Data Privacy Regulations

Terms of Use

This summary of regulations is provided for information purposes only.
No action based on this summary alone should be undertaken.
Each individual or entity must obtain appropriate guidance for its specific circumstances.


Did You Know?

  • Limited methods of notification delivery
  • Data owners are responsible for breach reporting and notifications
  • Vendors must report to NE data owners and cooperate
  • Other state laws, federal laws, industry regulations, and/or out-of-country laws may apply 

Who Me?


Nebraska breach and notification laws may apply if you are an individual or a commercial entity that:

  • Conducts business in Nebraska and that owns or licenses computerized data that includes PII about a Nebraska resident
  • Maintains computerized data that includes PII that you do not own or license

 There are exceptions.

What is PII?


PII relevant to a breach in Nebraska include a person's name plus one of the following:

  • Social Security Number
  • Motor vehicle operator's license or state identification number
  • Account number or credit  or debit card number in combination any security code, access code or password, etc. permitting access to the person's account
  • Unique electronic identification number or routing code, with any required security code, access code, or password
  • Unique biometric data



A few applicable statutes include, but are not limited to:

Nebraska Revised Statutes

Chapter 87 Trade Practices

87-801 to 87-807



The state attorney general may issue subpoenas and seek and recover direct economic damages for each affected Nebraska resident injured by a violation of the act.



When considering reporting requirements, it would include, but not limited to:

  • The combination of personal information breached
  • If the data was computerized
  • If the data was encrypted or redacted
  • If the data included any kind of key or password
  • If it was acquired by an unauthorized person
  • If there is a risk of information being used for an unauthorized purpose


Depending on impact and type of breach there may be specific entities to report to and specific time limits to report a breach. The notifications must be made in the most expedient manner possible and without unreasonable delay, unless law enforcement advises the person it will interfere with an investigation.


Requires detailed information and potential provision of services

Disclosure may be made by written notice, telephone, or electronically (with stipulations).

A substitute notice, with specific requirements, may be sent if the person demonstrates that the cost of providing the notice would exceed $75,000, or the persons to be notified exceeds 100,000, or they do not have sufficient contact information.

An alternate substitute notice, with specific requirements, may be sent if the person demonstrates that they have ten employees or fewer and the cost will exceed $10,000.

Contact the Privacy Experts at CSR