
Data Security Best Practice Guidelines

Published: 12/20/2018 10:23 AM

Data Breach Best Practice Guidelines

In 2006, the Kentucky General Assembly passed House Bill 341, which mandated that the Kentucky Department of Education (KDE) conduct a study of the requirements for data security and of the notification process to follow when a data breach occurs. Since that legislation, both the threat and the occurrence of data breaches have only increased.

While the House Bill 341 study has remained an effective cornerstone of guidance, new legislation (KRS 61.931, et seq. or "House Bill 5") has added clarity, definition, and direction.

This Act concerns the protection of personal information and applies to every state agency, including KDE, every public school district, and every vendor with which we have contracts. While this document incorporates best practices that we are all encouraged to follow, it also incorporates the "have to" actions required by KRS 61.931, et seq. (HB5).
Data Security and Breach Notification Best Practice Guide.doc 

The Trusted Learning Environment Seal
Developed by the Consortium for School Networking (CoSN), the Trusted Learning Environment (TLE) seal defines many characteristics of a secure learning environment and provides a way for school districts to demonstrate the efforts they take to protect student data. These characteristics cover leadership, the business and technology offices, the classroom and professional development. These characteristics will be added to the Data Security and Breach Notification Best Practice Guide at its next update.

To download a document from the TLE website listing the best practices and examples of evidence required to obtain the seal click here.

To learn more about the TLE seal click here.

Updates to the Data Breach Best Practice Guide

The Data Security and Breach Notification Best Practice Guide has been incorporated by reference into 702 KAR 1:170. As a result, changes or updates to the guide are restricted unless the KAR is formally opened for revision. Because the revision process typically takes several months, potential updates to the guide will be collected on this webpage and added at the time of the next revision.


Agency Data Breach Contact (last updated August, 2016)

When a data breach notification form is sent to the KDE Data Breach Notification distribution list, the following agencies and contacts receive the form:
  1. Kentucky Department of Education
    Hackworth, Robert robert.hackworth@education.ky.gov
  2. Attorney General's Office
    Winstead, Kevin (KYOAG) kevin.winstead@ky.gov
  3. Auditor of Public Accounts
    Carlin, Libby (APA) libby.carlin@ky.gov
  4. Finance and Administration Cabinet
    Bishop, Cary (Finance OGC) cary.bishop@ky.gov
  5. Kentucky State Police
    Bradly, John (KSP) john.bradley@ky.gov
  6. Kentucky Department of Library and Archives
    Casey-Goode, Georgiana (KDLA) georgiana.casey-good@ky.gov
  7. Commonwealth Office of Technology
    Carter, David (COT) DavidJ.Carter@ky.gov

Guide to Top Secret Personal Information and Data Breach Awareness

Created in response to district requests, this short guide briefly describes how Kentucky's recent privacy and data breach laws define personal information, as well as the four most common types of data breach and how to prevent them.

Top Secret Information and Data Breach Awareness for Teachers 3.0

Security Guideline for Kentucky K-12 School Districts

This document establishes a standard security guideline for Kentucky K-12 school districts.

Security Best Practice.doc  Security Best Practices.pdf

District Planning Guide for Disaster Recovery

This Planning Guide is a high-level checklist intended to assist Kentucky's public schools in creating effective disaster recovery plans.


Robert Hackworth
Office of Knowledge, Information and Data Services
Division of Engineering and Management Services
300 Sower Blvd., 4th Floor
Frankfort, KY 40601
502-564-2020 ext. 2436
Fax: 502-564-1519

What is Personal Information (PI)?

KRS 61.931 (HB5) states that "Personal Information" means an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:
 
  • ​An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;
  • A Social Security number;
  • A taxpayer identification number that incorporates a Social Security number;
  • A driver's license number, state identification card, or other individual identification number issued by any agency;
  • A passport number or other identification number issued by the United States government; or
  • Individually identifiable health information as defined in 45 C.F.R. sec. 160.103 except for education records covered by the Family Educational Rights and Privacy Act, as amended 20 U.S.C. sec. 1232g.
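The definition above is a combination rule: an identifier (name, personal mark or biometric) plus at least one listed data element. When scoping a breach, the practical question is whether an exposed file actually meets that rule. The following scanner is an added example written for this page, not KDE's code or anything the guide prescribes; it applies the KRS 61.931 rule to a table of records, detecting data elements by column header and, independently, by value pattern (SSN format, payment card numbers with a valid Luhn check digit) so that sensitive data under an innocuous header is still caught. It also honors the statute's nuance that an account number counts only when paired with a code that would permit access. Column names, keyword lists, thresholds and all sample rows are constructed assumptions for the example; it does not attempt the FERPA education-record carve-out for health information, which needs a human decision.

```python
"""Breach-scoping helper: does an exposed dataset meet the KRS 61.931
definition of personal information?  Added example; not KDE's code.
"""
import re
from typing import Callable, Dict, List, Sequence

# SSN format: 3-2-4 digits, optional dashes, excluding never-issued ranges.
SSN_RE = re.compile(r"^(?!000|666|9\d\d)\d{3}-?(?!00)\d{2}-?(?!0000)\d{4}$")
# Payment card PANs are 13-19 digits; the Luhn check weeds out most random digit runs.
CARD_RE = re.compile(r"^\d{13,19}$")

# Header keywords -> statutory data element (assumed vocabulary, not from the statute).
HEADER_ELEMENTS = [
    ({"ssn", "social"}, "Social Security number"),
    ({"tin", "taxpayer"}, "taxpayer identification number"),
    ({"driver", "license", "dl"}, "driver's license or state ID number"),
    ({"passport"}, "passport number"),
    ({"card", "pan"}, "credit or debit card number"),
    ({"diagnosis", "medical", "health"}, "individually identifiable health information"),
]
# An account number is PI only together with something that permits access to it.
ACCESS_TOKENS = {"pin", "password", "passcode", "cvv", "securitycode"}


def luhn_ok(digits: str) -> bool:
    """Luhn check digit validation used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_ssn(value: str) -> bool:
    return bool(SSN_RE.match(value.strip()))


def looks_like_card(value: str) -> bool:
    digits = re.sub(r"[ -]", "", value.strip())
    return bool(CARD_RE.match(digits)) and luhn_ok(digits)


def column_matches(values: Sequence[str], pred: Callable[[str], bool], threshold: float = 0.8) -> bool:
    """True when most non-empty values in a column satisfy pred (threshold is an assumption)."""
    vals = [v for v in values if v and v.strip()]
    return bool(vals) and sum(1 for v in vals if pred(v)) / len(vals) >= threshold


def header_tokens(header: str) -> set:
    return set(re.split(r"[^a-z0-9]+", header.lower())) - {""}


def has_identifier(headers: Sequence[str]) -> bool:
    """Name element: a full-name column, or a first-name/initial column plus a last-name column."""
    toks = [header_tokens(h) for h in headers]
    if any(t == {"name"} or t >= {"full", "name"} or t >= {"student", "name"} for t in toks):
        return True
    has_first = any(t >= {"first", "name"} or t >= {"first", "initial"} for t in toks)
    has_last = any(t >= {"last", "name"} for t in toks)
    return has_first and has_last


def classify(headers: Sequence[str], rows: Sequence[Sequence[str]]) -> Dict[str, object]:
    """Report which statutory data elements are present and whether the dataset is PI."""
    cols: Dict[str, List[str]] = {h: [r[i] for r in rows] for i, h in enumerate(headers)}
    elements: List[str] = []

    def add(label: str) -> None:
        if label not in elements:
            elements.append(label)

    for header, values in cols.items():
        toks = header_tokens(header)
        for keywords, label in HEADER_ELEMENTS:
            if toks & keywords:
                add(label)
        # Value-based checks catch SSNs or PANs hiding under a misleading header.
        if column_matches(values, looks_like_ssn):
            add("Social Security number")
        if column_matches(values, looks_like_card):
            add("credit or debit card number")

    account_col = any("account" in header_tokens(h) for h in cols)
    access_col = any(header_tokens(h) & ACCESS_TOKENS for h in cols)
    if account_col and access_col:
        add("account number with access code")

    identifier = has_identifier(headers)
    return {"identifier": identifier, "elements": elements, "is_pi": identifier and bool(elements)}


# Constructed sample: a lunch-account export where a "guardian_id" column actually holds SSNs.
SAMPLE_HEADERS = ["student_id", "first_name", "last_name", "lunch_account", "pin", "guardian_id"]
SAMPLE_ROWS = [
    ["KY1001", "Ada", "Lovelace", "8823341", "4471", "078-05-1120"],
    ["KY1002", "Alan", "Turing", "8823342", "9930", "219-09-9999"],
]

if __name__ == "__main__":
    print(classify(SAMPLE_HEADERS, SAMPLE_ROWS))
```

Run against the constructed sample, the scanner reports two elements (the SSNs found by value, and the lunch account number because a PIN column sits beside it), so the export is personal information under the statute. A roster holding only a student ID, name and grade reports no element and is not PI, which is the point the SSID discussion below makes.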


Are State Student Identifiers (SSID) Confidential?

An SSID is generated when a "new" student is enrolled at the local school district, so that a unique identifier exists across district instances of the Kentucky Student Information System (KSIS). As such, it has no value beyond serving as a unique identifier, unlike multi-use IDs such as Social Security numbers, credit card numbers, or taxpayer ID numbers. Exposure of an SSID, while not encouraged, is not expected to create a likelihood of harm to a person, even when combined with a name.
The Family Policy Compliance Office, which is responsible for administering FERPA, has stated that a student identification number can be considered directory information, "but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student's identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student or authorized user."
When using an SSID to request assistance, KDE still encourages sending it without any other identifiers whenever possible.
