The data must be secured throughout its lifecycle. The Security Act even requires that information be disposed of in a manner that will protect the information. Accordingly, the disposal of any hardware will require that sensitive information be wiped before disposal. The failure to maintain security of data at the end of its lifecycle is best exemplified by a recent settlement between the Office of the Comptroller of the Currency (OCC) and Morgan Stanley.3 After Morgan Stanley sold some outdated equipment, a purchaser of some of the equipment notified Morgan Stanley that the information on the equipment had not been wiped and was still accessible. After an investigation by the OCC, Morgan Stanley settled the action for $60 million.

The requirements of the statute, though, have not been tested in court, because the attorney general has not brought an action against a business to enforce the statute.

One final note on the Security Act: its first sentence requires businesses to protect data from “unauthorized access, acquisition, destruction, use, modification, or disclosure.” This language is substantially different from the notification provisions of Neb. Rev. Stat. § 87-802, which require notice in the event of the “unauthorized acquisition of unencrypted computerized data.” The notification language is notably much narrower than the language of the protection provisions of the data security requirements. Thus, a failure to comply with the security provisions will not necessarily trigger a notification obligation.

PRIVACY VS. SECURITY

The Privacy Act aims to protect the privacy of information and is focused on the rights of the individual to control the use of and access to personal data. The Security Act, however, aims to prescribe the security measures necessary to protect such information. The Security Act focuses on specific technical controls, policies, and procedures to maintain security through access controls, configuration of networks and systems, maintenance, monitoring, and media protection. While the acts are separate, they are really two sides of the same coin. Both are focused on maintaining the privacy of the data: one through privacy protections, the other through security requirements.

Privacy Act                                              | Security Act
-------------------------------------------------------- | --------------------------------------------------------------
Governs collection of data                               | Ensures confidentiality of data
Controls use and sharing of data                         | Controls access to data
Gives individuals right to obtain data                   | Protects security of data
Gives individuals right to request deletion              | Maintains integrity of data
Promotes transparency through notices and disclosures    | Promotes safeguarding of data through security measures
Requires data classification                             | Requires data encryption and secure storage
Mandates consents, notices, and policies                 | Requires authorization, multifactor authentication, and passwords
Sample Regulations and Laws                              | Sample Regulations and Laws
HIPAA Privacy Rule                                       | HIPAA Security Rule
GDPR                                                     | NIST Cybersecurity Framework

22 Nebraska CPA