02-22-2010 08:19 AM
Industry regulations such as PCI-DSS and, in healthcare, HIPAA increasingly require stronger data protection and, in some cases, encryption. In the United States, 45 states have enacted consumer privacy laws to protect customers’ Personally Identifiable Information (PII).
Both Massachusetts and Nevada have added specific guidelines that impose stricter requirements for encryption.
A Nevada state law, SB227, mandates that anyone who “collects data” in Nevada must use encryption to protect personal information that is either transmitted electronically or contained on a data storage device that is moved beyond the controls of the data collector. This law went into effect January 1, 2010, and it applies to any commercial organization and state or local agency operating in Nevada.
Massachusetts has enacted similar encryption requirements. Anytime a Social Security number, bank account, or credit card number is combined with a person’s name, the information must be encrypted before being stored on portable devices or transmitted on public networks.