Limits on data-breach class action lawsuits passed

Lawmakers approved a bill March 13 that prevents a private entity from being liable in a class action resulting from a cybersecurity event in certain circumstances.

Under LB241, introduced by Syracuse Sen. Bob Hallstrom, private entities that experience a data breach are not liable in a class action unless the cybersecurity event was caused by the entity’s “willful, wanton or gross negligence.”

The bill defines a cybersecurity event as one that leads to unauthorized access to, disruption or misuse of nonpublic information, such as Social Security or driver’s license numbers or financial account information, security codes or passwords.

Qualifying private entities under the bill do not include corporations, religious or charitable organizations, associations, businesses and nonprofits.

LB241 passed on a vote of 36-10.