Existing law imposes certain requirements upon data collectors with respect to the security of personal information collected and maintained by the data collector. (NRS 603A.010-603A.290) Existing law requires a data collector that maintains records which contain personal information of a resident of this State to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure. (NRS 603A.210) Section 8 of this bill additionally requires a data collector to implement and maintain such security measures to protect records containing personal information of a person who was a resident of this State at the time at which the personal information was obtained by the data collector. Section 16 of this bill prohibits an employer from retaliating against an employee because the employee has filed a formal complaint alleging that the employer has failed to comply with such requirements.
Existing law requires a data collector that owns, licenses or maintains computerized data which includes personal information, after discovery or notification of a breach of the security of the system data in which personal information maintained by the data collector was, or is reasonably believed to have been, acquired by an unauthorized person, to notify each affected resident of this State and certain other persons. (NRS 603A.220) Section 9 of this bill requires a data collector to provide such a notification to a former resident of this State who was a resident of this State at the time at which the personal information was obtained by the data collector. Section 9 provides that if the breach involves the personal information of a current employee or former employee of the data collector, the notification must be provided within 30 days after discovery or notification of the breach. Section 9 deems a data collector to have complied with the requirement for notification with respect to a former employee if the data collector made a reasonable effort to provide the notification to the employee. Section 4 of this bill requires a data collector who provides such a notification to a current employee or former employee to provide to the employee monitoring services and services to protect against identity theft at no cost for not less than 1 year after the date on which the notification was provided. Section 2 of this bill defines “current employee” to mean a person who is currently employed by a data collector. Section 3 of this bill defines “former employee” to mean a person who is not a current employee and who has been employed by a data collector in the immediately preceding 2 years.
Existing law makes a violation of the provisions governing the security of personal information maintained by data collectors a deceptive trade practice, thereby subjecting a data collector who violates those provisions to certain civil and criminal penalties. (NRS 598.0999, 603A.290) Section 10 of this bill also makes a violation of the provisions of sections 2-4 of this bill a deceptive trade practice.
Existing law provides for the issuance of drivers' licenses by the Department of Motor Vehicles. (Chapter 483 of NRS) Section 12 of this bill requires the Department to establish procedures by which a licensee who is a victim of identity theft may request that the number of his or her driver's license be changed to a new unique number. Section 14 of this bill prohibits the Department from charging a fee for making such a change. Section 13 of this bill makes a conforming change so that the definitions applicable to the provisions of existing law governing drivers' licenses apply to section 12.
Section 7 of this bill prohibits, with certain exceptions, a business operating in this State that maintains records which contain personal information from requesting, collecting or maintaining the full social security number of a customer.
Section 17 of this bill prohibits, with certain exceptions, an employer from collecting the social security number of a prospective employee or requesting or requiring that a prospective employee disclose his or her social security number before the employer has made a formal offer of employment and the prospective employee has accepted the offer.
Section 5 of this bill applies the definitions in existing law governing the security of personal information maintained by data collectors to sections 2-4. Section 6 of this bill provides that any waiver of the provisions of sections 2-4 is contrary to public policy, void and unenforceable. Section 11 of this bill authorizes the Attorney General or a district attorney to bring an action to obtain an injunction against a violation of sections 2-4.
Statutes affected: As Introduced: 603A.010, 603A.100, 603A.200, 603A.210, 603A.220, 603A.260, 603A.290, 483.020, 483.410
BDR: 603A.010, 603A.100, 603A.200, 603A.210, 603A.220, 603A.260, 603A.290, 483.020, 483.410