Last spring we posted a summary of Nevada’s data security laws. Since then, during the 2015 legislative session, the Nevada legislature adopted certain amendments to the statute. The changes took effect on July 1, 2015.
The “Personal Information” Definition Has Been Updated
To keep up with the ever-increasing types of personally identifying information being created about us, Nevada amended the definition of “personal information” to include some of those new kinds of identifying information. The additions to the statute are set forth in bold text as follows.
In NRS 603A.040, the term personal information now “means a natural person’s first name or first initial an last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
-
Social security number;
-
Driver’s license number, driver authorization card number or identification car number;
-
Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account;
-
A medical identification number or a health insurance identification number;
-
A user name, unique identifier of electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.
The amended statute also provides that personal information “does not include the last four digits of a social security number, the last four digits of a driver’s license, or the last four digits of a driver authorization card number or the last four digits of an identification card number or publically available information that is lawfully made available to the general public from federal, state or local government records.”
Business Considerations Based on the Amended Statute?
In light of this amendment, businesses should consider checking the kinds of information that they collect, create, store and/or share to determine if any of it now falls within this amended definition of “personal information”. If it does, additional data protection and breach response measures should also be considered.
Given the rapidly-evolving digital ecosystem we now live and work in, this will certainly not be the last revision to Nevada’s privacy, data protection and breach response statutory scheme. Stay tuned for additional updates.
