Nev. Rev. Stat. § 603A.010 et seq.
S.B. 347 (signed into law June 17, 2005, Chapter 485)
Effective October 1, 2005: Provisions regarding (i) forgery laboratories, (ii) crimes against older and vulnerable persons, (iii) requirements for state actors, and (iv) credit card issuer requirements
Effective January 1, 2006: (i) credit card issuer requirements, (ii) data destruction requirements, (iii) “reasonable protections” requirements, (iv) security breach notification provisions
Effective January 1, 2008: Encryption provisions
Application. Any governmental agency, institution of higher education, corporation, financial institution or retail operator, or any other type of business entity or association (collectively, Entity), that owns or licenses computerized data that includes PI.
Security Breach Definition. An unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI maintained by Entity.
Notification Obligation. Any Entity to which the statute applies shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of NV whose unencrypted PI was, or is reasonably believed to have been, acquired by an unauthorized person.
- Good-faith acquisition of PI by an employee or agent of the Entity for the legitimate purposes of the Entity is not a breach of the security of the system if the PI is not otherwise used or subject to further unauthorized disclosure.
Notification to Consumer Reporting Agencies. If an Entity determines that notification is required to be given to more than 1,000 persons at any one time, the Entity shall also notify, without unreasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis of the time the notification is distributed and the content of the notification.
Third-Party Data Notification. If an Entity maintains computerized data that includes PI that the Entity does not own, the Entity must notify the owner or licensee of the information of any breach of the security of the system data immediately following discovery if the PI was, or is reasonably believed to have been, acquired by an unauthorized person.
Timing of Notification. The disclosure shall be made in the most expedient time possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.
Personal Information Definition. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
- Social Security Number;
- Driver license number or NV identification card number; or
- Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account.
PI does not include the last four digits of a Social Security Number or publicly available information that is lawfully made available to the general public.
Notice Required. Notice may be provided by one of the following methods:
- Written notice; or
- Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).
Substitute Notice Available. If the Entity demonstrates that the cost of providing notice would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000, or the Entity does not have sufficient contact information. Substitute notice shall consist of all of the following:
- Email notice when the Entity has email addresses for the subject persons;
- Conspicuous posting of the notice on the Entity’s Web site if the Entity maintains one; and
- Notification to major statewide media.
Exception: Own Notification Policy. An Entity that maintains its own notification policies and procedures as part of an information security policy for the treatment of PI that is otherwise consistent with the timing requirements of the statute shall be deemed in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies and procedures in the event of a security breach.
Exception: Compliance with Other Laws.
- Gramm-Leach-Bliley Act. An Entity that is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act shall be deemed to be in compliance with the notification requirements.
Other Key Provisions:
- Delay for Law Enforcement. The notification required by the statute may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification must be made after the law enforcement agency determines that the notification will not compromise the investigation.
- AG Enforcement. If the state AG or a district attorney of any county has reason to believe that any person is violating, proposes to violate or has violated the provisions of the statute, he may bring an action against that person to obtain a temporary or permanent injunction against the violation.
- Right of Action for Data Collector. A data collector that provides the requisite notice may commence an action for damages against a person that unlawfully obtained or benefited from personal information obtained from records maintained by the data collector.
- Special Notification Obligations for Government Agencies and Elected Officers. See Nev. Rev. Stat. § 242.181.
- Special Rules Applicable to Electronic Health Records. See Nev. Rev. Stat. §§ 439, 603A.100.
- Waiver Not Permitted.