Mandated Timeframe for Breach Reporting and/or Consumer Notification

Without unreasonable delay
Laws related specifically to personal information
  • Breach Reporting & Consumer Notification
  • Protect Personal Information
  • Program for Protection/Security
  • Vendor Specific Obligations
  • Vendor Mandated Contracts
  • Employee Training
  • Required Disposal of Retained Personal Information
  • Require Vendors to Protect Personal Information
  • Verification of Vendor Protection/Security Program
  • Vendor Notification to Organization of Breach/Suspected Breach
Fines & Penalties

Violations of breach notification laws:

- Attorney General may bring an action

Regulation Levels
  • Breach Reporting
  • Consumer Notifications
  • Vendor Management
  • Vendor Contract Required
Level Description
  • None to minimal
  • Basic Requirements
  • Comprehensive Requirements
  • Extensive Requirements
Quick Facts
  • If breach notification is required to more than 1,000 persons, it must also be reported, without unreasonable delay, to specified consumer reporting agencies.
  • Nevada State Attorney General may bring an action to obtain a temporary or permanent injunction for violation of the ‘Security of Personal Information’ laws. An organization may be liable for damages if they cannot prove compliance with the breach, notification, and data protection laws.
  • An organization that maintains records with personal information must implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure. If measures are not taken, the organization may be held liable for damages related to the breach.
  • A data collector that must send breach notifications may commence an action for all damages from whomever illegally accessed their records and may be rewarded restitution.
  • Vendors must notify Organizations upon discovery of a breach or suspected breach. The Organization is responsible for submitting any required regulatory reporting and consumer notifications.
  • If your breach affects residents in other jurisdictions, those individuals must be notified based on the breach notification laws of the jurisdiction where they reside.
  • Organizations must contract with Vendors to whom the Organization discloses personal information.
  • Vendors must have measures in place to protect personal information from unauthorized access, acquisition, destruction, use, modification or disclosure.
  • Vendors who are businesses operating in Nevada must have measures in place for the destruction of records containing personal information so the records are unreadable or undecipherable.
  • Operators of Internet websites or online services who collect personal information from consumers in Nevada must provide consumers the right to opt-out of the sale of their personal information and must implement processes to support this option.
  • Organizations may be fined or penalized for Vendor violations.
  • Increased regulations on personal information handled by educational facilities
    • teachers can be terminated for not protecting student’s personal information.
Statutes and Laws
  • NRS § 603A Security and Privacy of Personal Information

    NRS § 603A.020 “Breach of the security of the system data” defined

    NRS § 603A.200 Destruction of certain records

    NRS § 603A.210 Security measures

    NRS § 603A.215 Security measures for data collector that accepts payment card; use of encryption; liability for damages; applicability

    NRS § 603A.217 Alternative methods of and technologies for encryption

    NRS § 603A.220 Disclosure of breach of security of system data; methods of disclosure

    NRS § 603A.300 to 603A.360 Notice Regarding Privacy of Information Collected on Internet from Consumers

    NRS § 603A.900 Civil Action

    NRS § 603A.910 Restitution

    NRS § 603A.920 Injunction

    NV Department of Education – Information Security and Privacy Policy, VII. Breaches in Security

BAck to map