Kentucky has become the 47th state in the nation to enact a data breach notification law. H.R. 232, signed by Governor Steve Beshear on April 10, 2014, requires companies to notify residents of the Bluegrass State of security breaches of information involving their personally identifiable information. The new law also limits how cloud service providers can use student data.
New Mexico is poised to be the next to enact a breach notification law. The New Mexico House of Representatives unanimously passed a data breach notification bill on February 17, 2014. Alabama, New Mexico and South Dakota are the three states without a law requiring notification of security breaches involving personal information.
Data Breach Notification
Following the same general structure as the breach notification laws in other states, the Kentucky law provides that:
- A breach of the security of a data system occurs when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky. The law refers to acquisition, not “access,” and appears to have a “risk of harm” trigger.
- The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach if the personally identifiable information is not used or subject to further unauthorized disclosure.
- “Personally identifiable information” means an individual’s first name or first initial and last name in combination with the individual’s (i) Social Security number, (ii) driver’s license number, or (iii) account number, credit or debit card number, in combination with any required security code, access code or password that permit access to an individual’s financial account.
- Notification must be made as expediently as possible, without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
- Notice may be provided in writing and can be provided electronically under the E-Sign Act. Similar to other state breach notification laws, the Kentucky law provides that substitute notice may be made under certain circumstances (e.g., if the information holder demonstrates that the affected class of subject persons to be notified exceeds 500,000).
- If notification is required to more than 1,000 Kentuckians at one time, all nationwide consumer reporting agencies and credit bureaus also must be notified of the timing, distribution and content of the notices. However, the law does not require the Kentucky Attorney General be notified of the incident, as is the case in such states as California, Maryland, Massachusetts, New Hampshire and New York.
- Persons and entities subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA) are exempted from coverage. Of course, other breach notification requirements are applicable to covered entities, business associates and certain vendors.
Protections for Student Data
The law is designed to protect student data at educational institutions, public or private, including any administrative units, that serve students in kindergarten through grade 12 when the data is stored in the “cloud” or online computing resources. In light of the Fordham Law School study finding a significant portion of the country’s public schools stores or handles student data in the cloud, similar laws likely will be enacted.
For purposes of the Kentucky law, “student data” means:
any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services. Student data includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student.
Cloud providers subject to the Kentucky law must certify in their services contracts with educational institutions that the providers will comply with the new law.
The law prohibits cloud computing service providers from “processing student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent.” Defined broadly, “processing” means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate, or dispose of student data.”
While the provider may assist an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974 (“FERPA”), it may not use the data to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose.”
Finally, the provider may not sell, disclose, or otherwise process student data for any commercial purpose.