Section 675.297 - Data security policy requiredA licensee who authorizes any employee to engage in the business of lending in this State at a remote location shall develop and adhere to a written data security policy. The data security policy must set forth procedures and requirements to ensure that:
1. Data of the licensee that is stored at or accessible from a remote location is protected against unauthorized or accidental disclosure, access, use, modification, duplication or destruction;2. An employee working at a remote location is able to access the computerized data system of the licensee and other computer systems of the licensee only through the use of a virtual private network or other system that: (a) Requires the use of a username and password, frequent password changes, multifactor authentication, a system that automatically prevents a person from accessing an account upon the failure of the person to enter the appropriate credentials after a set number of attempts or any combination thereof; and(b) Uses data encryption;3. Any updates or repairs necessary to keep data and equipment secure are installed or implemented immediately;4. All data of the licensee is stored in a safe and secure manner and the computerized data system of the licensee is capable of being modified to accommodate the storage of data necessary for an employee working at a remote location to perform his or her work;5. Each remote location at which an employee works contains computers or other electronic devices which make use of reasonable security measures, such as antivirus software and firewalls;6. The computerized data system of the licensee and other computer systems of the licensee may only be accessed through computers or other electronic devices which: (a) Are issued by the licensee; and(b) May only be used by an employee while performing activities approved by the licensee;7. An internal or external risk assessment is performed annually on the protection of the data of the licensee from reasonably foreseeable internal or external risks;8. After the performance of a risk assessment pursuant to subsection 7, the data security policy is updated to correct any deficiencies identified in the risk assessment;9. The licensee has procedures in place which establish the actions that must be taken upon the: (a) Discovery of a breach of the security of the computerized data system, including, without limitation, any actions that must be taken concerning the disclosure of the breach as required by NRS 675.283 or other applicable law; and(b) Occurrence of an emergency, including, without limitation, a fire or natural disaster, that has the potential to impact the storage of or access to data of the licensee;10. The data of the licensee is disposed of in a timely and secure manner as required by applicable law and contractual requirements; and11. The licensee is able, without the licensee or an agent of the licensee being physically present at a remote location, to disconnect any computer or device provided to an employee at a remote location from the computerized data system of the licensee or other computer systems of the licensee and disable and erase any data from such a computer or device upon termination of the employee's employment with the licensee.Added to NRS by 2023, 3473Added by 2023, Ch. 527,§6, eff. 10/1/2023.