CYBERSECURITY & DATA PRIVACY: TWO SIDES OF THE SAME COIN

BY ROBERT L. KARDELL, FBI (RET.), JD, MBA, CPA, CISSP, GSEC, CFE, CFF, BAIRD HOLM LLP, OMAHA

Nebraska recently passed the Nebraska Data Privacy Act (Privacy Act).[1] The Privacy Act establishes new requirements for businesses to safeguard the personal information of Nebraska residents. The Privacy Act also grants individuals greater rights to access, control, and request the deletion of their data, aiming to enhance transparency of the use of personal data by businesses.

While the Privacy Act is new, the Financial Data Protection and Consumer Notification of Data Security Breach Act of 2006 (as amended in 2018) (in particular, Neb. Rev. Stat. § 87-808, hereinafter referred to as the Security Act) requires Nebraska businesses to institute data security controls commensurate with the sensitivity of the information. The statute in part states:

"To protect personal information from unauthorized access, acquisition, destruction, use, modification, or disclosure, an individual or a commercial entity that conducts business in Nebraska and owns, licenses, or maintains computerized data that includes personal information about a resident of Nebraska shall implement and maintain reasonable security procedures and practices that are appropriate to the nature and sensitivity of the personal information owned, licensed, or maintained and the nature and size of, and the resources available to, the business and its operations, including safeguards that protect the personal information when the individual or commercial entity disposes of the personal information."[2]

Based on the plain language of the statute, the Security Act requires businesses to identify the information they collect, categorize the information according to its sensitivity, and take appropriate measures to protect the data. The security measures must be appropriate to the sensitivity of the information, but the law does not require absolute security.
The security can be tailored to the nature and size of the organization and limited to the resources available to the organization. Thus, smaller organizations and small nonprofit organizations, which may not have many resources, are not required to adopt expensive monitoring tools.

nescpa.org