Fortifying Data Breach Legislation in the State of Nevada
Nev. Rev. Stat. §§ 603A.010, 242.183 is a data breach notification law that passed in the U.S. state of Nevada in 2005 that has been amended several times since, most recently in 2015. Nev. Rev. Stat. §§ 603A.010, 242.183 forms the legal framework for the regulation of data breach incidents within the state of Nevada, as the law sets forth various requirements that individuals, businesses, and organizations adhere to in order to achieve compliance. Furthermore, the law also empowers the Nevada Attorney General to impose sanctions and penalties against business entities within the state that fail to oblige with the provisions laid out in the law.
What is the scope and application of Nev. Rev. Stat. §§ 603A.010, 242.183?
In terms of the scope and application of Nev. Rev. Stat. §§ 603A.010, 242.183, the provisions of the law apply to “any governmental agency, institution of higher education, corporation, financial institution or retail operator, or any other type of business entity or association (collectively, Entity), that owns or licenses computerized data that includes PI.” On the contrary, the law also states that “an entity that maintains its own notification policies and procedures as part of an information security policy for the treatment of PI that is otherwise consistent with the timing requirements of the statute shall be deemed in compliance with the notification requirements of the statute if it notifies subject persons in accordance with its policies and procedures in the event of a security breach.”
What are the data breach notification requirements under Nev. Rev. Stat. §§ 603A.010, 242.183?
Under Nev. Rev. Stat. §§ 603A.010, 242.183, business entities within the state that experience a data breach are responsible for providing notification to all affected parties and individuals. These notifications must provide said parties and individuals with information concerning the scope and severity of the breach, as well as the measures that the affected entity has taken to restore the reasonable integrity of the data system that was breached, in addition to other pertinent details. Affected entities must also provide notice to all three major credit reporting agencies within the U.S. in the event that a security breach affects more than 1,000 residents within the state of Nevada.
What categories of personal information are covered under Nev. Rev. Stat. §§ 603A.010, 242.183?
Under Nev. Rev. Stat. §§ 603A.010, 242.183, the following categories of personal information are legally protected in the event that a data breach occurs, in combination with a Nevada resident’s first name or first initial and last name, in instances where such information has not been encrypted:
- Social security numbers.
- Driver’s license numbers or authorization, as well as state identification card numbers.
- Bank account numbers.
- Credit and debit card numbers with any necessary passwords, security questions, or access codes that could be used to permit access to an individual’s financial account.
- Health insurance and medical ID numbers.
- Unique login information, such as a username and password, as well as any security questions or passcodes that could be used to gain access to an individual’s account.
What are the penalties for violating Nev. Rev. Stat. §§ 603A.010, 242.183?
The data breach provisions established by Nev. Rev. Stat. §§ 603A.010, 242.183 are enforceable by the Nevada Attorney General. With this being said, the Nevada Attorney General has the authority to impose the following punishments against entities within the state that are found to be in non-compliance with the law:
- Civil action.
- Monetary damages in the form of lawyer fees.
- Punitive damages.
- Notification costs.
- A short-term or permanent injunction.
Through amendments made to Nev. Rev. Stat. §§ 603A.010, 242.183 in 2015, residents of the state of Nevada were provided with an updated level of legal protection as it concerns data breaches. As such, residents have a number of legal avenues to protect themselves against the adverse consequences that can result from having one’s personal information compromised during a data breach, whether it be in the form of a civil action, punitive damages, or restitution. When compared with many other U.S. data notification laws at the state level, the punishments that can be imposed against entities within Nevada under Nev. Rev. Stat. §§ 603A.010, 242.183 are particularly rigorous.