As we previously reported last month, amendments to Nevada’s privacy laws go into effect on July 1, 2015. The amendments expand the types of information that constitute “personal information” to include electronic mail addresses and passwords, driver authorization card numbers, medical and health insurance identification numbers, and other similar information. The expanded definition applies to both Nevada’s breach notification and data encryption laws, which means that – breach notification obligations aside – companies doing business in Nevada must take the expanded definition into consideration when complying with Nevada’s encryption laws.
Specifically, Nevada requires the encryption of:
- Any electronic, non-fax transfer of personal information outside of the company; and
- Any data storage device containing personal information when it is moved beyond the company’s controls.
As a reminder, these encryption requirements are similar to those required under Massachusetts’ regulations. However, the definition of “personal information” used in the Massachusetts regulations is narrower than the amended definition in Nevada and does not include e-mails and passwords, and medical and health insurance identification numbers.
Tip: Although the amended Nevada law takes effect on July 1, 2015, companies are not required to comply with the amended provisions until July 1, 2016.