NRS 603A “SECURITY OF INFORMATION MAINTAINED BY DATA COLLECTORS AND OTHER BUSINESSES” is the legal authority that dictates how a business will handle its clients’ private and personal information. It defines any business entity that deals with people’s personal information (no matter how small or large) as a “data collector” and makes it responsible for the proper control, management, and disposal of that information.
This statute covers a business’s overall security measures, the handling of credit card payments, permitted alternative forms of encryption, the destruction of certain records, and the duties of the business entity when faced with a data breach.
In the case of a data breach, a data collector will not be held legally liable for any damages if they are in compliance with NRS 603A and the breach is not caused by gross negligence or intentional misconduct.
Violation of this statute constitutes a deceptive trade practice under criminal law, punishable by an injunction and up to $5,000 in penalties for EACH violation.
The most up-to-date version of this statute can be found here.