Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Data Disposal/Destruction
  • Risk Assessment
  • Requests for Information
Fines & Penalties

Violations of breach notification laws:
- Attorney General may bring an action

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Data Protection
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • If notification is required to more than 1,000 persons, it must also be reported, without unreasonable delay, to specified consumer reporting agencies.
  • Amplified definition of Personal Information applicable to breach requirements with five additional elements considered personal information.
  • Nevada State Attorney General may bring an action to obtain a temporary or permanent injunction for violation of the ‘Security of Personal Information’ laws. A data owner may be liable for damages if they cannot prove compliance with the breach, notification, and data protection laws.
  • A data owner that maintains records with personal information must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure. If measures are not taken, the data owner may be held liable for damages related to the breach.
  • Security measures are required of vendors by contract, including Payment Card Industry Data Security Standard, encryption, etc.
  • Operators of Internet websites or online services who collected personal information from consumers in Nevada must provide consumers the right to opt-out of the sale of their personal information and must implement processes to support this option. (Effective October 1, 2019)
  • A data collector that must send breach notifications may commence an action for all damages from whomever illegally accessed their records and may be rewarded restitution.
  • Increased regulations on personal information handled by educational facilities
    • teachers can be terminated for not protecting student’s personal information.
  • If a vendor is breached, they must report it to the data owner. The data owner will be responsible to complete the reporting and consumer notifications.
  • If your breach affects residents in other states, you will need to notify those residents using that state’s rules.
Statutes and Laws
  • NRS § 603A Security and Privacy of Personal Information

    NRS § 603A.020 “Breach of the security of the system data” defined

    NRS § 603A.200 Destruction of certain records

    NRS § 603A.210 Security measures

    NRS § 603A.215 Security measures for data collector that accepts payment card; use of encryption; liability for damages; applicability

    NRS § 603A.217 Alternative methods of and technologies for encryption

    NRS § 603A.220 Disclosure of breach of security of system data; methods of disclosure

    NRS § 603A.300 to 603A.360 Notice Regarding Privacy of Information Collected on Internet from Consumers

    NRS § 603A.900 Civil Action

    NRS § 603A.910 Restitution

    NRS § 603A.920 Injunction

    NV Department of Education – Information Security and Privacy Policy, VII. Breaches in Security

BAck to map