New Law Limits Cloud Service Providers’ Collection of Student Data
Kentucky is the 47th state, along with the District of Columbia, Guam, Puerto Rico and the Virgin Islands, to enact a data breach notification law requiring business entities to notify individuals of security breaches involving personally identifiable information. Kentucky’s law also aims to protect student data by imposing new limits on cloud service providers.
House Bill 232, signed into law by Governor Steve Beshear earlier this month, requires any entity transacting business in Kentucky that reasonably believes a data breach has caused or will cause identity theft or fraud to notify all affected Kentucky residents whose personally identifiable information is or may be compromised.[1] The Kentucky law defines personally identifiable information as “an individual’s first name or first initial and last name” in combination with one of the following three elements: (1) Social Security number; (2) driver’s license number; (3) account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account.[2]
According to the new Kentucky law, in the event of a data breach, written or electronic notice must be provided “in the most expedient time possible and without unreasonable delay.” Notification may be delayed, however, if law enforcement determines that notification would impede a related criminal investigation.[3] If the number of notifications exceeds 1,000 individuals, notice must also be provided to the major credit reporting agencies.[4]
While Kentucky’s data breach notification requirements are fairly typical compared to other states, the law imposes a relatively unheard-of restriction on cloud computing service providers. The new law regulates cloud computing service providers’ storage of educational institution student data for students in kindergarten to grade twelve. Student data includes the student’s “name, email address, email messages, postal address, phone number, and any documents, photos or unique identifiers relating to the student.”[5] Section 2 of House Bill 232 prohibits cloud computing service providers from processing student data “for any purpose other than providing, improving, or maintaining the integrity of its cloud computing services” without express parental permission.[6] The law permits limited disclosure for the purpose of assisting an educational institution with research, as permitted by the Family Educational Rights and Privacy Act of 1974 (“FERPA”).[7] The law further prohibits the use of student data in advertising or the sale of student data for any commercial purpose.[8] In addition, any cloud computing service provider working with an educational institution serving students in kindergarten to grade twelve must “certify in writing” to the institution that it will comply with the provisions of Section 2.[9] This new restriction on cloud computing service providers demonstrates a continuing trend toward increased protection of the personal information of minors.
Kentucky’s new law leaves only three other states—Alabama, South Dakota and New Mexico—without data breach notification laws, and proposed legislation in New Mexico was introduced earlier this year and recently passed the state House of Representatives.[10] New Mexico’s proposed law, if it passes, will impose rigorous timing requirements for notice to affected residents and the New Mexico Attorney General. Specifically, the proposed law requires notification to affected individuals within 10 days of discovering the incident and, if more than 50 New Mexico residents are impacted, requires notification to the New Mexico Attorney General within 10 days.[11] Unlike many state data breach notification laws, the proposed New Mexico law provides for a private right of action for individuals to recover costs associated with the data breach and statutory damages.[12]
While recent high-profile breaches have brought discussions of a potential federal breach notification law back to the forefront, states appear poised to continue to regulate in this area and are imposing increasingly strict standards on businesses that maintain personal information of their residents. To assist with the increasing challenge of complying with the myriad state data breach notification laws, clients should implement comprehensive incident response plans to ensure that internal policies and procedures allow the company to respond quickly and efficiently to a data security incident. Clients should also provide frequent training of all employees so that all members of the organization are on the lookout for potential breaches and know what to do in the event of a data security incident.