On May 13, Nevada Governor Brian Sandoval signed into law an amendment to Nevada’s data security laws that may create new compliance burdens. The amendment extends the definition of “personal information” to which Nevada’s data encryption and breach notification rules apply.
Nevada law already requires companies to encrypt transmissions of personal information and notify state residents if their personal information is disclosed in a data breach. A.B. 179 extends the definition of “personal information” to include (i) driver authorization card numbers, (ii) medical and health insurance identification numbers and usernames, and (iii) email addresses and other unique identifiers in combination with a password, access code or security question, and answer that would permit access to an online account.
Beginning July 1, any transmissions of these new personal information categories must be encrypted, and if a company experiences a data breach of such personal information, it must notify the affected parties. The amendment’s new definition of “personal information” makes Nevada’s privacy laws broader than those of a number of other states. This change, along with other more stringent data security requirements in other states, such as Massachusetts, should cause companies that collect personal information from users throughout the United States to evaluate how they intend to comply with the various statutory obligations under each state’s laws.