A Safe Harbor for “Data Collectors” if a Data Breach Occurs

This post is by Drinkwater Law Offices

Posted in Liability Protection, Risk Management

By Bonnie Drinkwater, Esq. and Kerry Kolvet, Esq.

If you collect confidential data on your customers or clients, an important change in the law will provide you with a mechanism to reduce your liability if the data is lost or stolen.

On the heels of ineffective data breach notification laws, Nevada Senate Bill 227, a more proactive approach, offers a safe harbor to businesses that collect personal information if a data breach occurs. Some important definitions apply:

Are you a “data collector?”

A “data collector” is defined in Nevada Revised Statute 603A as “any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.”

If you collect data, what constitutes “personal information?”

Personal information is defined as a natural person’s first name or first initial and last name in combination with a (i) social security number, (ii) driver’s license number or identification card number, or (iii) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

So, if I am a data collector, what do I need to do to get the safe harbor?

Effective January 1, 2010, you will need to encrypt personal information that is either transmitted electronically or contained in a data storage device that has moved beyond the data collector’s control (e.g. on a laptop computer).

There are specific requirements contained in the statute! If you do encrypt the data, you, as a business owner, will avoid liability if that encrypted data is lost or improperly accessed! In addition, it is possible that courts will take the encryption requirement into account in determining what constitutes negligent conduct associated with data breaches.

Companies that follow the statutes may even be eligible for reductions on their insurance.

All of these are good reasons to check out SB 227 in the 2009 session information on the Nevada Legislature website at www.leg.state.nv.us or download the bill now: Senate Bill 227

© 2009 Drinkwater Law Offices

One Response to “A Safe Harbor for “Data Collectors” if a Data Breach Occurs”

  1. On July 14th, 2010 at 12:29 am Dallas Shredding Said:

    Data that is not your own is of course questionable. You should have an acceptable reason for collecting or storing data, other than your very own. We do need to safeguard our private information in order to avoid any kind of fraud from happening. Shredding your documents may be a basic preventive measure but it is still effective. The government may have access to your personal information, but fraudsters may also do and this is what we need to avoid.
