Sections 87-801 to 87-808 shall be known and may be cited as the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006.

For purposes of the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006:

(1) Breach of the security of the system means the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity. Good faith acquisition of personal information by an employee or agent of an individual or a commercial entity for the purposes of the individual or the commercial entity is not a breach of the security of the system if the personal information is not used or subject to further unauthorized disclosure. Acquisition of personal information pursuant to a search warrant, subpoena, or other court order or pursuant to a subpoena or order of a state agency is not a breach of the security of the system;

(2) Commercial entity includes a corporation, business trust, estate, trust, partnership, limited partnership, limited liability partnership, limited liability company, association, organization, joint venture, government, governmental subdivision, agency, or instrumentality, or any other legal entity, whether for profit or not for profit;

(3) Encrypted means converted by use of an algorithmic process to transform data into a form in which the data is rendered unreadable or unusable without use of a confidential process or key. Data shall not be considered encrypted if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system;

(4) Notice means:

(a) Written notice;

(b) Telephonic notice;

(c) Electronic notice, if the notice provided is consistent with the provisions regarding electronic records and signatures set forth in 15 U.S.C. 7001, as such section existed on January 1, 2006;

(d) Substitute notice, if the individual or commercial entity required to provide notice demonstrates that the cost of providing notice will exceed seventy-five thousand dollars, that the affected class of Nebraska residents to be notified exceeds one hundred thousand residents, or that the individual or commercial entity does not have sufficient contact information to provide notice. Substitute notice under this subdivision requires all of the following:

(i) Electronic mail notice if the individual or commercial entity has electronic mail addresses for the members of the affected class of Nebraska residents;

(ii) Conspicuous posting of the notice on the website of the individual or commercial entity if the individual or commercial entity maintains a website; and

(iii) Notice to major statewide media outlets; or

(e) Substitute notice, if the individual or commercial entity required to provide notice has ten employees or fewer and demonstrates that the cost of providing notice will exceed ten thousand dollars. Substitute notice under this subdivision requires all of the following:

(i) Electronic mail notice if the individual or commercial entity has electronic mail addresses for the members of the affected class of Nebraska residents;

(ii) Notification by a paid advertisement in a local newspaper that is distributed in the geographic area in which the individual or commercial entity is located, which advertisement shall be of sufficient size that it covers at least one-quarter of a page in the newspaper and shall be published in the newspaper at least once a week for three consecutive weeks;

(iii) Conspicuous posting of the notice on the website of the individual or commercial entity if the individual or commercial entity maintains a website; and

(iv) Notification to major media outlets in the geographic area in which the individual or commercial entity is located;

(5) Personal information means either of the following:

(a) A Nebraska resident's first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:

(i) Social security number;

(ii) Motor vehicle operator's license number or state identification card number;

(iii) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident's financial account;

(iv) Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or

(v) Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation; or

(b) A user name or email address, in combination with a password or security question and answer, that would permit access to an online account.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records; and

(6) Redact means to alter or truncate data such that no more than the last four digits of a social security number, motor vehicle operator's license number, state identification card number, or account number is accessible as part of the personal information.

(1) An individual or a commercial entity that conducts business in Nebraska and that owns or licenses computerized data that includes personal information about a resident of Nebraska shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. If the investigation determines that the use of information about a Nebraska resident for an unauthorized purpose has occurred or is reasonably likely to occur, the individual or commercial entity shall give notice to the affected Nebraska resident. Notice shall be made as soon as possible and without unreasonable delay, consistent with the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.

(2) If notice of a breach of security of the system is required by subsection (1) of this section, the individual or commercial entity shall also, not later than the time when notice is provided to the Nebraska resident, provide notice of the breach of security of the system to the Attorney General.

(3) An individual or a commercial entity that maintains computerized data that includes personal information that the individual or commercial entity does not own or license shall give notice to and cooperate with the owner or licensee of the information of any breach of the security of the system when it becomes aware of a breach if use of personal information about a Nebraska resident for an unauthorized purpose occurred or is reasonably likely to occur. Cooperation includes, but is not limited to, sharing with the owner or licensee information relevant to the breach, not including information proprietary to the individual or commercial entity.

(4) Notice required by this section may be delayed if a law enforcement agency determines that the notice will impede a criminal investigation. Notice shall be made in good faith, without unreasonable delay, and as soon as possible after the law enforcement agency determines that notification will no longer impede the investigation.

(1) An individual or a commercial entity that maintains its own notice procedures which are part of an information security policy for the treatment of personal information and which are otherwise consistent with the timing requirements of section 87-803, is deemed to be in compliance with the notice requirements of section 87-803 if the individual or the commercial entity notifies affected Nebraska residents and the Attorney General in accordance with its notice procedures in the event of a breach of the security of the system.

(2) An individual or a commercial entity that is regulated by state or federal law and that maintains procedures for a breach of the security of the system pursuant to the laws, rules, regulations, guidances, or guidelines established by its primary or functional state or federal regulator is deemed to be in compliance with section 87-803 if the individual or commercial entity notifies affected Nebraska residents and the Attorney General in accordance with the maintained procedures in the event of a breach of the security of the system.

Any waiver of the provisions of the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 is contrary to public policy and is void and unenforceable.

(1) For purposes of the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006, the Attorney General may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of section 87-803.

(2) A violation of section 87-808 shall be considered a violation of section 59-1602 and be subject to the Consumer Protection Act and any other law which provides for the implementation and enforcement of section 59-1602. A violation of section 87-808 does not give rise to a private cause of action.

The Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 applies to the discovery of or notification pertaining to a breach of the security of the system that occurs on or after July 14, 2006.

(1) To protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.

(2)(a) An individual or commercial entity that discloses computerized data that includes personal information about a Nebraska resident to a nonaffiliated, third-party service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices that:

(i) Are appropriate to the nature of the personal information disclosed to the service provider; and

(ii) Are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.

(b) This subsection does not apply to any contract entered into before July 19, 2018. Any such contract renewed on or after July 19, 2018, shall comply with the requirements of this subsection.

(3) An individual or a commercial entity complies with subsections (1) and (2) of this section if the individual or commercial entity:

(a) Complies with a state or federal law that provides greater protection to personal information than the protections that this section provides; or

(b) Complies with the regulations promulgated under Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., or the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d to 1320d-9, as such acts and sections existed on January 1, 2018, if the individual or commercial entity is subject to either or both of such acts or sections.