One Democrat joined nearly every Republican in the state's formally nonpartisan Legislature to advance the proposed law, which opponents argued will "make it harder for companies to be held accountable in the event that they actually are negligent with your personal information."
Sponsored by Sen. Bob Hallstrom of Syracuse, the bill (LB241) would prevent companies from being held liable in class-action lawsuits over data breaches unless the breach was caused by their own "willful, wanton, or gross negligence."
Hallstrom and his Republican allies in the Legislature cast the proposal as one meant to protect small businesses, which Hallstrom said were at risk of paying "significant settlements" and attorneys fees in the face of class-action lawsuits accusing them of acting with mere negligence — rather than gross negligence — when handling sensitive customer data.
After more than four hours of debate across two days, the Legislature voted 33-9 to send the bill to the second of three rounds of debate. Sen. Eliot Bostar, a Democrat from Lincoln, joined 32 conservatives in support of the bill. Five Democrats were present not voting and two lawmakers were absent.
The vote marked the second time in eight days that lawmakers have advanced legislation that progressive lawmakers cast as favors to big corporations at the expense of everyday Nebraskans.
Lawmakers last week gave first-round approval to another bill sponsored by Hallstrom, a freshman senator, that would change state law to define app-based ride-share and food delivery drivers as independent contractors in a move that opponents argued "shifts the balance in favor of billionaires against working people."
This week, Omaha Sen. Megan Hunt called Hallstrom's bill shielding private companies from class-action lawsuits following data breaches "corporate favoritism."
But Hallstrom, an attorney and former lobbyist, argued the legislation is meant to protect businesses from frivolous lawsuits following cybersecurity attacks that often result in no financial hit to consumers and occurred despite the company's efforts to shield sensitive consumer data like Social Security numbers and credit card information.
"Even with the existence of reasonable precautions — patches, updates, things that are taken care of by businesses on a regular and routine basis — they still face hackers and ransomwares," he said. "The bad actors are always a step ahead of them."
Lincoln Sen. George Dungan, a former public defender who still practices criminal law, warned that "the difference between gross negligence and negligence is a huge, huge step up."
"And that is going to be an incredibly difficult thing to prove," he said.
By heightening that standard, Omaha Sen. Terrell McKinney argued, the bill in effect "allows these companies to be negligent in storing your data."
"Why does the standard need to be raised from negligence to gross negligence?" McKinney said. "What is the purpose — outside of protecting these entities over people? ... I thought we were elected to serve the people."
The bill would still allow individuals to file lawsuits against companies in Nebraska alleging mere negligence, raising the standard to gross negligence only for class-action suits.
In December, the state itself sued a health care payment processor over a data breach last year that allegedly exposed the financial account details and protected health information of at least 575,000 state residents and ensnared roughly 100 million patients across the U.S.
At a news conference announcing the lawsuit, Nebraska's Republican Attorney General Mike Hilgers said state attorneys general are "almost the only entity that's strong enough to stand up to these big companies" in consumer protection cases.
©2025 Lincoln Journal Star, Neb., Distributed by Tribune Content Agency, LLC.
