Nevada recently joined the growing list of states seeking to regulate how businesses handle consumers’ personal data. Businesspeople in every state should be aware of Nev. Rev. Stat. Ann. §597.970, which became effective Oct. 1, 2008. This new Nevada law specifies a particular security measure—encryption—to be used when businesses transfer consumer data in certain circumstances.

Nevada appears to be the first state to designate encryption as a means of data security: many comparable state statutes only require “reasonable” security measures, and others do not require any specific security measures at all. See, e.g., R.I. Gen. Laws § 11-49.2-2(2) (requiring “reasonable” procedures); Tex. Bus. & Com. Code § 48.102(a) (same); see also Conn. Pub. Act. No. 08-167 (specifying no single security measure). On May 1, 2009, Massachusetts law will follow Nevada in part: on that date, Massachusetts code will require laptops to be encrypted by the “use of an algorithmic process, or an alternative method at least as secure, into a form in which meaning cannot be assigned without the use of a confidential process or key.” 201 C.M.R. 17.04(5), implementing M.G.L. ch. 93H. While there is some debate about whether or not encryption has a significant effect on data security, the Nevada and Massachusetts statutes suggest that states may begin to mandate it, regardless.

Download the .PDF to learn more.