NEVADA DATA ENCRYPTION LAW TAKES EFFECT OCTOBER 1
As of October 1, 2008, Nevada Revised Statutes § 597.970 requires “businesses in the State [of Nevada]” to encrypt all personal customer information transferred via “electronic transmission” outside the business. The law expressly excludes data transmitted via facsimile machine, but the rather broad terms “businesses in the State” and “electronic transmission” seem to encompass a very wide range of businesses and activities, and the law does not explain how, or when, the state will enforce it. Furthermore, the definition of encryption under the law is so broad that businesses may be able to comply with the letter of the law without noticeably limiting hackers’ access to private data. Some critics suggest the law creates the semblance of security without actually delivering security. Nevertheless, businesses with any links to Nevada should consider how the law will impact them.
CALIFORNIA LAWMAKERS APPROVE DATA PROTECTION BILL
California lawmakers recently approved Assembly Bill 1656, a data breach bill that, if enacted by the governor, would restrict the use and storage of certain personal data. Businesses that violate the proposed law and subsequently suffer a security breach would be liable for notifying consumers affected by the breach. If Governor Schwarzenegger signs this bill into law, California will be only the second state, after Minnesota, to pass a data breach law; however, last year Governor Schwarzenegger vetoed an earlier version of this bill that imposed greater financial liability on businesses.
CREDIT CARD DATA STOLEN
Officials are investigating a string of credit card number thefts from restaurants in Louisiana and Mississippi. The thieves search out unsecured wireless networks with access to credit card information, install programs that capture and store the credit card information, and periodically download the stolen credit card information across the wireless network. The thieves do this in parking lots using laptop computers, without ever entering the buildings. This technique is used to acquire credit card information from large retailers, such as Barnes & Noble and TJX Cos., as well as from small businesses. The security problem is created by both unsecured and inadequately secured wireless networks. Depending on how the statute is interpreted, relying on unsecured or inadequately secured wireless networks to transmit credit card information might violate the Nevada Data Encryption Law, detailed above, if the business is located within Nevada. Similarly, businesses in Minnesota and California could have additional liability under the Minnesota Data Retention Act and the California Data Breach Bill, respectively, if the hackers were to access stored credit card information as opposed to intercepting credit card information being transferred across a wireless network.
HEARTBEAT-BASED ENCRYPTION FOR IMPLANTED MEDICAL DEVICES
Implanted medical devices are increasingly using wireless technology to allow health care professionals to access information stored in the devices and reprogram them as the patient’s health needs change. The more common these devices become, the greater the risk that a malicious hacker will access an implanted device to obtain personal information or reprogram the device to harm the patient. In response to this threat, researchers are developing an encryption method based on the patient’s heartbeat to ensure secure transmissions. The process involves an external device and an internal device simultaneously creating an encryption key based on the patient’s heartbeat at that point in time. Because heartbeats vary over time, the process would create a unique encryption key each time, which should thwart any attempt to retrieve and reuse the key.
This alert is a copyrighted publication produced by Oppenheimer Wolff & Donnelly LLP. The information contained in this alert is of a general nature and is subject to change. Readers should not act without further inquiry and/or consultation with legal counsel.