Recently, I posted about the requirements of the Data Protection and Consumer Notification of Data Security Breach Act of 2006; Nebraska Statutes § 87-801. What does this Act mean for businesses and individuals in Nebraska? In my last post I noted that the Act requires notification to individuals if there is a security breach involving “personal information.” But how do you know if you have “personal information”? The Act defines “personal information” as:
[A] Nebraska resident’s first name or first initial and last name in combination with any one or more of the following data elements that relate to the resident if either the name or the data elements are not encrypted, redacted, or otherwise altered by any method or technology in such a manner that the name or data elements are unreadable:
(a) Social security number;
(b) Motor vehicle operator’s license number or state identification card number;
(c) Account number or credit or debit card number, in combination with any required security code, access code, or password that would permit access to a resident’s financial account;
(d) Unique electronic identification number or routing code, in combination with any required security code, access code, or password; or
(e) Unique biometric data, such as a fingerprint, voice print, or retina or iris image, or other unique physical representation.
Neb.Rev.Stat. § 87-802(5). The Act also specifically excludes any “publicly available information that is lawfully made available to the general public from federal, state, or local government records.” Neb.Rev.Stat. § 87-802(5).
So, if you store information falling within the definition of “personal information,” you need to assess how and when to provide notification to those Nebraska residents affected by a security breach (which itself is defined as “the unauthorized acquisition of unencrypted computerized data that compromises the security, confidentiality, or integrity of personal information maintained by an individual or a commercial entity”). Failing to do so creates a risk that a suit could be brought for violating the Act.
However, though there have been no reported cases discussing the implications of the Act, the Act itself vests the power to enforce it with the Attorney General. See Neb.Rev.Stat. § 87-806. That appears to mean that the Act does not vest a private citizen with a cause of action to enforce its terms; rather, the Attorney General of Nebraska would have the only power to sue for violations of the Act (I will write more about when statutes confer private causes of action on individuals in subsequent posts). I will discuss what the Act says about “notice” and how to avoid such a suit in my next post.