With the advent of the new year, Nevada becomes the first state to explicitly mandate compliance with the Payment Card Industry (PCI) Data Security Standard (PCI-DSS) by businesses that accept credit or debit cards. Nevada Senate Bill 227 (the Nevada Act), which was signed into law in May 2009, takes effect January 1, 2010. The law amends Chapter 603A of the Nevada Revised Statutes to require that any data collector doing business in Nevada that accepts a payment card in connection with a sale of goods or services must comply with the current version of the PCI-DSS, as adopted by the PCI Security Standards Council, no later than the date for compliance set forth in the PCI-DSS or by the PCI Security Standards Council.
While compliance with PCI standards has been proposed previously by other states (and in 2007 Minnesota adopted its Plastic Card Security Act, which included PCI-like elements), no other state has directly imposed the PCI-DSS standards on businesses as a matter of law. Card merchants in Nevada and elsewhere were already required by credit card issuers, such as Visa and MasterCard, to comply with the PCI-DSS as a condition of being able to accept payment cards. The difference is that the Nevada approach makes this a legal requirement for those doing business in Nevada rather than simply an industry standard.
The Nevada Act also imposes an encryption requirement on businesses that transmit personal data outside of the secure system of the business. Unlike in other states, such as Massachusetts, where encryption is referenced in applicable data breach statutes, the Nevada law goes further by specifying that the type of encryption must have been adopted by an established standards-setting body, such as the Federal Information Processing Standards issued by the National Institute of Standards and Technology (NIST), and that the business must use appropriate management and safeguards of cryptographic keys to protect the integrity of the encryption, using guidelines promulgated by an established standards-setting body, such as NIST.
Because the Nevada Act has no clear remedies provision, it does not make clear what the consequences are for failure to comply, whether there is a private right of action, or whether a violation may result only in an enforcement action by a state agency. However, the Nevada Act does provide a safe harbor from liability for damages for a business that is in compliance with the PCI-DSS or encryption standards, as applicable, where the breach was not caused by the gross negligence or intentional misconduct of the business or any of its agents. This appears to create a very nice liability shield from third-party claims, so it is logical to assume that the statute is in fact intended to expose a non-compliant business to third-party damages claims.
Link to Nevada Act: https://www.leg.state.nv.us/75th2009/Bills/SB/SB227_EN.pdf