Nebraska Enacts Law Protecting Companies from Class Action Liability for Cyber Events
On March 17, 2025, Nebraska Governor Jim Pillen signed Legislative Bill 241 into law, which limits class action liability for private entities for cybersecurity events. The new law will take effect three months from the adjournment of the Nebraska Legislature’s 2025 session. Several states have now passed laws that give companies a degree of protection against class action data breach lawsuits. Tennessee implemented a very similar law in 2024, and a handful of states have implemented data breach safe harbor laws to limit the costs arising from data breaches.
The aim of the Nebraska shield law is to protect companies from excessive liability while also encouraging them to implement robust cybersecurity. The Nebraska liability shield law prohibits class action lawsuits against private companies related to adverse cyber events unless those events are premised on the company’s willful, wanton, or grossly negligent conduct. If companies implement and maintain reasonable and appropriate cybersecurity measures, they will be protected against class action lawsuits. The shield law does not offer protection against regulatory lawsuits, such as those seeking penalties for HIPAA violations.
Private companies are defined as any corporation, religious or charitable organization, association, partnership, limited liability company, liability partnership, or other private business entities, irrespective of whether it is a nonprofit or for-profit enterprise. Adverse cyber events are classed as any event that results in unauthorized access to, disruption of, or misuse of information systems or nonpublic information stored in an information system. The definition therefore covers malware, ransomware, hacking, and incidents involving malicious insiders.
An information system is any system used for the collection, maintenance, processing, sharing, or use of electronic nonpublic information or any specialized system. Non-public information is defined as information that is not publicly available that concerns a person and can be used to identify a person in combination with any of the following: Social Security number; driver’s license number; other state identification number; financial account, debit, or credit card number; security or access code or password that would permit access to such person’s financial accounts; or any biometric record.
Get The FREE
HIPAA Compliance Checklist
Immediate Delivery of Checklist Link To Your Email Address
Please Enter Correct Email Address
Your Privacy Respected
HIPAA Journal Privacy Policy
