
100 North City Parkway, Suite 1750  |  Las Vegas, NV 89106

Privacy and Data Security - What Nevada Businesses and In-House Counsel Need to Know

By Justin Shiroff and Joel Tasca

Data security is one of the most important emerging areas of law and a pivotal concern for businesses of all sizes all across the globe. Here in Nevada, it is no different. Businesses in every economic sector are under a host of statutory and common law obligations (both state and federal) to ensure the privacy of the data they collect and utilize. Once a business clearly identifies which federal regulations apply, and factors into account the Nevada state requirements, it can develop a cohesive plan that minimizes both the risk of suffering from a data security breach and the potential exposure that can result from such a breach.

There is no one central federal law or rule that covers data security. Instead, there is a patchwork of statutes and administrative regulations, propagated and enforced by a host of different administrative agencies, with little real sense of which agency's edicts hold sway should they ever come into conflict. Three of the most significant sources of federal data privacy regulation are the Federal Trade Commission (FTC) Act, the Gramm-Leach-Bliley Act (GLB), and the Health Insurance Portability and Accountability Act (HIPAA). For consumer privacy issues, the FTC relies on Section 5 of the FTC Act to hold businesses accountable for failing to either comply with their own privacy policies or safeguard data they have collected. Importantly, the FTC Act does not mandate that businesses have privacy policies; rather, the FTC's view is that when a business discloses such a policy, that business must comply with it.

GLB seeks to protect consumer financial privacy by limiting when a financial institution can disclose a consumer's nonpublic personal information to nonaffiliated third parties. Financial institutions must notify their customers about their information-sharing practices and tell consumers of their right to opt out if they don't want their information shared with certain nonaffiliated third parties. GLB also includes the Safeguards Rule, which requires companies to develop a written information security plan that describes their policies and procedures to protect customer records and information. Federal and state agencies with GLB-derived jurisdiction over financial institutions must implement regulations requiring the financial institutions to establish safeguards under their security program. These safeguards include (but are not limited to):

- Protection against unauthorized access to, or use of, these records or information that would result in substantial harm or inconvenience to any customer;
- Ensuring the security and confidentiality of customer records and information; and
- Protection against any anticipated threats or hazards to the security or integrity of these records.

HIPAA, subject to some minimal exceptions, requires health care providers and their business associates to comply with a number of regulations that roughly translate into three general rules. HIPAA's Privacy Rule requires that covered entities use, request and disclose the minimum amount of Protected Health Information (PHI) necessary to complete a transaction. The HIPAA Security Rule requires the implementation of data security procedures, protocols, and policies at the administrative, technical, physical, and organizational levels to protect the PHI in question. Finally, the HIPAA Transactions Rule mandates compliance with certain uniform standards established for certain electronic transactions.

Beyond the litany of federal regulations, Nevada has its own statutory scheme governing data privacy and security. Nevada's data privacy law applies to select entities that handle, collect, disseminate, or otherwise deal with "nonpublic personal information." Nonpublic personal information means "a natural person's first name or first initial and last name in combination with any one or more additional data element, when the name and data elements are not encrypted," including (but not limited to) a Social Security number; a driver's license number; or a bank account, credit card, or debit card number in combination with any required security code. There are some exceptions to this list, such as the last four digits of a Social Security number or the last four digits of a driver's license number. Id. Nevada's privacy rules are among the more well-defined and expansive in the United States.

In spite of full compliance with federal and state law, breaches can and do still happen. Each of the federal laws has separate provisions for responding to a breach. Generally, the immediate response involves the following steps:

- Stop the breach;
- Notify the relevant internal privacy officer;
- Respond promptly;
- Investigate appropriately;
- Take steps to mitigate damage from the breach and then close the breach;
- Identify the data affected by the breach; and
- Determine if specific data types subject to the breach (PHI or other nonpublic personal information) require advance reporting to a controlling administrative body, such as the Department of Health and Human Services for HIPAA breaches.

Nevada law also provides for certain requirements in the event of a breach, such as notice to affected parties and the effect law enforcement involvement has on giving notice. Nevada's data privacy laws do not expressly create a private right of action on behalf of individuals against businesses who fail to maintain the security of their data. However, the common law doctrines surrounding the right to privacy may provide an avenue for individuals to sue businesses when data breaches occur. These claims may be brought under the right of privacy itself, through claims such as public disclosure of private facts, or through common law negligence claims. Under the doctrine of negligence per se, a breach of the standard of care outlined by a statute— such as the privacy standards set out within N.R.S. § 603A.010—may be the basis for a common law negligence claim.

Counsel advising businesses must remain vigilant and be prepared not only to comply with myriad federal and state regulations concerning data privacy—they must also prepare for the very real damage that comes with a data breach incident. A strong relationship with experienced outside counsel, such as the Privacy and Data Security professionals at Ballard Spahr LLP, is essential to ensuring compliance with relevant privacy laws, minimizing the risks of a data breach, and developing a comprehensive response plan.

Justin Shiroff is an associate at Ballard Spahr.

Justin A. Shiroff's practice is concentrated in commercial litigation (with an emphasis on consumer financial services litigation), as well as healthcare law and data privacy/cybersecurity. His experience also extends to disputes involving employment law. Mr. Shiroff has represented a range of clients that include information security providers, banks and other lending institutions, hospitals and gaming companies/resorts. In addition to his commercial litigation practice, in the health care services field, he has assisted clients in a variety of issues including regulatory and licensing concerns in the context of a hospital sale and acquisition. He has served as a legal researcher and consultant for television shows including "CSI: Crime Scene Investigation," "Lucifer," "Bones," "Notorious," "Rosewood," and "The Blacklist."

Direct: 702.868.7527 | Fax: 702.471.7070
shiroffj@ballardspahr.com


Joel Tasca is a partner at Ballard Spahr. Mr. Tasca's practice encompasses a diverse range of complex litigation at both the trial and appellate levels in federal and state courts throughout the United States.

Mr. Tasca represents individuals and businesses of all sizes, including numerous Fortune 500 companies in a variety of industries. His clients have included major accounting firms, large pharmaceutical and chemical companies, professional sports teams, and state and local governmental entities. These representations have covered a broad range of complex litigation, including cases involving breach of contract, professional liability, securities fraud, consumer fraud, products liability, and ERISA.

Direct: 702.868.7511 | Fax: 702.471.7070
tasca@ballardspahr.com
