This post by Drinkwater Law Offices
By Bonnie Drinkwater, Esq. and Kerry Kolvet, Esq.
If you collect confidential data on your customers or clients, an important change in the law will provide you with a mechanism to reduce your liability if the data is lost or stolen.
On the heels of ineffective data breach notification laws, Nevada Senate bill 227, a more proactive approach, offers a safe harbor to businesses that collect personal information if a data breach occurs. Some important definitions apply:
Are you a “data collector?”
A “data collector” is defined in Nevada Revised Statute 603A as “any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.”
If you collect data, what constitutes “personal information?”
Personal Information is defined as a natural person’s first name or first initial and last name in combination with a (i) social security number (ii) driver’s license number or identification card number, or (iii) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.
So, if I am a data collector, what do I need to do to get the safe harbor?
Effective January 1, 2010, you will need to encrypt personal information that is either transmitted electronically or contained in a data storage device that has moved beyond the data collector’s control (e.g. on a laptop computer).
There are specific requirements contained in the statute! If you do encrypt the data, you, as a business owner, will avoid liability if that encrypted data is lost or improperly accessed! In addition, it is possible that courts will take the encryption requirement into account in determining what constitutes negligent conduct associated with data breaches.
Companies that follow the statutes may even be eligible for reductions on their insurance.