Nebraska Statutes § 87-801 et seq
Type of Data Covered: Computerized or electronic data.
Is Breach Defined?
"Breach of the security of the system means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system if the personal information is not used or subject to further unauthorized disclosure. Acquisition of personal information pursuant to a search warrant, subpoena, or other court order or pursuant to a subpoena or order of a state agency is not a breach of the security of the system."
When is notice required?
Notice is required for all affected Nebraska residents and must be given "...without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system." Notice must be given to the Attorney General as well. Notice can be written, telephonic, electronic, or via "substitute notice," depending on the circumstances. Unfortunately, there are no specific requirements for the content of the notice.
What are the penalties for non-compliance?
Violations have their own section of the law, § 87-806, which reads as follows:
"For purposes of the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006, the Attorney General may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of the act."