Clarification – AB 144 and the possibility of identity theft
Legislative Counsel Brenda Erdoes has offered clarification about the provisions of Assembly Bill 144 requiring the names, driver’s license numbers, and earnings of Nevada construction workers to be available for inspection by the public.
As discussed previously in this space, the purpose of the requirement is to provide proof that at least 50 percent of workers on a construction project are Nevadans. The chain of custody for this personally identifying information (PII) is as follows: The building contractor records driver’s license or state ID numbers of the workers, and turns the information over to the city or other agency with whom he has a
project labor agreement building contract. The city retains the information, and must make it available for public inspection upon request. (Correction subsequent to post.)
The plain language, as they say in legal circles, suggests an identity theft bonanza. It suggests that any person can walk in off the street and ask to see project records that include this personally identifying information.
Ms. Erdoes points to other Nevada statutes she believes will mitigate the likelihood of data breach. NRS 239B.030 provides that nobody is required to provide personal information to government, unless the administration of a government program requires it. In which case, the information must be “… maintained in a confidential manner,” and disclosed only for the purpose of the intended program.
Don’t assume government agencies know how to handle confidential data properly. The Reasonable Reporter snapped this photo one morning while waiting to talk with a government official. Based on the post-it note, the documents on the reception desk were to be picked up by someone without an access card to the secure area. They were positioned so that anyone in the lobby could reach under the glass and grab them. The docs contained personally identifying information, and it was clearly visible.
The construction businesses, too, must follow a Nevada statute regulating personally identifying information, Ms. Erdoes told the Reasonable Reporter. NRS Chapter 603A contains PII rules for business. These entities, like the government, are expected to know and follow the law as it relates to handling PII. The daily headlines suggest many businesses of the size that dominate this category aren’t aware of their obligations to protect PII, much less how to do it. Certainly, nobody representing these businesses raised concerns about AB 144’s red flags during this week’s hearings in Government Affairs. That begs the question.
The Reasonable Reporter continues to believe that everyone is at risk here. Without specific direction on handling PII, the employers risk breaking other state laws, and perhaps federal laws, even as they follow the new law. The construction workers are subject to a regulatory scheme requiring them to risk their security in order to earn a living. The government workers who receive and store the data are also required to hand it over to the public and the press. Since it’s contained within a larger package that’s legally required to be available to the public, will they be aware of the sensitive contents? These folks risk disciplinary measures just for doing their jobs, unless they have specific instructions about how to proceed upon initially receiving these packages. And, not to put too fine a point on it, see photo above.
The question for Ms. Erdoes and the Legislative Counsel Bureau is, why does AB 144 fail to incorporate references to the above-named statutes that direct data handling procedures? And is the mere existence of these other laws sufficient as constructive notice, when awareness of cybercrime and identity theft is still developing? Ms. Erdoes says it would be impractical to cite the many sections of relevant Nevada law for each new provision that deals with PII.