Nevada Installment Loan Companies Subject to Significant New Data Security Requirements

Nevada installment loan companies are subject to significant new data security requirements as specified in Nevada Senate Bill 355, which was approved by Gov. Joe Lombardo in June and goes into effect Oct. 1, 2023.

The legislation amends numerous statutory sections pertaining to regulated entities, but particularly affects installment loan companies (“licensees”) licensed pursuant to the Nevada Installment Loan and Finance Act, Nev. Rev. Stat. Ann. § 675.010, et seq.

REMOTE EMPLOYEE WRITTEN AGREEMENT

Remote employees “engaging in the business of lending” must enter into a written agreement with licensees. An employee engages in the business of lending if they:

  1. Solicit loans in Nevada or make loans to persons in Nevada, unless these are isolated, incidental or occasional transactions; or
  2. Are located in Nevada and solicit loans outside of Nevada or make loans to persons located outside of Nevada, unless these are isolated, incidental or occasional transactions. Nev. Rev. Stat. Ann. § 675.060(2).

These remote employees must agree to:

  1. Maintain the confidentiality of data concerning borrowers and potential borrowers while working at the remote location;
  2. Maintain all data of the licensee electronically while working at the remote location;
  3. Read and comply with the data security policy adopted by the licensee;
  4. Keep any equipment provided to the employee by the licensee for use at the remote location safe and secure in the manner prescribed by the licensee;
  5. Never print or otherwise reproduce physical documents containing any data of the licensee at the remote location;
  6. Never disclose to a borrower or potential borrower that the employee is working at a remote location;
  7. Never convey to a borrower or potential borrower that the remote location at which the licensee is working is the place of business of the licensee; and
  8. Never conduct any interactions with a borrower or potential borrower in person at the remote location.

REMOTE LOCATION DATA SECURITY

Remote locations must be in the United States and must:

  1. Be sufficiently connected to the systems used by the licensee and allow the licensee to monitor and oversee the work of the employee as though the employee were performing the same work at the licensee’s place of business; and
  2. Require the employee to enter unique credentials, passwords, or similar information to access the computerized data system.

DATA SECURITY POLICY

If remote employees are engaging in the business of lending, the licensee must develop a written data security policy to ensure that:

  1. Data of the licensee that is stored at or accessible from a remote location is protected against unauthorized or accidental disclosure, access, use, modification, duplication or destruction;
  2. Remote employees can access the computerized data system of the licensee only through the use of a virtual private network or other similarly secure system;
  3. Updates and repairs necessary to keep data and equipment secure are installed or implemented immediately;
  4. All data is stored in a safe and secure manner;
  5. Each remote location contains computers or other electronic devices that use reasonable security measures, such as antivirus software and firewalls;
  6. The computerized data system may only be accessed through computers or other electronic devices that are issued by the licensee and can only be used by employees while performing activities approved by the licensee;
  7. An internal or external risk assessment is performed annually on the protection of the data;
  8. After the performance of a risk assessment, the data security policy is updated to correct any deficiencies identified in the risk assessment;
  9. The licensee has procedures in place establishing actions that must be taken upon the:
    1. Discovery of a breach of the security of the computerized data system; and
    2. Occurrence of an emergency, including a fire or natural disaster;
  10. The data of the licensee is disposed of in a timely and secure manner as required by applicable law and contractual requirements; and
  11. The licensee is able, without the licensee being physically present at a remote location, to disconnect, disable, or erase any computer or device provided to remote employees.

DATA BREACH NOTIFICATION REQUIREMENTS

The legislation also exempts licensees from Nevada’s data breach notification statutes (Nev. Rev. Stat. Ann. § 603A.300, et seq.) and instead creates new and different notice requirements, including:

  • Determination whether notice is required is based in part on an analysis of the risk of harm to affected residents;
  • A notice deadline of not more than 30 days, as opposed to just “in the most expedient time possible and without unreasonable delay”;
  • A prohibition of notice by email if a breach involves a username, password or other login credentials to an email account furnished by the licensee;
  • Specific information that must be included in a breach notification;
  • Notice to the attorney general if there are more than 500 affected residents.

Unlike the general data breach notification statutes, the legislation does not include:

  • A provision that a data collector subject to and compliant with the privacy and security provisions of the Gramm-Leach-Bliley Act is deemed to be in compliance with the notification requirements;
  • A requirement that a data collector notify consumer reporting agencies of a breach affecting more than 1,000 persons.


Eric Rosenkoetter is a principal at Maurice Wutscher LLP, and is focused on advising clients with respect to federal and state consumer financial protection laws and data privacy and security, and he is a Certified Information Privacy Professional through the International Association of Privacy Professionals. He also brings to the table experience as a litigator, chief compliance and ethics officer, director of legislative affairs, federal lobbyist, and administrative hearings officer. Eric earned his Juris Doctor from Washington University School of Law, and his Bachelor of Business Administration from Southern Methodist University. He is a member of the International Association of Privacy Professionals, the Receivables Management Association International (RMAI), and ACA International. He is admitted to practice law in Texas and Missouri and in the U.S. District Courts for the Northern, Southern, Eastern, and Western Districts of Texas. For more information, see https://mauricewutscher.com/attorneys/eric-rosenkoetter/
