On April 10, 2014, Kentucky Governor Steve Beshear signed H.B. 232 into law, making Kentucky the 47th state to enact data breach notification legislation. Prior to H.B. 232, Kentucky was one of only four states—along with Alabama, New Mexico, and South Dakota—that had not adopted data breach notification legislation. H.B. 232 also includes a separate section addressing the protection and processing of student data by cloud computing service providers.
Data Breach Notification
A summary of H.B. 232’s data breach notification provisions, which generally mirror the statutes enacted in the other 46 states, as well as the District of Columbia, Guam, Puerto Rico, and the Virgin Islands, is provided below.
H.B. 232 covers “personally identifiable information,” which is defined as an individual’s first name or first initial and last name in combination with one or more of the following data elements when the name or data element is not redacted: (1) Social Security number; (2) driver’s license number; or (3) account number, credit or debit card number in combination with any required security code, access code, or password that would permit access to an individual’s financial account. H.B. 232 does not apply to paper records—only unencrypted, unredacted computerized data.
H.B. 232 applies to an “information holder,” which is defined as any person or business entity that conducts business in Kentucky. H.B. 232 does not apply to any person or entity subject to Title V of the Gramm-Leach-Bliley Act, any person or entity subject to HIPAA, or any Kentucky agencies, local governments, or political subdivisions. In addition, any information holder that maintains its own notification procedures as part of an information security policy that is otherwise consistent with H.B. 232’s timing requirements is deemed to be in compliance with H.B. 232 so long as affected residents are notified in accordance with the policy.
Notification under H.B. 232 is triggered on a “risk of harm” basis. Specifically, H.B. 232 defines a “breach of the security of the system” as the unauthorized acquisition of unencrypted, unredacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained by the information holder as part of a database regarding multiple individuals that causes or leads the information holder to believe has caused or will cause identity theft or fraud against a Kentucky resident. Upon notification or discovery of a breach of the security of the system, an information holder must notify any resident of Kentucky whose unencrypted information was or is reasonably believed to have been acquired by an unauthorized person.
Notification Content and Method
H.B. 232 does not include any specific notification content requirements. Notification may be provided in writing or, if the information holder can demonstrate that the cost of providing notice would exceed $250,000, that the number of individuals to be notified exceeds 500,000, or that it does not have sufficient contact information for those affected, via substitute notice, which must include e-mail notification if the information holder has e-mail addresses for the affected individuals, a conspicuous posting regarding the incident on the information holder’s website, and notification to major statewide media.
Notification should occur “in the most expedient time possible and without unreasonable delay,” subject to the legitimate needs of law enforcement and any measures necessary to determine the scope of the breach and restore the reasonable integrity of the data system.
H.B. 232 does not require notification to the Kentucky Attorney General or any other state regulatory authority. However, if the information holder discovers circumstances requiring notification of more than 1,000 persons at one time, consumer reporting agencies must be notified without unreasonable delay.
Protections for Student Data in the Cloud
Section 2 of H.B. 232 is intended to address ongoing debate regarding how cloud computing service providers, such as Google, Facebook, or Microsoft, should handle the increasing amount of student data school districts maintain in the cloud, particularly in light of recently published findings from a Fordham Law School study highlighting security risks to cloud-based student data.
Specifically, Section 2 of H.B. 232 prohibits cloud computing service providers from processing “student data” for any purpose other than providing, improving, developing, or maintaining the integrity of their cloud computing services unless they receive express permission from the student’s parent. H.B. 232 also prohibits cloud computing service providers from using student data in advertising and from selling, disclosing, or otherwise processing student data for any commercial purpose. “Student data” is defined broadly as any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services or by an employee or agent of an educational institution, including a student’s name, e-mail address, e-mail messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student. The term “processing” is also defined broadly to include use, access, collection, manipulation, scanning, modification, analysis, transformation, disclosure, storage, transmission, aggregation, or disposal of student data. H.B. 232 does allow cloud computing service providers to assist educational institutions with research permitted under FERPA.