On July 21, 2016, new changes to Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act become effective. In the event of a breach, any individual or commercial entity that conducts business in the state of Nebraska and owns or licenses computerized data that includes personal information is required to 1) conduct an investigation to determine the likelihood that the personal information has been or will be used for an unlawful purpose, and 2) notify any affected Nebraska residents. If notice is necessary, the individual or commercial entity must also notify the Attorney General. Moreover, if the personal information is maintained by an individual or commercial entity, but not owned or licensed by that individual or entity, they must notify the owner or licensee of the breach. Failure to comply may result in suit against the individual or commercial entity for damages a resident incurred because of the breach.
Updates to the law include defining personal information to include “a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.” Additionally, the law is now triggered when encrypted data is stolen together with the confidential process or key used to decrypt it.
Any individual or commercial entity that maintains and follows its own notice procedures regarding data breaches is deemed to be in compliance with the law. However, many other laws and regulations also cover data breaches, such as HIPAA, HITECH, GLBA, and the laws of other states where a resident affected by the breach resides. Businesses large and small should contact their attorney to ensure that they have a policy that complies with all applicable laws and regulations and reduces the risk of liability after a breach.