New law requiring email encryption takes effect

Written by Dan Blacharski on October 21, 2008

The Nevada law that requires businesses to encrypt data that is transmitted to customers took effect this month, and is expected to have an impact far beyond the state’s borders. An article in today’s Wall Street Journal highlighted some of the challenges of the bill, with which all companies doing business with people in Arizona must comply.

Nevada is just the first of several states that are considering similar laws. Already, more than 40 states have breach notification laws, which require businesses to notify customers if their personal information is stolen or exposed. But beyond requiring notification, these laws do very little to prevent the attacks from occurring in the first place. There’s a big difference between telling someone, “your personal information was exposed,” and requiring action to prevent it from being exposed. The Nevada law is the first that takes this tack, going much further than any notification law ever has.

According to the Journal article, notification laws reduce identity theft by only about two percent. Clearly, these laws have been a failure. Notification laws do nothing at all to address the core problem; they only attempt to address the after-effects.

The Arizona law puts some real teeth into the issue of identity theft. While you may still be liable under notification laws to give notice of a breach or potential breach, the new Nevada law means you have to take action to prevent it from happening by using encryption. And what’s more, if you don’t do it, it will cost you, and cost you plenty. Under the regulation, if you did comply with the mandate to use encryption and a breach still occurs, your damages are capped at $1,000 per incident. However, if you did not use encryption, civil penalties are unlimited.
