Data Collectors Safe Harbor


On the heels of ineffective data breach notification laws, Senate Bill 227 takes a more proactive approach: it offers a safe harbor to businesses that collect personal information if a data breach occurs. Some important definitions apply:

Are you a “data collector”?

A “data collector” is defined in Nevada Revised Statute 603A as “any governmental agency, institution of higher education, corporation, financial institution or retail operator or any other type of business entity or association that, for any purpose, whether by automated collection or otherwise, handles, collects, disseminates or otherwise deals with nonpublic personal information.”

If you collect data, what constitutes “personal information”?

“Personal information” is defined as a natural person’s first name or first initial and last name in combination with a (i) social security number, (ii) driver’s license number or identification card number, or (iii) account number, credit card number or debit card number, in combination with any required security code, access code or password that would permit access to the person’s financial account.

So, if I am a data collector, what do I need to do to get the safe harbor?

Effective January 1, 2010, you will need to encrypt personal information that is either transmitted electronically or contained in a data storage device that has moved beyond the data collector’s control (e.g. on a laptop computer). There are specific requirements contained in the statute! If you do encrypt the data, you, as a business owner, will avoid liability if that encrypted data is lost or improperly accessed! In addition, it is possible that courts will take the encryption requirement into account in determining what constitutes negligent conduct associated with data breaches. Companies that follow the statutes may even be eligible for reductions on their insurance. All of these are good reasons to check out SB 227 in the 2009 session information on the Nevada Legislature website at or at