Nebraska Data Breach Notification Laws: Reporting Rules & Timelines (2026)

If your business handles personal information belonging to Nebraska residents, a data breach triggers specific legal obligations under the Nebraska Financial Data Protection and Consumer Notification of Data Security Breach Act. Neb. Rev. Stat. 87-801 et seq. sets out the requirements for determining when a breach has occurred, who must be notified, what information triggers notification, and the consequences of noncompliance. Nebraska's law has evolved significantly since its original enactment, with recent amendments expanding the definition of personal information to include biometric data and login credentials.
This guide covers the full scope of Nebraska's breach notification requirements, including what personal information triggers the law, who must be notified, the notification timeline, the cybersecurity safe harbor, penalties, and how the state's broader data privacy framework interacts with breach obligations.
Who Must Comply With Nebraska's Breach Notification Law
Nebraska's law applies to any individual or commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a Nebraska resident. This includes businesses physically located outside Nebraska if they hold data belonging to Nebraska residents.
The law distinguishes between data owners and third-party data maintainers. When a third party that maintains data on behalf of another entity becomes aware of a breach, it must notify the data owner or licensee "as soon as possible." The data owner then carries the primary responsibility to notify affected consumers and the Attorney General.
Government Entities
Nebraska's breach notification law applies to state and local government entities that maintain personal information about Nebraska residents. Government agencies have the same notification obligations as private businesses.
What Qualifies as a Breach
Under Neb. Rev. Stat. 87-802, a "breach of the security of the system" means the unauthorized acquisition of unencrypted computerized data that materially compromises the security, confidentiality, or integrity of personal information maintained by the individual or commercial entity.
Good Faith Exception
A good faith acquisition of personal information by an employee or agent of the individual or commercial entity does not constitute a breach, provided the personal information is not used for an unauthorized purpose or subject to further unauthorized disclosure.
Encryption Safe Harbor
Nebraska provides a clear safe harbor for encrypted data. A breach does not trigger notification requirements if the personal information was encrypted, and the encryption key or other means to decipher the information was not also acquired. If the encryption key was compromised along with the data, the safe harbor does not apply.
Risk of Harm Analysis
Nebraska law includes a risk assessment component. After discovering a possible breach, the entity must conduct a reasonable and prompt investigation to determine the likelihood that personal information has been or will be used for an unauthorized purpose. Notification is required only if the investigation determines that the use of the information for an unauthorized purpose has occurred or is reasonably likely to occur.
Personal Information That Triggers Notification
Nebraska's definition of personal information is one of the broadest among U.S. states. Under Neb. Rev. Stat. 87-802, personal information means a Nebraska resident's first name or first initial and last name combined with any one or more of the following data elements:
- Social Security number
- Driver's license number or state identification card number
- Account number or credit or debit card number combined with any required security code, access code, or password that would permit access to the account
- Unique electronic identification number or routing code combined with any required security code, access code, or password
- Biometric data (fingerprint, voice print, retina or iris image, or other unique physical representation or digital representation of biometric data)
- Username or email address combined with a password or security question and answer that would permit access to an online account
The inclusion of biometric data and username/password combinations places Nebraska among the states with the most comprehensive definitions of protected personal information.

Personal information does not include publicly available information that is lawfully made available to the general public from federal, state, or local government records.
Notification Timeline
Nebraska requires notification "as soon as possible and without unreasonable delay" under Neb. Rev. Stat. 87-803. The state does not impose a specific day count, giving entities flexibility to investigate before notifying.
When Delay Is Permitted
Delay in notification is reasonable if it is necessary to:
- Determine the scope of the breach and restore the reasonable integrity, security, and confidentiality of the data system
- Comply with a law enforcement request to delay notification because it may impede a criminal investigation
When a delay occurs for law enforcement purposes, notification must be made as soon as possible after law enforcement determines disclosure no longer compromises the investigation.
Who Must Be Notified
Affected Individuals
Every Nebraska resident whose unencrypted personal information was or is reasonably believed to have been acquired by an unauthorized person must be notified. The notification must include:
- A description of the incident in general terms
- The type of personal information that was subject to the breach
- The telephone number, address, and website of the entity providing notice
- The toll-free telephone numbers, addresses, and websites of the major consumer reporting agencies
- The toll-free telephone number, address, and website of the Federal Trade Commission
- A statement advising the individual to remain vigilant by reviewing account statements and monitoring credit reports
Nebraska Attorney General
The Nebraska Attorney General must be notified at the same time as affected individuals. The AG notification must include:
- A description of the nature of the breach
- The number of Nebraska residents affected
- Steps the entity has taken related to the breach
- A copy of the notification sent to affected individuals
Consumer Reporting Agencies
When a breach affects more than 500 Nebraska residents, the entity must also notify the nationwide consumer reporting agencies without unreasonable delay. This notification must include the timing, distribution, and content of the notices sent to affected individuals.
How to Provide Notification
Nebraska permits the following notification methods:
- Written notice sent by mail to the last known address of the individual
- Electronic notice if the entity's primary means of communication with the individual is by electronic means, consistent with the E-SIGN Act (15 U.S.C. 7001)
- Telephone notification
Substitute Notice
Substitute notice is available when:
- The cost of notification would exceed $75,000
- The affected class exceeds 100,000 Nebraska residents
- The entity does not have sufficient contact information
Substitute notice must consist of all of the following:
- Email notice to individuals for whom the entity has an email address
- Conspicuous posting of the notice on the entity's website
- Notification to major statewide media outlets
Note that Nebraska's substitute notice thresholds ($75,000 cost and 100,000 affected individuals) are lower than those of many other states, making it harder to qualify for substitute notice.
The Cybersecurity Safe Harbor
Nebraska provides a unique cybersecurity framework safe harbor. Under Neb. Rev. Stat. 87-806, an entity that creates, maintains, and reasonably complies with a written cybersecurity program that contains administrative, technical, and physical safeguards for the protection of personal information is entitled to an affirmative defense against any tort action brought under Nebraska law that alleges that the entity failed to implement reasonable information security controls that resulted in a data breach.
Qualifying cybersecurity frameworks include:
- NIST Cybersecurity Framework
- NIST Special Publication 800-171
- FedRAMP Security Assessment Framework
- CIS Critical Security Controls
- ISO/IEC 27000 series
- HIPAA Security Rule (for covered entities)
- GLBA Title V (for financial institutions)
- FISMA (for government contractors)
- PCI DSS (for payment card processors)
This safe harbor is an affirmative defense, meaning the entity must prove at trial that it maintained and reasonably complied with the qualifying framework at the time of the breach.

Enforcement and Penalties
Nebraska's breach notification law is enforced by the Nebraska Attorney General under the Consumer Protection Act (Neb. Rev. Stat. 59-1601 et seq.). Violations of the breach notification statute are treated as violations of the Consumer Protection Act.
The Attorney General may seek:
- Injunctive relief to stop ongoing violations
- Civil penalties up to $25,000 per violation
- Restitution for affected consumers
There is no private right of action for breach notification violations. Only the Attorney General can bring enforcement actions. However, the cybersecurity safe harbor suggests the legislature anticipated tort claims related to inadequate data security, even though the notification statute itself does not create a private cause of action.

Exemptions
Certain entities are exempt from Nebraska's breach notification requirements if they comply with equivalent federal notification frameworks:
- GLBA-regulated financial institutions that comply with the Interagency Guidance on Response Programs for Unauthorized Access to Customer Information
- HIPAA-covered entities that comply with HIPAA breach notification requirements
- Entities subject to other federal breach notification laws that provide equivalent or greater protection
These entities must still maintain their federal compliance to benefit from the exemption.
Sources and References
This article draws from the following official Nebraska government sources:
- Neb. Rev. Stat. 87-801 et seq. (Financial Data Protection and Consumer Notification Act) - Full text of Nebraska's breach notification statute
- Neb. Rev. Stat. 87-802 (Definitions) - Definitions of personal information and breach
- Neb. Rev. Stat. 87-803 (Notification Requirements) - Notification timeline and methods
- Neb. Rev. Stat. 87-806 (Cybersecurity Safe Harbor) - Affirmative defense for compliant entities
- Nebraska Attorney General - AG consumer protection and breach reporting portal
This article provides general legal information about [Nebraska data privacy laws](/us-laws/data-privacy-laws/nebraska-data-privacy-laws) and breach notification requirements. It is not legal advice, and it does not create an attorney-client relationship. Data breach response involves time-sensitive obligations. Consult a qualified attorney licensed in Nebraska for guidance specific to your situation.