The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 

Back To Map
Rapid Response Hotline 877.382.2724

Nevada

Data Breach Notification Statute

Highlights

Covered Entities: Any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that handles, collects, disseminates or otherwise deals with nonpublic personal information.

Consumer Notification: Notification required when personal information “was, or is reasonably believed to have been, acquired by an unauthorized person.”

Regulatory Notification: None

Notification Timeline: The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.

Data Format: Electronic

Citations: Nev. Rev. Stat. 603A.010 et. seq.

More Details

Definitions:

  • Breach: Unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information.
  • Personal Information (PI):
    • natural person’s first name or first initial and last name in combination with any one or more of the following data elements when neither the name or data elements are encrypted
      • Social security number
      • Driver’s license number, driver authorization card number or identification card number.
      • Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
      • A medical identification number or a health insurance identification number.
    • A username, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.

Safe Harbors:

  • Encryption: means the protection of data in electronic or optical form, in storage or in transit, using:
    • “An encryption technology that has been adopted by an established standards setting body,” and “which renders such data indecipherable” without the associated keys to decrypt such data;
    • “Appropriate management and safeguards of cryptographic keys” to ensure the encryption remains secure using established guidelines; and
    • “Any other technology or method identified by the Office of Information Security of the Division of Enterprise Information Technology Services of the Department of Administration”
  • Good Faith: Breach does not include the good faith acquisition of personal information by an employee or agent of the data collector for a legitimate purpose of the data collector, so long as the personal information is not used for a purpose unrelated to the data collector or subject to further unauthorized disclosure.
  • Risk of Harm: N/A
  • Law Enforcement Delay: Notification may be delayed if law enforcement determines that the notification will impede a criminal investigation. Notification must be made after law enforcement finds “the notification will not compromise the investigation.”

Direct Notice:

  • Timing: The disclosure must be made in the most expedient time possible and while also considering “any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data.”
  • Format: N/A
  • Content: N/A
  • Method: Written notification, Electronic notification

Substitute Notice:

If the cost of notification exceeds $250,000 or more than 500,000 need to be notified, “or the data collector does not have sufficient contact information.” Substitute notification must consist of all the following:

  • Notification by email when the data collector has email addresses
  • Conspicuous posting on their website
  • Notification to major statewide media.

Remediation Services:

None

Regulatory Notice:

None

Credit Reporting Agencies Notice:

If more than 1,000 Nevada residents are notified, the entity must also notify any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis of the time the notification is distributed and the content of the notification, without unreasonable delay.

Third-Party Notice:

A third party that does not own the breached data “shall notify the owner or licensee of the information of any breach” immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.

HIPAA:

None

GLBA:

A data collector which:

  • Maintains its own notification policies and procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the data collector notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data.
  • Is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section.

Private Action:

None

Associated Regulations:

If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

  • Information Security Standard (Nev. Rev. Stat. 603A.200)

Information Security Standard

Highlights

Covered Entities: A “data collector” means any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise handles, collects, disseminates or otherwise deals with nonpublic personal information.

First Party Security Standard: A data collector that maintains records which contain personal information of a resident of this State shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

If a data collector is a governmental agency and maintains records which contain personal information of a resident of this State, the data collector shall, to the extent practicable, with respect to the collection, dissemination and maintenance of those records, comply with the current version of the CIS Controls as published by the Center for Internet Security, Inc. or its successor organization, or corresponding standards adopted by the National Institute of Standards and Technology of the United States Department of Commerce.

Third Party Security Standard: A business that discloses personal information about a Nevada resident pursuant to a contract with a nonaffiliated third party that is not subject to the requirements above shall include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

Disposal/Destruction Standard: A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records.

“Reasonable measures to ensure the destruction" means any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable, including, without limitation:

  • Shredding of the record containing the personal information; or
  • Erasing of the personal information from the records.

Data Format: Electronic and Physical.

Citations: Nev. Rev. Stat. 603A.010 et. seq.

More Details

Definitions:

  • Personal Information (PI): An individual’s first name or first initial and last name in combination with any one (1) or more of the following data elements, when the name and data element are not encrypted:
    • Social Security number;
    • Driver’s license number, driver authorization card number or identification card number;
    • Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the individual's financial account;
    • A medical identification number or health insurance identification number;
    • A user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.

PI does not include the last four (4) digits of a social security number, the last four digits of a driver’s license number, the last four digits of a driver authorization card number or the last four (4) digits of an identification card number or publicly available information that is lawfully made available to the general public from federal, state, or local governmental records.

Methods of Compliance:

The statute does not define what constitutes “reasonable security measures to protect records” containing personal information. However, a data collector is in compliance if it provides greater protection to such records pursuant to an applicable state or federal law.

If a data collector discloses personal information to a third party pursuant to a contract, the contract must require the third party to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.

If a data collector doing business in Nevada accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

A data collector doing business in Nevada that does not accept payment card transactions shallt not electronically transfer any personal information through an electronic, nonvoice transmission other than a facsimile to a person outside of the secure system of the data collector unless the data collector uses encryption to ensure the security of electronic transmission; or move any data storage device containing personal information beyond the logical or physical controls of the data collector, its data storage contractor or, if the data storage device is used by or is a component of a multifunctional device, a person who assumes the obligation of the data collector to protect personal information, unless the data collector uses encryption to ensure the security of the information.

Exclusions:

  • Health Care: N/A
  • Financial: A data collector subject to and in compliance with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section.
  • Other: The security measures for data collectors that accept payment card, use of encryption, liability for damages do not apply to telecommunication providers under certain conditions and data transmission over a secure, private communication channel for approval or processing of certain transactions and issuance of reports regarding account closures due to fraud, substantial overdrafts, abuse of automatic teller machines or related information regarding a customer.

Enforcement/Penalties:

If the Attorney General or a district attorney of any county has reason to believe that any person is violating, proposes to violate, or has violated the provisions of this statute, the Attorney General or district attorney may bring an action against that person to obtain a temporary or permanent injunction against the violation.

A data collector that provides the notification required pursuant to NRS 603A.220 may commence an action for damages against a person that unlawfully obtained or benefited from personal information obtained from records maintained by the data collector. A data collector that prevails in such an action may be awarded damages which may include, without limitation, the reasonable costs of notification, reasonable attorney’s fees and costs and punitive damages when appropriate. The costs of notification include, without limitation, labor, materials, postage and any other costs reasonably related to providing the notification.

In addition to any other penalty provided by law for the breach of the security of the system data maintained by a data collector, the court may order a person who is convicted of unlawfully obtaining or benefiting from personal information obtained as a result of such breach to pay restitution to the data collector for the reasonable costs incurred by the data collector in providing the notification required pursuant to NRS 603A.220, including, without limitation, labor, materials, postage and any other costs reasonably related to providing such notification.

Associated Regulations:

N/A

Back to Page