In my post last week I mentioned that Nebraska has a law called the Data Protection and Consumer Notification of Data Security Breach Act of 2006. It is found in the Nebraska Statutes beginning at section 87-801. The name is a mouthful. But while it is clear that a simple name was not the goal of the Act, making consumers aware of any potential data breaches of their personal information is. The substance of the Act provides in part that:
[a]n individual or commercial entity conducting business in Nebraska and that owns or licenses computerized data that includes personal information about a resident of Nebraska shall, when it becomes aware of a breach of the security of the system, conduct in good faith a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for unauthorized purpose.
Neb.Rev.Stat. § 87-803(1).
If the individual or commercial entity finds that a breach occurred and that personal information has been or will be used for unauthorized purpose, then it must, “as soon as possible and without unreasonable delay,” give notice of the breach to the affected Nebraska resident. Id. That notice also must be consistent with “the legitimate needs of law enforcement and consistent with any measures necessary to determine the scope of the breach and to restore the reasonable integrity of the computerized data system.” Id. The notice may be delayed, however, if a law enforcement agency determines the notice will impede a criminal investigation. Neb.Rev.Stat. § 87-803(3).
The Act also extends to individuals or commercial entities that maintain computerized data that includes personal information that the individual or commercial entity does not own or license. Neb.Rev.Stat. § 87-803(2). In that scenario, the individual or commercial entity maintaining such data is obligated to give notice to and cooperate with the owner or licensee of the information.
Next week I will go into some of the implications of the requirements of this Act.