NRS 388.293 - Plan for security of data concerning pupils; successor entities of school service providers; notice of security breach. [Effective July 1, 2020.]

NV Rev Stat § 388.293 (2019) (N/A)
Copy with citation
Copy as parenthetical citation

1. A school service provider shall establish and carry out a detailed plan for the security of any data concerning pupils that is collected or maintained by the school service provider. The plan must include, without limitation:

(a) Procedures for protecting the security, privacy, confidentiality and integrity of personally identifiable information concerning a pupil; and

(b) Appropriate administrative, technological and physical safeguards to ensure the security of data concerning pupils.

2. A school service provider shall ensure that any successor entity understands that it is subject to the provisions of NRS 388.281 to 388.296, inclusive, and agrees to abide by all privacy and security commitments related to personally identifiable information concerning a pupil collected and maintained by the school service provider before allowing a successor entity to access such personally identifiable information.

3. A school service provider shall provide notice to a school district, charter school or university school for profoundly gifted pupils, as applicable, or a private school pursuant to NRS 394.1616, of any breach of the security of the system data in violation of the plan and any actions taken or being taken by the school service provider to address the breach. The notice must be provided as soon as practicable and without unreasonable delay.

4. A school district, charter school, university school for profoundly gifted pupils or private school that receives a notice pursuant to subsection 3 shall provide the notice to each pupil affected by the breach or, if a pupil is less than 18 years of age, the parent or legal guardian of the pupil. The notice must be provided as soon as practicable and without unreasonable delay.

5. As used in this section, “breach of the security of the system data” means unauthorized acquisition of computerized data that materially compromises the security, confidentiality or integrity of data concerning pupils that is collected or maintained by the school service provider. The term does not include the good faith acquisition of data concerning pupils by an employee or agent of the school service provider for a legitimate purpose of the school service provider, so long as the data is not used for a purpose unrelated to the school service provider or subject to further unauthorized disclosure.

(Added to NRS by 2015, 1854; A 2019, 3945, effective July 1, 2020)