Data Protection Report - Norton Rose Fulbright

On May 13, 2015, Governor Brian Sandoval of Nevada signed Assembly Bill No. 179 (“AB 179”) into law. AB 179 amends Nevada Revised Statutes § 603A.040, which defines “Personal Information” for Nevada’s laws on the security of personal information. This amendment will take effect on July 1, 2015.

The current law defines personal information as the combination of an individual’s first name or initial, last name, and one or more of the following: 1) a social security number, 2) a driver’s license or identification card number, or 3) an account number, credit or debit card number, in combination with any required security code or password that would permit access to the financial account. Section 603A.040 excludes from its definition encrypted data, data which includes only the last four digits of a social security, driver’s license or identification card number, and “information that is lawfully made available to the general public.”

AB 179 expands this definition to include driver authorization card numbers, medical or health insurance identification numbers, and usernames, unique identifiers or e-mail addresses, in combination with a password, access code, or security question and answer that would permit access to an online account. AB 179 also limits the public information exclusion of personal information, restricting it to publicly available information “from federal, state or local governmental records.”

This amendment brings Nevada laws into line with those of some other states, such as California’s Civil Code § 1798.82, that define personal information to include online account information. However, unlike California, Nevada does not provide for an alternate form of notification for breaches of online account data.

The broader definition of personal information could have an impact on businesses that own or license data of Nevada residents. First, increasing the categories of data included in the definition of personal information necessarily increases the probability that a security incident will trigger breach notification obligations. Second, because another section of Nevada’s security of personal information statutes, § 603A.215, requires that electronic, non-voice transmission (other than fax) of personal information use encryption, businesses will now need to ensure that any electronic transmission is encrypted to comply with Nevada law.