Nebraska Data Breach Notification Law Amended

Pete Ricketts – the Governor of Nebraska – has recently put his name to a new bill (LB 835) that amends Nebraska Data Breach Notification Law. The bill was recently passed with a unanimous 46-0 vote.

The new bill expands the state’s definition of personal information and clarifies when data encryption does – and does not – require organizations to issue notifications to individuals affected by a security breach. The changes have been made to strengthen the state’s consumer protection laws.

The changes to Nebraska Data Breach Notification Law mean that when the law comes into effect on July 20, 2016., consumers will need to be notified of a data breach that exposes their first name (or initial) and last name in combination with any other data elements in the list below:

  • Social Security number
  • State identification card number
  • Unique electronic ID number or routing code (along with an access code or security code or password)
  • Account number or debit/credit card number along with information that would allow account access (security code for example)
  • Username or email address in combination with a password or security questions and answers that would allow an individual to access online accounts
  • Motor vehicle operator’s license number
  • Biometric data (retina scan or fingerprint for example)

In contrast to many states that include health insurance information and health data in their definitions of personal information, these are not included in the new definition of personal information in Nebraska.

Any organization that experiences a breach of personal information that affects Nebraska residents must issue notifications to consumers to alert them to the breach “without unreasonable delay.” The state attorney general must also be notified of a breach.

The new Nebraska data breach notification law clarifies when data is considered to be encrypted. If data encryption has been used to protect consumer data, notifications will not need to be issued after a data breach unless the confidential process or decryption key is reasonably believed to have been obtained by an attacker.

Author: Richard Anderson

Richard Anderson is the Editor-in-Chief of