Under a law which takes effect next week, Nevada businesses must start encrypting their email, or face a penalty.
According to the law, which was passed in 2005, but doesn’t take effect until next week, “A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”
What this means is that if you are a business in Nevada, and are sending email which contains anything that could be considered personal information (and let’s face it, an email address is personal), then you must, under this law, send it encrypted, or not at all.
So what exactly qualifies as “encrypted” under this law? According to the state of Nevada’s own legal definition:
” ‘Encryption’ means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.”
Zounds! This sounds like the definition of spyware! And, indeed under California law, a “computer contaminant” is defined as “any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information.”
This should be very interesting to watch.
In the meantime, we at ISIPP stand ready to help any business wanting to get some form of encryption in place so that they don’t become a test case.
The Internet Patrol is completely free, and reader-supported. Your tips via CashApp, Venmo, or Paypal are appreciated! Receipts will come from ISIPP.
CashApp us
Venmo us
Paypal us
Do you have any idea how this might impact marketers sending email to businesses in Nevada? Are there any additional steps that must be taken by marketers sending to Nevada?
What constitutes a Nevada business? Does the mail server need to be in Nevada to qualify?
Speaking as a mail geek, this is not really as onerous as it sounds. There are essentially two kinds of email encryption: content encryption and transport encryption. Content encryption has to be done by end users’ mailer programs (aka “MUA’s”: Mail User Agents) and encrypts the mail before it leaves the machine that it is composed on. Recipients have to also support the same kind of content encryption and have enough of a relationship with the sender that they can decrypt the mail sent to them. There are two incompatible standards for content encryption, PGP and S/MIME, and both of them have problems that are visible to end users. Transport encryption is done using TLS (and its predecessor SSL) and is handled almost invisibly to end users, sometimes between MUA’s and the mail servers (MTA’s: Mail Transport Agents) they hand mail to and commonly between MTA’s. Transport encryption means that the entire communications channel between machines is encrypted, i.e. not just the contents of mail but the entire conversation that is carried out between sending and receiving systems to offer mail from a sender to one or more recipients. Because businesses transfer mail outside of their own realms almost only through MTA-MTA communications and because it protects the sender and recipient addresses from snooping in transit, using transport encryption would satisfy the Nevada law and do so better than having everyone who writes email get personal mail encryption certificates or publish PGP keys.
All modern mail server software can support TLS, and a significant fraction of corporate mail servers have that support active. The big part of the Nevada mandate for encryption is that if Nevada companies follow it by the simplest approach of only sending mail over TLS sessions, they will have to stop sending mail to MTA’s that do not offer TLS service. Few if any of the major consumer ISP’s and mail providers in the US offer it today.