Nebraska Legislature Changes Breach Notification Rules.

The regulatory compliance burden for banks and all other businesses in Nebraska that deal with personal information has just been increased. By changing the definition of personal information to include things like usernames, passwords, and security questions there is now more information that needs to be protected in order to avoid breaches and the hassles that accompany them.

An amendment to Nebraska’s data breach notification law, effective July 20, 2016, contains key changes to the state’s notification regime. The law:

1. Expands the definition of “personal information” to include “a username or email address, in combination with a password or security question and answer, that would permit access to an online account.”
2. Requires notice to the Nebraska Attorney General no later than the time notice is provided to Nebraska residents affected by a breach.
3. Exempts encrypted data from a notification exemption safe harbor if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system.

When the law goes into effect, Nebraska will be the fifth state, including California, Florida, Nevada, and Wyoming, to require notification in the event of a breach of account credentials.

If you have questions about how this law may affect your bank, or for any IT security and compliance issues, contact ITPAC today.