Senate Bill: 347
Nevada Revised Statute: § 603A.220
Effective Date: January 1, 2006
Definition of Personal Information: A natural person’s first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
(a) Social security number;
(b) Driver’s license number or identification card number;
(c) Account number, credit card number or debit card number, in combination with any required security code, access code, or password that would permit access to the person’s financial account.
Summary: Any data collector that owns or licenses computerized data which includes personal information shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.
Senate Bill: 227
Effective Date: January 1, 2010
Summary: Nevada Senate Bill 227 repeals existing data encryption requirements for organizations that collect personal information, replacing them with updated and expanded rules under Nev. Rev. Stat. § 603A. It added two significant (but mutually exclusive) data security obligations. If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the PCI Data Security Standard or by the PCI Security Standards Council or its successor organization. A data collector doing business in this State whom does not accept credit cards shall not transfer any personal information through an electronic, non-voice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or move any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor unless the data collector uses encryption to ensure the security of the information.
Visit the state Web site