2005 Nevada Revised Statutes - Chapter 603A — Security of Personal Information

CHAPTER 603A - SECURITY OF PERSONAL INFORMATION

GENERAL PROVISIONS

NRS 603A.010 Definitions.

NRS 603A.020 "Breach of the security of the system data" defined.

NRS 603A.030 "Data collector" defined.

NRS 603A.040 "Personal information" defined.

APPLICABILITY

NRS 603A.100 Waiver of provisions of chapter prohibited.

REGULATION OF BUSINESS PRACTICES

NRS 603A.200 Destruction of certain records.

NRS 603A.210 Security measures.

NRS 603A.220 Disclosure of breach of security of system data; methods of disclosure.

REMEDIES AND PENALTIES

NRS 603A.900 Civil action.

NRS 603A.910 Restitution.

NRS 603A.920 Injunction.

_________

GENERAL PROVISIONS

NRS 603A.010 Definitions. As used in this chapter, unless the context otherwise requires, the words and terms defined in NRS 603A.020, 603A.030 and 603A.040 have the meanings ascribed to them in those sections.

(Added to NRS by 2005, 2503)

NRS 603A.020 "Breach of the security of the system data" defined. "Breach of the security of the system data" means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector. The term does not include the good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, so long as the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure.

(Added to NRS by 2005, 2503)

NRS 603A.030 "Data collector" defined. "Data collector" means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.

(Added to NRS by 2005, 2504)

NRS 603A.040 "Personal information" defined. "Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

1. Social security number.

2. Driver's license number or identification card number.

3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.

The term does not include publicly available information that is lawfully made available to the general public.

(Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109)

APPLICABILITY

NRS 603A.100 Waiver of provisions of chapter prohibited. Any waiver of the provisions of this chapter is contrary to public policy, void and unenforceable.

(Added to NRS by 2005, 2506)

REGULATION OF BUSINESS PRACTICES

NRS 603A.200 Destruction of certain records.

1. A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records.

2. As used in this section:

(a) "Business" means a proprietorship, corporation, partnership, association, trust, unincorporated organization or other enterprise doing business in this State.

(b) "Reasonable measures to ensure the destruction" means any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable, including, without limitation:

(1) Shredding of the record containing the personal information; or

(2) Erasing of the personal information from the records.

(Added to NRS by 2005, 2504)

NRS 603A.210 Security measures.

1. A data collector that maintains records which contain personal information of a resident of this State shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

2. A contract for the disclosure of the personal information of a resident of this State which is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

3. If a state or federal law requires a data collector to provide greater protection to records that contain personal information of a resident of this State which are maintained by the data collector and the data collector is in compliance with the provisions of that state or federal law, the data collector shall be deemed to be in compliance with the provisions of this section.

(Added to NRS by 2005, 2504)

NRS 603A.220 Disclosure of breach of security of system data; methods of disclosure.

1. Any data collector that owns or licenses computerized data which includes personal information shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.

2. Any data collector that maintains computerized data which includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

3. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section must be made after the law enforcement agency determines that the notification will not compromise the investigation.

4. For purposes of this section, except as otherwise provided in subsection 5, the notification required by this section may be provided by one of the following methods:

(a) Written notification.

(b) Electronic notification, if the notification provided is consistent with the provisions of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001 et seq.

(c) Substitute notification, if the data collector demonstrates that the cost of providing notification would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000 or the data collector does not have sufficient contact information. Substitute notification must consist of all the following:

(1) Notification by electronic mail when the data collector has electronic mail addresses for the subject persons.

(2) Conspicuous posting of the notification on the Internet website of the data collector, if the data collector maintains an Internet website.

(3) Notification to major statewide media.

5. A data collector which:

(a) Maintains its own notification policies and procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the data collector notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data.

(b) Is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section.

6. If a data collector determines that notification is required to be given pursuant to the provisions of this section to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any consumer reporting agency, as that term is defined in 15 U.S.C. 1681a(p), that compiles and maintains files on consumers on a nationwide basis, of the time the notification is distributed and the content of the notification.

(Added to NRS by 2005, 2504)

REMEDIES AND PENALTIES

NRS 603A.900 Civil action. A data collector that provides the notification required pursuant to NRS 603A.220 may commence an action for damages against a person that unlawfully obtained or benefited from personal information obtained from records maintained by the data collector. A data collector that prevails in such an action may be awarded damages which may include, without limitation, the reasonable costs of notification, reasonable attorney's fees and costs and punitive damages when appropriate. The costs of notification include, without limitation, labor, materials, postage and any other costs reasonably related to providing the notification.

(Added to NRS by 2005, 2506)

NRS 603A.910 Restitution. In addition to any other penalty provided by law for the breach of the security of the system data maintained by a data collector, the court may order a person who is convicted of unlawfully obtaining or benefiting from personal information obtained as a result of such breach to pay restitution to the data collector for the reasonable costs incurred by the data collector in providing the notification required pursuant to NRS 603A.220, including, without limitation, labor, materials, postage and any other costs reasonably related to providing such notification.

(Added to NRS by 2005, 2506)

NRS 603A.920 Injunction. If the Attorney General or a district attorney of any county has reason to believe that any person is violating, proposes to violate or has violated the provisions of this chapter, he may bring an action against that person to obtain a temporary or permanent injunction against the violation.

(Added to NRS by 2005, 2506)

 

