Click here to review text of state statute
Information Covered / Important Definitions
Personal information of Nebraska residents.
Definition includes (i) unique electronic identification number or routing code in combination with any required security code, access code or password, (ii) unique biometric data, such as fingerprint, voice print, or retina or iris image, or other unique physical representation, and (iii) a user name or email address in combination with a password or security question and answer that permits access to an online account.
“Security Breach” means an unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information.
“Redact” means altering or truncating data in a way that only the last four digits of a social security number, driver’s license number, state identification card, or account number are accessible.
“Encrypted” means converted by use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key. Data is not considered encrypted if the confidential process or key was or is reasonably believed to have been acquired as a result of the security breach.
Covered Entities* / Third Party Recipients
Subject to statute:
Individual or commercial entity that conducts business in Nebraska and that owns or licenses computerized data which includes personal information about a Nebraska resident.
Third party recipients:
Any individual or commercial entity that maintains computerized data containing personal information that the individual or commercial entity does not own must notify the owner or licensee of the information of any security breach when it becomes aware of such breach if use of personal information for an unauthorized purpose occurred or is reasonably likely to occur.
Notice Procedures & Timing / Other Obligations
Written, electronic or telephonic notice must be provided to victims of a security breach as soon as possible and without unreasonable delay, unless a law enforcement agency determines that notice will impede a criminal investigation (in which case notification is delayed until authorized by law enforcement).
- Substitute notice is available by means prescribed in the statute if costs exceed $75,000, the affected class exceeds 100,000 persons, the covered entity has insufficient contact information, or the covered entity has ten employees or fewer and demonstrates that the cost of providing notice will exceed $10,000.
- Notice not required if, after a reasonable and prompt investigation, the covered entity determines there is no reasonable likelihood that the personal information has been or will be used for an unauthorized purpose.
Encryption Safe Harbor / Other Exemptions
Encryption Safe Harbor:
Statute not applicable if the personal data (name or data elements) that was lost, stolen, or accessed by an unauthorized individual is encrypted, redacted, or otherwise altered such that the name or data elements are unreadable.
Exemption for good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of the covered entity so long as personal information is not used or subject to further unauthorized disclosure.
Acquisition of personal information pursuant to search warrant, subpoena or court order is not a security breach.
Covered entity that maintains and complies with its own notification procedures as part of an information security policy and whose procedures are consistent with the timing requirements of the Nebraska statute is deemed in compliance.
Any covered entity that complies with the procedures imposed by its primary or functional federal or state regulator is deemed in compliance with the Nebraska statute if it notifies affected residents and the Attorney General in accordance with the maintained procedures in the event of a security breach.
Notification to Regulator / Waiver
Attorney general must be notified not later than the time when notice is provided to affected residents.
A determination of no likelihood of harm: Does not require notification to attorney general.
A waiver of the statute is void and unenforceable.
Direct economic damages for each affected Nebraska resident injured by a violation.
Private Cause of Action / Enforcement
Private Cause of Action: No.
Enforcement by attorney general only.
* Note: Please refer to individual state statutes for a complete list of covered entities as the list of legal and commercial entities described in this chart as “subject to statute” in most cases is not exhaustive. Please also note that rules applicable to state agencies, government bodies and other public institutions are not discussed in this chart.