Last week, Nebraska Governor Pete Ricketts signed into law LB 835, which makes the following amendments to the state’s data breach notification statute:
- Adds to the definition of “personal information” a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.
- Requires notice to the Nebraska Attorney General no later than notice is provided to Nebraska residents.
- Clarifies that data is not considered encrypted, defined as “converted by use of an algorithmic process . . . into a form in which the data is rendered unreadable or unusable without use of a confidential process or key,” if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach.
The amendments take effect July 20, 2016. Recognizing the breadth of information consumers store online, Nebraska will become the fifth state, joining California, Florida, Nevada, and Wyoming, to require notification in the event of a breach of account credentials. We will continue to track and keep you apprised of updates to state breach notification statutes.