Recently, Iowa and Nebraska enacted information security laws applicable to personal information. Iowa’s law applies to operators of online services directed at and used by students in kindergarten through grade 12, whereas Nebraska’s law applies to all commercial entities doing business in Nebraska who own or license Nebraska residents’ personal information.

In Iowa, effective July 1, 2018, HF 2354 will impose information security requirements on operators of websites, online services, online applications or mobile applications who have actual knowledge that their sites, services or applications are designed, marketed and used primarily for kindergarten through grade 12 school purposes (“Operators”). Under the law, Operators will be required to implement and maintain information security procedures and practices consistent with industry standards and applicable state and federal laws to prevent students’ personal information from unauthorized access, destruction, use, modification or disclosure. Operators also are prohibited from selling or renting students’ information. The law does not apply to “general audience” websites, online services, online applications or mobile applications.

In Nebraska, effective July 18, 2018, LB757 requires commercial entities that conduct business in Nebraska and own, license or maintain computerized data that includes Nebraska residents’ personal information to implement and maintain reasonable security procedures and practices, including safeguards for the disposal of personal information. Under the law, commercial entities also must require, by contract, that their service providers institute and maintain reasonable security procedures and practices (the service provider provision applies to contracts entered into on or after the effective date of the law). A violation of the information security requirements under the law is subject to the penalty provisions of the state’s Consumer Protection Act, but expressly does not give rise to a private cause of action.