Global Data Privacy Guide
USA, Nebraska (United States)
Firm: Baird Holm LLP
Contributors: David Kramer
What is the key legislation? | Nebraska’s primary legislation directed to data privacy is the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (the “Act”)1. There are several federal statutory and regulatory schemes regarding data privacy, but these schemes are effective across the United States and are not exclusive to Nebraska.
________ 1Neb. Rev. Stat. §§ 87-801 through 87-808 |
What data is protected? | The Act protects personal information, of which there are two categories under the Act 2:
________ 2Neb. Rev. Stat. § 87-802(5) |
Who is subject to privacy obligations? | The Act applies to individuals and commercial entities that conduct business in Nebraska and that own, license, or maintain computerized data that includes personal information about a resident of Nebraska.3
________ 3Neb. Rev. Stat. § 87-808(1) |
What are the principles applicable to personal data processing? | Nebraska does not have a statutory mandate regarding the general collection of personal data. |
How is the processing of personal data regulated? | If an individual or commercial entity to which the Act applies discloses computerized data that includes personal information about a Nebraska resident to a third-party service provider, the individual or commercial entity must require, by contract, that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed, and that are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.4
________ 4Neb. Rev. Stat. § 87-808(1) |
How are storage, security and retention of personal data regulated? | Individuals and commercial entities subject to the Act must implement and maintain reasonable security procedures and practices that are appropriate to (i) the nature and sensitivity of the personal information owned, licensed, or maintained, and (ii) the nature and size of the business and/or operations of such individual or commercial entity.5 These requirements also apply to the disposal of personal information.6 Additionally, as mentioned above, if an individual or commercial entity to which the Act applies discloses computerized data that includes personal information about a Nebraska resident to a third-party service provider, the individual or commercial entity must require, by contract, that the third-party service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed, and that are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.7 This provision of the Act does not apply to contracts entered into before July 19, 2018, but does apply to such contracts renewed on or after July 19, 2018. Additionally, an individual or commercial entity is deemed compliant with this provision if it: (i) complies with a state or federal law that provides greater protection to personal information than the Act provides; or (ii) is subject to and complies with regulations promulgated under Title V of the Gramm-Leach-Bliley Act or the Health Insurance Portability and Accountability Act of 1996.8
________ 5Neb. Rev. Stat. § 87-808(2)(a) |
What are the data subjects' rights? | Not provided for within the Act. |
Are there restrictions on cross-border data transfers? | Not applicable. |
Are there any notification requirements for data breaches? | Yes. An individual or commercial entity that is subject to the Act, when it becomes aware of a breach of its system security, must conduct an investigation to determine whether it is likely that personal information has been or will be used for an unauthorized purpose.9 If such investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, notice must be given to the Nebraska resident as soon as possible.10 If notice of a breach is required to be given to a Nebraska resident, the Nebraska Attorney General must also be notified of the breach at the time the Nebraska resident is notified.11 Notice may be provided through the following means: written, telephonic, or electronic. The Act also provides for substitute notice under certain circumstances.
________ 9Neb. Rev. Stat. § 87-803(1) |
Who is the privacy regulator? | The Nebraska Attorney General has the exclusive investigative and enforcement authority under the Act.12
________ 12Neb. Rev. Stat. § 87-806(1) |
What are the consequences of a privacy breach? | In the event of a data breach, the Nebraska Attorney General may recover direct economic damages resulting from the breach on behalf of each affected Nebraska resident.13 The Nebraska Attorney General may enforce the provisions of the Act related to the use, storage, and disclosure of personal information under the provisions of the Consumer Protection Act.14
________ 13Neb. Rev. Stat. § 87-806(2). The Consumer Protection Act is located at Neb. Rev. Stat. § 59-1601 et seq. 14Neb. Rev. Stat. § 87-806(1) |
How is electronic marketing regulated? | Nebraska has no general statutory directive regarding electronic marketing. However, it should be noted that the Uniform Deceptive Trade Practices Act, as enacted in Nebraska, prohibits one from knowingly making a false or misleading statement in an internet privacy policy regarding the use of personal information submitted by members of the public.15
________ 15Neb. Rev. Stat. § 87-302(15) |
Are there any recent developments or expected reforms? | The Uniform Law Commission’s Uniform Personal Data Protection Act was introduced in January 2022 to the Nebraska Unicameral. If passed, it will provide comprehensive data protection for personal data in Nebraska. |
Contributors: David Kramer, Grayson Derrick
Updated 01 Mar 2022
The Act protects personal information, of which there are two categories under the Act 2:
- Information that includes the first name or first initial, along with the last name, of a Nebraska resident, in combination with one or more of the following data elements related to that Nebraska resident:
  - Social Security number;
  - motor vehicle operator’s license number or state identification number;
  - account, credit card, or debit card number, in combination with any security code, access code, or password that would permit access to a financial account;
  - unique electronic identification number or routing code, in combination with any required security code, access code, or password; or
  - unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation.
- Information that includes a user name or email address, in combination with a password or security question and answer that would permit access to an online account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
________
2Neb. Rev. Stat. § 87-802(5)
________
5Neb. Rev. Stat. § 87-808(2)(a)
6Neb. Rev. Stat. § 87-808(1)
7Neb. Rev. Stat. § 87-808(2)
8Neb. Rev. Stat. § 87-808(3)
________
9Neb. Rev. Stat. § 87-803(1)
10Neb. Rev. Stat. § 87-803(1)
11Neb. Rev. Stat. § 87-803(1)