On May 13, Nevada Governor Brian Sandoval signed Assembly Bill 179, which expands the definition of personal information for purposes of Nevada’s data breach notification and data security law. Effective July 1, 2015, personal information will include an individual’s medical identification number or health insurance identification number and a user name, unique identifier or email address with its associated password, access code or security question and answer that would permit access to an online account. In order to be personal information, the additional elements must be in combination with an individual’s first name or first initial and last name.
With the revision, Nevada joins states like California and Florida, which recently revised their data breach notification statutes to include username or email in combination with password to an online account in their definition of information which, if breached, would require notice to affected individuals. However, Nevada currently is unique in that its data breach notification statute is part of a larger omnibus data security law that includes a provision requiring the encryption of personal information transferred electronically outside of a business, except in the case of fax transmissions. As a result, businesses will now be required to encrypt a wider array of information in transmission, including usernames and passwords for online accounts.