Nevada’s Senate Bill 227 came into effect January 1, 2010. It sets a new pace for regulations by defining encryption as “protection of data in electronic or optical form, in storage or in transit”:
(b) “Encryption” means the protection of data in electronic or optical form, in storage or in transit, using:
(1) An encryption technology that has been adopted by an established standards setting body, including, but not limited to, the Federal Information Processing Standards issued by the National Institute of Standards and Technology, which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data; and
(2) Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body, including, but not limited to, the National Institute of Standards and Technology.
Strange that they leave it open-ended what an established standards setting body might include. They will leave it to lawyers to decide, I suppose.
Also strange is that this is far more specific than the Nevada state breach law, SB 347, which requires data only to be made unintelligible (based on the definition in NRS 205.4742).
The law forbids the transfer of personal information, or of a data storage device containing personal information, without the appropriate encryption. Devices that must use encryption include cell phones, computers, computer drives and magnetic tape. Compliance with other standards such as PCI DSS, HIPAA, GLBA or FISMA will not be considered sufficient for SB 227.
Step in the right direction? Yes. Perfect? No.