Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Nevada residents when the name and the data elements are not encrypted.
Definition includes (i) medical identification number, (ii) health insurance identification number, and (iii) a user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.
“Security Breach” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information.
Covered Entities* / Third Party Recipients
Subject to statute:
Any institution of higher education, corporation, financial institution, or retail operator or any other type of business entity or association (including a data broker) that handles, collects, disseminates, or otherwise deals with nonpublic personal information.
Third party recipients:
Any covered entity that maintains computerized data containing personal information that the covered entity does not own must notify the owner or licensee of the information of any security breach immediately following discovery of the breach.
Notice Procedures & Timing / Other Obligations
Written or electronic notice must be provided to victims of a security breach within the most expedient time possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs to exceed $250,000, affected class exceeds 500,000 persons, or covered entity has insufficient contact information.
- Notice only required if security breach materially compromises the security, confidentiality or integrity of personal information.
Any covered entity that must notify more than 1,000 residents at one time of a security breach is also required to notify consumer reporting agencies of the security breach without unreasonable delay.
A business maintaining records which contain personal information concerning customers must take reasonable measures to protect records from unauthorized access and, when they are no longer needed, ensure the destruction of those records in accordance with the statute.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data that was lost, stolen or accessed by an unauthorized individual is encrypted.
Exemption for good faith acquisition of personal information by an employee or agent of the covered entity for a legitimate purpose of the covered entity so long as the personal information is not used for a purpose unrelated to the covered entity or subject to further unauthorized disclosure.
A covered entity is deemed in compliance with the Nevada statute if it maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Nevada statute.
A covered entity is deemed in compliance with the Nevada statute if it complies with the privacy and security provisions of the GLBA.
Notification to Regulator / Waiver
A determination of no likelihood of harm: Does not require notification to attorney general.
A waiver of the statute is void and unenforceable.
Attorney General may bring an action against a covered entity to obtain a temporary or permanent injunction against violations.
Failure to report a Security Breach is a deceptive trade practice for which the Attorney General could impose civil and criminal penalties.
Private Cause of Action / Enforcement
Private Cause of Action: No.
A covered entity that provides the notification required by the Nevada statute may commence an action for damages against a person that unlawfully obtained or benefited from personal information obtained from records maintained by the covered entity. Damages and restitution relief are available.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.
Click here to review text of state statute