Joining Rhode Island and Tennessee, Nebraska’s breach notice law has been amended, with changes going into effect this summer. Key modifications include an obligation to notify the state Attorney General (with no threshold of the number of impacted individuals). Nebraska joins California, Connecticut, Florida, Hawaii, Indiana, Iowa, Louisiana, Maine, Maryland, Massachusetts, Missouri, New Hampshire, New Jersey, New York, North Carolina, Oregon, South Carolina, Oregon, Vermont, Virginia, Washington and Puerto Rico in requiring notice to a state authority in the event of a breach. Notice to the Attorney General must be made “no later than” notice to impacted individuals.
Also modified is the addition to the definition of personal information (that if breached, requires notice) of username or email address “in combination with a password or security question and answer, that would permit access to an online account.” This mirrors similar changes to the laws of California, Nevada, Florida and Wyoming.
The amendments also clarify when data is encrypted. (In Nebraska, notice is not required if data is encrypted.) As revised, data is not to be considered encrypted if the “confidential process or key” was acquired as a result of the breach, or is reasonably believed to have been acquired as a result of the breach.
TIP: If your organization suffers a national breach, keep in mind that starting July 20 notice will need to be made to the Nebraska Attorney General if there are impacted individuals in that state. Additionally, Nebraska joins a handful of states treating username/email and password as triggering information.