Nevada’s recently amended law will, among other things, create the first state mandate to encrypt online account credentials. Specifically, on May 13, 2015, Nevada Governor Sandoval approved a bill (“AB 179”) to expand the definition of “personal information” for purposes of the state’s security breach notification and personal information safeguards laws. In so doing, Nevada became the fifth state this year to amend (i.e., expand) the scope and obligations of its state breach law. Montana, North Dakota, Washington and Wyoming have also expanded their respective breach laws this year. Other states, such as California and Illinois, continue consideration of significant amendments to their respective breach laws.

Effective July 1, 2015, AB 179 will expand the definition of “personal information” for purposes of the Nevada breach and safeguards laws to include an individual’s first name or initial and last name in combination with the following new data elements:

  1. driver authorization card number;
  2. medical identification number or health insurance identification number; or
  3. user name, unique identifier or e-mail address in combination with a password, access code or security question and answer that would permit access to an online account.

IMPACT

The big news in this amendment is the impact this will have on the data security safeguards required for companies that handle personal information relating to Nevada residents. While several states have recently expanded their breach laws to cover online account credentials (see California, Florida and Wyoming), the same cannot be said for state safeguards laws. The Nevada amendment is significant because the state’s encryption requirements will now apply to these new data elements. What that means is that companies will not be able to do the following with respect to online account credentials (and other “personal information” for purposes of the Nevada law, including the additional data elements added by AB 179):

  1. transfer “personal information” through an electronic, non-voice transmission (other than a fax) to a person outside of the company’s secure system unless the transmission is encrypted in accordance with certain standards; or
  2. move a “data storage device” containing “personal information” beyond the logical or physical controls of the company or its data storage contractor unless the information is encrypted.