Class action data breach bill clears first-round

Lawmakers advanced a bill from general file Feb. 12 that would prevent a private entity from being liable in a class action resulting from a cybersecurity event in certain circumstances.

Under LB241, introduced by Syracuse Sen. Bob Hallstrom, private entities that experience a data breach would not be liable in a class action unless the cybersecurity event was caused by the entity’s “willful, wanton or gross negligence.”

The bill defines a cybersecurity event as one that leads to unauthorized access to, disruption or misuse of nonpublic information, such as Social Security or driver’s license numbers or financial account information, security codes or passwords.

Qualifying private entities under the bill would include corporations, religious or charitable organizations, associations, businesses and nonprofits.

Hallstrom said the bill is meant to address a recent “surge” in class action lawsuits related to data breaches. Such suits have the potential to clog up the courts, he said, and often focus on potential losses, such as identity theft, rather than any actual monetary loss.

The results, he said, are higher cybersecurity premiums for businesses with little or no payout to those whose data is compromised. Despite a company’s best efforts, Hallstrom said, data breaches happen and companies should not have to face class action lawsuits if they are accused only of negligence and not “willful” negligence.

“Even with the existence of reasonable precautions — patches, updates [and] things that are taken care of by businesses on a regular and routine basis — they still face hackers and ransomwares,” Hallstrom said. “The bad actors are always a step ahead of them.”

Elmwood Sen. Robert Clements supported the bill. The bank he heads has a “military-grade” firewall, he said, but still has difficulty obtaining cyber security insurance.

“Even though we’re really trying hard, if we did have a breach, I think we could probably face a lawsuit in the millions of dollars and it could shut down my business,” Clements said.

Sen. Megan Hunt of Omaha opposed the bill. She said state and local level consumer protections are more important than ever now that the Trump administration has begun “dismantling” such protections at the national level.

Expressing concern that LB241 would limit access to legal redress, Lincoln Sen. George Dungan also opposed the measure. He said the difference between regular negligence and willful negligence is “huge” in a legal context and that the latter would be very difficult to prove against an entity involved in a data breach.

Also speaking against the proposal was Lincoln Sen. Danielle Conrad, who called it a “sweetheart deal” for a wide range of entities that would “favor big business over hardworking Nebraskans.”

Conrad also questioned the premise that reducing class action lawsuits, which can bundle hundreds or thousands of complaints into one case, would free up the state’s courts to tackle other issues, or that the bill would have a positive impact on cybersecurity premiums for businesses.

“LB241 provides a license to corporations large and small to act unreasonably — to act negligently — and to thus evade accountability through class action in state court,” Conrad said.

After rejecting a Conrad amendment on a 14-30 vote, lawmakers advance LB241 to the second round of debate 33-9.