A new Nevada law (NRS 597.970) effective Oct. 1 requires that businesses in Nevada encrypt personal information whenever it is electronically transmitted outside the business by any means other than fax. Predictably, I got a press release from an encryption software vendor that said "Even if a business never sends customer information via e-mail, the business will be at risk if a server, desktop, laptop, or electronic storage device is lost, stolen, or compromised." The real problem is the law is incredibly vague.

According to Nevada law, personal information means your name and any of the following:

1. Social Security number.
2. Driver's license number or identification card number.
3. Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the person's financial account.

Electronic transmission isn't defined, so one interpretation would include the telephone -- so if you forget the password to your online banking account, your bank will have to snail mail or fax you a new one. It does say "to a person outside of the secure system of the business," so you don't have to run out and encrypt all your disks like the vendor that brought this to my attention would like.

The law makes violations a misdemeanor but doesn't specify any penalties.

Since this is the backup blog, this law just reinforces the recommendation to encrypt any backup that's going to leave the data center. Encrypt your tapes, and use an online backup application that encrypts data in flight and at rest in someone else's data center.