Earlier this month a new bill was passed that introduces stricter breach notification rules in Nevada. The definition of “personal information” has been expanded, extending the protections for state residents in the event of a data breach. Privacy groups will hail the passing of the bill, which ensures that Nevada residents are better protected against credit card fraud, identity theft, and tax and insurance fraud. The new breach notification rules in Nevada come into effect on July 1, 2015.
The new law requires all companies doing business in Nevada to initiate a data breach response and alert affected individuals if their personal information is exposed. The state attorney general’s office must also be notified, along with any other appropriate government bodies, such as the OCR if the organization affected is covered by the Health Insurance Portability and Accountability Act (HIPAA).
The “personal information” definition includes data that could potentially be used by criminals for fraudulent purposes. Individuals must be alerted to allow them to take action to protect both their identity and credit.
The change was deemed necessary following a number of data breaches affecting state residents in recent months, and also to widen the definition of personal information to take new technology into account. Usernames are now included in the definition, as are online account usernames and other unique identification numbers, such as driver authorization card numbers, insurance ID numbers, medical identification numbers and health plan numbers.
Any unique ID number is covered if it can be used with a password to gain access to other private information covered under the definitions. However, a breach response would only be required if passwords or access codes were also exposed in the data breach, or any other information that could allow access to accounts, such as security questions and answers.
The expanded definition affects more than the data breach notification rules in Nevada. Individuals doing business in the state who collect and store data under the expanded definition of “personal information” will have to abide by Nevada’s data encryption laws. This does not give companies long to encrypt protected information if they are not doing so already. Any delay in implementation could result in a fine from the attorney general’s office for non-compliance with state regulations.
Nevada is one of the first states to introduce tougher data breach notification laws this year. Florida and California have already amended their state laws, and other states are expected to follow.