Nevada Enacts Consumer Health Data Law and Modifies Data Breach Notification Requirements for Lenders | Practical Law

Nevada has enacted SB 370, which protects broadly defined consumer health data by requiring additional disclosures and consumer consent and authorization regarding data collection, sharing, and sales, granting consumers access and deletion rights, imposing security and processor obligations, and prohibiting the use of geofencing around health care service facilities. It also enacted SB 355, which modifies data breach requirements for licensed in-state lenders.

Nevada Enacts Consumer Health Data Law and Modifies Data Breach Notification Requirements for Lenders

by Practical Law Data Privacy & Cybersecurity
Published on 22 Jun 2023 | Nevada
On June 15, 2023, Nevada Governor Joe Lombardo signed SB 370, a law protecting consumer health data privacy, and SB 355, a law amending the state's data breach notification obligations for financial lenders.

Consumer Health Data Privacy Law

SB 370 takes effect on March 31, 2024, and protects Nevada residents and individuals whose consumer health data is collected in Nevada, but it excludes individuals acting in employment contexts. The law also prohibits geofencing around an entity that provides in-person health care services to:
  • Identify or track consumers seeking health care services.
  • Collect consumer health data.
  • Send consumers health data or health care service-related notifications, messages, or advertisements.
SB 370 broadly defines consumer health data as personal information, including a persistent unique identifier, that is linked or reasonably linkable to a consumer and an entity uses to identify the consumer's past, present, or future health status, including:
  • Information relating to:
    • any health condition or status, diseases, or diagnosis;
    • social, psychological, behavioral, or medical interventions;
    • surgeries or other health-related procedures;
    • medication use or acquisition;
    • bodily functions, vital signs, or symptoms;
    • reproductive or sexual health care; and
    • gender-affirming care.
  • Biometric data related to health status information. This includes data generated from the measurement or technological processing of an individual's physiological, biological, or behavioral characteristics that identifies a consumer, individually or with other data.
  • Genetic data related to health status information.
  • Precise location information that an entity uses to indicate a consumer's attempt to receive or acquire health services or products.
  • Any information that is derived or extrapolated from non-health information, including through algorithms or machine learning.
The definition excludes personal information that is used to either:
  • Provide access to or enable gameplay by a person on a video game platform.
  • Identify the shopping habits or interests of a consumer, if that information is not used to identify a consumer's specific past, present, or future health status.
SB 370 covers:
  • Regulated entities, which include any legal entity that both:
    • conducts business in Nevada or provides products or services targeted to Nevada consumers; and
    • alone or with others, determines the purpose and means of processing, sharing, or selling consumer health data.
Regulated entities must:
  • Maintain and conspicuously post on their main website a link to, or otherwise provide consumers in a clear and conspicuous manner, a consumer health data privacy policy that clearly and conspicuously discloses how consumers can exercise their rights under the law, how the entity notifies consumers about changes to the consumer health data privacy policy, and the categories of:
    • consumer health data they collect and the purposes for their collection, use, and sharing;
    • how consumer health data will be processed;
    • sources from which they collect consumer health data;
    • consumer health data they share; and
    • third parties and affiliates with whom they share consumer health data, including whether a third party may collect consumer health data over time and across different Internet websites or online services.
  • Disclose and receive affirmative consent before:
    • collecting, using, or sharing additional categories of consumer health data;
    • collecting, using, or sharing consumer health data for additional purposes; or
    • sharing consumer health data with a third party or affiliate, with limited exceptions.
  • Restrict access to consumer health data to those necessary to:
    • further purposes for which they have consumer consent; or
    • provide a consumer-requested product or service.
  • Implement and maintain reasonable administrative, physical, and technical data security measures to protect consumer health data, appropriate to its nature and volume, that:
    • satisfy the regulated industry's standard of care to protect the confidentiality, integrity, and accessibility of consumer health data; and
    • comply with the state's data security statute (NRS 603A.010 to 603A.290).
  • Impose specified contract obligations on their processors. Processors that fail to meet their obligations or act outside their contract's scope are considered regulated entities under SB 370 and subject to all of its requirements. Regulated entities violate SB 370 if they contract with a processor to process consumer health data inconsistently with the regulated entity's stated policy.
Regulated entities may not collect or share any consumer health data except either:
  • With the consumer's consent for the collection for a specified purpose. Consent for collecting and sharing must be separate and distinct.
  • To the extent necessary to provide a consumer-requested product or service.
Consent must be obtained before collecting or sharing any consumer health data. Consent requests must clearly and conspicuously disclose:
  • The categories of consumer health data collected or shared.
  • The purposes for collecting or sharing the consumer health data.
  • The categories, if any, of entities with whom the consumer health data is shared.
  • How the consumer may withdraw their consent.
Consumer health data sales require a separate and distinct specified prior consumer authorization.
SB 370 grants consumers the right to:
  • Confirm whether a regulated entity is collecting, sharing, or selling their consumer health data.
  • Access a list of all third parties with whom the regulated entity has shared or sold their consumer health data.
  • Withdraw their consent for consumer health data collection and sharing.
  • Request deletion of their consumer health data.
Regulated entities must comply with consumer requests without undue delay or within 45 days of authenticating the request, which may be extended once by 45 additional days if both:
  • The extension is reasonably necessary, taking into account the complexity and number of the consumer's requests.
  • The regulated entity informs the consumer of the extension and its reason within the initial 45-day period.
SB 370 excludes:
  • HIPAA covered entities and business associates.
  • Financial institutions, their affiliates, and information subject to the Gramm-Leach-Bliley Act.
  • Patient-identifying information under the federal substance abuse confidentiality law and regulations (Part 2) (42 U.S.C. § 290dd-2; 42 C.F.R. §§ 2.1 to 2.67).
  • Information protected under other federal laws, including the Fair Credit Reporting Act, the Family Educational Rights and Privacy Act, and federal substance abuse confidentiality law and regulations (Part 2).
  • Persons who hold nonrestrictive licenses pursuant to state gaming and licensing laws.
  • Information processed by government agencies and tribal nations for civic or governmental or related purposes and operations.
  • Law enforcement agencies, including contractors of law enforcement agencies and law enforcement activities.
  • Information that has been de-identified in accordance with the HIPAA Privacy Rule.
SB 370 does not include a private right of action.

Modified Data Breach Notification Requirements for Lenders

SB 355 takes effect October 1, 2023, and modifies data breach reporting obligations for entities licensed under Nevada's financial lending statute (NRS 675.060). SB 355 exempts licensed lenders from Nevada's general data breach notification statute (NRS 603A.010 to 603A.040 and 603A.220) and imposes similar, but distinct, data breach notification reporting obligations on licensed lenders, including:
  • Adding a risk-of-harm assessment threshold to triggering events. Unlike Nevada's general data breach notification statute, notice to affected individuals is not required if the licensed lender determines that the breach event is not reasonably likely to subject the Nevada resident to a risk of harm.
  • Adding the unauthorized acquisition of an encryption key or other means to unencrypt encrypted personal information to triggering events. Unlike Nevada's general data breach notification statute, which only requires notification where encrypted information is accessed without authorization, licensed lenders that experience a breach event involving theft or exfiltration of encryption keys may need to notify affected individuals.
  • Requiring licensed lenders to notify affected individuals within 30 days after discovering or being notified of a breach. Nevada's general data breach notification statute does not contain a specific timing requirement.
  • Prohibiting licensed lenders from sending notification to an affected individual's email account when a breach involves the email account's associated usernames, passwords, or other login credentials.
  • Specifying that notifications must be written in plain language and include the licensed lender's contact information, the types of information affected by the breach, contact information for major credit reporting agencies, and if known, the length of time the personal information was potentially exposed.
  • Requiring licensed lenders to advise affected individuals in their notifications to change passwords and security questions if a breach involves usernames, passwords, or other login credentials to an online account.
SB 355 also requires licensed lenders to notify the Attorney General if more than 500 residents are affected by a breach, unlike Nevada's general data breach notification statute, which does not contain a requirement to notify the government. Under SB 355, notification to the Attorney General must be done within 30 days of discovering or being notified of a breach and include:
  • The actual or estimated number of affected state residents.
  • A list of the personal information types affected by the breach.
  • The length of time the personal information was potentially exposed, if known.
  • The date of the breach and when the licensed lender discovered or was notified about it.
  • A summary of actions taken to contain the breach.
  • A sample copy of the notification the licensed lender sent to affected residents.
For more on Nevada's general data breach notification statute, see State Q&A, Data Breach Notification Laws: Nevada.