Nevada’s Governor recently approved amendments to Nevada laws that concern the ability of employees of Installment Loan Company licensees to work from remote locations and the collection of medical debt.  The amendments become effective on October 1, 2023.

Senate Bill 355 (“SB 355”) permits employees of Installment Loan Company licensees to work from remote locations.  It amends Nev. Rev. Stat. § 675.020 to add a definition of the term “remote location.”  The term is defined to mean any location, other than a licensed office or place of business, where an employee of a licensee conducts business.

As amended, Nev. Rev. Stat. § 675.0 also includes specified standards for employees of licensees working from a remote location.  Any licensee with remote employees must enter into a written agreement with such employees stating that they will conform to the specified standards, including:

• Maintaining the confidentiality of borrower data;
• Maintaining all data electronically and refraining from printing or otherwise storing physical records at a remote location;
• Completing a privacy and legal compliance training program at the licensee’s place of business prior to working remotely;
• Reading and complying with the licensee’s data security policy for remote locations;
• Refraining from representing to a borrower or other person that the lender is working at a remote location or that the lender is working at the licensee’s place of business; and
• Refraining from conducting any in person interactions with a borrower or potential borrower at the remote location.

Additionally, as amended, Nev. Rev. Stat. § 675.0 requires licensees to conduct annual reviews of remote employees to ensure that such employees comply with the requirements for remote locations.  Licensees must also maintain written data security policies ensuring that:

• Data that is accessible from a remote location is safe from unauthorized or accidental access and is protected by reasonable security measures, such as antivirus software and firewalls; 
• A remote employee can access the licensee’s systems only through a VPN on a licensee-issued computer that is strictly used for licensee-approved activities;
• Any updates or repairs necessary to keep data and equipment secure are installed or implemented immediately;
• A risk assessment is performed annually and the security policy is updated to correct any deficiencies identified in the risk assessment;
• The licensee has procedures in place in the event of a security breach or other emergency that has the potential to impact the storage of or access to data of the licensee;
• The data of the licensee is disposed of in a timely and secure manner as required by applicable law and contractual requirements; and
• The licensee is able to remotely disconnect any remote employee from accessing the licensee’s systems and erase any data from a licensee-issued device upon termination of the employee’s employment.

Finally, amended Nev. Rev. Stat. § 675.0 imposes mandatory notification requirements in the event of a security breach.  If a licensee discovers such a breach, the licensee must notify any Nevada resident whose personal information was acquired by an unauthorized person if the breach is reasonably likely to subject such resident to a risk of harm or the acquired information was not otherwise protected through encryption.

SB 355 also amends Nev. Rev. Stat. § 649.366 relating to the collection of medical debt by Collection Agencies.  Nev. Rev. Stat. § 649.366 requires Collection Agencies to send written notification by registered or certified mail to a debtor 60 days before taking any action to collect any medical debt.  SB 355 removes the requirement in § 649.366 that the mail be registered or certified.

We note that an entity engaged in any business activities covered in SB 355, including those related to remote employees or Collection Agencies, should consult the full text of SB 355 in order to determine how such changes will affect its business operations.

[View source.]