Global Data Privacy Guide
USA, Nebraska (United States)
Firm: Baird Holm LLP
Contributors: David Kramer
| 1. What is the key legislation? | Nebraska’s primary legislation directed to data privacy is the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (the “Act”)1. There are several federal statutory and regulatory schemes regarding data privacy, but these schemes are effective across the United States and are not exclusive to Nebraska.
________ 1Neb. Rev. Stat. §§ 87-801 through 87-808 |
| 2. What are the key decisions applying that legislation? | Security Breach Act |
| 1. How are “personal data” and “sensitive data” defined? | Security Breach Act |
| 2. How is the defined data protected? | Security Breach Act |
| 3. Who is subject to privacy obligations? | Security Breach Act |
| 4. How is “data processing” defined? | Security Breach Act |
| 5. What are the principles applicable to personal data processing? | Neither the Security Breach Act nor the NDPA includes principles applicable to personal data processing. |
| 6. How is the processing of personal data regulated? | Security Breach Act |
| 7. How are storage, security and retention of personal data regulated? | Security Breach Act |
| 8. What are the data subjects' rights under the data legislation? | Security Breach Act |
| 9. What are the consent requirements for data subjects? | Security Breach Act |
| 10. How is authorization for use of data handled? | Security Breach Act |
| 11. Are cross-border data transfers regulated? If so, what are the restrictions on cross-border data transfers? | Neither the Security Breach Act nor the NDPA has specific provisions regulating cross-border data transfers. |
| 12. How are data "incidents" and "breaches" defined? | Security Breach Act |
| 13. Are there any notification requirements for incidents and/or data breaches? | Security Breach Act |
| 14. Who is/are the privacy regulator(s)? | Security Breach Act |
| 15. What are the consequences of a data breach? | Security Breach Act |
| 16. How is electronic marketing regulated? | Security Breach Act |
| 17. Are there sector-specific or industry-specific privacy requirements? | Security Breach Act |
| 18. What are the requirements for appointing Data Protection Officers or similar roles? | There are no specific provisions relating to appointing Data Protection Officers or similar roles under the Security Breach Act or the NDPA. |
| 19. What are the record-keeping and documentation obligations? | Security Breach Act |
| 20. What are the requirements for conducting Data Protection Impact Assessments (DPIAs)? | Security Breach Act |
| 21. What are the requirements for third-party vendor management and data sharing? | Security Breach Act |
| 22. What are the penalties and enforcement mechanisms for non-compliance? | Security Breach Act |
| 23. What are the ongoing compliance and audit requirements? | Security Breach Act |
| 24. Are there any recent developments or expected reforms? | Security Breach Act |
Firm: Baird Holm LLP
Contributors: David Kramer, Grayson Derrick
Updated 01 Mar 2022

Nebraska’s primary legislation directed to data privacy is the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (the “Act”)1. There are several federal statutory and regulatory schemes regarding data privacy, but these schemes are effective across the United States and are not exclusive to Nebraska.
________
1 Neb. Rev. Stat. §§ 87-801 through 87-808
Security Breach Act
In re Target Corp. Data Sec. Breach Litig., 66 F. Supp. 3d 1154 (D. Minn. 2014)
Prime Foods for Processing and Trading v. Greater Omaha Packing Co., Inc., No. 8:19CV73, 2019 WL 2358445 (D. Neb. June 4, 2019)
Weisenberger v. Ameritas Mut. Holding Co., 597 F. Supp. 3d 1351 (D. Neb. 2022)
IN RE: MOVEIT CUSTOMER DATA SECURITY BREACH LITIGATION This Or. Relates to the Following Cases: PROGRESS BELLWETHER CASES ONLY., No. 23-MD-3083-ADB-PGL, 2025 WL 2179475 (D. Mass. July 31, 2025)
NDPA
The NDPA went into effect January 1, 2025 and there have been no key decisions applying the legislation at the time this guidance was prepared.
Security Breach Act
“Personal Information” means either of the following:
A Nebraska resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
- Social Security number;
- motor vehicle operator’s license number or state identification number;
- account, credit card, or debit card number, in combination with any security code, access code, or password that would permit access to a financial account;
- unique electronic identification number or routing code, in combination with any required security code, access code, or password; or
- unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation.
Or, a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.2
2 Neb. Rev. Stat. § 87-802(5)
NDPA
“Personal data” means any information, including sensitive data, that is linked or reasonably linkable to an identified or identifiable individual, and includes pseudonymous data when the data is used by a controller or processor in conjunction with additional information that reasonably links the data to an identified or identifiable individual, but does not include deidentified data or publicly available information.3
“Sensitive data” means a category of personal data, and includes:
- Personal data revealing racial or ethnic origin, religious beliefs, mental or physical health diagnosis, sexual orientation, or citizenship or immigration status;
- Genetic or biometric data that is processed for the purpose of uniquely identifying an individual;
- Personal data collected from a known child; or
- Precise geolocation data.4
3 Neb. Rev. Stat. § 87-1102(20)
4 Neb. Rev. Stat. § 87-1102(30)
Security Breach Act
Individuals or commercial entities to which the Security Breach Act applies must implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.5
5 Neb. Rev. Stat. § 87-808(1)
NDPA
Controllers, those that determine the purpose and means of processing personal data, must limit the collection of personal data to what is adequate, relevant, and reasonably necessary in relation to the purposes for which that personal data is processed, as disclosed to the consumer; and for purposes of protecting the confidentiality, integrity, and accessibility of personal data, must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue.6
6 Neb. Rev. Stat. § 87-1112(1)
Security Breach Act
The Security Breach Act applies to individuals and commercial entities that conduct business in Nebraska and that own, license, or maintain computerized data that includes personal information about a resident of Nebraska.7
7 Neb. Rev. Stat. § 87-808(1)
NDPA
NDPA applies to a person that conducts business in the state of Nebraska or produces a product or service consumed by residents of the state of Nebraska, processes or engages in the sale of personal data, and is not a small business as determined under the federal Small Business Act, as such act existed on January 1, 2024. Notwithstanding the foregoing, NDPA has limited application to small businesses seeking to sell sensitive data.
NDPA specifically does not apply to a:
a) State agency or political subdivision of this state;
b) Financial institution, affiliate of a financial institution, or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., as such title existed on January 1, 2024;
c) Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. parts 160 and 164, as such parts existed on January 1, 2024, and Division A, Title XIII, and Division B, Title IV, of the federal Health Information Technology for Economic and Clinical Health Act, Public Law No. 111-5, as such act existed on January 1, 2024;
d) Nonprofit organization;
e) Institution of higher education;
f) Electric supplier or supplier of electricity as defined in section 70-1001.01;
g) Natural gas public utility as defined in section 66-1802; or
h) Natural gas utility owned or operated by a city or a metropolitan utilities district.8
8 Neb. Rev. Stat. § 87-1103
Security Breach Act
N/A
NDPA
Process or processing means an operation or set of operations performed, whether by manual or automated means, on personal data or on sets of personal data, such as the collection, use, storage, disclosure, analysis, deletion, or modification of personal data.9
9 Neb. Rev. Stat. § 87-1102(23)
Neither the Security Breach Act nor the NDPA includes principles applicable to personal data processing.
Security Breach Act
If an individual or commercial entity to which the Security Breach Act applies discloses computerized data that includes personal information about a Nebraska resident to a third-party service provider, the individual or commercial entity must require, by contract, that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed, and that are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.10
10 Neb. Rev. Stat. § 87-808(1)
NDPA
Pursuant to the NDPA, a controller is prohibited from processing personal data for a purpose that is neither reasonably necessary to nor compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer, without consent or as otherwise permitted under the NDPA. Further, controllers are prohibited from processing personal data in violation of state and federal laws prohibiting unlawful discrimination against consumers, discriminating against a consumer for exercising any of the consumer rights contained in the NDPA, including by denying a good or service, charging a different price or rate for a good or service, or providing a different level of quality of a good or service to the consumer, or processing the sensitive data of a consumer without obtaining the consumer's consent, or, in the case of processing the sensitive data of a known child, without processing that data in accordance with the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq., as such act existed on January 1, 2024.11
If a controller discloses personal data to a processor, those who process personal data on behalf of a controller, the processor must adhere to the instructions of a controller and assist the controller in complying with its obligations under the NDPA, including assisting the controller in responding to consumer rights requests, assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security, and providing necessary information to enable the controller to conduct and document data protection assessments.12
There shall also be a contract between a controller and a processor governing the processing procedures, including:
a) Clear instructions for processing data;
b) The nature and purpose of processing;
c) The type of data subject to processing;
d) The duration of processing;
e) The rights and obligations of both parties; and
f) A requirement that the processor shall:
i. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
ii. At the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
iii. Make available to the controller, on reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of the [NDPA];
iv. Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; and
v. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.13
11 Neb. Rev. Stat. § 87-1112
12 Neb. Rev. Stat. § 87-1115(1)
13 Neb. Rev. Stat. § 87-1115(2)
Security Breach Act
Individuals and commercial entities subject to the Security Breach Act must implement and maintain reasonable security procedures and practices that are appropriate to (i) the nature and sensitivity of the personal information owned, licensed, or maintained, and (ii) the nature and size of the business and/or operations of such individual or commercial entity.14
These requirements also apply to the disposal of personal information.15
Additionally, as mentioned above, if an individual or commercial entity to which the Security Breach Act applies discloses computerized data that includes personal information about a Nebraska resident to a third-party service provider, the individual or commercial entity must require, by contract, that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed, and that are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.16
This provision of the Security Breach Act does not apply to contracts entered into before July 19, 2018, but does apply to such contracts renewed on or after July 19, 2018. Additionally, an individual or commercial entity is deemed compliant with this provision if it: (i) complies with a state or federal law that provides greater protection to personal information than the Security Breach Act provides; or (ii) is subject to and complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.17
14 Neb. Rev. Stat. § 87-808(2)(a)
15 Neb. Rev. Stat. § 87-808(1)
16 Neb. Rev. Stat. § 87-808(2)
17 Neb. Rev. Stat. § 87-808(3)
NDPA
Those subject to the NDPA must establish, implement, and maintain reasonable administrative, technical, and physical data security practices that are appropriate to the volume and nature of the personal data at issue, for purposes of protecting the confidentiality, integrity, and accessibility of personal data.18
Additionally, as mentioned above, controllers must enter into an agreement with their processors dictating, in part, the duration of processing and further requiring that processors are subject to a duty of confidentiality with respect to the data, and that all personal data be deleted or returned, at the controller’s discretion, following completion of the services.19
18 Neb. Rev. Stat. § 87-1112(1)
19 Neb. Rev. Stat. § 87-1115(2)
Security Breach Act
N/A
NDPA
Pursuant to the NDPA, controllers must comply with authenticated consumer requests to:
a) Confirm whether a controller is processing the consumer's personal data and to access the personal data;
b) Correct inaccuracies in the consumer's personal data, taking into account the nature of the personal data and the purposes of the processing of the consumer's personal data;
c) Delete personal data provided by or obtained about the consumer;
d) If the data is available in a digital format and the processing is completed by automated means, obtain a copy of the consumer's personal data that the consumer previously provided to the controller in a portable and, to the extent technically feasible, readily usable format that allows the consumer to transmit the data to another controller without hindrance; or
e) Opt out of the processing of the personal data for purposes of:
i. Targeted advertising;
ii. The sale of personal data; or
iii. Profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.
A consumer, or the parent or legal guardian of a child whose personal data is being processed, may submit a request to exercise the above consumer rights to the controller at any time.20
20 Neb. Rev. Stat. § 87-1107
Security Breach Act
N/A
NDPA
Generally, the processing of personal data is limited to the purpose that is reasonably necessary or compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer. This can be expanded, however, if the controller obtains the consumer’s consent.21
With regard to sensitive data, consumer consent must be obtained prior to any processing. In the case of persons falling under the small business exception, consent must still be obtained prior to the sale of any sensitive data.22
Consent shall be a clear and affirmative act signifying a consumer’s freely given, specific, informed, and unambiguous agreement to process personal data relating to the consumer, including a statement written by electronic means or any other unambiguous affirmative action by the consumer. Consent specifically does not include:
a) Acceptance of a general or broad term of use or similar document that contains a description of personal data processing along with other, unrelated information;
b) Hovering over, muting, pausing, or closing a given piece of content; or
c) Agreement obtained through the use of a dark pattern.23
With regard to the parental consent for the processing of personal data obtained from a child under 13, i.e., sensitive data, a processor will be deemed in compliance with the NDPA if it complies with the verifiable parental consent requirements of the federal Children's Online Privacy Protection Act of 1998, 15 U.S.C. 6501 et seq., and the rules, regulations, and guidance adopted and promulgated under such act as such act, rules, regulations, and guidance existed on January 1, 2024.24
21 Neb. Rev. Stat. § 87-1112(2)(a)
22 Neb. Rev. Stat. § 87-1112(2)(d); Neb. Rev. Stat. § 87-1118
23 Neb. Rev. Stat. § 87-1102(6)
24 Neb. Rev. Stat. § 87-1106
Security Breach Act
N/A
NDPA
As referenced above, the processing of personal data is limited to the purpose that is reasonably necessary or compatible with the disclosed purpose for which the personal data is processed, as disclosed to the consumer.25
This limitation is passed through to any of the controller’s processors via the contract between the parties, which includes, in particular, clear instructions for processing data, the nature and purpose of processing, the type of data subject to processing, etc.26
25 Neb. Rev. Stat. § 87-1112
26 Neb. Rev. Stat. § 87-1115
Neither the Security Breach Act nor the NDPA has specific provisions regulating cross-border data transfers.
Security Breach Act
“Breach” means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system if the personal information is not used or subject to further unauthorized disclosure. Acquisition of personal information pursuant to a search warrant, subpoena, or other court order or pursuant to a subpoena or order of a state agency is not a breach of the security of the system.27
27 Neb. Rev. Stat. § 87-802(1)
NDPA
The NDPA does not define “incidents,” “breach,” or any similar term.
Security Breach Act
Yes. An individual or commercial entity that is subject to the Security Breach Act, when it becomes aware of a breach of its system security, must conduct an investigation to determine whether it is likely that personal information has been or will be used for an unauthorized purpose.28 If such investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, notice must be given to the Nebraska resident as soon as possible.29 If notice of a breach is required to be given to a Nebraska resident, the Nebraska Attorney General must also be notified of the breach at the time the Nebraska resident is notified.30 Notice may be provided through the following means: written, telephonic, or electronic. The Security Breach Act also provides for substitute notice under certain circumstances.
________
28 Neb. Rev. Stat. § 87-803(1)
29 Neb. Rev. Stat. § 87-803(1)
30 Neb. Rev. Stat. § 87-803(1)
NDPA
The NDPA does not have specific breach notification provisions; however, it does specifically indicate that nothing in the NDPA shall be construed to restrict a controller’s ability to preserve the integrity or security of systems or investigate, report, or prosecute those responsible for breaches of system security. Moreover, it requires that processors assist controllers with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security of the processor's system relating to an operator's or driver's license, taking into account the nature of processing and the information available to the processor.31
31 Neb. Rev. Stat. § 87-1115(1)(b); Neb. Rev. Stat. § 87-1126(1)(h)
Security Breach Act
The Nebraska Attorney General has the exclusive investigative and enforcement authority under the Act.32
32 Neb. Rev. Stat. § 87-806(1)
NDPA
The Nebraska Attorney General is the exclusive regulator of the NDPA.33
33 Neb. Rev. Stat. § 87-1119
Security Breach Act
In the event of a data breach, the Nebraska Attorney General may recover direct economic damages resulting from the breach on behalf of each affected Nebraska resident.34 The Nebraska Attorney General may enforce the provisions of the Security Breach Act related to the use, storage, and disclosure of personal information under the provisions of the Consumer Protection Act.35
________
34 Neb. Rev. Stat. § 87-806(2).
35 Neb. Rev. Stat. § 87-806(1); The Consumer Protection Act is located at Neb. Rev. Stat. § 59-1601 et seq.
NDPA
The NDPA does not have any specific provisions relating to the consequences of a data breach.
Security Breach Act
The Security Breach Act has no general statutory directive regarding electronic marketing. However, it should be noted that the Uniform Deceptive Trade Practices Act, as enacted in Nebraska, prohibits one from knowingly making a false or misleading statement in an internet privacy policy regarding the use of personal information submitted by members of the public.36
36 Neb. Rev. Stat. § 87-302(15)
NDPA
If a controller sells personal data to third parties or processes personal data for the purpose of targeted advertising, it must clearly and conspicuously disclose the process and manner in which a consumer may opt out of that process. Additionally, consumers have a separately outlined consumer right to opt out of the processing of personal data for purposes of targeted advertising, the sale of personal data, or profiling in furtherance of a decision that produces a legal or similarly significant effect concerning the consumer.37
37 Neb. Rev. Stat. § 87-1107; Neb. Rev. Stat. § 87-1114.
Security Breach Act
N/A
NDPA
While there are no sector-specific or industry-specific affirmative privacy requirements, there are sector-specific exceptions for those who would otherwise be subject to the NDPA. The NDPA specifically does not apply to a:
a) State agency or political subdivision of this state;
b) Financial institution, affiliate of a financial institution, or data subject to Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., as such title existed on January 1, 2024;
c) Covered entity or business associate governed by the privacy, security, and breach notification rules issued by the United States Department of Health and Human Services, 45 C.F.R. parts 160 and 164, as such parts existed on January 1, 2024, and Division A, Title XIII, and Division B, Title IV, of the federal Health Information Technology for Economic and Clinical Health Act, Public Law No. 111-5, as such act existed on January 1, 2024;
d) Nonprofit organization;
e) Institution of higher education;
f) Electric supplier or supplier of electricity as defined in section 70-1001.01;
g) Natural gas public utility as defined in section 66-1802; or
h) Natural gas utility owned or operated by a city or a metropolitan utilities district.38
38 Neb. Rev. Stat. § 87-1103
There are no specific provisions relating to appointing Data Protection Officers or similar roles under the Security Breach Act or the NDPA.
Security Breach Act
N/A
NDPA
Controllers have obligations with regard to consumer requests, as further discussed above, pursuant to the NDPA. Where a controller has obtained personal data about a consumer from a source other than the consumer, it shall be in compliance with a consumer’s deletion request by retaining a record of the deletion request and the minimum data necessary for the purpose of ensuring the consumer's personal data remains deleted from the business's records and not using the retained data for any other purpose under the NDPA; or opting the consumer out of the processing of that personal data for any purpose other than a purpose that is exempt under the NDPA.39
Additionally, controllers must conduct and document a data protection assessment.40
39 Neb. Rev. Stat. § 87-1108(6)
40 Neb. Rev. Stat. Ann. § 87-1118(1)
Security Breach Act
N/A
NDPA
A controller must conduct and document a data protection assessment of each of the following processing activities involving personal data:
a) The processing of personal data for purposes of targeted advertising;
b) The sale of personal data;
c) The processing of personal data for purposes of profiling, if the profiling presents a reasonably foreseeable risk of:
i. Unfair or deceptive treatment of or unlawful disparate impact on any consumer;
ii. Financial, physical, or reputational injury to any consumer;
iii. A physical or other intrusion on the solitude or seclusion, or the private affairs or concerns, of any consumer, if the intrusion would be offensive to a reasonable person; or
iv. Other substantial injury to any consumer;
d) The processing of sensitive data; and
e) Any processing activity that involves personal data that presents a heightened risk of harm to any consumer.
A data protection assessment must identify and weigh the direct or indirect benefits that may flow from the processing to the controller, the consumer, other stakeholders, and the public, against the potential risks to the rights of the consumer associated with that processing, as mitigated by safeguards that can be employed by the controller to reduce the risk. Controllers must factor the use of deidentified data, the reasonable expectation of consumers, the context of the processing, and the relationship between the controller and the consumer whose personal data will be processed into the assessment.
The above requirements may be satisfied in a single assessment where a comparable set of processing operations include similar activities. Further, if a controller must complete a data protection assessment for compliance with other laws or regulations, it may constitute compliance with the above requirements if the assessment has a reasonably comparable scope and effect.
A controller’s data protection assessment must be submitted to the Attorney General in response to a civil investigative demand, but it is otherwise confidential and exempt from disclosure as a public record.41
41 Neb. Rev. Stat. § 87-1116
Security Breach Act
As mentioned above, if an individual or commercial entity to which the Security Breach Act applies discloses computerized data that includes personal information about a Nebraska resident to a third-party service provider, the individual or commercial entity must require, by contract, that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed, and that are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.42
42 Neb. Rev. Stat. § 87-808(2)
NDPA
As discussed above, if a controller discloses personal data to a processor, those who process personal data on behalf of a controller, the processor must adhere to the instructions of a controller and assist the controller in complying with its obligations under the NDPA, including assisting the controller in responding to consumer rights requests, assisting the controller with regard to complying with the requirement relating to the security of processing personal data and to the notification of a breach of security, and providing necessary information to enable the controller to conduct and document data protection assessments.43
There shall also be a contract between a controller and a processor governing the processing procedures, including:
a) Clear instructions for processing data;
b) The nature and purpose of processing;
c) The type of data subject to processing;
d) The duration of processing;
e) The rights and obligations of both parties; and
f) A requirement that the processor shall:
i. Ensure that each person processing personal data is subject to a duty of confidentiality with respect to the data;
ii. At the controller's direction, delete or return all personal data to the controller as requested after the provision of the service is completed, unless retention of the personal data is required by law;
iii. Make available to the controller, on reasonable request, all information in the processor's possession necessary to demonstrate the processor's compliance with the requirements of the NDPA;
iv. Allow, and cooperate with, reasonable assessments by the controller or the controller's designated assessor; and
v. Engage any subcontractor pursuant to a written contract that requires the subcontractor to meet the requirements of the processor with respect to the personal data.44
Additionally, in its privacy notice to consumers, a controller shall identify any category of personal data that the controller shares with any third party and any category of third party with whom the controller shares personal data.45
43 Neb. Rev. Stat. § 87-1115(1)
44 Neb. Rev. Stat. § 87-1115(2)
45 Neb. Rev. Stat. § 87-1113
Security Breach Act
As referenced above, the Nebraska Attorney General may recover direct economic damages resulting from a breach on behalf of each affected Nebraska resident.46 The Nebraska Attorney General may enforce the provisions of the Security Breach Act related to the use, storage, and disclosure of personal information under the provisions of the Consumer Protection Act, but this does not give rise to a private cause of action.47
46 Neb. Rev. Stat. § 87-806(2).
47 Neb. Rev. Stat. § 87-806(1); The Consumer Protection Act is located at Neb. Rev. Stat. § 59-1601 et seq.
NDPA
Subject to a thirty-day cure period, a person who violates the NDPA is liable for a civil penalty in an amount not to exceed $7,500 for each violation. The Attorney General may bring an action to recover the aforementioned civil penalty, to restrain or enjoin the person from violating the NDPA, or to recover the civil penalty and seek injunctive relief. The Attorney General may also recover reasonable attorney's fees and other reasonable expenses incurred in investigating and bringing an action under this section.48
The NDPA does not provide a private right of action.49
48 Neb. Rev. Stat. § 87-1124
49 Neb. Rev. Stat. § 87-1125
Security Breach Act
N/A
NDPA
Processors must allow, and cooperate with, reasonable assessments by the controller or the controller’s designated assessor. Alternatively, processors may arrange for a qualified and independent assessor to conduct an assessment of the processor's policies and technical and organizational measures in support of the requirements under the Data Privacy Act using an appropriate and accepted control standard or framework and assessment procedure. The processor shall provide a report of the assessment to the controller on request.50
50 Neb. Rev. Stat. § 87-1115(2)(f)(iv), (3)
Security Breach Act
N/A
NDPA
The most recent development to legislation has been the passage and implementation of the NDPA. On 17 April, 2024, Nebraska Governor Jim Pillen signed into law Legislative Bill 1074, which included the NDPA. It came into effect January 1, 2025.