Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Reporting to Consumer Reporting Agencies may be required
  • Data owners are responsible for breach reporting and notifications
  • New laws effective July 1, 2015
  • Nevada has PII data protection, retention, and disposal laws
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply 

Who Me?


Nevada breach and notification laws may apply if you are a data collector that:

  • Owns or licenses computerized data that includes PII about a resident of Nevada
  • Maintains computerized data which includes PII that you do not own

 There are exemptions.

What is PII?


PII relevant to a breach in Nevada include a person's name plus one or more of the following:

  • Social Security Number
  • Driver license, driver authorization or identification card numbers
  • Account number or credit  or debit card number in combination any security code, access code or password, etc. permitting access to the person's account
  • Medical ID or health insurance ID numbers
  • User name, e-mail etc. with password, etc. or security question/answer permitting access to account



A few applicable statutes include, but are not limited to:

  • Title 52—Trade Regulations And Practices \ Chapter 603a - Security Of Personal Information:
  • General Provisions:  NRS 603A.010 to NRS 603A.040
  • Regulation of Business Practices:  NRS 603A.220
  • Remedies and Penalties:  NRS 603A.900 to NRS 603A.920


Nevada has stringent laws related to protection, retention and disposal of personal information.  A data collector that maintains records with personal information must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.  Some of these include vendor security measures required of vendors by contract, PCI standards, encryption, etc.



NV State Attorney General may bring an action to obtain a temporary or permanent injunction for violation of the ‘Security of Personal Information’ laws. A data collector may be liable for damages if they cannot prove compliance with the breach, notification, and data protection laws.



When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If the data included any kind of key or password
  • If it was acquired by an unauthorized person
  • If it materially compromises the personal information held by the data collector


Depending on impact and type of breach there may be specific entities to report to and specific time limits to report a breach. The notifications must be made in the most expedient manner possible and without unreasonable delay, unless law enforcement advises the person it will interfere with an investigation.


Requires detailed information and potential provision of services

Notification with specific information, without unreasonable delay, to specified consumer reporting agencies, if applicable.

Disclosure may be made by written notice or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the cost of providing the notice would exceed $250,000 or the persons notified exceeds 500,000 or they do not have sufficient contact information.

Contact the Privacy Experts at CSR