	Global Data Privacy Guide
	USA, Nebraska
	(United States) Firm Baird Holm LLP Contributors David Kramer Grayson Derrick Updated 01 Mar 2022
What is the key legislation?	Nebraska’s primary legislation directed to data privacy is the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (the “*Act”)¹. There are several federal statutory and regulatory schemes regarding data privacy, but these schemes are effective across the United States and are not exclusive to Nebraska. ________ ¹Neb. Rev. Stat. §§ 87-801 through 87-808*
What data is protected?	The Act protects personal information, of which there are two categories under the Act ²: Information that includes the first name or first initial, along with the last name, of a Nebraska resident, in combination with one or more of the following data elements related to that Nebraska resident: Social Security number; motor vehicle operator’s license number or state identification number; account, credit card, or debit card number, in combination with any security code, access code, or password that would permit access to a financial account; unique electronic identification number or routing code, in combination with any required security code, access code, or password; or unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation. Information that includes a user name or email address, in combination with a password or security question and answer that would permit access to an online account. Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records. ________ ²Neb. Rev. Stat. § 87-802(5)
Who is subject to privacy obligations?	The Act applies to individuals and commercial entities that conduct business in Nebraska and that own, license, or maintain computerized data that includes personal information about a resident of Nebraska.³ ^________ ³Neb. Rev. Stat. § 87-808(1)
What are the principles applicable to personal data processing?	Nebraska does not have a statutory mandate regarding the general collection of personal data.
How is the processing of personal data regulated?	If an individual or commercial entity to which the Act applies discloses computerized data that includes personal information about a Nebraska resident to a third-party service provider, the individual or commercial entity must require, by contract, that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed, and that are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.⁴ ^________ ⁴Neb. Rev. Stat. § 87-808(1)
How are storage, security and retention of personal data regulated?	Individuals and commercial entities subject to the *Act* must implement and maintain reasonable security procedures and practices that are appropriate to (i) the nature and sensitivity of the personal information owned, licensed, or maintained, and (ii) the nature and size of the business and/or operations of such individual or commercial entity.⁵ These requirements also apply to the disposal of personal information.⁶ Additionally, as mentioned above, if an individual or commercial entity to which the Act applies disclosures computerized data that includes personal information about a Nebraska resident to a third-party service provider, the individual or commercial entity must require, by contract, that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed, and that are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.⁷ This provision of the Act does not apply to contracts entered into before July 19, 2018, but does apply to such contracts renewed on or after July 19, 2018. Additionally, an individual or commercial entity is deemed compliant with this provision if it: (i) complies with a state or federal law that provides greater protection to personal information than the Act provides; or (ii) is subject to and complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.⁸ ________ ⁵Neb. Rev. Stat. § 87-808(2)(a) ⁶Neb. Rev. Stat. § 87-808(1) ⁷Neb. Rev. Stat. § 87-808(2) ⁸Neb. Rev. Stat. § 87-808(3)
What are the data subjects' rights?	Noto provided for within the Act.
Are there restrictions on cross-border data transfers?	Not applicable.
Are there any notification requirements for data breaches?	Yes. An individual or commercial entity that is subject to the Act, when it becomes aware of a breach of its system security, must conduct an investigation to determine whether it is likely that personal information has been or will be used for an unauthorized purpose.⁹ If such investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, notice must be given to the Nebraska resident as soon as possible.¹⁰ If notice of a breach is required to be given to a Nebraska resident, the Nebraska Attorney General must also be notified of the breach at the time the Nebraska resident is notified.¹¹ Notice may be provided through the following means: written, telephonic, or electronic. The Act also provides for substitute notice under certain circumstances. ________ ⁹Neb. Rev. Stat. § 87-803(1) ¹⁰Neb. Rev. Stat. § 87-803(1) ¹¹Neb. Rev. Stat. § 87-803(1)
Who is the privacy regulator?	The Nebraska Attorney General has the exclusive investigative and enforcement authority under the Act.¹² ^________ ¹²Neb. Rev. Stat. § 87-806(1)
What are the consequences of a privacy breach?	In the event of a data breach, the Nebraska Attorney General may recover direct economic damages resulting from the breach on behalf of each affected Nebraska resident.¹³ The Nebraska Attorney General may enforce the provisions of the Act related to the use, storage, and disclosure of personal information under the provisions of the Consumer Protection Act.¹⁴ ________ ¹³Neb. Rev. Stat. § 87-806(2). The Consumer Protection Act is located at Neb. Rev. Stat. § 59-1601 et seq ¹⁴Neb. Rev. Stat. § 87-806(1)
How is electronic marketing regulated?	Nebraska has no general statutory directive regarding electronic marketing. However, it should be noted that the Uniform Deceptive Trade Practices Act, as enacted in Nebraska, prohibits one from knowingly making a false or misleading statement in an internet privacy policy regarding the use of personal information submitted by members of the public.¹⁵ ^________ ¹⁵Neb. Rev. Stat. § 87-302(15)
Are there any recent developments or expected reforms?	The Uniform Law Commission’s Uniform Personal Data Protection Act was introduced in January 2022 to the Nebraska Unicameral, if passed, it will provide comprehensive data protection for personal data in Nebraska.

Global Data Privacy Guide

Back XLS

What is the key legislation?

Nebraska’s primary legislation directed to data privacy is the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (the “Act”)¹. There are several federal statutory and regulatory schemes regarding data privacy, but these schemes are effective across the United States and are not exclusive to Nebraska.

________

¹Neb. Rev. Stat. §§ 87-801 through 87-808

What data is protected?

The Act protects personal information, of which there are two categories under the Act ²:

Information that includes the first name or first initial, along with the last name, of a Nebraska resident, in combination with one or more of the following data elements related to that Nebraska resident:
- Social Security number;
- motor vehicle operator’s license number or state identification number;
- account, credit card, or debit card number, in combination with any security code, access code, or password that would permit access to a financial account;
- unique electronic identification number or routing code, in combination with any required security code, access code, or password; or
- unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation.
Information that includes a user name or email address, in combination with a password or security question and answer that would permit access to an online account.
Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.

________

²Neb. Rev. Stat. § 87-802(5)

Who is subject to privacy obligations?

The Act applies to individuals and commercial entities that conduct business in Nebraska and that own, license, or maintain computerized data that includes personal information about a resident of Nebraska.³

^________

³Neb. Rev. Stat. § 87-808(1)

What are the principles applicable to personal data processing?

Nebraska does not have a statutory mandate regarding the general collection of personal data.

How is the processing of personal data regulated?

If an individual or commercial entity to which the Act applies discloses computerized data that includes personal information about a Nebraska resident to a third-party service provider, the individual or commercial entity must require, by contract, that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed, and that are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.⁴

^________

⁴Neb. Rev. Stat. § 87-808(1)

How are storage, security and retention of personal data regulated?

Individuals and commercial entities subject to the Act must implement and maintain reasonable security procedures and practices that are appropriate to (i) the nature and sensitivity of the personal information owned, licensed, or maintained, and (ii) the nature and size of the business and/or operations of such individual or commercial entity.⁵ These requirements also apply to the disposal of personal information.⁶ Additionally, as mentioned above, if an individual or commercial entity to which the Act applies disclosures computerized data that includes personal information about a Nebraska resident to a third-party service provider, the individual or commercial entity must require, by contract, that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed, and that are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.⁷ This provision of the Act does not apply to contracts entered into before July 19, 2018, but does apply to such contracts renewed on or after July 19, 2018. Additionally, an individual or commercial entity is deemed compliant with this provision if it: (i) complies with a state or federal law that provides greater protection to personal information than the Act provides; or (ii) is subject to and complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.⁸

________

⁵Neb. Rev. Stat. § 87-808(2)(a)
⁶Neb. Rev. Stat. § 87-808(1)
⁷Neb. Rev. Stat. § 87-808(2)
⁸Neb. Rev. Stat. § 87-808(3)

What are the data subjects' rights?

Noto provided for within the Act.

Are there restrictions on cross-border data transfers?

Not applicable.

Are there any notification requirements for data breaches?

Yes. An individual or commercial entity that is subject to the Act, when it becomes aware of a breach of its system security, must conduct an investigation to determine whether it is likely that personal information has been or will be used for an unauthorized purpose.⁹ If such investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, notice must be given to the Nebraska resident as soon as possible.¹⁰ If notice of a breach is required to be given to a Nebraska resident, the Nebraska Attorney General must also be notified of the breach at the time the Nebraska resident is notified.¹¹ Notice may be provided through the following means: written, telephonic, or electronic. The Act also provides for substitute notice under certain circumstances.

________

⁹Neb. Rev. Stat. § 87-803(1)
¹⁰Neb. Rev. Stat. § 87-803(1)
¹¹Neb. Rev. Stat. § 87-803(1)

Who is the privacy regulator?

The Nebraska Attorney General has the exclusive investigative and enforcement authority under the Act.¹²

^________

¹²Neb. Rev. Stat. § 87-806(1)

What are the consequences of a privacy breach?

In the event of a data breach, the Nebraska Attorney General may recover direct economic damages resulting from the breach on behalf of each affected Nebraska resident.¹³ The Nebraska Attorney General may enforce the provisions of the Act related to the use, storage, and disclosure of personal information under the provisions of the Consumer Protection Act.¹⁴

________

¹³Neb. Rev. Stat. § 87-806(2). The Consumer Protection Act is located at Neb. Rev. Stat. § 59-1601 et seq

¹⁴Neb. Rev. Stat. § 87-806(1)

How is electronic marketing regulated?

Nebraska has no general statutory directive regarding electronic marketing. However, it should be noted that the Uniform Deceptive Trade Practices Act, as enacted in Nebraska, prohibits one from knowingly making a false or misleading statement in an internet privacy policy regarding the use of personal information submitted by members of the public.¹⁵

^________

¹⁵Neb. Rev. Stat. § 87-302(15)

Are there any recent developments or expected reforms?

The Uniform Law Commission’s Uniform Personal Data Protection Act was introduced in January 2022 to the Nebraska Unicameral, if passed, it will provide comprehensive data protection for personal data in Nebraska.

Global Data Privacy Guide

USA, Nebraska

Global Data Privacy Guide

USA, Nebraska

Members