Since the beginning of 2015, numerous states have amended their data breach notification statutes to include expanded definitions of personal information, clarifications on encryption standards, and new notice content and timing requirements. On April 13, 2016, Nebraska joined this roster when Governor Pete Ricketts signed LB 835 into law, amending Nebraska’s Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006. The amendment becomes effective on July 20, 2016, and contains three key updates.
First, the new law states that personal information is not considered to be encrypted if the encryption key or process is reasonably believed to have been acquired during the breach. This change emphasizes the importance of effective encryption key management to ensure that encrypted data is protected in the event of a breach.
Next, and following a growing trend set by other recent state data breach law amendments, the amendment expands the statute’s definition of “personal information” to include an individual’s user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Finally, the new law adds the requirement for a breached entity to notify the Nebraska Attorney General’s office no later than the time that notice is provided to affected Nebraska residents. Although many recent state amendments have set a certain threshold number of affected state residents before notification to a regulator is required, Nebraska’s update requires notification whenever an entity notifies any Nebraska resident or residents of a breach. Additionally, notification to the Nebraska Attorney General is required even if the entity maintains its own notice procedures or follows those established by its primary or functional state or federal regulator.
For assistance with tracking the continuing developments in state breach notification laws, please refer to BakerHostetler’s regularly updated state-by-state survey.