On April 13, 2016, Nebraska Governor Pete Ricketts signed into law LB 835 (the “Bill”), which, among other things, adds a regulator notification requirement and broadens the definition of “personal information” in the state’s data breach notification statute, Neb. Rev. Stat. §§ 87-802 to 87-804. The amendments take effect on July 20, 2016.
Specifically, the Bill:
- requires entities to notify the Nebraska Attorney General in the event of a data breach, no later than the time notice is provided to Nebraska residents;
- adds to the definition of “personal information” a user name or email address, in combination with a password or security question and answer, that would permit access to an online account; and
- states that data is not considered “encrypted” for purposes of avoiding notification obligations if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach.