Timing of Consumer Notification
“As soon as possible without unreasonable delay.”
Method of Notice
Written or phone. Email allowed if complies with E-SIGN.
Breach Definition
Unauthorized acquisition of unencrypted computerized data that compromises security, confidentiality, or integrity of personal information maintained by individual or commercial entity.
PII Definition
Individual’s first name or first initial and last name, and any of these if not encrypted, redacted, or otherwise made unreadable,
  1. Social Security number;
  2. Motor vehicle operator’s license or state identity card;
  3. Account number or credit or debit card number, in combination with required security code, access code, or password that would permit access to individual’s financial account;
  4. Electronic identification number or routing code, in combination with required security code, access code, or password; or
  5. Unique biometric data, including fingerprints, voice print, or retina or iris image; OR
  6. User name or email address, in combination with password or security question and answer that would permit access to online account.
Third Party Notice
If data collector maintains data for a third party, it must notify them after becoming aware of breach.
How to Notify
No specific content requirement.
Substitute Notice
All: (a) email if entity has email addresses of affected people; (b) conspicuous posting on entity’s website, if it maintains one, and (c) notice to major statewide media outlets.
Credit Monitoring
Not required.
When to Notify Credit Agencies
Not required.
This State's Law
For substitute notice, slightly different procedures if entity has fewer than 10 employees and notification will cost more than $10,000.
State Government Agency Notification Required
Yes, Nebraska Attorney General before or at the same time as notice to consumer.