States bear down on security breaches

Nevada is at the forefront of states that are passing laws requiring businesses – even small businesses – to encrypt customer data, The Wall Street Journal reports.

The Journal tells the story of Alicia Granstedt, a Las Vegas hair stylist, who used to accept credit card numbers over email but has now started encrypting email communications.

It is a hassle, "but I can't afford to be responsible for someone having their identity stolen," she said.

But Nevada is just the first of several states adopting such laws.

Starting in January, Massachusetts will require businesses that collect information about that state's residents to encrypt sensitive data stored on laptop computers and other portable devices. Michigan and Washington state are considering similar regulations

Nevada's new law imposes a $1,000 fine per breach per customer. And more importantly, they establish a standard that can be used by plaintiffs in civil suits to argue that a business that lost data was negligent.

"Breach-notification laws deal with what happens after the horse leaves the barn," said Daniel Crane, undersecretary of the Massachusetts Office of Consumer Affairs and Business Regulation. The new regulation in his state "is intended to prevent the horse from getting out of the barn in the first place."