New data security laws take effect in Nevada this January

New data security provisions took effect in Nevada and New Hampshire on January 1, 2010. Nevada’s law makes it the first state to mandate compliance with the entire Payment Card Industry Data Security Standard (PCI DSS) and to require businesses and government agencies to encrypt sensitive data that is transmitted or carried outside the premises of the business or agency.

Nevada’s law covers transaction data created by a customer’s use of a credit, debit, or other payment card, as well as personal information, and applies to “a data collector doing business” in Nevada. A data collector that accepts payment cards is now required to comply with “the current version” of the PCI DSS, no later than the compliance date set by the PCI DSS or the PCI Security Standards Council. Data collectors that do not accept payment cards must use encryption when transferring personal information through “an electronic, non-voice transmission other than a facsimile” to a person outside the data collector’s secure system, and when moving any data storage device containing personal information “beyond the logical or physical controls of the data collector.”

The Nevada law redefines “encryption” to mean both of the following:

(1) “an encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology”.

(2) “[a]ppropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.”

The new law also establishes a safe harbor: a data collector is not liable for damages for a breach of the security of its system data if the data collector is in compliance with the law and the breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees, or agents.

Posted on: Jan 20 2010
Posted under: In the news, Legislation, News, Privacy & security, Strategy, Tips