Pub. 14 2019-2020 Issue 6

NEBRASKA BANKERS ASSOCIATION

Third, some states may provide for notification to consumers regardless of the risk of harm and may not exempt any financial institutions subject to GLBA. An example of such a statute is the Illinois statute⁵, which requires notification of the incident without unreasonable delay and does not have a provision exempting a financial institution subject to GLBA or a provision allowing for delay due to a request from law enforcement.

Finally, some states provide a more inclusive definition of personal data than GLBA. GLBA only covers the following data:

• A customer’s name, address, or telephone number, in conjunction with
  ◦ the customer’s social security number;
  ◦ driver’s license number;
  ◦ account number, credit or debit card number; or
• A combination of components of customer information that would allow someone to log onto or access the customer’s account, such as
  ◦ user name and password; or
  ◦ password and account number.
While this list is similar to many state definitions, there are states which include things such as biometric data⁶, a driver's license number⁷, employer assigned ID⁸, mother's maiden name⁹, and many other examples. The implications of the differing statutory definitions of personal information can create a burden on a financial institution to provide an analysis for each and every state in which it conducts business.

Conclusion

The GLBA only supersedes state law when the two statutes are in conflict. If the two statutes are not directly in conflict, the financial institution will need to conduct an analysis first for GLBA and then for the state statute. This may mean that the bank provides notifications to some customers in one state but not to customers in another state. The lack of a federal superseding statute will lead to different conclusions for financial institutions in different states. And financial institutions with business operations in different states may conclude that a single data breach results in different notification to their customers in different states. An analysis of each state's breach notification statutes is required.

1. CFR-2016 Title 12 Vol 1 Part 30 App B
2. 15 U.S. Code § 6807
3. T.C.A. § 47-18-2107
4. Iowa Code § 715C.1
5. 815 ILCS 530 Personal Information Protection Act
6. Ibid.
7. Nebraska Revised Statute 87-802
8. S.D. Cod. Laws §§ 20-40-20 to -46
9. Tex. Bus. & Com. Code §§ 521.002, 521.053

For more information, contact Bob Kardell, JD, MBA, CISSP, CPA, CFE, CFF, attorney at Baird Holm LLP, (402) 334-0500 or bkardell@bairdholm.com. Bob is a member of the Technology and Intellectual Property Section of Baird Holm LLP specializing in cybersecurity and breach response. Bob is also a retired FBI Special Agent with over 27 years of fraud and investigative experience.
