About Us | Contact Us
View Cart

From Arizona to Wyoming: An Inventory of State Laws

By Vigilize | Monday, February 17, 2020 - 2 Comments

What do you need to be compliant in your state?


An article review.


ServIcons_ITAudit_01

One subprocess to incident response many of our banking Clients are currently wrestling with is how to address customers living in “other states.” If we’re on the border between Indiana and Ohio, we already know the laws of these two states and have incorporated these laws into our incident response plans (and fortunately both states exempt banks from compliance.) But what if we have one customer who resides in Florida? Alaska? Rhode Island?

We have found an inventory of state laws that seems to be rather current. It is actually a subset of a larger guidance document about FERPA, something our school Clients are concerned with, so we have excerpted just the inventory for our bank Clients:

Arizona: SB1450, HB2088, SB1314 – Requires consent from students before providing information to military recruiters, and prohibits targeted advertising based on student data.
Arkansas: HB1241, HB1961 – Prohibits massing public school student profiles for certain purposes, or selling covered information.
California: SB1177, SB244 – Prohibits the collection of personally identifiable information for advertising purposes, and specifies requirements for disclosing data breaches.
Colorado: HB1294, HB1423 – Requires the state to create a data security plan, prohibits the collection of health records and biometric information.
Connecticut: HB5469, HB7207, HB5170, HB5444 – Prohibits school employees for taking custody of a student’s mobile electronic device to access data, requires breach notification procedures.
Delaware: SB79, SB208 – Requires service providers to implement security procedures, and limits disclosure of student records.
Florida: SB188, HB501, HB731 – Prohibits storing personally identifiable information for home schooled students, prohibits including social security numbers or other personal information in school databases.
Georgia: SB89 – Prohibits service providers from using data for commercial purposes.
Hawaii: SB2607 – Limits the way providers who work with the Department of Education can store and use student data.
Idaho: SB1372 – Requires the state to develop a data security policy, and limits the disclosure of student records.
Indiana: 
HB 1003 – Requires compliance with FERPA and implements a data security plan including breach, retention and disposition procedures.
Illinois: SB 887, SB 1796 – Prohibits providing personally identifiable information on individual students, except in specific cases as specified by FERPA.
Iowa: HF2354 – Prohibits targeted advertising of students, and the sale of personal information.
Kansas: SB367, HB2008, HB2209 – Requires the state to purchase cybersecurity insurance, prohibits targeted advertising and the disclosure of personal information to third parties. 
Kentucky:
HB 232 – Requires notification of any breach of personally identifiable information, limits data storage in the cloud and prohibits use of student data for advertising or other commercial purposes.
Louisiana: HB340 – Prohibits schools from requesting login information from students for social media and other sites.
Maine: LD678, LD1616 – Regulates the use of social security numbers and other personal information, requires disclosure of breaches.
Maryland: SB1165, HB568 – Requires the Board of Education to create best practices regarding the use of student data.
Michigan: S33, SB510 – Prohibits the use of targeted advertising at students, prohibits the sale of information from the permanent records of students.
Missouri: HB1490 – Mandates the state create rules on data accessibility and accountability, and requires compliance with FERPA.
Montana: HB745 – Places restrictions on how student data can be used and disclosed, by school districts and third parties.
Nebraska: LB262, LB512 – Regulates access to student records and mandates the destruction of discipline data after graduation.
Nevada: SB463, AB221 – Regulates targeted advertising to students, and the release of student records and other personal information.
New Hampshire: HB1587, HB206 – Regulates release of student data to testing agencies and other third parties, requires the disclosure of breaches.
New York: SB6356 – Regulates the storage and disclosure of personally identifiable information, and establishes a parents’ bill of rights regarding student records.
North Carolina: SB815, HB1030 – Establishes penalties for education institutions that misuse personal data, and requires compliance with FERPA.
North Dakota: SB2295 – Requires data inventories and regulations on what data is collected and how it can be accessed.
Ohio:
 HB 487 – Requires annual reporting of breach related incidents, safeguards for confidentiality and allows for sanctions against districts which fail to protect personally identifiable information.
Oregon: HB2655, SB187 – Requires rules to be developed regarding when records can be transferred by a school, prohibits the use of student data for commercial or other secondary purposes.
Rhode Island: HB7124 – Prohibits schools from requiring students to provide login data for social media and other sites, requires compliance with FERPA.
South Dakota: SB63 – Mandates the creation of a uniform system to report on the use of educational data, prohibits the collection of lifestyle data on students.
Tennessee: SB1835, HB4046 – Regulates the use of data collected for standardized testing, regulates the disclosure of personally identifiable information and prohibits targeted advertising.
Texas: HB4046, HB2087 – Restricts the use of student records, and requires school districts to create a cybersecurity infrastructure. Requires compliance with FERPA.
Utah: HB163, SB204 – Requires notification in the event of a breach of personally identifiable information, requires schools to establish cybersecurity and data security policies.
Washington: SB5419 – Requires service providers to have clear privacy policies and requires notification of policy changes.
West Virginia: HB4316, HB4261 – Prohibits the transfer or sale of student records to a third party, requires compliance with FERPA and mandates the creation of a cybersecurity policy.
Wyoming: HB0008, HB0009 – Establishes an expectation of privacy act for student records, limits the transfer or disclosure of student data.

 


Original article by FERPA Sherpa, a project of the Future of Privacy Forum.


same_strip_012513


 

2 Responses to “From Arizona to Wyoming: An Inventory of State Laws”

Comment from Roger Chalkley
Time 02/18/2020 at 3:11 pm

Please find a listing for your financial bank customers! This list would be fantastic!

Comment from Roger Chalkley
Time 02/21/2020 at 1:54 pm

I would be afraid to use this listing from states that only talks about student privacy. Are you saying what schools need to do is identical to financial banks?

Latest News
    You’ve heard it from every MSSP you’ve met: the definition of a SIEM is in the eye of the beholder. But at infotex, we are not talking about the database – an asset whose definition is continuously evolving. We’re talking about the way three teams collaborate in an overall Technology Risk Monitoring process. And whether […]
    A new study shows organizations are responding to cyber attacks faster than ever, so why is that bad news? An article review. When it comes to cyber attacks, the sooner an organization can begin to respond to an attack the better, so the results of a new study showing a drop in the amount of […]
    …a Crash Course of Security Measures The first article by Sara Fultz, Creative Assistant of infotex! Introduction: As the managing partner of infotex, I am proud to introduce the “debut article” for Sara Fultz.  I told Sara “write an article showing us what you’ve learned that the technical staff will appreciate.” As I read her […]
    infotex Programming Coordinator, Michael Hartke, introduces a high level overview of the upcoming update to the infotex SIEM. Look for more movies in the coming months informing our Clients, and those just now learning about us, about the SIEM and its features and functions.
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around your office.  
    As the investigation of the SolarWinds Hack was ongoing, another hack stole some of the limelight… This is the final update on the SolarWinds hack unless a major development comes to light. You can see the previous article here: “Autopsy of the SolarWinds Hack Update“. One of the largest cyber-espionage campaigns in the history of […]
    Employees working from home may find it more difficult to follow security policies… An article review. The surge in employees working from home during the pandemic created many headaches for IT departments around the world, many of whom had no telecommuting policies or procedures before the start… but what about the employees who had to […]
    A Webinar-Movie infotex presents the 2021 update of a previously released webinar presented by our Lead Non-Technical Auditor, Adam Reynolds. This movie-short is intended for those who are planning to participate in an infotex Incident Response Test. Not sure about the importance of an Incident Response Test? Check out onetest.infotex.com for more information! Please let […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS INFOTEX PROMOTES BRYAN BONNELL TO DIGITAL MEDIA MANAGER infotex, the Managed Security Service Provider, announced Bryan Bonnell’s promotion from Senior Data Security Analyst to Digital Media Manager.  “He will continue his normal DSA duties on a limited basis, because we want everybody to stay in touch with […]
    PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS RYAN HENSLER OF INFOTEX, EARNS CISSP CERTIFICATE Ryan Hensler, Senior NOC Associate of infotex, Inc., recently received the CISSP certification. “Ryan has proven himself to be a seasoned security professional both in his work for infotex and now through achieving this certification.” said Sean Waugh, Information Security Officer. […]