
Review: Nebraska Legislative Bill 757


On February 28, 2018, the Governor of Nebraska approved Legislative Bill 757. This bill is a response to the significant and growing number of data breaches that have affected organizations such as Equifax, the U.S. Securities and Exchange Commission (SEC), Deloitte, and others.


Legislative Bill 757 states that “An individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations.”


Legislative Bill 757 also states “An individual or commercial entity that discloses computerized data that includes personal information about a Nebraska resident to a nonaffiliated, third-party service provider shall require by contract that the service provider implement and maintain reasonable security procedures and practices that are appropriate to the nature of the personal information disclosed to the service provider; and are reasonably designed to help protect the personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure.”


What this means is that if your business collects personal information about a resident of Nebraska, or if you sell a Nebraska resident’s data to a third party, YOU are responsible for making sure that “reasonable security” controls are implemented to protect those individuals. “Reasonable security” is not necessarily defined, but we know from other laws and court cases that a business must be able to demonstrate that it is actively doing its best to protect customer information. That means continually improving and maturing the security controls your business deploys; it is not enough to have put controls in place years ago and done nothing to improve security since.

 


Credit Freezes

The biggest-ticket item from Legislative Bill 757 is the amendment of, and addition of provisions to, multiple sections and statutes of Nebraska law that deal with the Credit Report Protection Act and the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006.


These Legislative Bill 757 changes state that Credit Agencies:

  • Must receive sufficient proof of identity before adding/removing/thawing a credit freeze
    • If the credit agency does not have a record of an identity (a minor for example) and a freeze request is made, the credit agency must create a record and subsequently place the freeze.
  • The credit agency shall not charge fees for Add/Thaw/Removal of a Credit freeze
    • If a customer chooses to purchase something “better” than a credit freeze, such as credit monitoring, a fee may be charged.
  • The credit agency shall not charge fees for the reissue of a lost pin/password the first time
    • After the first reissue, the credit agency may charge a fee of no more than $5.00 per time for reissuance of pin/password.

 


Vendor Management

With respect to vendor management, Legislative Bill 757 puts the onus for protecting Nebraska residents’ data on the organization collecting the data. The Bill states:

  • Anyone who conducts business in Nebraska and owns/licenses/maintains computerized Personally Identifiable Information (PII) about a Nebraskan must provide “reasonable security procedures and practices that are appropriate to the nature and sensitivity of the information.”
  • If said information is disclosed to a third party, a contract must be in place that requires the third party to also implement reasonable security controls.
    • Contracts signed before this law takes effect are excluded from this requirement.
    • Any contract renewed on or after the effective date of the law shall contain a requirement for security controls.

 


Notice to Customers in States Outside of Nebraska

With increasing regulations such as the European Union’s General Data Protection Regulation (GDPR) taking effect globally, and other privacy concerns arising in the past few months (Facebook, Panera, Delta, etc.), one should reasonably expect other states to adopt similar legislative guidance to protect the privacy of their residents. Furthermore, if you or your business collects or shares confidential information about your customers, expect to be held to a higher standard regarding your customers’ data privacy and plan to perform vendor management of any vendor with whom you share data.
 


Written by: Jeff Dice and Ronald Tortorello SBS CyberSecurity, LLC


SBS Resources

  • {Service} Vendor Management: Vendor Management can be time-consuming and difficult to manage across an organization. If you’re not sure where to start, or if you simply want to save yourself a ton of time, SBS offers a Full Service Vendor Management solution that can take on the heavy lifting for your organization’s vendor management program. SBS will help you report vendor management upstream more easily by performing your vendor risk assessment(s), reviewing due diligence and contract information, and helping you to make better data-driven security decisions.




Sources:

https://nebraskalegislature.gov/FloorDocs/105/PDF/Slip/LB757.pdf



Posted: Monday, May 7, 2018
Categories: Blog, In the News