WeVote

Bill

Bill

LB 241

Provide immunity from liability for cybersecurity events

109th Legislature (2025-2026) Introduced by Bob Hallstrom

LB 241 shields private entities from class-action suits after cybersecurity events unless the incident involved willful, wanton, or gross negligence.

Approved by Governor on March 17, 2025
0
WeVote Research Nonpartisan
Bill Summary · LB 241

Summary — LB 241 (2025)

Provide immunity from liability for cybersecurity events
Approved by Governor March 17, 2025

Main purpose

LB 241 narrows class-action liability for private entities following cybersecurity events. It prevents class-action suits against private entities for cybersecurity incidents unless the claimant shows the incident was caused by the private entity’s willful, wanton, or gross negligence (i.e., ordinary negligence is insufficient).

Key provisions

  • Defines key terms used in the statute:
    • Cybersecurity event — an event causing unauthorized access to, or disruption or misuse of, an information system or nonpublic information stored on such a system.
    • Information system — electronic resources organized to collect/process/etc. nonpublic information; includes specialized systems (industrial control, PBX, environmental control systems).
    • Nonpublic information — not publicly available information that, together with an identifier (name, number, etc.), can identify a person when combined with: SSN; driver’s license/state ID; financial account or card numbers; security/access codes or passwords to financial accounts; or biometric records.
    • Private entity — broadly defined to include corporations, partnerships, limited liability companies, religious or charitable organizations, associations, etc., whether for-profit or not-for-profit.
    • Publicly available information — lawfully available through government records or information a private entity reasonably believes is public.
  • Immunity rule:
    • A private entity is not liable in a class action resulting from a cybersecurity event unless the event was caused by willful, wanton, or gross negligence by that private entity.
  • The statute addresses class-action liability only; it does not expressly alter other causes of action (e.g., individual lawsuits) in the text of the enacted provision.

Who is affected

  • Primarily private entities subject to cybersecurity incidents — businesses, non-profits, religious and charitable organizations, associations, etc.
  • Consumers and individuals whose nonpublic information may be exposed; their ability to pursue class-action remedies is curtailed unless they prove a high level of culpability.
  • Plaintiffs’ lawyers and defendants in cybersecurity litigation; insurers and risk managers who advise or insure against cyber risks.

Procedural and legislative timeline

  • Introduced: Jan 14, 2025 (Sen. Bob Hallstrom, primary sponsor; several cosponsors).
  • Committee hearing: Feb 3, 2025 (Banking, Commerce and Insurance Committee). Advanced to General File.
    • Proponents: Nebraska Bankers Association; Nebraska Grocery Industry Association; Nebraska Retail Federation; Nebraska Insurance Federation; Nebraska Telecommunications Association; Chambers of Commerce; credit union and community banker groups.
    • Opponent noted: Nebraska Association of Trial Attorneys.
  • Multiple amendment efforts:
    • AM246 (Conrad) would have tied coverage to breach definitions in state law and required notice/Attorney General certification; it failed.
    • AM474 (Cavanaugh) sought to clarify this section would not limit consumer rights under the Data Privacy Act; it failed.
    • MO55 (motion to reconsider AM474) was filed and failed.
  • Passed Final Reading: March 13, 2025 (36–11–2). Presented to and approved by the Governor: March 17, 2025.

Potential impact and considerations

  • Reduces exposure of private entities to class-action liability after cyber incidents unless plaintiffs can prove gross-level fault, which raises the evidentiary burden for plaintiffs and may decrease class-action filings or settlements.
  • Could shift emphasis toward individual suits or statutory remedies not covered by the class-action limitation.
  • Supporters argued it protects businesses from costly class litigation for routine breaches; opponents raised concerns it limits consumer recourse and accountability for inadequate cybersecurity.
  • Interaction with Nebraska’s Data Privacy Act and other state breach-notification or consumer-protection statutes was debated (attempted amendments sought to clarify these relationships but were not adopted).

Note: The enacted language applies specifically to class actions; it does not explicitly abrogate other remedies or statutory claims that are not class actions.

Compiled from official sources — confirm details with the bill’s official record.

Sign in to ask a question.