Nevada Expands PI Definition Under Data Breach Law

Becomes the fifth state to amend its data breach statute since January 2015

The definition of “personal information” (“PI”) just got a little bit bigger in the Silver State. On May 13, Nevada Governor Brian Sandoval signed A.B. 179 into law, approving an expansion of what constitutes PI under Nevada’s data breach law. The amendment keeps all of the prior data elements but adds the following as part of the definition of PI, when unencrypted and combined with a person’s first name or first initial and last name:

• Driver authorization card numbers;
• Medical identification or health insurance identification numbers; and
• User names, unique identifiers, or email addresses in combination with passwords, access codes, or security questions and answers permitting access to an online account.

The existing law exempts from the definition of PI the last four digits of a social security number, a driver’s license number, or an identification card number, as well as “publicly available” information.   A.B. 179 adds a new exemption for the last four digits of a driver authorization card number, and clarifies that the public availability exemption applies to information lawfully made available from federal, state, or local government records.

Although the bill officially becomes effective on July 1, 2015, it also contains a provision that exempts businesses and “data collectors” from complying with the amendatory provisions until July 1, 2016.  This grace period might provide a good opportunity for businesses to review the security measures in place around the additional protected data elements in A.B. 179, as well as their compliance with Nevada’s existing encryption requirements.

Though not a part of A.B. 179, Nevada’s data breach statute requires businesses that accept payment cards in connection with sales of goods or services must comply with the most current requirements of the Payment Card Industry Data Security Standard (PCI DSS).  But just because a business doesn’t process payments cards, doesn’t mean it’s off the hook.  If a business isn’t subject to the PCI DSS, but it collects other PI, the statute requires that information to be encrypted before sending the PI electronically (other than via facsimile) to third parties or storing the PI in an environment outside the business’ control.  Because of the amendments and broad definition of “personal information,” companies that have free online services and accounts – such as social media sites, email account services, file sharing sites, password-restricted message boards and the like – could fall into the statute’s scope, even though they may not collect payment card information. All companies doing business within the Silver State should review their practices for compliance with Nevada’s encryption requirements, and be prepared to respond to any security breaches in accordance with the amended consumer breach notification requirements.