Legal Disclaimer: This webinar is intended to provide information, not legal opinion or legal advice. You should contact your own legal counsel for professional advice regarding this statute and its implications for you.
Nevada Data Protection & Privacy Regulations - Presentation Transcript
How to be Compliant with Nevada Data Privacy Laws. Thursday, September 10th, 2009, 11.30am – 12.00am PDT. Alex Teu – Director of Education
Nev. Rev. Stat. § 603A.220
Nevada breach notification law
Effective since October 1, 2005
45 states have passed data breach notification law
Only states with no security breach law: Alabama, Kentucky, Mississippi, New Mexico and South Dakota
“Breach” – An unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI maintained by the Entity
“Personal Information” – An individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
SSN;
Driver's license number or ID card number;
Bank account number, credit or debit card number.
PI does not include the last four digits of a SSN or publicly available information that is lawfully made available to the general public.
What is it about?
Provide written notice to the affected customer
How soon? - “Most expedient time possible and without unreasonable delay”
Notify consumer reporting agencies if you need to provide notice to more than 1000 consumers
Why should you comply?
Attorney General may bring an action to stop a continuing or impending violation
Potential embarrassment and media coverage of data breach
Business reputation
What do you need to do?
Nev. Rev. Stat. § 597.970
Effective January 1, 2008
“ A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”
Nevada is the first state to mandate encryption.
This means that you are in violation merely by transmitting customer information in an unencrypted format, even if there is no actual breach of customer information.
Nev. Senate Bill 227
Effective January 1, 2010
New requirement: Nevada businesses must use encryption when data storage devices that contain PI are moved beyond the physical or logical controls of the business.
A “data storage device” is any device that stores information in an electronic or optical medium. This includes, but is not limited to, computers, cellular phones, and thumb drives.
The new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards.
The new law expands the original encryption requirement to both customer and non-customer personal information.
The law creates a potential safe harbor against liability for damages resulting from a security breach unless resulting from gross negligence or intentional misconduct.
Best Practices & Preventive Steps
Use encrypted transfer methods when transmitting electronic information… email is NOT secure
Track all access to private data! Always know who accessed your data, what was accessed and when it was accessed.
Protect physical data wherever located
Protect your network
Manage user profiles
Select reliable solution vendors
Train your staff on security guidelines
Audit trail tracking
SAS 70 Type II certified
Document expiration controls
Authentication options
End-to-end encryption
Bulletproof Security
Thank you for attending our webinar! Contact us for additional information: 1.888.716.9380, www.leapfile.com. Free resources available for download: www.leapfile.com/accounting