While not nearly as significant or prescriptive as the Massachusetts Privacy Protection regulation, 201 CMR 17.00, it is a step in the right direction for Kentucky as the Senate struggles to approve legislation that would cover the nation.
Kentucky Gov. Steve Beshear signed H.R. 232 on April 10, 2014, making the Commonwealth the 47th state to enact a data breach notification law. The law also limits how cloud service providers can use student data. A breach notification law in New Mexico may follow shortly.
The Kentucky law follows the same general structure of many of the breach notification laws in the other states:
A breach of the security of the system happens when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky. The law refers only to “acquisition,” not to “access,” and appears to have a risk-of-harm trigger.
The notification required under the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
Notice may be provided in writing and can be provided electronically if the E-Sign Act requirements are met. For larger breaches, the law also contains substitute notice provisions similar to those in other states.
The law is designed to protect student data at educational institutions, public or private, including any administrative units, that serve students in kindergarten through grade twelve when stored in the “cloud”. We may see more of these kinds of laws, particularly in light of the Fordham Law School study on the topic. For purposes of this law, “student data” means any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services. Student data includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student.
Cloud providers serving these institutions in Kentucky need to be aware of this law not only so they can take steps to comply, but because it requires the providers to certify in their services contracts with the educational institutions that the providers will comply with this new law.