Nebraska Governor Pete Ricketts has signed LB835 into law, updating the state’s data breach notification statute. The changes take effect on July 20, 2016.
With the updates, Nebraska joins a growing number of states that include a username or email in combination with a password or security question and answer that would permit access to an online account in the definition of personal information which, if acquired by an unauthorized person, would require notice.
In addition, the statute has been modified to require notice to the state’s Attorney General concurrent with notice provided to affected individuals. These notices must be provided “as soon as possible and without unreasonable delay,” consistent with law enforcement needs and the time necessary to determine the scope of the breach.
Finally, the amended statute provides that data will not be considered encrypted if the breach of security includes acquisition of the encryption key or confidential encryption method.