Nebraska Modifies Consumer Protection Provisions
The state of Nebraska modified its provisions relating to consumer protection under its Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (“FDP”). These provisions are effective on July 17, 2018.
The amendment prohibits certain fees under the Credit Report Protection Act; changes provisions relating to the FDP; requires additional reasonable security procedures and practices regarding personal information; provides applicability for certain provisions; harmonizes provisions; and repeals the original sections.
Section 1 of the amendment defines “Substantially similar type of security product” for purposes of the Credit Report Protection Act to mean any product that provides the same level of protection to a consumer’s or protected consumer’s credit report as that provided under the Credit Report Protection Act regardless of the contact method used by a consumer or protected consumer to request, temporarily lift, or remove a restriction placed on the consumer’s or protected consumer’s credit report.
Section 4 of the amendment provides that a consumer reporting agency shall not charge any fee for placing, temporarily lifting, or removing a security freeze placed under section 8-2603 or for placing, temporarily lifting, or removing any other substantially similar type of security product. This subsection does not apply if the substantially similar type of security product, alone or in combination with another product, provides greater protection to the consumer than a security freeze.
Section 7 provides that to protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information.
An individual or commercial entity that discloses computerized data that includes personal information about a Nebraska resident to a nonaffiliated, third-party service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices that:
- are appropriate to the nature of the personal information disclosed to the service provider; and
- are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.
This subsection does not apply to any contract entered into before the effective date of this act. Any such contract renewed on or after the effective date of this act shall comply with the requirements of this subsection.
An individual or a commercial entity complies with this section 7 of the amendment if the individual or commercial entity:
- complies with a state or federal law that provides greater protection to personal information than the protections that this section provides; or
- complies with the regulations promulgated under Title V of the Gramm-Leach-Bliley Act, 15 U.S.C. 6801 et seq., or the Health Insurance Portability and Accountability Act of 1996, 42 U.S.C. 1320d to 1320d-9, as such acts and sections existed on January 1, 2018, if the individual or commercial entity is subject to either or both of such acts or sections.
Section 8 provides that a violation of section 7 of this act shall be considered a violation of section 59-1602 and be subject to the Consumer Protection Act and any other law which provides for the implementation and enforcement of section 59-1602. A violation of section 7 of this act does not give rise to a private cause of action.
Rhona Kyeyune, LLM, is a regulatory compliance consultant with CLA. She is a graduate of Makerere University and earned her master of laws at Boston University School of Law.
Comments are closed.