Nevada Data Protection & Privacy Regulations

How to be Compliant with Nevada Data Privacy Laws Thursday September 10 th , 2009 11.30am – 12.00am PDT Alex Teu – Director of Education

Nev. Rev. Stat. § 603A.220
Nevada breach notification law
Effective since October 1, 2005
45 states have passed data breach notification law
Only states with no security breach law: Alabama, Kentucky, Mississippi, New Mexico and South Dakota

“ Breach” – An unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of PI maintained by Entity
“ Personal Information” – An individual's first name or first initial and last name in combination with any one or more of the following data elements, when the name and data elements are not encrypted:
SSN;
Driver's license number or ID card number;
Bank account number, credit or debit card number.
PI does not include the last four digits of a SSN or publicly available information that is lawfully made available to the general public.
What is it about?

Provide written notice to the affected customer
How soon? - “Most expedient time possible and without unreasonable delay”
Notify consumer reporting agencies if need to provide notice to more than 1000 consumers
Why you want to comply?
Attorney General may bring an action to stop a continuing or impending violation
Potential embarrassment and media coverage of data breach
Business reputation
What you need to do?

Nev. Rev. Stat. § 597.970
Effective January 1, 2008
“ A business in this State shall not transfer any personal information of a customer through an electronic transmission other than a facsimile to a person outside of the secure system of the business unless the business uses encryption to ensure the security of electronic transmission.”
Nevada is first state to mandate encryption .
This means that you are in violation merely by transmitting customer information in an unencrypted format, even if there is no actual breach of customer information.

Nev. Senate Bill 227
Effective January 1, 2010
New requirement: Nevada businesses must use encryption when data storage devices that contain PI are moved beyond the physical or logical controls of the business.
A “data storage device” is any device that stores information in electronic or optical medium. This includes, but not limited to, computers, cellular phones, and thumb drives.
The new law also mandates compliance with the Payment Card Industry Data Security Standard (“PCI DSS”) for businesses that accept payment cards.
The new law expands the original encryption requirement to both customer and non-customer personal information
The law creates a potential safe harbor against liability for damages resulting from a security breach unless resulting from gross negligence or intentional misconduct.

Best Practices & Preventive Steps
Use encrypted transfer methods when transmitting electronic information… email is NOT secure
Track all access to private data! Always know who accessed your data, what was accessed and what it was accessed.
Protect physical data wherever located
Protect your network
Manage user profiles
Select reliable solution vendors
Train your staff on security guidelines

Audit trail tracking
SAS 70 Type II certified
Document expiration controls
Authentication options
End-to-end encryption
Bullet Proof Security

Thank you for attending our webinar! Contact us for additional information: [email_address] [email_address] 1.888.716.9380 www.leapfile.com Free resources available for download: www.leapfile.com/accounting

Nevada Data Protection & Privacy Regulations

by Julia Mak on Sep 10, 2009

Accessibility

Categories

Tags

Upload Details

Usage Rights

1 Embed 2

Statistics

Nevada Data Protection & Privacy Regulations — Presentation Transcript