Data Breach Best Practice Guidelines

Published: 4/28/2021 9:58 AM

In 2006, the Kentucky General Assembly passed House Bill 341, which mandated that the Kentucky Department of Education (KDE) conduct a study of the requirements for data security and of the notification process to follow when a data breach occurs. Since that legislation, the threat and occurrence of data breaches have only increased.

While the House Bill 341 study has remained an effective cornerstone of guidance, KRS 61.931 et seq. (House Bill 5 of 2015) added clarity, definition, and direction. The 2015 legislation concerns the protection of personal information and applies to every state agency, including KDE, every public school district, and every vendor with which state or local education agencies have contracts. The Data Breach Best Practice Guidelines document incorporates best practices and the mandatory ("have to") actions from KRS 61.931 et seq. (HB5).

Data breach guidance

  • Data Security and Breach Notification Best Practice Guide - In addition to the legal requirements, this document makes recommendations based on research and experience (best practice) for actions prior to and following a suspected or confirmed data breach.
  • Agency Data Breach Contacts (Rev. 1/2020) - When a data breach notification form is sent to the KDE Data Breach Notification distribution list, the following agencies and contacts receive the notification:
    1. Kentucky Department of Education - Hackworth, Robert
    2. Attorney General's Office - Winstead, Kevin (KYOAG)
    3. Auditor of Public Accounts - Schachtner, Andrew (APA)
    4. Finance and Administration Cabinet - Bishop, Cary (Finance OGC)
    5. Kentucky State Police - Marshall, Lucille (KSP)
    6. Kentucky Department of Library and Archives - Thomas, Charles E. (KDLA)
    7. Commonwealth Office of Technology - Carter, David (COT)

Are state student identifiers (SSIDs) confidential?

An SSID is generated when a "new" student is enrolled at the local school district, to ensure that a unique identifier exists across district instances of the Kentucky Student Information System (KSIS). As such, it has no value beyond being a unique identifier, unlike multi-use IDs such as Social Security numbers, credit card numbers, or taxpayer ID numbers. Exposure of an SSID, while not encouraged, is not expected to result in harm to a person, even when combined with a name.

More information about data privacy and security - The Family Policy Compliance Office, which is responsible for administering FERPA, has stated in the Family Educational Rights and Privacy Act regulations that a student identification number can be considered directory information, “but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student’s identity, such as a personal identification number (PIN), password, or other factor known or possessed only by the student or authorized user.”

KDE recommends that, when using an SSID to request assistance, districts not include additional identifiers if at all possible.

Security Guidelines for Kentucky K-12 School Districts webpage

See the Security Guidelines for Kentucky K-12 School Districts webpage for data security guidelines and resources.

KDE Data Privacy and Security webpage

See the KDE Data Privacy and Security webpage for more information.

What is Personal Information (PI)?

KRS 61.931 (HB5) states that "Personal Information" means an individual's first name or first initial and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:

  • An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;
  • A Social Security number;
  • A taxpayer identification number that incorporates a Social Security number;
  • A driver's license number, state identification card, or other individual identification number issued by any agency;
  • A passport number or other identification number issued by the United States government; or
  • Individually identifiable health information as defined in 45 C.F.R. sec. 160.103, except for education records covered by the Family Educational Rights and Privacy Act, as amended, 20 U.S.C. sec. 1232g.

Robert Hackworth
Office of Education Technology
Division of Engineering and Management Services
300 Sower Blvd., 4th Floor
Frankfort, KY 40601
502-564-2020 ext. 2436
Fax: 502-564-1519