) was passed last year, and it goes into effect October 1st. It requires the use of encryption (or something that might faintly resemble data encryption) when PII is transmitted.
Like a lot of the state legislation dealing with privacy and security, it has a few problems. Nevada's law applies to all PII transmitted electronically except via facsimile. I'm not familiar with the state of the art in sniffing and hacking facsimile transmissions, but I'm guessing it isn't rocket science. The definition of encryption in the statute bears no resemblance to any other definition I have ever read, and it opens the door to many different security controls potentially being permissible under the definition. See the definition at the end of the article, which should give cryptographers a lot of heartburn. You could use a simple letter substitution and have it pass for encryption under their definition. Well intentioned, but poorly executed in my book.
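To make the "simple letter substitution" point concrete, here is an added example that is not part of the original post. It shifts every letter of a constructed sample record (invented for the illustration, not real data) by a fixed amount, which produces text that is "unintelligible" in the sense of clause 2 of the NRS 205.4742 definition quoted at the end of the post, and then recovers the record without the key by trying all 26 possible shifts and keeping the one whose letter frequencies look most like English. The English letter-frequency table is an approximation supplied for the example.

```python
import string
from collections import Counter
from typing import Tuple

ALPHABET = string.ascii_uppercase

# Constructed sample record standing in for PII in transit (invented for this example, not real data).
SAMPLE_RECORD = ("JANE DOE OF CARSON CITY NEVADA HOLDS ACCOUNT NUMBER SEVEN ONE FOUR TWO "
                 "AND HER STATEMENT IS MAILED TO THE HOME ADDRESS ON FILE EACH MONTH")

# Approximate relative letter frequencies of English text, used to score candidate plaintexts.
ENGLISH_FREQ = {
    "A": 0.082, "B": 0.015, "C": 0.028, "D": 0.043, "E": 0.127, "F": 0.022,
    "G": 0.020, "H": 0.061, "I": 0.070, "J": 0.0015, "K": 0.0077, "L": 0.040,
    "M": 0.024, "N": 0.067, "O": 0.075, "P": 0.019, "Q": 0.00095, "R": 0.060,
    "S": 0.063, "T": 0.091, "U": 0.028, "V": 0.0098, "W": 0.024, "X": 0.0015,
    "Y": 0.020, "Z": 0.00074,
}


def shift_cipher(text: str, key: int) -> str:
    """Replace every letter with the letter `key` positions further along the alphabet.

    This is the kind of simple letter substitution the post refers to. The output is
    unintelligible to a casual reader, which is all the statutory wording asks for.
    A negative key undoes a positive one, so the same function decrypts.
    """
    out = []
    for ch in text.upper():
        if ch in ALPHABET:
            out.append(ALPHABET[(ALPHABET.index(ch) + key) % 26])
        else:
            out.append(ch)  # spaces and punctuation pass through unchanged
    return "".join(out)


def chi_squared_vs_english(text: str) -> float:
    """Chi-squared distance between the text's letter counts and English expectations.

    Lower score means the letter distribution looks more like ordinary English.
    """
    letters = [ch for ch in text if ch in ALPHABET]
    n = len(letters)
    counts = Counter(letters)
    score = 0.0
    for letter in ALPHABET:
        expected = n * ENGLISH_FREQ[letter]
        score += (counts[letter] - expected) ** 2 / expected
    return score


def break_shift_cipher(ciphertext: str) -> Tuple[int, str]:
    """Recover the key and the plaintext with no key material at all.

    There are only 26 possible keys: decrypt under each one and keep the candidate
    whose letter frequencies are closest to English.
    """
    best_key = min(range(26),
                   key=lambda k: chi_squared_vs_english(shift_cipher(ciphertext, -k)))
    return best_key, shift_cipher(ciphertext, -best_key)


if __name__ == "__main__":
    ciphertext = shift_cipher(SAMPLE_RECORD, 7)
    print("on the wire:", ciphertext)
    key, recovered = break_shift_cipher(ciphertext)
    print(f"recovered with key {key}:", recovered)
```

The ciphertext satisfies the statute's wording, and a laptop recovers the record in a fraction of a second without ever seeing the key. A definition that admits this says nothing about confidentiality, which is the gap between "encryption" as the statute uses the word and encryption as cryptographers use it.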
The proliferation of state laws dealing with privacy and security continues, and it raises some interesting bigger-picture questions to think about...
- Keeping track of the various states' individual regulations and requirements is becoming a real quagmire, as they are diverging in terms of what comprises PII, what the organization needs to do in terms of breach notification, and what controls must be put in place.
- State compliance regulations like this are all bark and no bite. It's not like Nevada is going to have an enforcement group running around checking to make sure that every business that deals with PII is using encryption (as they define it). I guess if you had a breach, the fact that you might not have been using encryption might open you up from a liability standpoint.
- Are state legislatures really equipped to define best practices for securing access to PII? The answer is pretty clearly no.
It seems to me that we really need a federal law that is carefully constructed in this area.
Jim
NRS 205.4742
"Encryption" defined. "Encryption" means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.
Jim Hietala
Jim Hietala, GSEC, GCFW and CISSP, is the principal of Compliance Research Group, providing research, analysis, and consulting services in the areas of compliance, risk management, and IT security. Jim has provided consulting services to organizations such as SANS, The Open Group Security Forum, Logical Security, and a number of IT security and compliance vendors. He is a frequent speaker at industry conferences, and he recently authored a comprehensive course on IT risk management. He participates in the SANS Analyst/Expert program, having written several whitepapers and participated in several webcasts for SANS. He has also published numerous articles on information security, risk management, and compliance topics in publications including The ISSA Journal, Bank Accounting & Finance, Risk Factor, and others. He holds a B.S. in Marketing from Southern Illinois University.
Editorial focus: Compliance, Risk Management, IT Security, IT-GRC software, HIPAA, GLBA, Privacy
Jim can be reached at: jim@compliancefocus.com