Nevada's Security of Personal Information Law Post One: The Basics of Nevada's Security Law and Destruction of Records
The following FAQs cover "the basics" of Nevada's Security of Personal Information Law, as well as the data destruction obligations of the law. Blog Post Two: Security Breach Notice under Nevada's Security Law is now also available.
(1) THE BASICS
What is the general purpose of this law?
Nevada's Security of Personal Information law establishes legal requirements for certain organizations concerning the security of personal information.
What are the basic requirements of Nevada's Security Law?
The Security Law sets forth legal obligations with respect to:
(1) destruction of records containing personal information (NRS 603A.200);
(2) maintenance of reasonable security measures(NRS 603A.210);
(3) disclosure of security breaches impacting the personal information of Nevada residents (NRS 603A.220);
(4) compliance with the Payment Card Industry Data Security Standard ("PCI") for organizations that accept payment cards (SB 227); and
(5) encryption of personal information in transmission and on data storage devices that are moved (SB 227).
Who does the Nevada Security Law apply to?
The Security Law applies to "data collectors", which are defined as:
any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.
Some observations:
- Application to service providers. Unlike some breach notice laws and data privacy laws, this definition does not make a distinction between the "controller/owner/licensee" of the personal information (the entity on the front end of a transaction collecting and using personal information) and a "data processor" or "service provider" (the entity that processes, transmits or stores personal information for or on behalf of the controller). While that distinction is made later for purposes of the Security Law's breach notice provisions, other sections of the law do not differentiate between the two.
- Residency trigger. Physical location or "doing business" in Nevada is not relevant for this definition. If an organization handles, collects, disseminates or otherwise deals with nonpublic personal information, which is defined by reference to residents of Nevada, then it is a "data collector." As such this law technically has national/international reach if you an out-of-state organization handling personal information of Nevada residents.
What is "personal information" under the law?
The definition of personal information under the Security Law is very similar to definitions used by other state and federal laws. Personal information includes a natural person's first name or first initial, and last name, in combination with any of the following data elements, when the name and data elements are not encrypted: (1) SS#; (2) driver's license number or identification card number; and/or (3) account number, credit card number or debit card number, in combination with a security code, password or access code that would permit access to the person's account. However, personal information does not include the last four digits of a social security number or publicly available information that is lawfully made available to the general public. Some observations:
- Encryption. If either the name or data elements are encrypted, then neither constitute "personal information."
- Security Code Combined with Credit Card Number. If just the Primary Account Number (PAN) of a credit/debit card is combined with a first initial/first and last name, neither constitute "personal information" - a security code, access code or password must also be combined with the PAN.
- Public Records. It is possible that social security numbers and other identifying information may appear in public records, and if that information is lawfully made available to the general public then it would not constitute "personal information" under the Security Law even if the other requirements were satisfied.
(2) DESTRUCTION OF RECORDS (NRS 603A.200)
What records must be destroyed under the Security Law?
Any records which contain personal information concerning the customers of a business. While "record" is not defined specifically in the Security Law this would appear to include "hard copies" and computerized data containing personal information.
Who must destroy personal information records?
Any "business," (which includes a proprietorship, corporation, partnership, association, trust, unincorporated organization or other enterprise doing business in Nevada) that maintains records which contain personal information. Some observations:
- Doing business in Nevada. This section of the Security Law refers to businesses rather than "data collectors," and unlike the definition of data collector, to be a "business" under this section of the Security Law the organization must be "doing business" in Nevada. While this section may appear to create a smaller subset of companies, since the concept of "doing business" may include simply running a website that is accessible by Nevada residents, the practical effect may be a nationwide scope for many online companies.
- Operations outside of Nevada. Companies that have incorporated in Nevada (which has been a popular place for California companies to incorporate because of lower taxes) are subject to the law even if their main operations are outside of the State.
- Application to service providers. This section of the Security Law again does not make a distinction between a data owner/controller and a data processor/service provider. In other words, it does not matter how a business gets personal records (whether directly from consumers or employees, from a third party or on behalf of a third part), as long as it maintains records which contain personal information.
What actions must be taken to destroy personal information records?
The Security Law requires businesses to take "reasonable measures to ensure the destruction" of personal information records. "Reasonable measures to ensure the destruction" means:
any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable.
The law specifies two (non-exclusive) examples of general methods that meet this standard, including "shredding of the record" and "erasing" the personal information from the records. Some observations:
- Destruction methods. While the law does specify "shredding" and "erasing" it does not indicate a methodology that should be taken. For instance some "erasing" may still allow personal information to be retrieved from records from which it was "erased." Some shredding may also be inadequate and allow thieves to "decipher" (e.g. put back together) shredded documents.
- Destruction standards. Organizations should confer with their security professionals to determine the best methodology to achieve this "erasing" of personal information from a record so it is truly unreadable or undecipherable. One option, typically considered amongst the highest standards, is the US Department of Defense 5220.22-M Clearing and Sanitization standard, DoD 5220.22-M. In addition, strongly encrypted records may satisfy the reasonable destruction standard as well, but the "unreadability" may erode over time as encryption methods become obsolete or weakened.
When must businesses destroy personal information records?
Personal information records must be destroyed when the business decides that it will no longer maintain the records. Unlike other laws that may require destruction of personal information records after certain periods of time, the Nevada law allows organizations to subjectively determine when they no longer want to retain the records. As such they fully control the timing of these particular destruction duties.
Up Next: Blog Post Two: Security Breach Notice under Nevada's Security Law
Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. The this law is complex and additional research is necessary. If you are interested in a full legal analysis please contact me directly at djn@davidnavetta.com