Kentucky Gov. Steve Beshear signed H.R. 232 on April 10, 2014, making the Commonwealth the 47th state to enact a data breach notification law. The law also limits how cloud service providers can use student data. A breach notification law in New Mexico may follow shortly.
Data Breach Notification Mandate
The Kentucky law follows the same general structure of many of the breach notification laws in the other states:
- A breach of the security of the system happens when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky. The law does not refer to “access” only acquisition, and appears to have a risk of harm trigger.
- The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach if the personally identifiable information is not used or subject to further unauthorized disclosure.
- “Personally identifiable information” means an individual’s first name or first initial and last name in combination with the individual’s (i) Social Security number, (ii) Driver’s license number; or (iii) Account number, credit or debit card number, in combination with any required security code, access code, or password permit access to an individual’s financial account.
- The notification required under the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
- Notice may be provided in writing and can be provided electronically if the E-Sign Act requirements are met. For larger breaches, the law also contains substitute notice provisions similar to those in other states.
- If notification is required to more than 1,000 Kentuckians at one time under this law, all nationwide consumer reporting agencies and credit bureaus also must be notified of the timing, distribution and content of the notices. However, the law does not require the Kentucky Attorney General to be notified of the incident, as is the case in a number of other states such as California, Maryland, Massachusetts, New Hampshire, and New York.
- The law excludes persons and entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA). Of course, covered entities, business associates and certain vendors have their own breach notification requirements.
Protections for Student Data In the Cloud
The law is designed to protect student data at educational institutions, public or private, including any administrative units, that serve students in kindergarten through grade twelve when stored in the “cloud”. We may see more of these kinds of laws, particularly in light of the Fordham Law School study on the topic. For purposes of this law, “student data” means
any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services. Student data includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student.
Cloud providers serving these institutions in Kentucky need to be aware of this law not only so they can take steps to comply, but because it requires the providers to certify in their services contracts with the educational institutions that the providers will comply with this new law.
Specifically, the law prohibits cloud computing service providers from “processing student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent.” Processing is defined pretty broadly, it means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate, or dispose of student data.”
While the provider may assist an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974, also known as “FERPA,” it may not use the data to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose.” Finally, the provider may not sell, disclose, or otherwise process student data for any commercial purpose.