Written by Anne Kierig

An amendment to Nebraska’s data breach notification law, signed by the Governor earlier this month and effective July 20, 2016, makes key changes to the state’s notification regime.  First, the law expands the definition of “personal information” to include “a user name or email address, in combination with a password or security question and answer, that would permit access to an online account.”  Nebraska will be the fifth state, including California, Florida, Nevada, and Wyoming, to require notification in the event of a breach of account credentials.  The law also will require notice to the Nebraska Attorney General no later than the time notice is provided to Nebraska residents affected by a breach.  Finally, the law will exempt encrypted data (defined as data “converted by use of an algorithmic process . . . into a form in which the data is rendered unreadable or unusable without use of a confidential process or key”) from a notification exemption safe harbor “if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system.”  The Nebraska state legislature passed the bill, LB 835, unanimously.