NRS 597.970  Restrictions on transfer of personal information through electronic transmission. [Effective October 1, 2008.]

      1.  A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

      2.  As used in this section:

      (a) “Encryption” has the meaning ascribed to it in NRS 205.4742.

      (b) “Personal information” has the meaning ascribed to it in NRS 603A.040.

      (Added to NRS by 2005, 2506, effective October 1, 2008)

NRS 205.4742  Encryption” defined.  “Encryption” means the use of any protective or disruptive measure, including, without limitation, cryptography, enciphering, encoding or a computer contaminant, to:

      1.  Prevent, impede, delay or disrupt access to any data, information, image, program, signal or sound;

      2.  Cause or make any data, information, image, program, signal or sound unintelligible or unusable; or

      3.  Prevent, impede, delay or disrupt the normal operation or use of any component, device, equipment, system or network.

      (Added to NRS by 1999, 2704)

NRS 603A.040  Personal information” defined.  “Personal information” means a natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

      1.  Social security number.

      2.  Driver’s license number or identification card number.

      3.  Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

Ê The term does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public.

      (Added to NRS by 2005, 2504; A 2005, 22nd Special Session, 109; 2007, 1314)

NRS 603A.200  Destruction of certain records.

      1.  A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records.

      2.  As used in this section:

      (a) “Business” means a proprietorship, corporation, partnership, association, trust, unincorporated organization or other enterprise doing business in this State.

      (b) “Reasonable measures to ensure the destruction” means any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable, including, without limitation:

             (1) Shredding of the record containing the personal information; or

             (2) Erasing of the personal information from the records.

      (Added to NRS by 2005, 2504)

      NRS 603A.210  Security measures.

      1.  A data collector that maintains records which contain personal information of a resident of this State shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

      2.  A contract for the disclosure of the personal information of a resident of this State which is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

      3.  If a state or federal law requires a data collector to provide greater protection to records that contain personal information of a resident of this State which are maintained by the data collector and the data collector is in compliance with the provisions of that state or federal law, the data collector shall be deemed to be in compliance with the provisions of this section.

      (Added to NRS by 2005, 2504)

      NRS 603A.220  Disclosure of breach of security of system data; methods of disclosure.

      1.  Any data collector that owns or licenses computerized data which includes personal information shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.

      2.  Any data collector that maintains computerized data which includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

      3.  The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. The notification required by this section must be made after the law enforcement agency determines that the notification will not compromise the investigation.

      4.  For purposes of this section, except as otherwise provided in subsection 5, the notification required by this section may be provided by one of the following methods:

      (a) Written notification.

      (b) Electronic notification, if the notification provided is consistent with the provisions of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001 et seq.

      (c) Substitute notification, if the data collector demonstrates that the cost of providing notification would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000 or the data collector does not have sufficient contact information. Substitute notification must consist of all the following:

             (1) Notification by electronic mail when the data collector has electronic mail addresses for the subject persons.

             (2) Conspicuous posting of the notification on the Internet website of the data collector, if the data collector maintains an Internet website.

             (3) Notification to major statewide media.

      5.  A data collector which:

      (a) Maintains its own notification policies and procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the data collector notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data.

      (b) Is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section.

      6.  If a data collector determines that notification is required to be given pursuant to the provisions of this section to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any consumer reporting agency, as that term is defined in 15 U.S.C. § 1681a(p), that compiles and maintains files on consumers on a nationwide basis, of the time the notification is distributed and the content of the notification.

      (Added to NRS by 2005, 2504)

REMEDIES AND PENALTIES

      NRS 603A.900  Civil action.  A data collector that provides the notification required pursuant to NRS 603A.220 may commence an action for damages against a person that unlawfully obtained or benefited from personal information obtained from records maintained by the data collector. A data collector that prevails in such an action may be awarded damages which may include, without limitation, the reasonable costs of notification, reasonable attorney’s fees and costs and punitive damages when appropriate. The costs of notification include, without limitation, labor, materials, postage and any other costs reasonably related to providing the notification.

      (Added to NRS by 2005, 2506)

      NRS 603A.910  Restitution.  In addition to any other penalty provided by law for the breach of the security of the system data maintained by a data collector, the court may order a person who is convicted of unlawfully obtaining or benefiting from personal information obtained as a result of such breach to pay restitution to the data collector for the reasonable costs incurred by the data collector in providing the notification required pursuant to NRS 603A.220, including, without limitation, labor, materials, postage and any other costs reasonably related to providing such notification.

      (Added to NRS by 2005, 2506)

      NRS 603A.920  Injunction.  If the Attorney General or a district attorney of any county has reason to believe that any person is violating, proposes to violate or has violated the provisions of this chapter, he may bring an action against that person to obtain a temporary or permanent injunction against the violation.

      (Added to NRS by 2005, 2506)

 

2005 Statutes of Nevada, Page 2506 (Chapter 485, SB 347)

 

nationwide basis, of the time the notification is distributed and the content of the notification.

      Sec. 25.  A data collector who provides the notification required pursuant to section 24 of this act may commence an action for damages against a person that unlawfully obtained or benefited from personal information obtained from records maintained by the data collector. A data collector that prevails in such an action may be awarded damages which may include, without limitation, the reasonable costs of notification, reasonable attorney’s fees and costs and punitive damages when appropriate. The costs of notification include, without limitation, labor, materials, postage and any other costs reasonably related to providing the notification.

      Sec. 26.  In addition to any other penalty provided by law for the breach of the security of the system data maintained by a data collector, the court may order a person who is convicted of unlawfully obtaining or benefiting from personal information obtained as a result of such breach to pay restitution to the data collector for the reasonable costs incurred by the data collector in providing the notification required pursuant to section 24 of this act, including, without limitation, labor, materials, postage and any other costs reasonably related to providing such notification.

      Sec. 27.  Any waiver of the provisions of this chapter is contrary to public policy, void and unenforceable.

      Sec. 28.  If the Attorney General or a district attorney of any county has reason to believe that any person is violating, proposes to violate or has violated the provisions of this chapter, he may bring an action against that person to obtain a temporary or permanent injunction against the violation.

      Sec. 29.  Chapter 597 of NRS is hereby amended by adding thereto a new section to read as follows:

      1.  A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.

      2.  As used in this section:

      (a) “Encryption” has the meaning ascribed to it in NRS 205.4742.

      (b) “Personal information” has the meaning ascribed to it in section 21 of this act.

      Sec. 30.  1.  This section and sections 1 to 13, inclusive, of this act become effective on October 1, 2005.

      2.  Sections 14 to 28, inclusive, of this act become effective on January 1, 2006.

      3.  Section 29 of this act becomes effective on October 1, 2008.

________

 

CHAPTER 486, AB 334

Assembly Bill No. 334–Assemblywoman Buckley

 

CHAPTER 486

 

AN ACT relating to privacy; requiring a governmental entity, except in certain circumstances, to ensure that social security numbers in its books and records are maintained in a confidential manner; prohibiting the inclusion of social security numbers in certain documents