Volume 5, Issue 1
March 31, 2006
In the wake of recent security breaches at various consumer credit reporting agencies and financial institutions causing the release of private information that can be used to commit identity theft crimes, the federal government and many state governments are undertaking efforts to require greater protection of personal information. Nevada is one of those states that recently passed new laws to enhance penalties for identity theft crimes, impose new notice requirements on credit card issuers and require "data collectors" to enact security measures. While primarily geared toward customer information, the new law, which became effective as of January 1, 2006, is sufficiently broad enough to cover employee information maintained by employers and, thus, requires human resource professionals to prepare new security policies.
The new law is found at Chapter 603A of the Nevada Revised Statues, NRS 603A.010 - NRS 603A.920. It defines "data collectors" to include any corporation or other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information. In turn, "personal information" is defined as the combination of a person's first name or initial along with their last name and any one or more of the following types of data: (1) a social security number or employer identification number; (2) a driver's license number or identification card number; or (3) an account number, credit card number or debit card number along with a security code, access code or password. Given these broad definitions, arguably any employer with employee documents containing an employee's name and social security number is a data collector covered by the new law.
This Nevada law requires covered data collectors to implement and maintain reasonable security measures to protect records with personal information from unauthorized access, acquisition, destruction, use, modification or disclosure. Additionally, for those data collectors who own or license computerized data that includes personal information, there are notice and disclosure obligations owed to any resident of this State in the event of a breach of the security of any computer system containing the resident's personal data, if there is proof or a reasonable belief that the resident's unencrypted personal data has been acquired by an unauthorized person. The good faith acquisition of the information by an employee or agent for a legitimate purpose does not constitute a security breach so long as the personal information is not used for an improper purpose or subject to further unauthorized disclosure.
In light of this new law's broad reach, human resource departments are advised to implement reasonable security measures to protect any and all covered personal data. Since June 1, 2005, employers are already required to have policies and procedures in place for the destruction of any employee documents that constitute "consumer information" under the Fair Credit Reporting Act (FCRA) (see KZA Employer Report, Volume 4, Issue 4 (May 23, 2005)). Thus, most employers should be able to build from their FCRA policy and procedures.
Link to the NRS: http://www.leg.state.nv.us/NRS/NRS-603A.html
Employer Report articles are for general information only; they are not intended and should not be construed to be legal advice. Reading or replying to such articles does not establish an attorney-client relationship. In addition, because the subject matters and applicable laws discussed in Employer Report articles are often in a state of change and not always applicable to every type of business entity or organization, readers should consult with counsel before making decisions based on the same.