Client Information Security Helping Organizations Protect Private Client Data


Kentucky Becomes 47th state with Data Breach Notification Law

Kentucky Governor Steve Beshear signed H.R. 232 into law in April 2014, making Kentucky the 47th state to enact a Data Breach Notification Law. The law also restricts how Cloud Service Providers may use student records/information.

The Kentucky Data Breach Notification Law follows the same general structure as many of the Data Breach Notification Laws in other states:

A breach of the security of the system occurs when there is unauthorized acquisition of unencrypted and unredacted computerized data that compromises the security, confidentiality, and/or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals, and that actually causes, or leads the information holder to reasonably believe has caused or will cause, identity theft or fraud against any resident of Kentucky.

The law refers only to “acquisition,” not “access,” and appears to include a risk-of-harm trigger.

“Personally Identifiable Information” means an individual’s first name or first initial and last name in combination with the individual’s (i) Social Security Number, (ii) Driver’s license number or (iii) Account number, (iv) credit/debit card number, in combination with any required security code, access code or password that would permit access to an individual’s financial account.

The good faith acquisition of personally identifiable information by an employee or agent of the information holder for the purposes of the information holder is not a breach if the personally identifiable information is not used or subject to further unauthorized disclosure.

The notification required by the law must be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement or any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.

Notice may be provided in writing and can be provided electronically if the E-Sign Act requirements are met.

For larger breaches, the law also contains substitute notice provisions similar to those in other states.

If notification is required to more than 1,000 Kentuckians at one time under this law, all nationwide consumer reporting agencies and credit bureaus must also be notified of the timing, distribution and content of the notices.

However, the law does not require the Kentucky Attorney General to be notified of the incident, as is the case in a number of other states such as California, Maryland, Massachusetts, New Hampshire and New York.

The law exempts persons and entities that are subject to Title V of the Gramm-Leach-Bliley Act of 1999 and the Health Insurance Portability and Accountability Act of 1996 (HIPAA).

Covered entities, business associates and certain vendors have their own breach notification requirements.

Safeguards for Student Records in the Cloud:

The law helps protect student records/information at educational institutions, public and private, including any administrative entities that serve students in kindergarten through twelfth grade, when that information is stored in the “Cloud.” We can expect to see more laws of this kind, particularly in light of the Fordham Law School study on the topic.

For purposes of this law, “student data/record” means –

Any data/material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of Cloud Computing Services, or by an agent or employee of the educational institution in connection with the Cloud Computing Services.

Student information includes that student’s name, postal address, email address and messages, phone number, documents, photos or unique identifiers.

Cloud Providers serving these institutions in Kentucky need to be aware of this law not only so they can take the necessary steps to comply, but because it requires the Providers to certify in their service agreements with the educational institutions that the Providers will comply with this law.

Specifically, the law forbids Cloud Computing Service Providers from –

“Processing student information for any purpose other than providing, improving, developing or maintaining the integrity of its cloud computing services, unless the provider receives express permission from the student’s parent.”

The word ‘Processing’ is defined broadly and means to “use, access, collect, manipulate, scan, modify, analyze, transform, disclose, store, transmit, aggregate or dispose of student data.”

While the provider may support an educational institution with certain research permitted under the Family Educational Rights and Privacy Act of 1974 (FERPA), it may not use the information to “advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement use.”

Providers may not sell, disclose or otherwise process student information for any commercial purpose.