The Constangy Cyber Team understands the paramount importance of staying informed about the intricacies of data breach notification regulations. With our Cybersecurity & Data Privacy Desktop Reference and these interactive maps, we provide guidance to navigate these complexities. Our interactive maps offer you online access to our succinct summaries of the essential aspects of various consumer and regulatory notification obligations. Please contact us should you have any questions. We look forward to working with you should you have to navigate the consumer notification and/or regulatory reporting process.  

The information provided in the map is meant to serve as a helpful guide and is not intended to be legal advice. 


Nebraska

Data Breach Notification Statute

Highlights

Covered Entities:

An individual or a commercial entity that conducts business in Nebraska and that owns or licenses computerized data that includes personal information about a resident of Nebraska.

Consumer Notification:

A covered entity shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident.

Regulatory Notification:

If notice of a breach of security of the system is required, the covered entity shall also, not later than the time when notice is provided to the Nebraska resident, provide notice of the breach of security of the system to the Attorney General.

Notification Timeline:

Notice shall be made as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

Data Format:

Computerized data.

Citations:

Neb. Rev. Stat. §§ 87-801 through 807.

More Details

Definitions:

  • Breach: The unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by a covered entity.
  • Personal Information (PI):
    • A Nebraska resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
      • Social security number;
      • Motor vehicle operator's license number or state identification card number;
      • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account;
      • Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or
      • Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or
      • A username or email address, in combination with a password or security question and answer, that would permit access to an online account.
  • Medical Information: N/A
  • Health Insurance Information: N/A

Safe Harbors:

  • Encryption: There is no breach if the acquired computerized data was encrypted. Encrypted means converted by use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key. Data shall not be considered encrypted if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system.
  • Good Faith: Good faith acquisition of personal information by an employee or agent of a covered entity for the purposes of the covered entity is not a breach of the security of the system if the personal information is not used or subject to further unauthorized disclosure.
  • Risk of Harm: Notification is not required if a good faith, reasonable, and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose determines that the use of information about a Nebraska resident for an unauthorized purpose has not occurred or is not reasonably likely to occur.
  • Law Enforcement Delay: Notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice shall be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

Direct Notice:

  • Timing: Notice must be given to affected persons as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the computerized data system.
  • Format: N/A
  • Content: N/A
  • Method: Notice may be provided through:
    • Written notice;
    • Telephonic notice;
    • Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as such section existed on January 1, 2006.
  • Substitute Notice: Substitute notice may be provided under two circumstances:
    • If the covered entity required to provide notice demonstrates that the cost of providing notice will exceed seventy-five thousand dollars ($75,000), that the affected class of Nebraska residents to be notified exceeds one hundred thousand residents (100,000), or that the covered entity does not have sufficient contact information to provide notice. Substitute notice under this subdivision requires all of the following:
      • Electronic mail notice if the covered entity has electronic mail addresses for the members of the affected class of Nebraska residents;
      • Conspicuous posting of the notice on the website of the covered entity if the covered entity maintains a website; and
      • Notice to major statewide media outlets; or
    • If the covered entity required to provide notice has ten (10) employees or fewer and demonstrates that the cost of providing notice will exceed ten thousand dollars ($10,000). Substitute notice under this subdivision requires all of the following:
      • Electronic mail notice if the covered entity has electronic mail addresses for the members of the affected class of Nebraska residents;
      • Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the covered entity is located, which advertisement shall be of sufficient size that it covers at least one-quarter of a page in the newspaper and shall be published in the newspaper at least once a week for three consecutive weeks;
      • Conspicuous posting of the notice on the website of the covered entity if the covered entity maintains a website; and
      • Notification to major media outlets in the geographic area in which the covered entity is located.

Remediation Services:

N/A

Regulatory Notice:

If notice of a breach of security of the system is required, the covered entity shall also, not later than the time when notice is provided to the Nebraska resident, provide notice of the breach of security of the system to the Attorney General.

Credit Reporting Agencies Notice:

N/A

Third-Party Notice:

An individual or a commercial entity that maintains computerized data that includes personal information that the individual or commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system when it becomes aware of a breach if use of personal information about a Nebraska resident for an unauthorized purpose occurred or is reasonably likely to occur. Cooperation includes, but is not limited to, sharing with the owner or licensee information relevant to the breach, not including information proprietary to the individual or commercial entity.

HIPAA:

N/A

Private Action:

N/A

Associated Regulations:

  • Information Security Standard (Neb. Rev. Stat. § 87-808).

Information Security Standard

Highlights

Covered Entities: An individual or commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska.

First Party Security Standard: To protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.

Third Party Security Standard: An individual or commercial entity that discloses computerized data that includes personal information about a Nebraska resident to a nonaffiliated, third-party service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed to the service provider and are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.

Disposal/Destruction Standard: An individual or commercial entity must safeguard personal information when disposing of records containing personal information.

Data Format: Electronic.

Citations: Neb. Rev. Stat. §§ 87-801 through 808.

More Details

Definitions:

  • Personal Information (PI): A Nebraska resident’s first name or first initial and last name in combination with any one (1) or more of the following data elements that relate to the individual if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
    • Social Security number;
    • Motor vehicle operator’s license number or state identification card number;
    • Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
    • Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or
    • Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or
    • A user name or email address, in combination with a password or security questions and answer, that would permit access to an online account.

PI does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

Methods of Compliance:

The statute does not define how to safeguard data containing personal information. The statute requires measures be appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations.

The statute requires third-party service providers by contract to implement and maintain reasonable security procedures and practices appropriate to the nature of the personal information disclosed and reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.

A subject entity may comply with requirements if it complies with state or federal law that provides greater protection to personal information than the protections to personal information required in this section.

Exclusions:

  • Health Care: A subject entity is in compliance with the statute if it complies with the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d to 1320d-9.
  • Financial: A subject entity is in compliance with the statute if it complies with the regulations of Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq.
  • Other: These requirements do not apply to any contract entered into before July 19, 2018.

Enforcement/Penalties:

A violation of the information security requirement is considered a violation of the state Consumer Protection Act. The Attorney General may bring an action for violation of the statute.

A violation may result in civil penalties and other remedies. The statute does not create a private right of action.

Associated Regulations:

N/A
