Dara Security

Nevada's Data Privacy and Protection Law Updates

June 13, 2014

Nevada, as with 48 of the 50 states, has a Data Privacy and Protection law. This law has been in place since 2008 and has been updated twice since then.

Nevada's Data Privacy and Protection law has two principal sets of provisions. First, the law incorporates the requirements of the Payment Card Industry Data Security Standard (PCI DSS) for all companies doing business in the state that accept a payment card in connection with a sale of goods or services. With this provision, Nevada gives the PCI DSS, an industry standard developed by a private rulemaking body, the force of law in the state. This is significant because it means a company doing business in the state of Nevada that fails to meet PCI DSS standards is in violation of the data privacy law and is subject to any and all penalties.

The second provision applies to companies that collect private information on Nevada residents, but not in connection with the sale of goods or services. This provision covers companies that collect employee data for payroll purposes or doctors' offices that collect patient data for medical records. Similar to the first provision, the second requires protecting data from unauthorized access. However, it goes a step further by requiring the use of encryption to protect the data. Encryption of personal information is required during electronic transmission or while in storage on data storage devices.

What Is "Personal Information" Under The Data Privacy and Protection Law?

The statute defines "personal information" as "a natural person's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:

--Social security number

--Driver's license number or identification card number

--Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person's financial account"

The definition does not include "the last four digits of a social security number or publicly available information that is lawfully made available to the general public."

When Is A Transmission Subject To The Data Privacy and Protection Law?

Nevada's law covers essentially all electronic transmissions, except conventional faxes and voice telephone calls, that are sent outside the company's internal computer and communications systems. This category would include emails, transmissions of data to offsite data processing vendors, and any non-voice Internet communications.

When Must Stored Data Be Encrypted?

Some of the most controversial provisions of the Nevada law have to do with encryption of data on a "data storage device" that is moved "beyond the logical or physical controls of the data collector or its data storage contractor."

The Data Privacy and Protection law defines a data storage device quite comprehensively as "any device that stores information or data from any electronic or optical medium, including, but not limited to, computers, cellular telephones, magnetic tape, electronic computer drives and optical computer drives, and the medium itself." Based on this broad definition, any device or medium on which personal information is stored must be kept within the system or premises of the data controller or its data storage vendor, or the personal information stored on the device or medium must be encrypted.

How Dara Security Approaches The Data Privacy Law

These provisions put a heavy burden on a business to control its employees' use of laptops, flash drives, and other devices and media that can easily be loaded with sensitive data and removed from the employer's premises. Under the data security breach notification laws already in effect in most states, losses of unencrypted laptops and other devices that contain personal information can obligate an organization to notify affected persons. The Nevada law turns the legal screw even tighter, by making the act of removing the unencrypted device from the employer's premises a violation of law in itself, even if no security breach results.

Dara Security is a certified PCI QSA firm, the only one in Nevada, and we can help you understand the data privacy law and, more importantly, ensure you have the proper security in all your personal information and data transactions. Call us today to find out how to make your home or business the safest it can be.