Kentucky Finally Jumps on the Breach Notice Bandwagon, and Adds a Cloud Computing Twist

By Jennifer Daniels

Security Breach Notice

Until last week, Kentucky was one of only four states that had not enacted a security breach notice law. On April 10, 2014, Kentucky adopted HB 232, a law that is pretty standard as it relates to security breach notice obligations. It applies to companies doing business in Kentucky, but includes an exception for information holders that have separate security breach notice obligations under Gramm-Leach-Bliley or HIPAA. “Personally identifiable information” includes first name or initial and last name, in combination with social security number, driver’s license number, or account number, credit or debit card number, in combination with any required access code. So, Kentucky has not gone so far as to include health information or generic password information as personal information. Under the statute, notice is triggered by an unauthorized acquisition of unencrypted and un-redacted computerized data that compromises the security, confidentiality, or integrity of personally identifiable information maintained in a database regarding multiple individuals that actually causes “or leads the information holder to reasonably believe has caused or will cause” identity theft or fraud against any resident of Kentucky. So, as with many other state security breach notice laws, businesses suffering a security incident will need to contemplate whether it is reasonable to believe that the incident could lead to identity theft or fraud. Keep in mind, when evaluating a security incident and whether to notify individuals, that if your business determines that the incident will not likely result in identity theft or fraud, it is important to document your decision-making process. Under the new law, Kentucky does not require notice of a breach within a specified timeframe, but rather requires notice in the most expedient time possible and without unreasonable delay.

Cloud Computing of Student Data

At the end of 2013, Fordham Law School published a study finding that the contracts that schools enter into with service providers are weak in terms of privacy protections for student information shared with such service providers. According to the study, many schools do not contractually prohibit their vendors from selling or using personal information about students for marketing purposes. Schools have begun to use more and more digital learning programs, and without prohibitions on the nonacademic use of the information collected through such programs, there is a concern that such information may be made available to colleges or future employers without the knowledge or consent of the student or the parents.

To address the concerns around the data-mining of student information, Kentucky has now made it illegal for a cloud services provider to process K-12 student data for any purpose other than providing, improving, developing, or maintaining the integrity of its cloud computing service, unless the parent consents to such processing. Kentucky HB 252 provides: “A cloud computing service provider shall not in any case process student data to advertise or facilitate advertising or to create or correct an individual or household profile for any advertisement purpose, and shall not sell, disclose, or otherwise process student data for any commercial purpose.” The statute defines “student data” as “any information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services.” The term includes the student’s name, email address, email messages, postal address, phone number, and any documents, photos, or unique identifiers relating to the student. Accordingly, the definition is very broad. It is not clear whether a cloud provider would run afoul of the Kentucky statute if it analyzed aggregate, de-identified information for marketing purposes, in particular because the act of creating aggregate data is itself a form of processing. In addition, the definition of a “cloud computing service provider” under the statute is broad, including any person that operates a service that provides an educational institution with account-based access to online computing resources.

Cloud service providers must certify to Kentucky K-12 educational institutions that they will comply with the provisions of HB 252.