Nevada's Security of Personal Information Law Post Two: The Breach Notice Requirements
(3) SECURITY BREACH NOTICE (NRS 603A.220)
What triggers the security breach notice obligations under the Security Law?
In order for the breach notice requirements to be triggered under the Security Law, two general events must occur (with some sub-requirements discussed further below). First, there must have been a "breach of the security of the system data" discovered by a data collector or notified to a data collector. Second, "personal information" must have actually been acquired by an unauthorized person, or must be "reasonably believed to have been acquired" by an unauthorized person. Some observations:
- "Reasonably believed" acquisitions. In some cases it may be very unclear whether any actual "acquisition" by an unauthorized person occurred. Forensic assessment may not yield enough information to reach a definitive conclusion on that issue. Nonetheless, if there is evidence of possible acquisition that outweighs contrary evidence, then reporting requirements may still apply under the "reasonably believed" standard. This standard is likely viewed as an objective standard: even if the data collector subjectively believed that no acquisition occurred, that belief would be tested against the available evidence with respect to the incident.
- Duty to investigate. Let's assume that an organization discovers a security breach, but the initial facts it receives do not provide any indication as to whether personal information was acquired by an unauthorized person. What if the company plugged the security hole and conducted no further investigation into the question of acquisition? Is this permitted? Technically the answer appears to be 'yes.' The law does not impose any explicit duty to investigate whether personal information was acquired. As such, an organization could take the position that it never formed a reasonable belief of unauthorized acquisition, because it had no evidence of such acquisition. Whether this would hold up in court is another story, as some would argue that this complies with the letter of the law but defeats its spirit. Moreover, the concept of "reasonable belief" may be argued to imply a reasonable investigation in order to form a belief one way or another.
What constitutes a security breach under the Nevada Security Law?
The Security Law sets forth a somewhat convoluted definition for "security breach." "Breach of the security of system data" is defined as: "unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of personal information maintained by the data collector." Some observations:
- No reference to systems. The security breach definition does not require breach of a particular network or system. Rather, it focuses on unauthorized acquisition of computerized data. As such, it appears that it does not matter from which systems the data is taken as long as the data collector is "maintaining" the data. This would appear to include, for example, theft of a laptop, portable storage device or smart phone from an employee's car.
- 2-step process. Acquisition of computerized data containing personal information alone does not constitute a breach. In addition, there must be a material compromise of the security, confidentiality or integrity of personal information. If a thief could not get to the personal information (e.g. because of encryption or perhaps some sort of strong access control), then the Security Law would not be triggered.
- Material compromise. It is unclear how the concept of materiality is intended to work under this definition. For example, it seems that the security or confidentiality of personal information is either compromised or not compromised. Moreover, since the definition of personal information already requires a combination of first/last name and account numbers, it would seem that materiality is already built in. This reference may also refer to the volume of personal information exposed, but it is far from clear what the intent is.
What events must transpire for a notification duty to be triggered under the Security Law?
Unfortunately the definitions and requirements of the Security Law are somewhat convoluted. Breaking down the definition of "breach of the security of system data" and the trigger in section NRS 603A.220, it appears that the following events must occur:
(1) unauthorized acquisition of computerized data; AND
(2) a resulting material compromise of the security, confidentiality or integrity of personal information; AND
(3) discovery or notification of (1) and (2) by the data collector; AND
(4) a determination that unencrypted personal information of a Nevada resident was acquired by an unauthorized person; OR
(5) the existence of a reasonable belief that such personal information was acquired by an unauthorized person.
- Prerequisites. It appears that steps (1) through (3) are required before (4) and (5) come into play. If a "breach of the security of system data" as defined never occurs (see steps (1) and (2)) it cannot be discovered and you never get to (4) and (5) as part of your analysis. Moreover, obviously if there is no discovery or notification of the "breach of the security of system data" (step 3), then steps (4) and (5) cannot exist.
- Contradictory requirements concerning "reasonable belief" of acquisition. Steps (2) and (5) may be somewhat contradictory. Step (2) requires a determination as to whether a material compromise has occurred. There is no language indicating a trigger where the data collector has a "reasonable belief" that personal information has been compromised. In other words, only if there has been an "actual" compromise of personal information will a "breach" have occurred (according to the definition of "breach of the security of system data"). For example, assume a laptop with personal information is stolen. Certainly there has been unauthorized acquisition of computerized data, but there may be no way to determine whether there has also been a material compromise of the security, confidentiality or integrity of personal information. Therefore, it would appear that one could reasonably argue that the data collector could not ascertain whether a "breach of the security of system data" existed, and therefore never "discovered" such a breach. That data collector would not even get to step (5) (which requires reporting if there is a reasonable belief of unauthorized acquisition), since step (2) is a prerequisite to steps (4) and (5). Again, this is a very technical argument and it may be difficult to argue in court.
Who must provide notice of a security breach under the Nevada Security Law? And to whom?
Any data collector that owns or licenses computerized data which includes personal information must disclose a breach of that personal information to the Nevada resident that was impacted. Data collectors that have received computerized personal information from an owner or licensee of computerized data (e.g. service providers) must provide notice of a breach impacting computerized personal information immediately after discovering the breach. However, if a data collector is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., it is deemed in compliance with the Security Law and apparently need not comply with its requirements (although those subject to GLB should already have breach notice response programs in place). Some observations:
- Application to service providers. "Data collector" as defined makes no distinction between "data owners/controllers" and "service providers." Both fall into the definition of data collector as long as they are handling personal information.
- Service providers as "licensees" of personal information. Data controllers often use service providers to process personal information on behalf of the data controller. In fact, in some cases the personal information may initially be provided directly to the service provider (e.g. data hosting or application service providers). Typically most interpret "ownership and licensing" of personal information to mean that the data controller (the company seeking to collect and use the data on the front-end of a transaction for its own purposes) is the party responsible for notice, even if the data controller's service provider was the entity that suffered the actual breach. This view is buttressed by the requirement in the Security Law that service providers provide owners and licensees immediate notice of a breach. However, it is possible for a service provider to also be considered a "licensee" of computerized data containing personal information. Service provider agreements often provide the service provider with a limited license to use data including personal information for purposes of processing on behalf of the original data owner. Even if not explicit, service providers may have an implied license to use computerized personal information for the limited purposes of processing a transaction for the data controller. It is not clear from the language of the statute whether a data collector must have received a license directly from the individual providing personal information, or whether a service provider's potential status as a "sub-licensee" of personal information creates a direct duty to report to Nevada residents.
Do the Security Law's breach notice obligations apply to "hard copies" or paper records?
No, breach notice obligations under this subsection of the Security Law only relate to computerized data which includes personal information. However, other sections of the Security Law (such as the record destruction section (603A.200) and the security measure section (603A.210)) apply to "records," which would appear to include hard copies/paper records.
How soon must notice be provided under the Nevada Security Law?
Following discovery of a breach and acquisition by an unauthorized person (or the establishment of a reasonable belief of such acquisition), "owners" and "licensees" must provide notice to the relevant individuals "in the most expedient time possible and without unreasonable delay." However, notification can be delayed if a law enforcement agency determines that the notification will impede a criminal investigation. Service providers that suffer a breach must provide notice to the owner or licensee of the personal information immediately following the discovery of a breach resulting in acquisition by an unauthorized person, or reasonably believed unauthorized acquisition.
Besides Nevada residents and the owner or licensee of computerized personal information, are there any other parties to whom data collectors must provide notice?
If a data collector determines that notification is required under the Security Law to be provided to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any "consumer reporting agency that compiles and maintains files on consumers on a nationwide basis" (as that term is defined in 15 U.S.C. § 1681a(p)), of the time the notification is distributed and the content of the notification.
Please note, while I am an attorney this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction. This law is complex and additional research is necessary. If you are interested in a full legal analysis please contact me directly at firstname.lastname@example.org