On July 19, 2018, Nebraska law will require individuals or companies that possess personal information of Nebraska residents to implement appropriate data security procedures and include appropriate contractual provisions with their vendors that have access to that personal information. Personal data includes the data of customers, employees, or any other Nebraska resident.
The Nebraska legislature enacted LB757 to amend the Nebraska Financial Data Protection and Consumer Notification of Data Security Breach Act. Among other requirements, LB757 imposes two requirements on individuals or commercial entities that conduct business in Nebraska and own or possess certain computerized personal information about Nebraska residents: the individual or company (1) must implement and maintain reasonable security procedures and practices to secure that data; and (2) must ensure that any third-party vendors that have access to the personal information contractually agree to implement appropriate security procedures and practices to protect that information. The failure to comply with LB757 can subject the company to enforcement by the Nebraska Attorney General. As a result, it is important to document the steps taken to comply with the bill.
To ensure compliance with the new law, companies should conduct and document a data privacy and security assessment. This assessment should cover a number of areas and answer each of the following questions:
- What information is collected?
- How is that information used?
- Where is the data stored?
- What security procedures are in place for each piece of data?
- How long do you retain the data and how do you delete it?
- Have you reviewed your privacy policies relevant to that data?
- To whom do you disclose or transfer that data (internally and externally)?
Following the data assessment, the company is well positioned to conduct the contractual review portion of the compliance program. All contracts with third parties who have access to any personal information must be reviewed to ensure that a contract is in place that includes the required provisions.
Conducting an LB757 compliance assessment is also an excellent opportunity to address and reduce the risk associated with other changing privacy and data security requirements, including identifying other applicable state or international laws, reviewing and revising privacy policies, data breach procedures, and user and vendor agreements, and considering cyber insurance. Taking proactive and preventative steps to review and update a privacy and security program can substantially reduce both the risk of violating Nebraska and federal privacy laws and the risk of the significant reputational harm and litigation that can arise following a data breach.
For more information, contact Troy Meyerson.