2005 Nevada Revised Statutes - Chapter 603A — Security of Personal Information
CHAPTER 603A - SECURITY OF PERSONAL INFORMATION
GENERAL PROVISIONS
NRS 603A.010 Definitions.
NRS 603A.020 Breach of the security of the system data defined.
NRS 603A.030 Data collector defined.
NRS 603A.040 Personal information defined.
APPLICABILITY
NRS 603A.100 Waiver of provisions of chapter prohibited.
REGULATION OF BUSINESS PRACTICES
NRS 603A.200 Destruction of certain records.
NRS 603A.210 Security measures.
NRS 603A.220 Disclosure of breach of security of system data; methods of disclosure.
REMEDIES AND PENALTIES
NRS 603A.900 Civil action.
NRS 603A.910 Restitution.
NRS 603A.920 Injunction.
_________
GENERAL PROVISIONS
NRS
(Added to NRS by
NRS
(Added to NRS by
NRS
(Added to NRS by
NRS
1. Social security number.
2. Driver's license number or identification card number.
3. Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account.
The term does not include publicly available information that is lawfully made available to the general public.
(Added to NRS by
APPLICABILITY
NRS
(Added to NRS by
REGULATION OF BUSINESS PRACTICES
NRS
1. A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records.
2. As used in this section:
(a) "Business" means a proprietorship, corporation, partnership, association, trust, unincorporated organization or other enterprise doing business in this State.
(b) "Reasonable measures to ensure the destruction" means any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable, including, without limitation:
(1) Shredding of the record containing the personal information; or
(2) Erasing of the personal information from the records.
(Added to NRS by
NRS
1. A data collector that maintains records which contain personal information of a resident of this State shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.
2. A contract for the disclosure of the personal information of a resident of this State which is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.
3. If a state or federal law requires a data collector to provide greater protection to records that contain personal information of a resident of this State which are maintained by the data collector and the data collector is in compliance with the provisions of that state or federal law, the data collector shall be deemed to be in compliance with the provisions of this section.
(Added to NRS by
NRS
1. Any data collector that owns or licenses computerized data which includes personal information shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.
2. Any data collector that maintains computerized data which includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
3. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section must be made after the law enforcement agency determines that the notification will not compromise the investigation.
4. For purposes of this section, except as otherwise provided in subsection 5, the notification required by this section may be provided by one of the following methods:
(a) Written notification.
(b) Electronic notification, if the notification provided is consistent with the provisions of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. 7001 et seq.
(c) Substitute notification, if the data collector demonstrates that the cost of providing notification would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000 or the data collector does not have sufficient contact information. Substitute notification must consist of all the following:
(1) Notification by electronic mail when the data collector has electronic mail addresses for the subject persons.
(2) Conspicuous posting of the notification on the Internet website of the data collector, if the data collector maintains an Internet website.
(3) Notification to major statewide media.
5. A data collector which:
(a) Maintains its own notification policies and procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the data collector notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data.
(b) Is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section.
6. If a data collector determines that notification is required to be given pursuant to the provisions of this section to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any consumer reporting agency, as that term is defined in 15 U.S.C. 1681a(p), that compiles and maintains files on consumers on a nationwide basis, of the time the notification is distributed and the content of the notification.
(Added to NRS by
REMEDIES AND PENALTIES
NRS
(Added to NRS by
NRS
(Added to NRS by
NRS
(Added to NRS by