Kentucky Governor Steve Beshear signed a data breach notification bill on April 10, adding Kentucky to the ranks of U.S. states requiring notice to individuals in the event of a data breach and leaving Alabama, New Mexico and South Dakota as the only states that do not require such notice.
Kentucky’s data breach notification bill (HB 232) is formulated similarly to other state data breach notification laws. Notice to individuals by an “information holder” is required when there is “unauthorized acquisition of unencrypted and unredacted computerized data” that includes an individual’s name plus their social security number, driver’s license number or financial account information that would permit access to an individual’s financial account. The statute requires notice when the information holder reasonably believes that the unauthorized acquisition has caused or will cause identity theft or fraud against any Kentucky resident.
In addition to the data breach requirements, Kentucky’s bill included an amendment targeted at services that provide cloud computing to educational institutions that raises novel and fundamental issues. The amendment defines a cloud computing service as one that “provides, and is marketed and designed to provide, an educational institution with account-based online access to online computing resources.” These providers are prohibited from processing “student data” for any purpose “other than providing, improving, developing or maintaining the integrity of its cloud computing services” without express permission from the student’s parent. Specifically, the cloud computing services are prohibited from using student data to advertise, facilitate advertising or “to create or correct an individual or household profile for any advertisement purpose” or to sell or process student data for any commercial purpose.
“Student data” is limited to the “information or material, in any medium or format, that concerns a student and is created or provided by the student in the course of the student’s use of cloud computing services, or by an agent or employee of the educational institution in connection with the cloud computing services.” This data includes the student’s personally identifying information, as well as documents and photos. As educational institutions and their service providers digest the new law, they may need to make changes in their service delivery to maintain compliance.