FAQ on Nevada's Security of Personal Information Law (NRS 603A)

InfoSecCompliance ("ISC") was recently asked by a prospective client to provide a summary of Nevada's Security of Personal Information law (NRS 603A) and a recent amendment to the Security Law that incorporated the Payment Card Industry Data Security Standard ("PCI"). ISC decided to try something new and create a Frequently Asked Questions document around the PCI requirements contained in the Security Law. For better or worse (after sinking in 15 - 20 hours) ISC ended up doing FAQs for the entireNevada Security Law. This turned out to be a much bigger work than originally anticipated, so ISC is going to do a five-part blog post series breaking down the Nevada Security Law into (hopefully) digestible parts.


This FAQ is broken down into six sections that will be posted over five posts over the next week or so. The postings will be broken down as follows:

Post One: The Basics of Nevada's Security Law and Destruction of Records

Post Two: Security Breach Notice

Post Three: Required Security Measures

Post Four: Encryption and PCI Compliance

Post Five: Remedies, Penalties and Enforcement

I will update this page with new links to each post as the post is made. This is the first time I have tried to convert a complex law into an FAQ format and I am not certain how it turned out. The goal was to make the law digestable by not only lawyers, but also security and privacy professionals. If you have the time, please leave a comment or send me an email and let me know if it worked for you or what could be improved. If this format is effective, ISC may do it for other laws as well (where possible).

Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. This law is complex and additional research is necessary. If you are interested in a full legal analysis please contact me directly at djn@davidnavetta.com.