Effective Wednesday, October 1, each business in Nevada must encrypt customers’ personal information when it is transmitted outside the business’ secure network, such as when it's transmitted over Wi-Fi. Initially passed in October 2007, the law was said to have been the first of this type.
The Commonwealth of Massachusetts has also instituted a rule through its Office of Consumer Affairs, effective January 1, 2009, that requires encryption of any personal data that is "portable," such as on a laptop or a USB card.
A similar bill, 1022, which would have required all such stored data to be encrypted, was considered in Michigan, but it died in committee. Similarly, Senate Bill 6425, in the state of Washington, would have "effectively require encryption for payment card data in transit and require either encryption or other data-masking measures for payment card primary account numbers while they are in storage," but it also died in committee.
"Most state data breach notice laws do not require businesses to notify their customers when customers’ digital personal information has been stolen or lost if the information was encrypted," reported the web site of Davis Wright & Tremaine, LLP. "The Federal Trade Commission encourages but does not mandate that consumers’ personal data be encrypted." In comparison, the European Union required encryption of personal data as far back as 1998.
Within the U.S. federal government itself, the Office of Management and Budget required in 2006 that all sensitive agency data on laptops be encrypted.
With the frequent losses and thefts of laptops, USB drives, and even discarded but unwiped hard disk drives, expect more states to pass similar laws.