Nebraska Revised Statute 87-808
Security procedures and practices; disclosure of computerized data; contract provisions; compliance.
(1) To protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.
(2)(a) An individual or commercial entity that discloses computerized data that includes personal information about a Nebraska resident to a nonaffiliated, third-party service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices that:
(i) Are appropriate to the nature of the personal information disclosed to the service provider; and
(ii) Are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
(b) This subsection does not apply to any contract entered into before July 19, 2018. Any such contract renewed on or after July 19, 2018, shall comply with the requirements of this subsection.
(3) An individual or a commercial entity complies with subsections (1) and (2) of this section if the individual or commercial entity:
(a) Complies with a state or federal law that provides greater protection to personal information than the protections that this section provides; or
(b) Complies with the regulations promulgated under Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., or the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d to 1320d-9, as such acts and sections existed on January 1, 2018, if the individual or commercial entity is subject to either or both of such acts or sections.