Nevada Law Incorporates PCI and Provides a Liability Safe Harbor

Nevada appears to be the second State to incorporate the Payment Card Industry Data Security Standard (PCI) into its personal information security law. Minnesota is the other State that incorporated part of PCI into its law.  In contrast to the Minnesota law (which only partially incorporated one subsection of PCI), the Nevada amendment requires "data collectors" doing business in Nevada to comply with the entire PCI standard:

If a data collector doing business in this State accepts a payment card in connection with a sale of goods or services, the data collector shall comply with the current version of the Payment Card Industry (PCI) Data Security Standard, as adopted by the PCI Security Standards Council or its successor organization, with respect to those transactions, not later than the date for compliance set forth in the Payment Card Industry (PCI) Data Security Standard or by the PCI Security Standards Council or its successor organization.

Unfortunately there is a built-in ambiguity in the law, since neither the PCI standard itself nor the PCI Security Standards Council sets the PCI compliance date. Rather, that is done by each card brand. Ignoring that glitch, by incorporating PCI into its law Nevada has explicitly given the PCI "the force of law." This could have significant legal implications: see more HERE and HERE. The Nevada amendment also appears to create a partial "safe harbor" for compliance with the law (and, by extension, PCI):

3. A data collector shall not be liable for damages for a breach of the security of the system data if: (a) The data collector is in compliance with this section; and (b) The breach is not caused by the gross negligence or intentional misconduct of the data collector, its officers, employees or agents.

While it is apparent that this language precludes liability for damages under the Nevada statute itself, it may also have wider application. In other words, would this language bar a "regular" negligence lawsuit arising out of a security breach as long as the data collector was PCI compliant? Would it bar "damages" in a breach of contract lawsuit? The broad language used ("shall not be liable for damages") suggests a solid argument exists for a "safe harbor" (even if compliance with the PCI standard itself was not "reasonable security") against any cause of action not involving "gross negligence" or "intentional misconduct." More research, and potentially case law, will be necessary before the scope of this safe harbor is clarified.