Do you have an internet business? Do you sell into Nevada or Massachusetts? E-commerce companies who do business in these states, or with customers in these states, are now subject to data privacy laws requiring not only notification of data breaches — but encryption of stored or transmitted personal data.

In 2008 both Nevada and Massachusetts passed data privacy laws requiring encryption of personal data. The Nevada law requires all businesses to encrypt personally-identifiable customer data that are transmitted electronically. The Massachusetts law requires encryption of personal information on laptops and portable devices. Both states’ laws apply not only to resident businesses, but also to out-of-state companies with operations or customers in those states. Any company doing business in all 50 states will have to comply with these data encryption requirements.

For purposes of both laws, the personal information affected by the data privacy encryption law includes an individual’s name, plus one of the following: driver’s license, credit card information, or social security number (SSN).

Both laws establish liability standards for failing to encrypt personal information as required. The Nevada law allows companies complying with the encryption requirements to benefit from a $1,000 per individual cap on liability, which are otherwise unlimited under a lawsuit for negligence. Links:

Text of Nevada data privacy security and encryption law (NRS 597.970)

Text of Massachusetts data privacy security and encryption law (201 CMR 17.00: Standards for The Protection of Personal Information of Residents of the Commonwealth)

Michigan and Washington are among states currently considering similar laws.