As we will learn later this semester, Nevada has been on the front lines of creating law that protects personal information, requires encryption of credit card data, and adoption of PCI-DSS standards into law. Now they have adjusted their laws again to reflect technological changes in personal information. Nevada Governor Sandoval recently signed into law A.B. 179, which expands the definition of “Personal Information (PI)” in the state’s famous data security law. The law will take effect on July 1, 2015. Under the new law, PI now includes:
- A “user name, unique identifier or electronic mail address in combination with a password, access code, or security question and answer that would permit access to an online account;”
- A medical identification or health insurance identification number; and
- A driver authorization card number.
In addition, although Nevada’s data security law previously excluded “publicly available information…lawfully made available to the general public” from the definition of PI, the new law narrows the scope of that exclusion, limiting it to information available “from federal, state or local governmental records.”