Security Breach Notification Law in the State of Nebraska
Neb. Rev. Stat. §§ 87-801 is a security breach notification law that was passed in the U.S. state of Nebraska in 2006. The law lays out the requirements that business entities must follow when a security breach occurs. It also outlines the protocol to be followed when a security breach affects a significant number of residents within the state of Nebraska. Additionally, Neb. Rev. Stat. §§ 87-801 gives the Nebraska attorney general the authority to impose numerous penalties against business entities within the state that are found to be in violation of the law, which can range from subpoenas to monetary damages.
What are the security breach notification requirements under Neb. Rev. Stat. §§ 87-801?
Under Neb. Rev. Stat. §§ 87-801, a business entity within Nebraska that experiences a security breach is responsible for notifying all affected parties “as soon as possible and without unreasonable delay, consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.” Moreover, these notifications may be provided to residents of Nebraska via written, telephone, and electronic notice, provided that the electronic notices are “consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. § 7001 (E-SIGN Act).”
Alternatively, business entities are authorized to provide substitute security breach notifications to affected consumers within Nebraska under certain circumstances. These include situations where the cost of providing affected consumers with standard notification would exceed $75,000, the affected class of consumers is more than 100,000, or the business entity that experienced the breach does not have sufficient contact information for the affected class of consumers. Small businesses within Nebraska that employ fewer than 10 people are also permitted to provide substitute notifications to affected consumers in the event of a security breach. Substitute notifications must be delivered through the following means:
- Email notification, if the affected entity has the email addresses of consumers that were affected by the security breach.
- Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the entity is located. The advertisement must be of sufficient size that it covers at least one-quarter of a page in the newspaper and must be published in the newspaper at least once a week for three consecutive weeks.
- Conspicuous posting of the security breach notification on the affected entity’s website, provided that the affected entity maintains a website.
- Notification to all major media outlets around the geographic area in which the security breach took place.
What categories of personal information are protected under Neb. Rev. Stat. §§ 87-801?
Under Neb. Rev. Stat. §§ 87-801, the following categories of personal information are legally protected if they are compromised in a security breach in combination with a Nebraska resident’s first name or first initial and last name, where the data elements have not been redacted or otherwise rendered unreadable:
- Social security numbers.
- Driver’s license numbers and state identification card numbers.
- Financial account numbers.
- Credit and debit card numbers, as well as any passcodes, security codes, or access codes that could be used to gain entry into an individual’s financial account.
- Unique electronic ID number or routing code (along with a required password, security, or access code).
- Biometric identifiers, including iris and retina images or fingerprints and voiceprints, among others.
- Login credentials, as well as any security questions or information that could be used to gain entry into an individual’s online account.
What are the penalties for violating Neb. Rev. Stat. §§ 87-801?
Neb. Rev. Stat. §§ 87-801 is enforced by the Nebraska attorney general, who has the authority to impose punishments against business entities within the state that are found to be in violation of the law. More specifically, “violators may face action in the form of subpoenas, and the Attorney General may seek and recuperate financial damages for each Nebraska resident whose personal information was compromised and is affected by a violation.”
As data and security breaches continue to grow in frequency due to the interconnectedness of modern society through internet communications, legislation such as Neb. Rev. Stat. §§ 87-801 allows American consumers to seek justice and compensation should their personal information be compromised during a security breach. Compared to many other data breach notification laws at the U.S. state level, the categories of personal information that are protected under the law are particularly substantial. As such, residents of the state of Nebraska can ensure that their personal information is being protected at all times.