Data Protection Impact Assessment (DPIA) - Nevada
DATA PROTECTION IMPACT ASSESSMENT (DPIA)
State of Nevada
Prepared By: [________________________________]
Title: [________________________________]
Organization: [________________________________]
Date of Assessment: [__/__/____]
Assessment Version: [____]
Classification: ☐ Confidential ☐ Internal Use Only ☐ Restricted
1. Project Overview
1.1 Project Identification
| Field | Details |
|---|---|
| Project Name/ID | [________________________________] |
| Business Owner | [________________________________] |
| Executive Sponsor | [________________________________] |
| Project Manager | [________________________________] |
| Privacy Lead | [________________________________] |
| Target Launch Date | [__/__/____] |
| DPIA Completion Deadline | [__/__/____] |
1.2 Project Description
Purpose and Objectives:
[________________________________]
Business Justification:
[________________________________]
Anticipated Duration: ☐ One-time project ☐ Ongoing operation ☐ Defined period: [____]
1.3 Nevada Nexus Analysis
☐ Organization conducts business in Nevada
☐ Organization owns or licenses personal information of Nevada residents
☐ Organization is an "operator" under NRS 603A.330 (maintains an internet website or online service for commercial purposes)
☐ Organization collects and maintains covered information from consumers who use or visit the website/service (NRS 603A.320)
☐ Organization sells or licenses covered information about Nevada consumers
PRACTITIONER NOTE: Nevada occupies a unique position in state data protection law. While it lacks a comprehensive consumer privacy statute, it enacted SB 220 (effective October 1, 2019), one of the first state laws requiring website operators to provide consumers an opt-out mechanism for the sale of covered information. This is separate from and predates much of the CCPA-style legislation in other states. Organizations operating websites accessible to Nevada consumers must comply with both the general data security provisions (NRS 603A.010-.290) and the online privacy provisions (NRS 603A.300-.360).
2. Scope of Processing
2.1 Data Subjects
Identify all categories of individuals whose data is processed:
☐ Nevada resident customers/consumers
☐ Employees located in Nevada
☐ Independent contractors
☐ Job applicants
☐ Website visitors/online service users
☐ Vendors/suppliers
☐ Minors (under 18)
☐ Other: [________________________________]
Estimated number of Nevada residents affected: [________________________________]
2.2 Categories of Personal Information
Personal Information under NRS 603A.040 (Breach Notification):
"Personal information" means a natural person's first name or first initial and last name in combination with any one or more of the following data elements (when the name or data element is not encrypted):
☐ Social Security number
☐ Driver's license number or identification card number
☐ Account number, credit card number, or debit card number, in combination with any required security code, access code, or password that would permit access to the person's financial account
☐ Medical identification number or health insurance identification number
☐ Username, unique identifier, or email address in combination with a password, access code, or security question and answer that would permit access to an online account
Covered Information under NRS 603A.320 (SB 220 Online Privacy):
"Covered information" means any of the following collected through an internet website or online service from a consumer who resides in Nevada:
☐ First and last name
☐ Home or physical address (including street name and city/town)
☐ Email address
☐ Telephone number
☐ Social Security number
☐ Identifier that allows a specific person to be contacted physically or online
☐ Any other information concerning a person collected from the person through the operator's website/online service and maintained in combination with any identifying information
2.3 Sensitive Data Considerations
☐ Health/medical information
☐ Financial account credentials
☐ Social Security numbers
☐ Biometric data (not specifically defined in NRS 603A but may trigger other obligations)
☐ Minor's data (COPPA and state obligations)
☐ Authentication credentials (username + password combinations)
2.4 Data Volume and Retention
| Metric | Value |
|---|---|
| Estimated records processed annually | [________________________________] |
| Current volume of Nevada resident data | [________________________________] |
| Retention period | [________________________________] |
| Deletion/destruction triggers | [________________________________] |
| Retention schedule review frequency | [________________________________] |
2.5 Processing Activities
☐ Collection (direct from consumer)
☐ Collection (from third parties)
☐ Storage/hosting
☐ Analysis/profiling
☐ Sale of covered information (triggers SB 220 obligations)
☐ Licensing of covered information
☐ Sharing with affiliates
☐ Sharing with third-party service providers
☐ Transfer to other jurisdictions
☐ Automated decision-making
☐ De-identification/anonymization
☐ Destruction/disposal
☐ Other: [________________________________]
3. Legal Basis and Nevada Law Overlay
3.1 Applicable Nevada Statutes
A. NRS 603A.010 - 603A.290: Security of Personal Information
- Applicability: Any data collector that owns or licenses personal information of a resident of Nevada, or any data collector that maintains such information and whose principal place of business is in Nevada (NRS 603A.030).
- Security Obligation: Must implement and maintain reasonable security measures to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure (NRS 603A.210).
- Data Destruction: Businesses that maintain records containing personal information must take reasonable measures to destroy or arrange for the destruction of those records when the records are no longer needed (NRS 603A.200). Acceptable methods: shredding, erasing, or otherwise modifying PI to make it unreadable or indecipherable.
- Encryption Safe Harbor: NRS 603A provides a safe harbor from breach notification for encrypted data where the encryption key has not been accessed by an unauthorized person.
B. NRS 603A.300 - 603A.360: Online Privacy (SB 220 / SB 260)
- Effective Date: October 1, 2019 (SB 220); amended by SB 260 effective October 1, 2021.
- Applicability: "Operators" -- persons who own or operate an internet website or online service for commercial purposes and who collect and maintain covered information from consumers residing in Nevada who use or visit the site/service (NRS 603A.330).
- Opt-Out Right: An operator must establish a designated request address through which a consumer may submit a verified request directing the operator not to make any sale of covered information the operator has collected or will collect about that consumer (NRS 603A.345).
- Response Timeline: The operator must respond to a verified request within 60 days (extendable by 30 days with notice to consumer) (NRS 603A.345).
- "Sale" Definition: Exchange of covered information for monetary consideration by the operator to a person for the person to license or sell the covered information to additional persons (NRS 603A.340). Excludes: disclosure to service providers, affiliates, or in connection with mergers/acquisitions.
- No Private Right of Action: Only the Attorney General may enforce SB 220 violations.
- Penalties: Injunctive relief; civil penalty of up to $5,000 per violation (NRS 603A.360).
C. Additional Nevada Privacy-Related Laws
☐ NRS 205.4617 (Computer crimes, unauthorized access)
☐ NRS 598.0915 (Deceptive trade practices -- potential overlay for privacy misrepresentations)
☐ NRS 603A.215 (PCI-DSS compliance provisions for data security)
☐ Federal overlay: GLBA, HIPAA, COPPA, FERPA as applicable
3.2 Consumer Rights Assessment (Nevada)
| Right | Available? | Citation | Notes |
|---|---|---|---|
| Opt-out of sale | Yes (online only) | NRS 603A.345 | SB 220 -- operator must honor verified request |
| Access/know | No | N/A | Not required under Nevada law |
| Correction | No | N/A | Not required under Nevada law |
| Deletion | No | N/A | Not required under Nevada law |
| Portability | No | N/A | Not required under Nevada law |
| Non-discrimination | No | N/A | Not required under Nevada law |
| Private right of action | No | NRS 603A.360 | AG enforcement only |
3.3 Notice Requirements
Privacy Notice (SB 220):
☐ Organization posts a notice on its website/online service identifying the categories of covered information collected
☐ Notice identifies categories of third parties with whom information may be shared
☐ Notice provides description of process for consumer to review and request changes to covered information
☐ Notice discloses whether third parties may collect information about consumer's online activities
☐ Notice effective date is posted
4. Data Flow and Transfers
4.1 Data Flow Mapping
| Source | Data Elements | Destination | Purpose | Transfer Mechanism |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
| [________________________________] | [________________________________] | [________________________________] | [________________________________] | [________________________________] |
4.2 Third-Party Recipients
| Vendor/Recipient | Data Shared | Purpose | DPA in Place? | SB 220 Classification |
|---|---|---|---|---|
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Service provider ☐ Buyer ☐ Affiliate |
| [________________________________] | [________________________________] | [________________________________] | ☐ Yes ☐ No | ☐ Service provider ☐ Buyer ☐ Affiliate |
PRACTITIONER NOTE: Under SB 220, sharing covered information with a service provider who processes data on behalf of the operator, or with an affiliate for internal purposes, does not constitute a "sale." Carefully classify each recipient to determine whether opt-out obligations attach.
4.3 Cross-Border Transfers
☐ Data remains within the United States
☐ Data transferred internationally -- specify jurisdictions: [________________________________]
☐ Transfer mechanisms in place: ☐ Standard Contractual Clauses ☐ Binding Corporate Rules ☐ APEC CBPR ☐ Other: [________________________________]
4.4 Access Controls
☐ Role-based access control (RBAC) implemented
☐ Least privilege principle enforced
☐ Joiner/mover/leaver process documented
☐ Privileged access reviews conducted: ☐ Quarterly ☐ Semi-annually ☐ Annually
☐ Access logging enabled
5. Security and Technical Controls
5.1 Reasonable Security Measures (NRS 603A.210)
Nevada law requires "reasonable security measures" to protect personal information. The following controls address this standard:
Encryption:
☐ Encryption at rest: Algorithm: [________________________________] Key length: [____]
☐ Encryption in transit (TLS 1.2+): [________________________________]
☐ Encryption key management procedures documented
☐ Encrypted data safe harbor acknowledged (breach notification exemption)
Network Security:
☐ Firewalls/next-gen firewalls deployed
☐ Network segmentation implemented
☐ Intrusion detection/prevention systems (IDS/IPS)
☐ Secure DNS configuration
☐ VPN for remote access
Endpoint Protection:
☐ Antivirus/anti-malware on all endpoints
☐ Endpoint detection and response (EDR)
☐ Mobile device management (MDM) for devices accessing PI
☐ Automatic patching/update procedures
PCI-DSS Alignment (NRS 603A.215):
Nevada's NRS 603A.215 provides that a data collector that complies with PCI-DSS is deemed to be in compliance with the reasonable security measures requirement of NRS 603A.210 for data within the scope of PCI-DSS. This provision is unique among state data security laws.
☐ PCI-DSS Level: [____]
☐ Last PCI-DSS assessment date: [__/__/____]
☐ Qualified Security Assessor (QSA): [________________________________]
☐ PCI-DSS Report on Compliance (ROC) available: ☐ Yes ☐ No
Logging and Monitoring:
☐ Centralized log management (SIEM)
☐ Log retention period: [________________________________]
☐ Real-time alerting configured
☐ Regular log review process documented
Vulnerability Management:
☐ Vulnerability scanning frequency: [________________________________]
☐ Penetration testing frequency: [________________________________]
☐ Patch management timeline: Critical: [____] hours; High: [____] days
5.2 Organizational Controls
☐ Information security policies documented and approved
☐ Employee security awareness training: frequency [________________________________]
☐ Background checks for employees with PI access
☐ Vendor due diligence and security assessment program
☐ Change management procedures
☐ Business continuity and disaster recovery plans
☐ Physical security controls for facilities housing PI
5.3 Data Destruction Controls (NRS 603A.200)
☐ Paper records: cross-cut shredding or incineration
☐ Electronic records: secure wiping (NIST SP 800-88 compliant) or physical destruction
☐ Destruction certificates maintained
☐ Destruction schedule aligned with retention policy
☐ Third-party destruction vendor: [________________________________]
☐ Vendor destruction certification obtained: ☐ Yes ☐ No
5.4 Authentication and Authorization
☐ Multi-factor authentication (MFA) for systems containing PI
☐ Strong password policies enforced (minimum length, complexity, rotation)
☐ Single sign-on (SSO) / SAML integration
☐ Session timeout configured: [____] minutes
☐ Account lockout after failed attempts: [____] attempts
6. Risk Assessment
6.1 Threat Identification
| # | Threat/Risk | Likelihood | Impact | Risk Rating | NV-Specific Concern |
|---|---|---|---|---|---|
| 1 | Unauthorized access to PI | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | Breach notification trigger |
| 2 | Sale of covered info without opt-out mechanism | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | SB 220 violation, AG enforcement |
| 3 | Failure to honor opt-out requests within 60 days | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | $5,000/violation penalty |
| 4 | Inadequate data destruction | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | NRS 603A.200 violation |
| 5 | Third-party vendor breach | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | Shared liability exposure |
| 6 | Insider threat / employee misuse | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | Good-faith exception analysis |
| 7 | Ransomware/malware attack | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | Encryption status critical |
| 8 | Inadequate privacy notice | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | SB 220 notice requirements |
| 9 | Children's data collection | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | COPPA overlay |
| 10 | [________________________________] | ☐ Low ☐ Med ☐ High | ☐ Low ☐ Med ☐ High | [____] | [________________________________] |
6.2 Risk Rating Matrix
| Likelihood \ Impact | Low Impact | Medium Impact | High Impact |
|---|---|---|---|
| High Likelihood | Medium | High | Critical |
| Medium Likelihood | Low | Medium | High |
| Low Likelihood | Low | Low | Medium |
6.3 SB 220 Compliance Risk Assessment
| Requirement | Status | Gap Identified | Remediation Plan |
|---|---|---|---|
| Designated request address established | ☐ Yes ☐ No ☐ N/A | [________________________________] | [________________________________] |
| Verified request process documented | ☐ Yes ☐ No ☐ N/A | [________________________________] | [________________________________] |
| 60-day response timeline tracked | ☐ Yes ☐ No ☐ N/A | [________________________________] | [________________________________] |
| Sale cessation process functional | ☐ Yes ☐ No ☐ N/A | [________________________________] | [________________________________] |
| Privacy notice updated for SB 220 | ☐ Yes ☐ No ☐ N/A | [________________________________] | [________________________________] |
| Service provider vs. buyer classification | ☐ Yes ☐ No ☐ N/A | [________________________________] | [________________________________] |
7. Mitigations and Residual Risk
7.1 Planned Mitigations
| # | Risk Addressed | Mitigation Measure | Owner | Target Date | Status |
|---|---|---|---|---|---|
| 1 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
| 2 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
| 3 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
| 4 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
| 5 | [________________________________] | [________________________________] | [________________________________] | [__/__/____] | ☐ Planned ☐ In Progress ☐ Complete |
7.2 Testing and Validation
☐ Penetration test scheduled/completed: Date: [__/__/____]
☐ Privacy-by-design review completed
☐ SB 220 opt-out mechanism tested end-to-end
☐ Breach notification procedures tabletop exercise completed
☐ Data destruction procedures verified
☐ Vendor security assessments current
7.3 Residual Risk Determination
Overall Residual Risk Rating: ☐ Low ☐ Medium ☐ High ☐ Critical
Decision: ☐ Accept residual risk ☐ Implement additional mitigations ☐ Block/do not proceed
Justification:
[________________________________]
8. Incident Response and Breach Notification
8.1 Nevada Breach Notification Requirements (NRS 603A.220)
Triggering Event: Unauthorized acquisition of computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by a data collector (NRS 603A.220).
Definition of Personal Information (NRS 603A.040):
First name or first initial + last name in combination with:
- Social Security number
- Driver's license or state ID number
- Account number, credit/debit card number + security code/access code/password
- Medical identification number or health insurance identification number
- Username, unique identifier, or email address + password/access code/security question and answer
Notification Timeline:
- Individual notice: In the most expedient time possible and without unreasonable delay (NRS 603A.220)
- Consumer Reporting Agencies (CRAs): If 1,000 or more Nevada residents are affected, notify nationwide CRAs of the timing, distribution, and content of the notice (NRS 603A.220)
Notification Methods:
- Written notice to last known mailing address
- Electronic notice (if consistent with E-SIGN Act)
Substitute Notice (NRS 603A.220): Available if:
- Cost would exceed $250,000; OR
- More than 500,000 persons affected; OR
- Insufficient contact information
Substitute notice consists of: (1) email notice if email address available; (2) conspicuous posting on organization's website; and (3) notification to major statewide media.
Exemptions:
- Encryption safe harbor: encrypted data where key not compromised
- Good-faith employee acquisition (not for fraudulent/unlawful purpose)
- Law enforcement delay: notification may be delayed upon request of law enforcement (NRS 603A.220)
- Entities complying with GLBA, HIPAA, or other federal breach notification requirements may be deemed in compliance
8.2 Incident Response Plan
Phase 1: Detection and Initial Assessment (0-24 hours)
☐ Incident identified and logged in tracking system
☐ Incident response team activated
☐ Initial scope and severity assessed
☐ Evidence preservation initiated
☐ Legal counsel engaged
☐ Determination: Is this a "breach" under NRS 603A.220?
Phase 2: Investigation and Containment (24-72 hours)
☐ Full scope of breach determined
☐ Number of Nevada residents affected identified
☐ Categories of personal information compromised catalogued
☐ Breach contained and systems secured
☐ Law enforcement notification considered
☐ Encryption status of compromised data verified (safe harbor analysis)
Phase 3: Notification Preparation
☐ Draft notification letter prepared (reviewed by NV-licensed counsel)
☐ Notification content includes:
- General description of the incident
- Type of personal information compromised
- Telephone number for the data collector
- Advice to remain vigilant (review statements, monitor credit)
- Toll-free numbers for credit reporting agencies
☐ CRA notification prepared (if 1,000+ NV residents affected)
☐ Substitute notice evaluated if applicable (cost > $250K, 500K+ persons, or insufficient contact info)
Phase 4: Notification Delivery
☐ Individual notices sent to affected Nevada residents
☐ CRA notification sent (if threshold met)
☐ Internal documentation completed
☐ Post-incident review scheduled
8.3 Multi-Jurisdictional Coordination
☐ Identify all states where affected individuals reside
☐ Map notification requirements for each applicable state
☐ Identify most restrictive timeline and comply accordingly
☐ Federal law overlay analysis (GLBA, HIPAA, FERPA) completed
☐ International notification requirements assessed (if applicable)
9. SB 220 Online Privacy Compliance Checklist
This section provides a detailed compliance assessment specific to Nevada's online privacy law (NRS 603A.300-.360).
9.1 Operator Status Determination
☐ Organization owns or operates an internet website or online service
☐ Website/service operates for commercial purposes
☐ Organization collects and maintains covered information from Nevada consumers
☐ Conclusion: Organization ☐ IS ☐ IS NOT an "operator" under NRS 603A.330
9.2 Opt-Out Mechanism Requirements
☐ Designated request address established (NRS 603A.345)
- Type: ☐ Email ☐ Web form ☐ Toll-free number ☐ Postal address
- Address/URL: [________________________________]
☐ Verification process for consumer identity documented
☐ Response timeline: 60 days from receipt (extendable by 30 days with consumer notice)
☐ Process to cease sale of consumer's covered information upon verified request
☐ Records of opt-out requests maintained
9.3 Privacy Notice Requirements
☐ Categories of covered information collected are disclosed
☐ Categories of third parties with whom information may be shared are identified
☐ Process for consumer to review and request changes to covered information is described
☐ Disclosure of whether third parties may collect information about consumer's online activities across sites
☐ Effective date of notice posted
9.4 Exemptions Analysis
SB 220 does NOT apply to:
☐ Financial institutions subject to GLBA (NRS 603A.310)
☐ Entities subject to HIPAA (NRS 603A.310)
☐ Disclosures to service providers processing on behalf of operator
☐ Disclosures to affiliates for internal purposes
☐ Disclosures in connection with mergers, acquisitions, or similar transactions
10. Approvals and Accountability
10.1 DPIA Review and Sign-Off
| Role | Name | Signature | Date |
|---|---|---|---|
| Privacy Lead / DPO | [________________________________] | [________________________________] | [__/__/____] |
| Information Security Officer | [________________________________] | [________________________________] | [__/__/____] |
| Legal Counsel (NV-licensed) | [________________________________] | [________________________________] | [__/__/____] |
| Business Owner | [________________________________] | [________________________________] | [__/__/____] |
| Executive Approver | [________________________________] | [________________________________] | [__/__/____] |
10.2 Review Schedule
☐ Annual review required: Next review date: [__/__/____]
☐ Triggered review upon material change to processing
☐ Triggered review upon change to Nevada law
☐ Triggered review upon security incident involving Nevada resident data
10.3 Decision
☐ APPROVED -- Processing may proceed subject to identified mitigations
☐ CONDITIONALLY APPROVED -- Processing may proceed only after completion of: [________________________________]
☐ NOT APPROVED -- Processing may not proceed. Reason: [________________________________]
Decision Authority:
Name: [________________________________]
Title: [________________________________]
Date: [__/__/____]
Signature: [________________________________]
11. Attachments
☐ Data flow diagrams / system architecture
☐ Records of processing activities (ROPA) entry
☐ Vendor list and data processing agreements
☐ SB 220 privacy notice (current version)
☐ Opt-out request handling procedures
☐ Breach notification template (Nevada-specific)
☐ PCI-DSS Report on Compliance (if applicable)
☐ Penetration test / vulnerability assessment reports
☐ Employee training records
☐ Data destruction certificates / procedures
Sources and References
- NRS Chapter 603A -- Security and Privacy of Personal Information: https://www.leg.state.nv.us/nrs/nrs-603a.html
- Nevada Attorney General -- Consumer Protection: https://ag.nv.gov/
- Nevada SB 220 (2019 Session): https://www.leg.state.nv.us/App/NELIS/REL/80th2019/Bill/6365/Overview
- Nevada SB 260 (2021 Session -- SB 220 amendments): https://www.leg.state.nv.us/App/NELIS/REL/81st2021/Bill/7485/Overview
- NIST Cybersecurity Framework: https://www.nist.gov/cyberframework
- PCI Security Standards Council: https://www.pcisecuritystandards.org/
About This Template
Compliance documents are what regulated businesses use to prove they follow the rules that apply to their industry, whether that is privacy, anti-money-laundering, consumer protection, or sector-specific requirements. Regulators look for consistent policies, up-to-date records, and clear evidence of employee training. The cost of getting compliance paperwork right is almost always smaller than the cost of an enforcement action, fine, or public disclosure.
Important Notice
This template is provided for informational purposes. It is not legal advice. We recommend having an attorney review any legal document before signing, especially for high-value or complex matters.
Last updated: April 2026