Nebraska Revises Its Credit Report Protection Act, Uniform Deceptive Trade Practices Act, and Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006
Nebraska has enacted a variety of amendments to its Credit Report Protection Act, Uniform Deceptive Trade Practices Act, and Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 in order to increase consumer protection.
Under the Credit Report Protection Act, Nebraska has added the concept of a “protected consumer,” which is defined as an individual who is either under sixteen years of age at the time a request for the placement of a security freeze is made, or is an incapacitated person form whom a guardian or guardian ad litem has been appointed. The Credit Report Protection Act has been further amended to describe how security freezes apply to protected consumers, when they must be placed for a protected consumer, and how they may be lifted. These amendments do not apply to any person or entity that maintains a database used solely for criminal record information, personal loss history information, fraud prevention or detection, employment screening, or tenant screening.
The Uniform Deceptive Trade Practices Act has been amended to add in several new concepts. Once the amendments take effect, it will be a deceptive trade practice to represent that goods or services do not have sponsorship, approval, characteristics, ingredients, uses, benefits, or quantities that they have or that a person does not have a sponsorship, approval, status, affiliation, or connection that he or she has. It will also be a deceptive trade practice if, in connection with the solicitation of funds or other assets for any charitable purpose, or in connection with any charitable purpose, a person uses or employs any deception, fraud, false pretense, false promise, misrepresentation, unfair practice, or concealment, suppression, or omission of any material fact.
Finally, the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 has been amended in a handful of ways. First, the definition of “encrypted” now carves out data if the confidential process or key was or is reasonably believed to have been acquired as a result of the breach of the security of the system. Additionally, the definition of “personal information” now includes a user name or email address, in combination with a password or security question and answer, that would permit access to an online account. Finally, an individual or commercial entity who is required to notify a Nebraska resident of a breach of security of the system must also notify the Nebraska Attorney General not later than the time when the notice is provided to the Nebraska resident.
These revisions will become effective on July 19, 2016.