Nevada installment loan companies are subject to significant new data security requirements as specified in Nevada Senate Bill 355, which was approved by Gov. Joe Lombardo in June and goes into effect Oct. 1, 2023.
The legislation amends numerous statutory sections pertaining to regulated entities, but particularly affects installment loan companies ("licensees") licensed pursuant to the Nevada Installment Loan and Finance Act, Nev. Rev. Stat. Ann. § 675.010, et seq.
REMOTE EMPLOYEE WRITTEN AGREEMENT
Remote employees "engaging in the business of lending" must enter into a written agreement with licensees. An employee engages in the business of lending if they:
- Solicit loans in Nevada or make loans to persons in Nevada, unless these are isolated, incidental or occasional transactions; or
- Are located in Nevada and solicit loans outside of Nevada or make loans to persons located outside of Nevada, unless these are isolated, incidental or occasional transactions.
Nev. Rev. Stat. Ann. § 675.060(2).
These remote employees must agree to:
- Maintain the confidentiality of data concerning borrowers and potential borrowers while working at the remote location;
- Maintain all data of the licensee electronically while working at the remote location;
- Read and comply with the data security policy adopted by the licensee;
- Keep any equipment provided to the employee by the licensee for use at the remote location safe and secure in the manner prescribed by the licensee;
- Never print or otherwise reproduce physical documents containing any data of the licensee at the remote location;
- Never disclose to a borrower or potential borrower that the employee is working at a remote location;
- Never convey to a borrower or potential borrower that the remote location at which the licensee is working is the place of business of the licensee; and
- Never conduct any interactions with a borrower or potential borrower in person at the remote location.
REMOTE LOCATION DATA SECURITY
Remote locations must be in the United States and must:
- Be sufficiently connected to the systems used by the licensee and allow the licensee to monitor and oversee the work of the employee as though the employee were performing the same work at the licensee's place of business; and
- Require the employee to enter unique credentials, passwords, or similar information to access the computerized data system.
DATA SECURITY POLICY
If remote employees are engaging in the business of lending, the licensee must develop a written data security policy to ensure that:
- Data of the licensee that is stored at or accessible from a remote location is protected against unauthorized or accidental disclosure, access, use, modification, duplication or destruction;
- Remote employees can access the computerized data system of the licensee only through the use of a virtual private network or other similarly secure system;
- Updates and repairs necessary to keep data and equipment secure are installed or implemented immediately;
- All data is stored in a safe and secure manner;
- Each remote location contains computers or other electronic devices that use reasonable security measures, such as antivirus software and firewalls;
- The computerized data system may only be accessed through computers or other electronic devices that are issued by the licensee and can only be used by employees while performing activities approved by the licensee;
- An internal or external risk assessment is performed annually on the protection of the data;
- After the performance of a risk assessment, the data security policy is updated to correct any deficiencies identified in the risk assessment;
- The licensee has procedures in place establishing actions that must be taken upon the:
  - Discovery of a breach of the security of the computerized data system; and
  - Occurrence of an emergency, including a fire or natural disaster;
- The data of the licensee is disposed of in a timely and secure manner as required by applicable law and contractual requirements; and
- The licensee is able, without the licensee being physically present at a remote location, to disconnect, disable, or erase any computer or device provided to remote employees.
DATA BREACH NOTIFICATION REQUIREMENTS
The legislation also exempts licensees from Nevada's data breach notification statutes (Nev. Rev. Stat. Ann. § 603A.300, et seq.) and instead creates new and different notice requirements, including:
- A determination of whether notice is required that is based in part on an analysis of the risk of harm to affected residents;
- A notice deadline of not more than 30 days, as opposed to just "in the most expedient time possible and without unreasonable delay";
- A prohibition of notice by email if a breach involves a username, password or other login credentials to an email account furnished by the licensee;
- Specific information that must be included in a breach notification;
- Notice to the attorney general if there are more than 500 affected residents.
Unlike the general data breach notification statutes, the legislation does not include:
- A provision that a data collector subject to and compliant with the privacy and security provisions of the Gramm-Leach-Bliley Act is deemed to be in compliance with the notification requirements;
- A requirement that a data collector notify consumer reporting agencies of a breach affecting more than 1,000 persons.
Ralph T. Wutscher
Maurice Wutscher LLP
The Loop Center Building
105 W. Madison Street, 6th Floor
Chicago, Illinois 60602
Direct: (312) 551-9320
Fax: (312) 284-4751
Mobile: (312) 493-0874
Admitted to practice law in Illinois