Last week I discussed what type of information is considered “personal information” under the Consumer Notification of Data Security Breach Act of 2006; Nebraska Statutes § 87-801. If you are storing “personal information” which is subject to a data security breach, the Act requires that the person or entity storing that information provide notice of the breach to those whose personal information is being stored. How do you give notice and meet the requirements of the Act?
The Act says notice can be written, telephonic or, under certain circumstances, electronic. Of course, as always, there are exceptions to these types of notice. In this case, “substitute notice” may be given under the following circumstances:
- if the notice would cost in excess of $75,000;
- if there are more than 100,000 residents to be notified; or
- if the individual or entity does not have sufficient contact information to provide notice.
So, the exception begs the question: what is substitute notice? It requires these things:
- E-mail notice (if the individual or entity has e-mail addresses);
- Conspicuous posting of the notice on a website if one is maintained;
- Notice to major statewide media outlets.
In the case of a small business (ten or fewer employees) which can demonstrate that the notice will cost more than $10,000, there is an extra step to substitute notice. In addition to the above, such an entity must take out a paid advertisement in a local newspaper that is distributed in the geographic area in which the entity is located. The ad must cover at least one-quarter of a page in the newspaper and must be published once a week for three consecutive weeks.
Complying with the Act will not cure all potential liability in the event you suffer a digital security breach. Compliance will, however, reduce the headache that is associated with such an event.