Nevada’s data breach notification law is being amended. Nevada Senate Bill 227 (SB 227) amends NRS 603A and states that “NRS 597.970 is hereby repealed.” According to on-line sources, such as realtime-itcompliance.com, the new law goes into effect on January 1, 2010. As in most states that have passed or amended their data breach notification laws, the new Nevada privacy law provides a safe harbor for personal information that is protected with encryption.
Updated (26 May 2011): Are you a non-profit corporation based in Nevada? Read this.
Data Encryption Provides Safe Harbor From Breach Notification
NRS 603A extends safe harbor to any company that uses encryption to protect personal information:
Any data collector that owns or licenses computerized data which includes personal information shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. [my emphasis]
Also, SB 227 states that personal information may not be transferred through “an electronic, nonvoice transmission” unless the data is encrypted (an exception is made for faxes). Likewise, moving “any data storage device containing personal information beyond the logical or physical controls of the data collector or its data storage contractor” is not permitted unless the data on it is encrypted. A solution like full disk encryption fits this requirement well; you can start encrypting your computer with AlertBoot right now by following the link to the subscription page. In other words, not only does encryption earn you the safe harbor, failing to use it is unlawful in the circumstances above.
A “breach of the security of the system data” is defined as the “unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information….”
“Personal information,” in turn, is defined as a person’s first name, or first initial, and last name in combination with any of the following:
Social security number (an exception is given if only the last four digits of the SSN are present)
Driver’s license number or identification card number
Account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
The law goes on to point out that the above is not personal information if it is encrypted. (It seems to me that this is a fairly common way of saying that losing encrypted information cannot be classified as a breach of the security of the data.)
How to Notify and When
If there is a breach involving the personal information of Nevada residents, and encryption was not used, those affected can be notified via written notice (the mail, I guess); electronic notification; or substitute notification, which is allowed only if the cost of notification would exceed $250,000, more than 500,000 people are affected, or the data collector lacks sufficient contact information.
Substitute notification includes e-mail notification where addresses are known; a conspicuous posting of the breach on the company website; and notification of major statewide media.
However, it should be noted that the law allows notification to be delayed when a law enforcement agency determines that it would impede a criminal investigation; in that case, “the notification…must be made after the law enforcement agency determines that the notification will not compromise [a criminal] investigation.”
So, before sending notices, it looks like the police ought to be contacted, so that the notification does not interfere with any investigation.
(Well, actually, the first thing to do, and the smart thing to do, is to encrypt personal data. I must also remind you to consult your lawyer for more information; the above is not legal advice, nor am I a lawyer.)