Nebraska Enacts Law Limiting Class Action Liability For Cybersecurity Events

Key Takeaways: Nebraska has become the latest state to enact statutory limits on lawsuits relating to adverse cyber events. The law, which will go into effect three months from adjournment of the Nebraska Legislature’s 2025 session, prohibits class action lawsuits arising from cybersecurity events against private companies, unless they are premised on the company’s willful, wanton, or grossly negligent conduct. The statute closely resembles Tennessee’s 2024 law, which provides similar limitations on private actions arising from such events.

On March 17, 2025, Nebraska Governor Jim Pillen signed into law Legislative Bill 241 (“LB241”), which provides immunity from class action lawsuits for private entities that suffer certain adverse cyber events. Under the newly enacted law, companies that experience cybersecurity events (defined as any event resulting in the unauthorized access to, disruption of, or misuse of an “information system” or nonpublic information stored within an information system) will only be liable in a class action if the event was caused by willful, wanton, or gross negligence on the part of the company.

What You Need to Know

Who is Affected

As noted above, the law applies to “private entities,” which are defined as any corporation, religious or charitable organization, association, partnership, limited liability company, liability partnership, or other private business entity, regardless of whether it is a for-profit or not-for-profit enterprise. “Information system” is broadly defined as any system used for the collection, maintenance, processing, sharing, or use of electronic nonpublic information or any specialized system (including industrial, process control, telephone switching, and environmental control systems).

Important Definitions

“Nonpublic information” is defined as any information that is not publicly available, that concerns a person, and that can be used to identify such person, in combination with: (i) Social Security number; (ii) driver’s license number (or other state identification number); (iii) financial account, debit, or credit card number; (iv) security or access code or password that would permit access to such person’s financial accounts; or (v) any biometric record. This definition of “nonpublic information” is slightly different from the definition of “personal information” under the state data breach notification law, which requires a resident’s first name or initial and last name in combination with similar enumerated data elements. Notably, Nebraska’s state data breach notification law requires that a financial account, debit card, or credit card number be compromised in combination with a required access code in order to trigger a notification obligation, whereas LB241 separates these elements, allowing either the account/card number or an access code to constitute “nonpublic information” for which the class action immunity may apply.

Implications for Businesses

LB241 is intended to shield companies that fall victim to malware, ransomware, and other cyber threats (whether internal or external) from excessive liability while encouraging them to maintain robust data security measures. Importantly, the law only provides protections against class action lawsuits, not isolated lawsuits or regulatory enforcement actions. Moreover, the statute does not directly address the state’s data breach notification law or comprehensive consumer privacy law. Further, as mentioned above, the statutes use different definitions of what constitutes personal information. Thus, there is a chance these laws may be subject to conflicting interpretation and construction.

Comparison with Other States

Nebraska follows in the footsteps of several other states that have enacted liability shields. In 2024, Tennessee enacted a statute nearly identical to LB241 in an attempt to limit costs associated with data breaches. In 2018, Ohio became the first state to enact a so-called “data breach safe harbor” that provided an affirmative defense in tort-based data breach claims for companies that implement certain controls and programs that meet industry-standard framework requirements, such as the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Several other states, including Nevada, Iowa, and Utah, have passed similar safe harbor laws.

For additional guidance on LB241 and other data privacy and security issues, please reach out to Koley Jessen’s Data Privacy and Security Practice Area.


This content is made available for educational purposes only and to give you general information and a general understanding of the law, not to provide specific legal advice. By using this content, you understand there is no attorney-client relationship between you and the publisher. The content should not be used as a substitute for competent legal advice from a licensed professional attorney in your state.
