Nebraska Data Breach Rule Summary
Neb. Rev. Stat. § 87-801 - § 87-808
SUMMARY:
EFFECTIVE. July 14, 2006
WHO DOES THIS LAW APPLY TO. (1) Any person, business, or government agency that conducts business in Nebraska and owns or licenses computerized data that includes Personal Information; and (2) any person, business, or government agency that maintains computerized data that includes Personal Information.
WHAT IS A BREACH. Unauthorized acquisition of unencrypted computerized data that compromises the security, integrity or confidentiality of Personal Information maintained by a person, business, or government agency. A good faith acquisition of Personal Information by an employee or agent of the person, business or government agency for internal purposes only is not a breach, if it is not used or subject to further unauthorized disclosure. In addition, acquisition of Personal Information obtained from a Court or State order is not considered a breach.
WHAT IS PERSONAL INFORMATION. An individual’s first name or first initial and last name in combination with any one or more of the following data elements, when the name or data element is not encrypted, redacted, or secured by any other method rendering the element unreadable or unusable:
- Social Security Number.
- Driver’s license number or State identification card number.
- Account number, credit card, or debit card number in combination with any required security code, access code, or password that would permit access to the individual’s financial account.
- Unique electronic identification number or routing code, in combination with any required security or access code, or password.
- Unique biometric data such as a fingerprint, voice print, retina or iris image, or other unique physical representation.
Personal Information does not include publicly available information that is lawfully available from Federal, State, or local government records.
WHO TO NOTIFY OF THE BREACH. When a person, business or government agency becomes aware of a security breach, it shall conduct a reasonable and prompt investigation to determine the likelihood that Personal Information has been or will be used for an unauthorized purpose. If an unauthorized use has occurred or is likely to occur, notification of the breach must be sent to the residents affected.
EXCEPTION. This Section does not apply to the following:
- A person, business or government agency which maintains its own notice procedures as part of a Personal Information security policy and is otherwise consistent with the timing requirements of this Section, is considered in compliance with this Section if the affected residents are notified by the person, business, or government agency in accordance with its policies.
- A person, business or government agency that is regulated by State or Federal law and maintains procedures for a security breach pursuant to the State or Federal laws or rules, is considered in compliance with this Section, if the affected residents are notified in accordance with such policies.
WHEN TO NOTIFY OF THE BREACH. Notification must be sent when the person, business or government agency becomes aware of an incident of unauthorized acquisition. The disclosure shall be made as soon as possible and without unreasonable delay consistent with the needs of law enforcement, and any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the data system. Notification may be delayed if law enforcement determines it will impede a criminal investigation. In that instance, notification will be made as soon as possible following clearance by law enforcement.
HOW TO NOTIFY OF THE BREACH. Notice may be provided by one of the following methods:
- Written.
- Telephonic.
- Electronic (if consistent with the provisions regarding electronic records and signatures in 15 U.S.C. § 7001).
- Substitute notice as provided below.
SUBSTITUTE NOTICE AVAILABLE. If the person, business, or government agency can demonstrate that the cost of providing notice will exceed $75,000, the affected class of persons to be notified exceeds 100,000, or the person, business or government agency has insufficient contact information, substitute notice may be used. Substitute notice shall consist of all of the following:
- Email notice if the person, business, or government agency has an Email address for the individual(s) subject to notice.
- Conspicuous posting of the notice on the website of the person, business, or government agency if one is maintained.
- Notification to major statewide media.
OR
If the person, business, or government entity has 10 employees or fewer and can demonstrate that the cost of providing notice is more than $10,000, substitute notice will require all of the following:
- Email notice if the person, business, or government agency has an Email address for the individual(s) subject to notice.
- Notification by paid advertisement that is:
  - In a local newspaper distributed in the area in which the person, business or government agency is located;
  - At least one-quarter of a page in size; and
  - Published at least once a week for three consecutive weeks.
- Conspicuous posting of the notice on the website of the person, business, or government agency if one is maintained.
- Notification to major media outlets in the area in which the person, business or government agency is located.
NOTICE TO THIRD-PARTIES. If a person, business, or government agency maintains data that includes Personal Information that it does not own, then the person, business or government agency shall, upon discovery, notify and cooperate with the owner or licensee regarding the security breach. The person, business or government agency that owns or licenses the computerized data shall provide notice to the affected individual(s). Cooperation shall include sharing information pertaining to the security breach, but does not include that which is proprietary.
CONSEQUENCES FOR FAILING TO NOTIFY. The State Attorney General may seek and recover actual damages for each resident injured by violation of this law.
PRIVATE RIGHT OF ACTION. None provided in the statute.
REQUIREMENTS OF REASONABLE SECURITY MEASURES. Entities will also need to implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained.
DATA DISPOSAL PROVISIONS. Neb. Rev. Stat. § 87-808(1). To protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.
LEGISLATIVE UPDATES.
L.B. 876 – Signed into law on 4/10/2006, Effective 7/14/2006.
L.B. 835 – Signed into law on 4/13/2016, Effective 7/20/2016.
L.B. 757 – Signed into law on 2/23/2018, Effective 3/1/2018.
For more information, see here: https://www.nebraskalegislature.gov/laws/statutes.php?statute=87-801
AND
https://protectthegoodlife.nebraska.gov/data-breach-notification
These materials were obtained directly from the State Legislative websites and are posted here for your review and reference only. No Claim to Original State Government Works. This may not be the most recent version. The State may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.