About Us | Contact Us
View Cart

From Arizona to Wyoming: An Inventory of State Laws

By Vigilize | Monday, February 17, 2020 - 2 Comments

What do you need to be compliant in your state?


An article review.


ServIcons_ITAudit_01

One subprocess to incident response many of our banking Clients are currently wrestling with is how to address customers living in “other states.” If we’re on the border between Indiana and Ohio, we already know the laws of these two states and have incorporated these laws into our incident response plans (and fortunately both states exempt banks from compliance.) But what if we have one customer who resides in Florida? Alaska? Rhode Island?

We have found an inventory of state laws that seems to be rather current. It is actually a subset of a larger guidance document about FERPA, something our school Clients are concerned with, so we have excerpted just the inventory for our bank Clients:

Arizona: SB1450, HB2088, SB1314 – Requires consent from students before providing information to military recruiters, and prohibits targeted advertising based on student data.
Arkansas: HB1241, HB1961 – Prohibits massing public school student profiles for certain purposes, or selling covered information.
California: SB1177, SB244 – Prohibits the collection of personally identifiable information for advertising purposes, and specifies requirements for disclosing data breaches.
Colorado: HB1294, HB1423 – Requires the state to create a data security plan, prohibits the collection of health records and biometric information.
Connecticut: HB5469, HB7207, HB5170, HB5444 – Prohibits school employees for taking custody of a student’s mobile electronic device to access data, requires breach notification procedures.
Delaware: SB79, SB208 – Requires service providers to implement security procedures, and limits disclosure of student records.
Florida: SB188, HB501, HB731 – Prohibits storing personally identifiable information for home schooled students, prohibits including social security numbers or other personal information in school databases.
Georgia: SB89 – Prohibits service providers from using data for commercial purposes.
Hawaii: SB2607 – Limits the way providers who work with the Department of Education can store and use student data.
Idaho: SB1372 – Requires the state to develop a data security policy, and limits the disclosure of student records.
Indiana: 
HB 1003 – Requires compliance with FERPA and implements a data security plan including breach, retention and disposition procedures.
Illinois: SB 887, SB 1796 – Prohibits providing personally identifiable information on individual students, except in specific cases as specified by FERPA.
Iowa: HF2354 – Prohibits targeted advertising of students, and the sale of personal information.
Kansas: SB367, HB2008, HB2209 – Requires the state to purchase cybersecurity insurance, prohibits targeted advertising and the disclosure of personal information to third parties. 
Kentucky:
HB 232 – Requires notification of any breach of personally identifiable information, limits data storage in the cloud and prohibits use of student data for advertising or other commercial purposes.
Louisiana: HB340 – Prohibits schools from requesting login information from students for social media and other sites.
Maine: LD678, LD1616 – Regulates the use of social security numbers and other personal information, requires disclosure of breaches.
Maryland: SB1165, HB568 – Requires the Board of Education to create best practices regarding the use of student data.
Michigan: S33, SB510 – Prohibits the use of targeted advertising at students, prohibits the sale of information from the permanent records of students.
Missouri: HB1490 – Mandates the state create rules on data accessibility and accountability, and requires compliance with FERPA.
Montana: HB745 – Places restrictions on how student data can be used and disclosed, by school districts and third parties.
Nebraska: LB262, LB512 – Regulates access to student records and mandates the destruction of discipline data after graduation.
Nevada: SB463, AB221 – Regulates targeted advertising to students, and the release of student records and other personal information.
New Hampshire: HB1587, HB206 – Regulates release of student data to testing agencies and other third parties, requires the disclosure of breaches.
New York: SB6356 – Regulates the storage and disclosure of personally identifiable information, and establishes a parents’ bill of rights regarding student records.
North Carolina: SB815, HB1030 – Establishes penalties for education institutions that misuse personal data, and requires compliance with FERPA.
North Dakota: SB2295 – Requires data inventories and regulations on what data is collected and how it can be accessed.
Ohio:
 HB 487 – Requires annual reporting of breach related incidents, safeguards for confidentiality and allows for sanctions against districts which fail to protect personally identifiable information.
Oregon: HB2655, SB187 – Requires rules to be developed regarding when records can be transferred by a school, prohibits the use of student data for commercial or other secondary purposes.
Rhode Island: HB7124 – Prohibits schools from requiring students to provide login data for social media and other sites, requires compliance with FERPA.
South Dakota: SB63 – Mandates the creation of a uniform system to report on the use of educational data, prohibits the collection of lifestyle data on students.
Tennessee: SB1835, HB4046 – Regulates the use of data collected for standardized testing, regulates the disclosure of personally identifiable information and prohibits targeted advertising.
Texas: HB4046, HB2087 – Restricts the use of student records, and requires school districts to create a cybersecurity infrastructure. Requires compliance with FERPA.
Utah: HB163, SB204 – Requires notification in the event of a breach of personally identifiable information, requires schools to establish cybersecurity and data security policies.
Washington: SB5419 – Requires service providers to have clear privacy policies and requires notification of policy changes.
West Virginia: HB4316, HB4261 – Prohibits the transfer or sale of student records to a third party, requires compliance with FERPA and mandates the creation of a cybersecurity policy.
Wyoming: HB0008, HB0009 – Establishes an expectation of privacy act for student records, limits the transfer or disclosure of student data.

 


Original article by FERPA Sherpa, a project of the Future of Privacy Forum.


same_strip_012513


 

2 Responses to “From Arizona to Wyoming: An Inventory of State Laws”

Comment from Roger Chalkley
Time 02/18/2020 at 3:11 pm

Please find a listing for your financial bank customers! This list would be fantastic!

Comment from Roger Chalkley
Time 02/21/2020 at 1:54 pm

I would be afraid to use this listing from states that only talks about student privacy. Are you saying what schools need to do is identical to financial banks?

Latest News
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    The joint cybersecurity advisory includes the 15 most exploited vulnerabilities reported in 2021… An article review.  While a lot of attention is focused on previously undisclosed or “zero day” attacks, some of the most likely attack vectors are vulnerabilities that have been widely known for weeks or even months.  That’s according to a new joint […]
    Threats are changing, EDR can help us adapt . . . Today’s advanced persistent threat (APT) understands that the IT landscape has changed. In the post-COVID age, more and more organizations have adopted some form of work from home.  While WFH offers many conveniences, it also imparts increased risks. BitSight conducted a 2021 study of […]
    The Five Precepts of IT Vendor Management Webinar-Movie We’re going back to basics on Vendor Management. This webinar will give you a training tool to help out that new person that is starting to take on the gargantuan task that is Vendor Management.
    A new way of helping people “read” new guidance… Look for more in the future! To save you time, we are proud to present “Adam Reads” . . . recorded versions of our Guidance Summaries! Below you can find an embedded player for the audio file. If you are having issues with that working, you […]
    You think you’ve finally found stability in your to-do list. Your goals are set, and you’re even making great progress on them all. Audit findings: all addressed. Management requests: Under control. Heck, you might even be able to leave the office five minutes early at least once this year. Then BAM! A press release from […]
    Software Bill of Materials (SBOMs) are becoming more and more important. . . We are all very familiar with one aspect of the software supply chain – updates.  New features, bug fixes, and performance upgrades are a regular occurrence to any device’s lifecycle, however what if these kinds of updates also include deliberately malicious code? […]
    Another awareness poster for YOUR customers (and users).  Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Check out posters.infotex.com for the whole collection! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape)   You are welcome to print out and distribute this around […]
    According to a new survey, more organizations than ever are reporting problems with cybersecurity staffing… An article review. While pandemic related mandates and restrictions are gradually being lifted across the country, many organizations are still feeling the effects in one important area: staffing.  That’s according to ISACA’s annual State of Cybersecurity survey, which asked over […]
    Understanding Banking Trojans… Another Technical Article by Tanvee Dhir! What are Banking Trojans? A trojan is a malicious program that masquerades as a genuine one. They are often designed to steal sensitive information from users (login passwords, account numbers, financial information, credit card information, etc.). A banking trojan is a malicious computer program designed to […]