S.B. 291

SENATE BILL NO. 291–SENATORS DOÑATE, FLORES AND TAYLOR

MARCH 6, 2025

Referred to Committee on Commerce and Labor

SUMMARY—Revises provisions relating to personal information. (BDR 52-39)

FISCAL NOTE: Effect on Local Government: Increases or Newly Provides for Term of Imprisonment in County or City Jail or Detention Facility.
Effect on the State: Yes.

EXPLANATION – Matter in bolded italics is new; matter between brackets [omitted material] is material to be omitted.

AN ACT relating to personal information; requiring certain employers to implement and maintain reasonable security measures to protect the personal information of certain former residents of this State; revising requirements for the provision of certain notifications in the event of a breach of the security of the system data; prohibiting certain persons from collecting social security numbers under certain circumstances; prohibiting an employer from retaliating against an employee for certain actions relating to the security of personal information; requiring the Department of Motor Vehicles to establish procedures by which a victim of identity theft may obtain a new driver’s license number; providing penalties; and providing other matters properly relating thereto.

Legislative Counsel’s Digest:

Existing law imposes certain requirements upon data collectors with respect to the security of personal information collected and maintained by the data collector. (NRS 603A.010-603A.290) Existing law requires a data collector that maintains records which contain personal information of a resident of this State to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.
(NRS 603A.210) Section 8 of this bill additionally requires a data collector to implement and maintain such security measures to protect records containing personal information of a person who was a resident of this State at the time at which the personal information was obtained by the data collector. Section 16 of this bill prohibits an employer from retaliating against an employee because the employee has filed a formal complaint alleging that the employer has failed to comply with such requirements.

Existing law requires a data collector that owns, licenses or maintains computerized data which includes personal information, after discovery or notification of a breach of the security of the system data in which personal information maintained by the data collector was, or is reasonably believed to have been, acquired by an unauthorized person, to notify each affected resident of this State and certain other persons. (NRS 603A.220) Section 9 of this bill requires a data collector to provide such a notification to a former resident of this State who was a resident of this State at the time at which the personal information was obtained by the data collector. Section 9 provides that if the breach involves the personal information of a current employee or former employee of the data collector, the notification must be provided within 30 days after discovery or notification of the breach. Section 9 deems a data collector to have complied with the requirement for notification with respect to a former employee if the data collector made a reasonable effort to provide the notification to the employee.
Section 4 of this bill requires a data collector who provides such a notification to a current employee or former employee to provide to the employee monitoring services and services to protect against identity theft at no cost for not less than 1 year after the date on which the notification was provided. Section 2 of this bill defines “current employee” to mean a person who is currently employed by a data collector. Section 3 of this bill defines “former employee” to mean a person who is not a current employee and who has been employed by a data collector in the immediately preceding 2 years.

Existing law makes a violation of the provisions governing the security of personal information maintained by data collectors a deceptive trade practice, thereby subjecting a data collector who violates those provisions to certain civil and criminal penalties. (NRS 598.0999, 603A.290) Section 10 of this bill also makes a violation of the provisions of sections 2-4 of this bill a deceptive trade practice.

Existing law provides for the issuance of drivers’ licenses by the Department of Motor Vehicles. (Chapter 483 of NRS) Section 12 of this bill requires the Department to establish procedures by which a licensee who is a victim of identity theft may request that the number of his or her driver’s license be changed to a new unique number. Section 14 of this bill prohibits the Department from charging a fee for making such a change. Section 13 of this bill makes a conforming change so that the definitions applicable to the provisions of existing law governing drivers’ licenses apply to section 12.

Section 7 of this bill prohibits, with certain exceptions, a business operating in this State that maintains records which contain personal information from requesting, collecting or maintaining the full social security number of a customer.
Section 17 of this bill prohibits, with certain exceptions, an employer from collecting the social security number of a prospective employee or requesting or requiring that a prospective employee disclose his or her social security number before the employer has made a formal offer of employment and the prospective employee has accepted the offer.

Section 5 of this bill applies the definitions in existing law governing the security of personal information maintained by data collectors to sections 2-4. Section 6 of this bill provides that any waiver of the provisions of sections 2-4 is contrary to public policy, void and unenforceable. Section 11 of this bill authorizes the Attorney General or a district attorney to bring an action to obtain an injunction against a violation of sections 2-4.

THE PEOPLE OF THE STATE OF NEVADA, REPRESENTED IN SENATE AND ASSEMBLY, DO ENACT AS FOLLOWS:

Section 1. Chapter 603A of NRS is hereby amended by adding thereto the provisions set forth as sections 2, 3 and 4 of this act.

Sec. 2. “Current employee” means a person who is currently employed by a data collector.

Sec. 3. “Former employee” means a person who is not a current employee and who has been employed by a data collector during the immediately preceding 2 years.

Sec. 4. A data collector who, pursuant to NRS 603A.220, provides notification of a breach of the security of the system data to a current employee of the data collector or, if the data collector is able to provide the notification after making a reasonable effort, a former employee of the data collector shall provide to the employee, at no cost to the employee, services to monitor his or her credit and to protect against identity theft for not less than 1 year after the date on which the notification was provided.

Sec. 5.
NRS 603A.010 is hereby amended to read as follows:

603A.010 As used in NRS 603A.010 to 603A.290, inclusive, and sections 2, 3 and 4 of this act, unless the context otherwise requires, the words and terms defined in NRS 603A.020, 603A.030 and 603A.040 and sections 2 and 3 of this act have the meanings ascribed to them in those sections.

Sec. 6. NRS 603A.100 is hereby amended to read as follows:

603A.100
1. The provisions of NRS 603A.010 to 603A.290, inclusive, and sections 2, 3 and 4 of this act do not apply to the maintenance or transmittal of information in accordance with NRS 439.581 to 439.597, inclusive, and the regulations adopted pursuant thereto.
2. A data collector who is also an operator, as defined in NRS 603A.330, shall comply with the provisions of NRS 603A.300 to 603A.360, inclusive.
3. Any waiver of the provisions of NRS 603A.010 to 603A.290, inclusive, and sections 2, 3 and 4 of this act is contrary to public policy, void and unenforceable.

Sec. 7. NRS 603A.200 is hereby amended to read as follows:

603A.200
1. A business that maintains records which contain personal information concerning the customers of the business shall take reasonable measures to ensure the destruction of those records when the business decides that it will no longer maintain the records.
2. Except as otherwise provided in subsection 3, a business shall not request, collect or maintain the full social security number of a customer of the business. Nothing in the provisions of this subsection prohibits a business from requesting, collecting or maintaining the driver’s license number of a customer or any other number issued to a person by a governmental entity.
3. The provisions of subsection 2 do not apply to:
(a) A banking or financial institution, as defined in NRS 106.295.
(b) Any person who holds a nonrestricted license, as defined in NRS 463.0177, or an affiliate, as defined in NRS 463.0133, of such a person.
(c) The requesting, collection or maintenance of the full social security number of a customer:
(1) For the purpose of billing or another reasonable business purpose; or
(2) To comply with any provision of state or federal law, including, without limitation, to report any information required to be reported to the Internal Revenue Service.
4. As used in this section:
(a) “Business” means a proprietorship, corporation, partnership, association, trust, unincorporated organization or other enterprise doing business in this State.
(b) “Reasonable measures to ensure the destruction” means any method that modifies the records containing the personal information in such a way as to render the personal information contained in the records unreadable or undecipherable, including, without limitation:
(1) Shredding of the record containing the personal information; or
(2) Erasing of the personal information from the records.

Sec. 8. NRS 603A.210 is hereby amended to read as follows:

603A.210
1. A data collector that maintains records which contain personal information of a resident of this State or personal information of a person who was a resident of this State at the time at which the personal information was obtained by the data collector shall implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.
2.
If a data collector is a governmental agency and maintains records which contain personal information of a resident of this State, the data collector shall, to the extent practicable, with respect to the collection, dissemination and maintenance of those records, comply with the current version of the CIS Controls as published by the Center for Internet Security, Inc. or its successor organization, or corresponding standards adopted by the National Institute of Standards and Technology of the United States Department of Commerce.
3. A contract for the disclosure of the personal information of a resident of this State which is maintained by a data collector must include a provision requiring the person to whom the information is disclosed to implement and maintain reasonable security measures to protect those records from unauthorized access, acquisition, destruction, use, modification or disclosure.
4. If a state or federal law requires a data collector to provide greater protection to records that contain personal information of a resident or former resident of this State which are maintained by the data collector and the data collector is in compliance with the provisions of that state or federal law, the data collector shall be deemed to be in compliance with the provisions of this section.
5. The Office of Information Security of the Office of the Chief Information Officer within the Office of the Governor shall create, maintain and make available to the public a list of controls and standards with which the State is required to comply pursuant to any federal law, regulation or framework that also satisfy the controls and standards set forth in subsection 2.

Sec. 9. NRS 603A.220 is hereby amended to read as follows:

603A.220
1.
Except as otherwise provided in subsection [7,] 8, a data collector that owns or licenses computerized data which includes personal information of a resident of this State or personal information of a person who was a resident of this State at the time at which the personal information was obtained by the data collector shall disclose any breach of the security of the system data following discovery or notification of the breach to any resident of this State or former resident of this State, if applicable, whose unencrypted personal information was, or is reasonably believed to have been, acquired by an unauthorized person. The disclosure must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, as provided in subsection 3, or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the system data. Except as otherwise provided in subsections 3 and 7, if the breach involves personal information of a current employee or former employee of the data collector, the data collector shall provide the disclosure required by this subsection to each affected current employee or former employee not less than 30 days after discovery or notification of the breach.
2. Any data collector that maintains computerized data which includes personal information that the data collector does not own shall notify the owner or licensee of the information of any breach of the security of the system data immediately following discovery if the personal information was, or is reasonably believed to have been, acquired by an unauthorized person.
3. The notification required by this section may be delayed if a law enforcement agency determines that the notification will impede a criminal investigation.
The notification required by this section must be made after the law enforcement agency determines that the notification will not compromise the investigation.
4. For purposes of this section, except as otherwise provided in subsection 5, the notification required by this section may be provided by one of the following methods:
(a) Written notification.
(b) Electronic notification, if the notification provided is consistent with the provisions of the Electronic Signatures in Global and National Commerce Act, 15 U.S.C. §§ 7001 et seq.
(c) Substitute notification, if the data collector demonstrates that the cost of providing notification would exceed $250,000, the affected class of subject persons to be notified exceeds 500,000 or the data collector does not have sufficient contact information. Substitute notification must consist of all the following:
(1) Notification by electronic mail when the data collector has electronic mail addresses for the subject persons.
(2) Conspicuous posting of the notification on the Internet website of the data collector, if the data collector maintains an Internet website.
(3) Notification to major statewide media.
5. A data collector which:
(a) Maintains its own notification policies and procedures as part of an information security policy for the treatment of personal information that is otherwise consistent with the timing requirements of this section shall be deemed to be in compliance with the notification requirements of this section if the data collector notifies subject persons in accordance with its policies and procedures in the event of a breach of the security of the system data.
(b) Is subject to and complies with the privacy and security provisions of the Gramm-Leach-Bliley Act, 15 U.S.C. §§ 6801 et seq., shall be deemed to be in compliance with the notification requirements of this section [.]
with respect to customers of the data collector.
6. If a data collector determines that notification is required to be given pursuant to the provisions of this section to more than 1,000 persons at any one time, the data collector shall also notify, without unreasonable delay, any consumer reporting agency that compiles and maintains files on consumers on a nationwide basis, as that term is defined in 15 U.S.C. § 1681a(p), of the time the notification is distributed and the content of the notification.
7. A data collector who makes a reasonable effort to provide the disclosure required by this section to a former employee shall be deemed to be in compliance with the notification requirements of this section with respect to the former employee.
8. The provisions of this section do not apply to a person licensed pursuant to chapter 675 of NRS.

Sec. 10. NRS 603A.260 is hereby amended to read as follows:

603A.260 A violation of the provisions of NRS 603A.010 to 603A.290, inclusive, and sections 2, 3 and 4 of this act constitutes a deceptive trade practice for the purposes of NRS 598.0903 to 598.0999, inclusive.

Sec. 11. NRS 603A.290 is hereby amended to read as follows:

603A.290 If the Attorney General or a district attorney of any county has reason to believe that any person is violating, proposes to violate or has violated the provisions of NRS 603A.010 to 603A.290, inclusive, and sections 2, 3 and 4 of this act, the Attorney General or district attorney may bring an action against that person to obtain a temporary or permanent injunction against the violation.

Sec. 12. Chapter 483 of NRS is hereby amended by adding thereto a new section to read as follows:

1. The Department shall establish procedures by which a licensee who is a victim of identity theft may request that the number of his or her driver’s license be changed to a new unique number.
2.
As used in this section, “identity theft” means a violation of the provisions of NRS 205.463, 205.464 or 205.465.

Sec. 13. NRS 483.020 is hereby amended to read as follows:

483.020 As used in NRS 483.010 to 483.630, inclusive, and section 12 of this act, unless the context otherwise requires, the words and terms defined in NRS 483.030 to 483.190, inclusive, have the meanings ascribed to them in those sections.

Sec. 14. NRS 483.410 is hereby amended to read as follows:

483.410
1. Except as otherwise provided in subsection 6 and NRS 483.330 and 483.417, for every driver’s license, including a motorcycle driver’s license, issued and service performed, the following fees must be charged:

An original or renewal license issued to a person 65 years of age or older ..... $13.50
An original or renewal license issued to any person less than 65 years of age which expires on the eighth anniversary of the licensee’s birthday ..... $37.00
An original or renewal license issued to any person less than 65 years of age which expires on or before the fourth anniversary of the licensee’s birthday ..... 18.50
Administration of the examination required by NRS 483.330 for a noncommercial driver’s license ..... 25.00
Each readministration to the same person of the examination required by NRS 483.330 for a noncommercial driver’s license ..... 10.00
Reinstatement of a license after suspension, revocation or cancellation, except a revocation for a violation of NRS 484C.110, 484C.120, 484C.130 or 484C.430, or pursuant to NRS 484C.210 and 484C.220 ..... 75.00
Reinstatement of a license after revocation for a violation of NRS 484C.110, 484C.120, 484C.130 or 484C.430, or pursuant to NRS 484C.210 and 484C.220 ..... 120.00
A new photograph, change of name, change of other information, except address, or any combination ..... 5.00
A duplicate license ..... 14.00

2. For every motorcycle endorsement to a driver’s license, a fee of $5 must be charged.
3. If no other change is requested or required, the Department shall not charge a fee to change the number of a driver’s license at the request of a licensee who is a victim of identity theft pursuant to section 12 of this act or to convert the number of a license from the licensee’s social security number, or a number that was formulated by using the licensee’s social security number as a basis for the number, to a unique number that is not based on the licensee’s social security number.
4. Except as otherwise provided in NRS 483.417, the increase in fees authorized by NRS 483.347 and the fees charged pursuant to NRS 483.415 must be paid in addition to the fees charged pursuant to subsections 1 and 2.
5. A penalty of $10 must be paid by each person renewing a license after it has expired for a period of 30 days or more as provided in NRS 483.386 unless the person is exempt pursuant to that section.
6. The Department may not charge a fee for the reinstatement of a driver’s license that has been:
(a) Voluntarily surrendered for medical reasons; or
(b) Cancelled pursuant to NRS 483.310.
7. All fees and penalties are payable to the Administrator at the time a license or a renewal license is issued.
8.
Except as otherwise provided in NRS 483.340, subsection 3 of NRS 483.3485, NRS 483.415 and 483.840, and subsection 3 of NRS 483.863, all money collected by the Department pursuant to this chapter must be deposited in the State Treasury for credit to the Motor Vehicle Fund.

Sec. 15. Chapter 613 of NRS is hereby amended by adding thereto the provisions set forth as sections 16 and 17 of this act.

Sec. 16. An employer shall not retaliate against an employee because the employee has filed a formal complaint alleging that the employer has not complied with the requirements of subsection 1 of NRS 603A.210.

Sec. 17.
1. Except as otherwise provided in subsection 2, an employer shall not collect the social security number of a prospective employee or request or require that a prospective employee disclose his or her social security number before the employer has made a formal offer of employment to the prospective employee and the prospective employee has accepted the offer.
2. An employer may collect, request or require the disclosure of the social security number of a prospective employee before the period specified in subsection 1:
(a) To perform a background check on the prospective employee;
(b) If the position of employment requires a security clearance;
(c) To perform any form of preemployment screening that is authorized by law and which the employer deems necessary; or
(d) If necessary to comply with state or federal law.

Sec. 18. This act becomes effective on January 1, 2027.