Nevada, like most states, has a data security statute that addresses what to do when there’s a data breach. Here’s a quick summary of the Nevada law, which is found at N.R.S. § 603A.010 et seq, “Security of Personal Information”.
Who The Law Applies To. The law applies to any governmental agency, institution of higher education, corporation, financial institution, retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.
“Nonpublic personal information” is a person’s first name or first initial and last name in combination with one or more of the following elements (when both the name and elements are not encrypted):
- A social security number; or
- Driver’s license number or identification card number; or
- Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
What Triggers the Breach Notification Law. The notification requirement is triggered when a data collector that owns or licenses computerized data (which includes personal information) discovers or receives notification of a breach in its security, and it knows or might reasonably believe that unencrypted personal information was acquired by an unauthorized person.
What is a Breach. The Nevada statute defines “breach” as the “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector”. Examples include computer network hacking or other forms of cybercrime, the loss or theft of a laptop or external drive containing unencrypted personally identifiable information, or the accidental exposure of personal information by inadvertent email to a third party.
When and How To Notify. When a breach is confirmed, the disclosure must be made “in the most expedient time possible and without unreasonable delay”. Written notification is permitted, as is electronic notification that complies with the Electronic Signatures in Global and National Commerce Act. If providing notice would exceed $250,000 in costs, substitute notification may be used. Substitute notification must include:
- Notification by electronic mail when the data collector has electronic mail addresses for the subject persons;
- Conspicuous posting of the notification on the Internet website of the data collector, if the data collector maintains a website; and
- Notification to major statewide media.
There are two remaining exceptions to the notice requirements. First, a data collector that maintains its own notification policies and procedures as part of an information security policy that is “consistent” with the other notification requirements is presumptively in compliance with the law’s requirements if it “notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data.” Second, a data collector that complies with the Gramm-Leach-Bliley Act is deemed in compliance with the Nevada law’s notification requirements.
What is Encryption. Unlike many other states, Nevada has very specific and stringent standards for encryption of data. Encryption, under the Nevada law, means the protection of data in electronic or optical form, in storage or in transit, using:
- An encryption technology that has been adopted by an established standards setting body . . . which renders such data indecipherable in the absence of associated cryptographic keys necessary to enable decryption of such data;
- Appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption using guidelines promulgated by an established standards setting body . . .; and
- Any other technology or method identified by the Office of Information Security of the Division of Enterprise Information Technology Services of the Department of Administration in regulations adopted pursuant to N.R.S. § 603A.217.
What if Law Enforcement is Involved. If law enforcement is involved, notification of a data breach may be delayed if notification will impede a criminal investigation. However, once the law enforcement agency determines that notification will not compromise the investigation, notification must be made.
The full set of breach notification requirements was enacted in 2005 and is found at N.R.S. § 603A.220.
What’s the Takeaway? When a data breach is discovered, time is of the essence. Given the legal requirements associated with notifying affected persons following a data breach (and the potential consequences for failing to properly do so), many companies now proactively create and rehearse data breach response plans so that when a breach does occur, they will be better prepared to deal with it. Moreover, retaining competent counsel should be considered the first step in the breach response process, in order to make sure the statutory requirements are properly understood and met.