Nevada Security and Privacy of Personal Information
Nev. Rev. Stat. § 603A.010, et seq.
SUMMARY:
EFFECTIVE. October 1, 2005
WHO DOES THIS LAW APPLY TO. (1) Any person, business or government agency that owns or licenses computerized data that includes Personal Information; and (2) any person, business, or government agency that maintains computerized data that includes Personal Information on State residents.
WHAT IS A BREACH. Unauthorized acquisition of unencrypted computerized data that materially compromises the security, integrity, or confidentiality of Personal Information maintained by a person, business, or government agency.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data element are not encrypted:
- Social Security Number.
- Driver’s license number or identification card number.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
Personal Information does not include the last four digits of a social security number, driver’s license or identification card, or publicly available information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. Notification of the breach must be sent to the residents affected. If more than 1,000 residents are involved in a breach, the person, business, or government agency shall also notify, without unreasonable delay, all consumer reporting agencies that maintain files on consumers nationwide (as defined by 15 U.S.C. § 1618a(p)), of the date of distribution and content of the notice.
EXCEPTION. This Section does not apply to the following:
- A good faith acquisition of Personal Information by an employee or agent of the entity for internal purposes only is not a breach, if it is not used for an unrelated purpose, or subject to further unauthorized disclosure.
- A person, business or government agency which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected individuals are notified by the person, business, or government agency in accordance with its policies.
- A person, business, or government agency that is subject to and complies with the Gramm-Leach-Bliley Act, 15 U.S.C. § 6801, et seq. is considered in compliance with this Section.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business or government agency discovers or is notified of a security breach. The disclosure shall be made in the most expedient manner possible and without unreasonable delay consistent with the needs of law enforcement, and any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation. In that instance, notification shall be made after clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Electronic (if consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or government agency can demonstrate that the cost of providing notice will exceed $250,000, the affected class of persons to be notified exceeds 500,000, or the person, business or government agency has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person, business, or government agency has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, business, or government agency if one is maintained.
- Notification to major statewide media.
NOTICE TO THIRD-PARTIES. If a person, business, or government agency maintains unencrypted data that includes Personal Information that it does not own, then the person, business, or government agency shall notify the owner or licensee of the security breach immediately upon discovery. The person, business, or government agency that owns or licenses the computerized data shall provide notice to the individual.
CONSEQUENCES FOR FAILING TO NOTIFY. A person, business or government agency that complies with the notice requirements of this law may file a lawsuit against any person that unlawfully obtained or benefitted from the Personal Information, to recover notification costs, attorney’s fees and costs, and punitive damages.
In the event a person or business violates the provisions of this law, the Attorney General may obtain a court order to prevent any further violations. If there is a violation of the data security or data breach reporting requirements, it is a deceptive trade practice under state law and the Nevada Attorney General could impose civil and criminal penalties for violations of those requirements.
PRIVATE RIGHT OF ACTION. None provided in the statute. A data collector that provides the requisite notice may commence an action for damages against a person who unlawfully obtained or benefited from personal information obtained from records maintained by the data collector.
REQUIREMENTS OF REASONABLE SECURITY MEASURES.
DATA DISPOSAL PROVISIONS. Nev. Rev. Stat. § 603A.200. 1. A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records. 2. As used in this section: (a) “Business” means a proprietorship, corporation, partnership, association, trust, unincorporated organization or other enterprise doing business in this State; (b) “Reasonable measures to ensure the destruction” means any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable, including, without limitation: (1) Shredding of the record containing the personal information; or (2) Erasing of the personal information from the records.
LEGISLATIVE UPDATES.
S.B. 347 – Signed into law 6/17/2005, Effective 10/1/2005.
S.B. 186 – Signed into law 6/15/2011, Effective 10/1/2011.
A.B. 179 – Signed into law 5/13/2015, Effective 7/1/2015.
S.B. 260 / A.B. 61 – Signed into law 6/2/2021, Effective 10/1/2021.
For more information, see here: https://www.leg.state.nv.us/NRS/NRS-603A.html
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.