Nevada Installment Loan Companies Subject to Significant New Data Security Requirements

Nevada installment loan companies are subject to significant new data security requirements as specified in Nevada Senate Bill 355, which was approved by Gov. Joe Lombardo in June and goes into effect Oct. 1, 2023.

The legislation amends numerous statutory sections pertaining to regulated entities, but particularly affects installment loan companies (“licensees”) licensed pursuant to the Nevada Installment Loan and Finance Act, Nev. Rev. Stat. Ann. § 675.010, et seq.

REMOTE EMPLOYEE WRITTEN AGREEMENT

Remote employees “engaging in the business of lending” must enter into a written agreement with licensees. An employee engages in the business of lending if they:

  1. Solicit loans in Nevada or make loans to persons in Nevada, unless these are isolated, incidental or occasional transactions; or
  2. Are located in Nevada and solicit loans outside of Nevada or make loans to persons located outside of Nevada, unless these are isolated, incidental or occasional transactions. Nev. Rev. Stat. Ann. § 675.060(2).

These remote employees must agree to:

  1. Maintain the confidentiality of data concerning borrowers and potential borrowers while working at the remote location;
  2. Maintain all data of the licensee electronically while working at the remote location;
  3. Read and comply with the data security policy adopted by the licensee;
  4. Keep any equipment provided to the employee by the licensee for use at the remote location safe and secure in the manner prescribed by the licensee;
  5. Never print or otherwise reproduce physical documents containing any data of the licensee at the remote location;
  6. Never disclose to a borrower or potential borrower that the employee is working at a remote location;
  7. Never convey to a borrower or potential borrower that the remote location at which the licensee is working is the place of business of the licensee; and
  8. Never conduct any interactions with a borrower or potential borrower in person at the remote location.

REMOTE LOCATION DATA SECURITY

Remote locations must be in the United States and must:

  1. Be sufficiently connected to the systems used by the licensee and allow the licensee to monitor and oversee the work of the employee as though the employee were performing the same work at the licensee’s place of business; and
  2. Require the employee to enter unique credentials, passwords, or similar information to access the computerized data system.

DATA SECURITY POLICY

If remote employees are engaging in the business of lending, the licensee must develop a written data security policy to ensure that:

  1. Data of the licensee that is stored at or accessible from a remote location is protected against unauthorized or accidental disclosure, access, use, modification, duplication or destruction;
  2. Remote employees can access the computerized data system of the licensee only through the use of a virtual private network or other similarly secure system;
  3. Updates and repairs necessary to keep data and equipment secure are installed or implemented immediately;
  4. All data is stored in a safe and secure manner;
  5. Each remote location contains computers or other electronic devices that use reasonable security measures, such as antivirus software and firewalls;
  6. The computerized data system may only be accessed through computers or other electronic devices that are issued by the licensee and can only be used by employees while performing activities approved by the licensee;
  7. An internal or external risk assessment is performed annually on the protection of the data;
  8. After the performance of a risk assessment, the data security policy is updated to correct any deficiencies identified in the risk assessment;
  9. The licensee has procedures in place establishing actions that must be taken upon the:
    1. Discovery of a breach of the security of the computerized data system; and
    2. Occurrence of an emergency, including a fire or natural disaster;
  10. The data of the licensee is disposed of in a timely and secure manner as required by applicable law and contractual requirements; and
  11. The licensee is able, without the licensee being physically present at a remote location, to disconnect, disable, or erase any computer or device provided to remote employees.

DATA BREACH NOTIFICATION REQUIREMENTS

The legislation also exempts licensees from Nevada’s data breach notification statutes (Nev. Rev. Stat. Ann. § 603A.300, et seq.) and instead creates new and different notice requirements, including:

  • Determination whether notice is required is based in part on an analysis of the risk of harm to affected residents;
  • A notice deadline of not more than 30 days, as opposed to just “in the most expedient time possible and without unreasonable delay”;
  • A prohibition of notice by email if a breach involves a username, password or other login credentials to an email account furnished by the licensee;
  • Specific information that must be included in a breach notification;
  • Notice to the attorney general if there are more than 500 affected residents.

Unlike the general data breach notification statutes, the legislation does not include:

  • A provision that a data collector subject to and compliant with the privacy and security provisions of the Gramm-Leach-Bliley Act is deemed to be in compliance with the notification requirements;
  • A requirement that a data collector notify consumer reporting agencies of a breach affecting more than 1,000 persons.

Eric Rosenkoetter is a principal at Maurice Wutscher LLP, where he provides counsel to businesses and consumer financial services firms nationwide. For many years, he has focused his practice on various aspects of financial services law. As a litigation attorney, he has conducted every aspect of the litigation process, including countless depositions, motion proceedings, bench and jury trials, and appeals in various courts. In addition, he has significant experience as a compliance and transactional attorney, providing strategic, business growth, legislative, compliance and regulatory advice to national corporations and trade associations. For example, he has drafted consumer contracts and disclosures designed to state-specific statutory requirements, and developed “Best Practices” guides and state-by-state compliance grids, for national financial services companies. He also conducted research and crafted a metrics report for a national trade association with analysis designed to counter the claims of advocacy groups. Eric’s experience also includes working for a national corporation as Executive Counsel, Chief Compliance and Ethics Officer, and Director of Legislative Affairs, and as a federal lobbyist and Director of Government and Public Affairs for a national financial services trade association. In the government sector, Eric presided over approximately 6,000 state administrative hearings, served as a staff attorney for the Missouri Senate, and handled litigation in 33 counties as a regional managing attorney. Eric frequently speaks to audiences on topics relevant to the financial services industry including regulatory compliance, data privacy law and related advocacy initiatives. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/