The Nevada Revised Statutes Chapter 603A (“Nevada Law”) is a state statutory privacy and data security law that protects the personally identifiable information of Nevada residents. The Nevada Law mandates data security standards for government, academic institutions, and corporations that collect nonpublic personal information. It also imposes additional privacy notice standards for internet website operators.
Personal information (Data security provisions)
The Nevada Law’s data security provisions govern the collection, use, and disclosure of personal information. The term “personal information” is defined as an individual’s first and last name, in combination with any of five types of identifier data, including social security number, state-issued identification number, health insurance identification number, financial account number with the access code, and a user name for an online account with the password. The statute also provides three safe harbors that exclude data from the definition: encryption, data-masking, and public information.
Covered information (Privacy provisions)
The privacy provisions of the Nevada Law govern covered information. The term “covered information” is similar to personal information; however, it is much broader in scope. Covered information does not need to be in combination with a first and last name; any identifier that makes the individual personally identifiable qualifies, including a physical address, email address, and telephone number.
Data collectors that collect, use, disclose, or otherwise deal with personal information are required to comply with provisions related to:
- Data security measures
- Data destruction
- Data breach notification
Operators that collect covered information through a website or internet service must comply with provisions concerning:
- Privacy notice
- Do Not Sell request
An entity may be both a data collector and an operator.
Enforcement & Liability
The Nevada state Attorney General is authorized to enforce the Nevada Law. To do so, the Attorney General may pursue temporary or permanent injunctions and any other remedies provided by law. The regulator may also seek fines of up to $5,000 per violation. Each individual data subject may constitute a single violation. There is an express denial of a private right of action for individuals who have been harmed by a violation of the law. Thus, a data subject may not file a civil suit against an entity that is not in compliance.