Nebraska Data Breach Notification Letter
(Comprehensive Template – Attorney General & Consumer Variants)
[// GUIDANCE: This master template is designed to satisfy the Nebraska Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006, Neb. Rev. Stat. §§ 87-801 – 87-807. It contains two toggle-ready variants:
• Variant A – Notice to the Nebraska Attorney General (“AG”)
• Variant B – Notice to Affected Individuals (“Consumer Notice”)
Delete the variant you do not require and complete all bracketed placeholders before release.]
TABLE OF CONTENTS
- Document Header
- Recitals & Context
- Definitions
- Operative Notice Provisions
- Representations & Continuing Covenants
- Reservation of Rights & Risk Allocation
- General Provisions
- Execution Block
1. DOCUMENT HEADER
[COMPANY LETTERHEAD]
[COMPANY LEGAL NAME]
[STREET ADDRESS] • [CITY, STATE ZIP] • Tel: [PHONE] • Email: [EMAIL]
Date: [DATE]
Variant A – Attorney General
The Honorable [NAME]
Attorney General of Nebraska
Office of the Attorney General
2115 State Capitol
Lincoln, NE 68509
Variant B – Affected Individual
[RECIPIENT NAME]
[RECIPIENT STREET ADDRESS]
[CITY, STATE ZIP]
Re: Notice of Data Security Breach Pursuant to Neb. Rev. Stat. §§ 87-801 – 87-807
2. RECITALS & CONTEXT
WHEREAS, [Company Legal Name] (the “Company”) is an entity subject to the Nebraska Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (the “Act”); and
WHEREAS, on [DISCOVERY DATE] the Company discovered/determined that a data security incident (the “Incident”) occurred which resulted in/posed a reasonable likelihood of unauthorized acquisition of Personal Information, as that term is defined in Neb. Rev. Stat. § 87-802(5); and
WHEREAS, the Company has concluded its internal investigation in coordination with external cybersecurity professionals and counsel, and now provides this notice consistent with the Act and industry best practices;
NOW, THEREFORE, the Company hereby notifies the addressee as follows:
3. DEFINITIONS
The following capitalized terms apply throughout this Notice:
“Affected Individual” – The Nebraska resident whose Personal Information was, or is reasonably believed to have been, acquired without authorization during the Incident.
“Incident” – The data security event first detected on [DISCOVERY DATE] and confirmed on [VERIFICATION DATE], involving unauthorized access to/acquisition of the Company’s information systems.
“Personal Information” – The data elements enumerated in Neb. Rev. Stat. § 87-802(5) that were actually or potentially compromised, specifically: [e.g., Social Security numbers, driver’s license numbers, financial account numbers plus security codes, biometric data, user name + password, etc.].
“Notification Date” – The date of this letter, being within forty-five (45) days of discovery of the Incident, in accordance with Neb. Rev. Stat. § 87-803(1).
[// GUIDANCE: Add or delete defined terms as needed for the facts of your Incident.]
4. OPERATIVE NOTICE PROVISIONS
4.1 Description of the Incident
On [INCIDENT DATE RANGE], the Company experienced [brief factual description: e.g., “a sophisticated phishing attack leading to unauthorized access to an employee email account”]. The Incident was contained on [CONTAINMENT DATE]. A forensic investigation conducted by [FORENSIC FIRM] confirmed that certain files containing Personal Information were, or were likely to have been, accessed by an unauthorized actor.
4.2 Information Involved
The investigation determined that the following categories of Personal Information relating to [NUMBER OF AFFECTED INDIVIDUALS] Nebraska residents may have been compromised:
• [Category 1] – [e.g., Social Security numbers]
• [Category 2] – [e.g., Driver’s license numbers]
• [Category 3] – [e.g., Financial account numbers + access codes]
4.3 Actions Taken by the Company
- Immediately isolated affected systems and engaged third-party cybersecurity experts.
- Reset all internal credentials, implemented multi-factor authentication, and enhanced endpoint monitoring.
- Notified federal law-enforcement authorities [FBI/Secret Service] on [LAW-ENFORCEMENT NOTICE DATE].
- Established a dedicated incident-response call center and website: [TOLL-FREE NUMBER / URL].
- Offered [12/24] months of complimentary credit monitoring and identity-theft protection through [SERVICE PROVIDER].
4.4 Steps the Affected Individual Can Take (Consumer Variant Only)
[// GUIDANCE: Customize language to align with the services you are providing.]
We recommend that you:
a. Remain vigilant by reviewing your account statements and monitoring free credit reports.
b. Place a fraud alert or security freeze on your credit file. Contact information for the three nationwide consumer reporting agencies (“CRAs”) is provided in Appendix A.
c. Report suspected identity theft to the Federal Trade Commission (“FTC”) at IdentityTheft.gov or 1-877-438-4338, and to your local law-enforcement agency.
4.5 Statutory Compliance Statements
- This Notice is provided without unreasonable delay and not later than forty-five (45) days after discovery of the Incident, satisfying Neb. Rev. Stat. § 87-803(1).
- [AG Variant] Because the Incident affects more than five hundred (500) Nebraska residents, the Company is simultaneously providing individual consumer notices as required under § 87-803(4).
- The Company has not delayed notification due to law-enforcement request under § 87-803(3).
5. REPRESENTATIONS & CONTINUING COVENANTS
5.1 Accuracy. The Company represents that the information contained herein is accurate to the best of its knowledge as of the Notification Date.
5.2 Ongoing Cooperation. The Company will (i) supplement this Notice if materially new facts are discovered, and (ii) cooperate reasonably with the Attorney General and any law-enforcement investigation relating to the Incident.
6. RESERVATION OF RIGHTS & RISK ALLOCATION
6.1 No Admission. This Notice is not, and shall not be construed as, an admission of liability or wrongdoing by the Company.
6.2 Statutory Penalties. The Company expressly reserves all rights, defenses, and immunities available under applicable law, including but not limited to any limitations on statutory penalties under Neb. Rev. Stat. § 87-806.
6.3 Limitation of Liability to Consumers. Nothing in this Notice shall be deemed to waive any contractual limitations of liability or to create obligations beyond those imposed by law.
7. GENERAL PROVISIONS
7.1 Governing Law. This Notice shall be governed by and construed in accordance with the laws of the State of Nebraska, without regard to its conflict-of-laws principles.
7.2 Method of Notice. Delivery of this Notice has been effected by [U.S. Mail first-class / certified mail / electronic mail] consistent with Neb. Rev. Stat. § 87-803(7).
7.3 Consumer Reporting Agency Coordination. [If substitution notice is used, insert details per § 87-803(1)(d).]
8. EXECUTION BLOCK
Respectfully submitted,
[NAME OF AUTHORIZED SIGNATORY]
[Title]
[Company Legal Name]
Date: _______
Appendix A – Contact Information for Nationwide CRAs
• Equifax: 1-800-525-6285 • P.O. Box 740241, Atlanta, GA 30374-0241 • www.equifax.com
• Experian: 1-888-397-3742 • P.O. Box 4500, Allen, TX 75013 • www.experian.com
• TransUnion: 1-800-680-7289 • P.O. Box 2000, Chester, PA 19016-2000 • www.transunion.com
[// GUIDANCE: Verify CRA addresses and phone numbers at time of sending.]
End of Template