Nevada's Security of Personal Information Law Post Five: Remedies, Penalties and Enforcement

The following FAQs address the remedies, penalties and enforcement of Nevada's Security of Personal Information Law.  The rest of the FAQ is linked to here.

(6) REMEDIES, PENALTIES AND ENFORCEMENT (603A.900 - 920)

Does the Nevada Security Law provide individuals with a private cause of action against a data collector that suffered a breach of personal information?

Not explicitly.  There is no explicit private right of action provided under the Security Law.  However, the Security Law itself may be used to establish the reasonable standard of care in a negligence action.

Does the Nevada Security Law provide data collectors that have been breached with a remedy against the party that unlawfully acquired or benefitted from personal information?

Yes.  A data collector that provides notification may commence an action for damages against a person that unlawfully obtained or benefitted from the personal information that was obtained, including, without limitation, the reasonable costs of notification, reasonable attorney's fees and costs and punitive damages when appropriate. The costs of notification include, without limitation, labor, materials, postage and any other costs reasonably related to providing the notification.  In addition, section 603A.910 allows a court to award a data collector restitution for the reasonable costs of notification.

Does the Nevada attorney general have the right to enforce the Security Law?

Yes, the attorney general has the right to bring an action for injunctive relief (permanent or temporary) against any person he or she has reason to believe is violating or proposing to violate the Security Law.

Does the Nevada Security Law impose fines or penalties for non-compliance?

The Security Law does not reference any fines or penalties for non-compliance.

Can/Will the State of Nevada audit or investigate companies to determine if they are compliant with the Security Law?

The law itself does not make any reference to compliance audits or investigations.  However, such investigations and audits are likely within the attorney general's overall powers.  It is possible that the Nevada AG's office could engage in investigations and audits, but as of this writing there is no evidence they intend to do so.  If they did, at least with respect to PCI compliance, it would shift the relative incentives for compliance.  Currently the only time a merchant's actual PCI compliance is truly tested is if they suffer a breach.  Audits and investigations would allow scrutiny of PCI compliance (as well as compliance with the rest of the law) prior to any breach occurring.  This could incentivize some merchants to get more serious about PCI compliance, and it could also make the compliance process more expensive.

Please note, while I am an attorney, this post does not in any way constitute legal advice or a legal opinion, and should not be relied upon to take any action or be the basis for any inaction.  This law is complex and additional research is necessary.  If you are interested in a full legal analysis, please contact me directly at djn@davidnavetta.com