Encrypting Personal Information
The states of Nevada and, now, Massachusetts require that holders of personal information encrypt that information. Nevada imposes the requirement on businesses and only with respect to certain kinds of data, essentially a person's name combined with a social security number or with other account numbers and access codes. Massachusetts imposes the requirement on everyone who holds personal information about its residents, and applies it specifically to information stored on laptops and other portable devices and to information transmitted over public networks.
A memo by the Chicago firm of Wildman Harrold describes both laws and gives citations.
Do we need this kind of rule in Canada? PIPEDA and its provincial counterparts already require holders of personal information to keep it secure, but they do not name any particular safeguard. The Ontario Information and Privacy Commissioner, at least, has said that personal information on mobile devices must be encrypted, and her colleagues elsewhere may have said the same. See, e.g.:
Fact Sheet # 12 re personal health information [PDF], and
Educational brochure on PI generally
So: is encryption already the rule — at least for mobile devices?
If need be, could one distinguish the transmission of PI over a network from its storage on a mobile device, and treat the two differently? In other words, must PI necessarily be encrypted under current law?
If not, do we need a law like that in Massachusetts or Nevada?
And the definition of "encryption" in these statutes is a bit vague, particularly in Nevada. While keeping the law technology neutral, should it say something more precise about the level of security to be attained, rather than leaving any scheme that calls itself encryption to satisfy the requirement?