New State Attempts at Data Security Laws Offer Uncertain Promise

A legal standard for information security has started to emerge from state information privacy laws and Federal Trade Commission enforcement actions. A Nevada law that will take effect later this year and requires encryption in transit for all personal information takes a leap, the authors argue, by directly mandating encryption for personal data. While the Nevada law does not specify what type of encryption is required, proposed regulations in New Jersey would specify encryption for both stored and in transit communication. Compliance with detailed security standards could become unmanageable if multiple states specify distinct security requirements purporting to govern interstate computer systems, according to the authors.