Financial Services Law Developments: FYI: Nevada Installment Loan Companies Subject to Significant New Data Security Requirements

Tuesday, July 11, 2023

FYI: Nevada Installment Loan Companies Subject to Significant New Data Security Requirements

Nevada installment loan companies are subject to significant new data security requirements as specified in Nevada Senate Bill 355, which was approved by Gov. Joe Lombardo in June and goes into effect Oct. 1, 2023.

The legislation amends numerous statutory sections pertaining to regulated entities, but particularly affects installment loan companies ("licensees") licensed pursuant to the Nevada Installment Loan and Finance Act, Nev. Rev. Stat. Ann. § 675.010, et seq.

REMOTE EMPLOYEE WRITTEN AGREEMENT

Remote employees "engaging in the business of lending" must enter into a written agreement with licensees. An employee engages in the business of lending if they:

Solicit loans in Nevada or make loans to persons in Nevada, unless these are isolated, incidental or occasional transactions; or
Are located in Nevada and solicit loans outside of Nevada or make loans to persons located outside of Nevada, unless these are isolated, incidental or occasional transactions.

Nev. Rev. Stat. Ann. § 675.060(2).

These remote employees must agree to:

Maintain the confidentiality of data concerning borrowers and potential borrowers while working at the remote location;
Maintain all data of the licensee electronically while working at the remote location;
Read and comply with the data security policy adopted by the licensee;
Keep any equipment provided to the employee by the licensee for use at the remote location safe and secure in the manner prescribed by the licensee;
Never print or otherwise reproduce physical documents containing any data of the licensee at the remote location;
Never disclose to a borrower or potential borrower that the employee is working at a remote location;
Never convey to a borrower or potential borrower that the remote location at which the licensee is working is the place of business of the licensee; and
Never conduct any interactions with a borrower or potential borrower in person at the remote location.

REMOTE LOCATION DATA SECURITY

Remote locations must be in the United States and must:

Be sufficiently connected to the systems used by the licensee and allow the licensee to monitor and oversee the work of the employee as though the employee were performing the same work at the licensee's place of business; and
Require the employee to enter unique credentials, passwords, or similar information to access the computerized data system.

DATA SECURITY POLICY

If remote employees are engaging in the business of lending, the licensee must develop a written data security policy to ensure that:

Data of the licensee that is stored at or accessible from a remote location is protected against unauthorized or accidental disclosure, access, use, modification, duplication or destruction;
Remote employees can access the computerized data system of the licensee only through the use of a virtual private network or other similarly secure system;
Updates and repairs necessary to keep data and equipment secure are installed or implemented immediately;
All data is stored in a safe and secure manner;
Each remote location contains computers or other electronic devices that use reasonable security measures, such as antivirus software and firewalls;
The computerized data system may only be accessed through computers or other electronic devices that are issued by the licensee and can only be used by employees while performing activities approved by the licensee;
An internal or external risk assessment is performed annually on the protection of the data;
After the performance of a risk assessment, the data security policy is updated to correct any deficiencies identified in the risk assessment;
The licensee has procedures in place establishing actions that must be taken upon the:

Discovery of a breach of the security of the computerized data system; and
Occurrence of an emergency, including a fire or natural disaster;
The data of the licensee is disposed of in a timely and secure manner as required by applicable law and contractual requirements; and
The licensee is able, without the licensee being physically present at a remote location, to disconnect, disable, or erase any computer or device provided to remote employees.

DATA BREACH NOTIFICATION REQUIREMENTS

The legislation also exempts licensees from Nevada's data breach notification statutes (Nev. Rev. Stat. Ann. § 603A.300, et seq.) and instead creates new and different notice requirements, including:

Determination whether notice is required is based in part on an analysis of the risk of harm to affected residents;
A notice deadline of not more than 30 days, as opposed to just "in the most expedient time possible and without unreasonable delay";
A prohibition of notice by email if a breach involves a username, password or other login credentials to an email account furnished by the licensee;
Specific information that must be included in a breach notification;
Notice to the attorney general if there are more than 500 affected residents.

Unlike the general data breach notification statutes, the legislation does not include:

A provision that a data collector subject to and compliant with the privacy and security provisions of the Gramm-Leach-Bliley Act is deemed to be in compliance with the notification requirements;
A requirement that a data collector notify consumer reporting agencies of a breach affecting more than 1,000 persons.

Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6^th Floor
Chicago, Illinois 60602
Direct: (312) 551-9320
Fax: (312) 284-4751

Mobile: (312) 493-0874
Email: rwutscher@MauriceWutscher.com

Admitted to practice law in Illinois

NOTICE: We do not send unsolicited emails. If you received this email in error, or if you wish to be removed from our update distribution list, please simply reply to this email and state your intention. Thank you.

Our updates and webinar presentations are available on the internet, in searchable format, at:

Financial Services Law Updates

and

The Consumer Financial Services Blog™

and

Webinars

PLEASE NOTE:

The editor and sponsoring law firm of this blog represent and serve banks, lenders, loan buyers, loan servicers, debt collectors, and other financial services companies. We do not represent consumers.

Any communications or information obtained may be provided to our clients, including for the purpose of debt collection.

The information in this blog and related updates is general in nature, and should not be considered legal advice.

Legal advice requires a full and complete understanding of a particular situation. Your situation may involve material facts that prevent the direct application of the information in this blog and related updates.

You will not become a client of the editor or sponsoring law firm simply by reading this blog.

In order to become a client of the editor or sponsoring law firm, the editor or sponsoring law firm must agree to represent you in writing.

Until we agree to represent you in writing, we are not prevented from representing any other party.

Until you are a client of the editor or sponsoring law firm, any communications with us will not be confidential.

The Editor's Bio

Ralph T. Wutscher
Maurice Wutscher LLP
20 N. Clark Street, 33rd Floor
Chicago, Illinois 60602
Direct: (312) 493-0874
RWutscher@MauriceWutscher.com
https://www.MauriceWutscher.com/

Ralph Wutscher's practice focuses primarily on representing depository and non-depository mortgage lenders and servicers, as well as mortgage loan investors, distressed asset buyers and sellers, loss mitigation companies, automobile and other personal property secured lenders and finance companies, credit card and other unsecured lenders, and other consumer financial services providers. He represents the consumer lending industry as a litigator, and as regulatory compliance counsel.

Ralph has substantial experience in defending private consumer finance lawsuits, including cases ranging from large interstate putative class actions to localized single-asset cases, as well as in responding to regulatory investigations and other governmental proceedings. His litigation successes include not only victories at the trial court level, but also on appeal, and in various jurisdictions. He has successfully defended numerous putative class actions asserting violations of a wide range of federal and state consumer protection statutes. He is frequently consulted to assist other law firms in developing or improving litigation strategies in cases filed around the country.

Ralph also has substantial experience in counseling clients regarding their compliance with federal laws, and with state and local laws primarily of the Midwestern United States. For example, he regularly provides assistance in connection with portfolio or program audits, consumer lending disclosure issues, the design and implementation of marketing and advertising campaigns, licensing and reporting issues, compliance with usury laws and other limitations on pricing, compliance with state and local “predatory lending” laws, drafting or obtaining opinion letters on a single- or multi-state basis, interstate branching and loan production office licensing, evaluations and modifications of new or existing products and procedures, debt collection and servicing practices, proper methods of responding to consumer inquiries and furnishing consumer information, as well as proposed or existing arrangements with settlement service providers and other vendors, and the implementation of procedural or other operational changes following developments in the law.

Ralph is a member of the Governing Committee of the Conference on Consumer Finance Law. He is also the immediate past Chair of the Preemption and Federalism Subcommittee for the ABA's Consumer Financial Services Committee. He served on the Law Committee for the former National Home Equity Mortgage Association, and completed two terms as Co-Chair of the Consumer Credit Committee of the Chicago Bar Association.

Ralph received his Juris Doctor from the University of Illinois College of Law, and his undergraduate degree from the University of California at Los Angeles (UCLA). He is a member of the national Mortgage Bankers Association, the American Bankers Association, the Conference on Consumer Finance Law, DBA International, the ACA International Members Attorney Program, as well as the American and Chicago Bar Associations.

Ralph is admitted to practice in Illinois, as well as in the United States Court of Appeals for the Seventh Circuit, the United States District Courts for the Northern and Southern Districts of Illinois, and the United States District Court for the Eastern District of Wisconsin, and has been admitted pro hac vice in various jurisdictions around the country.