Nevada is one of a small number of states that actually defines the term ‘encryption’ as used in its breach disclosure law.
NRS 205.4742 “Encryption” defined. “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:
1. Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;
2. Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or
3. Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.
(Added to NRS by 1999, 2704)
Initially, I read this as basically saying that any control used to prevent or hinder unauthorized access to data counts as encryption. After all, why would a data owner want to hinder or obstruct legitimate access? But what the heck is a “computer contaminant”? I thought maybe it meant some kind of electronic taggant — after all, this is financial stuff. I figured it might be the digital equivalent of an exploding dye packet in a cash drawer.
Nope. Basically, it means “evilware” — virii, worms, spyware, etc. So, what we have here is a law designed to protect data from being accessed by malefactors that defines one of its key controls (encryption) as (in part) the use of malware to deprive legitimate data owner access to his data!
Basically, Nevada seems to have passed their law defining encryption back when encryption was thought (by the ignorant) to be something pornographers, drug dealers, Communists, and mafiosi used. Accordingly, it is defined by statute in negative terms. Now, when it is rightly seen as a critical means of protecting “good” information and keeping it from some of the very bad guys listed above, Nevada remains saddled with their earlier definition, and IMO they look all the more foolish for it.