2025 Pub. 7 Issue 4

There is also a succinct summary of the differences in the Federal Reserve Interagency Guidelines⁴ as the distinction applies to financial institutions:

Distinction Between the Security Guidelines and the Privacy Rule

The requirements of the Security Guidelines and the interagency regulations regarding financial privacy (Privacy Rule) both relate to the confidentiality of customer information. However, they differ in the following key respects:

» The Security Guidelines address safeguarding the confidentiality and security of customer information and ensuring the proper disposal of customer information. They are directed toward preventing or responding to foreseeable threats to, or unauthorized access or use of, that information.

» The Privacy Rule limits a financial institution’s disclosure of nonpublic personal information to unaffiliated third parties, such as by selling the information to unaffiliated third parties. Subject to certain exceptions, the Privacy Rule prohibits disclosure of a consumer’s nonpublic personal information to a nonaffiliated third party unless certain notice requirements are met and the consumer does not elect to prevent, or “opt out of,” the disclosure.

SECURITY CONTROLS & APPLICATION OF NEBRASKA LAW

As mentioned, the more sensitive the information, the more security controls should be in place to protect that information. For example, information that includes Social Security numbers, financial information, account balances, and information on children, siblings, spouses, etc. should be protected with more security and controls such as multifactor authentication (MFA), virtual private networks, firewalls, auditing and monitoring software, and so forth. The process of identifying and categorizing information for security protections closely parallels the identification, classification, and data-mapping requirements found in data privacy laws.
Both privacy and security require a thorough understanding of all data being collected, saved, used, maintained, and shared or transferred. All data, wherever it may be stored, must be categorized for sensitivity so that proper security controls can be implemented. At each stage of a file’s digital life cycle, owners of digital data should pause for a complete understanding of the sensitivity of the data to ensure proper controls are identified and implemented. A digital life cycle can include several disparate stages, which may include collection, maintenance, use, archiving, and destruction of data.

DATA COLLECTION

When data is initially collected, an assessment should be completed as to the sensitivity of the information and the method used to collect such data. A few simple assessment questions may be appropriate:

1. Does the information include any types of data defined as personally identifiable information (PII) under Neb. Rev. Stat. § 87-802, e.g., Social Security numbers, financial account numbers, driver’s license numbers, government identification numbers, or electronic code, routing number, etc.?

2. Does the method of collection require encryption in transit and password protection, or is the system protected behind a firewall or virtual private network (VPN)?

3. Who is the information being collected from? Does the data provider own the data or provide information on behalf of someone else? Does the data provider have the right to provide the necessary information or consent?

4. Is the data being verified when provided?

5. Is the data collection process protected with identity verification?

DATA MAINTENANCE & USE

1. Where is the data being stored, locally or on a cloud-based platform?

2. What does the contract or agreement with the storage provider include in terms of cybersecurity procedures, notification procedures, and indemnification provisions?

3. Does the platform store the information in an encrypted state? What type of encryption is used (which cryptographic algorithms and keys), and who manages the keys and the encryption process?

4. Who is allowed to access the data, change or modify the data, and delete the data?

5. What backup procedures are in place? Have the backup procedures been tested?

DATA ARCHIVING

1. When is data moved to an archive, or to the archive state?

2. Is the archived data encrypted? And what types of encryption algorithms are used?

3. Who has access to the archived data?

4. How is the data maintained and/or regularly tested for readability and integrity?

5. Is access to the archived data monitored, and how long are logs kept?
