Nevada Expands Personal Data Definition in Breach Notice, Data Encryption Law

Bloomberg Law: Privacy & Data Security brings you single-source access to the expertise of Bloomberg Law’s privacy and data security editorial team, contributing practitioners,...

May 18 — In a move that may add significant new compliance burdens, as of July 1 companies doing business in Nevada will have to employ encryption to protect an expanded list of personal information if it leaves their premises and notify state residents if that information is compromised in a data breach, under a recent amendment (A.B. 179) to the state's data breach notification statute.

Under the bill, which was signed into law May 13 by Gov. Brian Sandoval (R), the definition of personal information is expanded to include a “user name, unique identifier or electronic mail address in combination with a password, access code or security question and answer that would permit access to an online account.”

Personal information now also includes medical or health insurance identification numbers and driver's authorization identification numbers.

Longstanding Encryption Requirement 

In June 2005, Nevada passed an omnibus data security law with breach notification requirements and other identity theft protection provisions, including a provision requiring the encryption of personal information transferred electronically outside of a business, except in the case of fax transmissions. Businesses that processed payment card data could comply with the new requirements by meeting the Payment Card Industry Data Security Standard.

The data encryption requirement's effective date was delayed until Oct. 1, 2008, to give Nevada businesses time to implement new encryption software.

Then in 2009, the state amended the law to require that as of Jan. 1, 2010, personal information that is transferred on hardware or mobile information storage devices and moved outside the secured physical and logical boundaries of an entity doing business in Nevada also be encrypted.

Massachusetts also has specific personal data security requirements similar to Nevada's statutory mandate. In November 2009, the Massachusetts Office of Consumer Affairs and Business Regulation adopted the final version of a new data security regulation.

A.B. 179, as enrolled and signed into law, is available at