From Arizona to Wyoming: An Inventory of State Laws
What do you need to be compliant in your state?
An article review.
One subprocess to incident response many of our banking Clients are currently wrestling with is how to address customers living in “other states.” If we’re on the border between Indiana and Ohio, we already know the laws of these two states and have incorporated these laws into our incident response plans (and fortunately both states exempt banks from compliance.) But what if we have one customer who resides in Florida? Alaska? Rhode Island?
We have found an inventory of state laws that seems to be rather current. It is actually a subset of a larger guidance document about FERPA, something our school Clients are concerned with, so we have excerpted just the inventory for our bank Clients:
Arizona: SB1450, HB2088, SB1314 – Requires consent from students before providing information to military recruiters, and prohibits targeted advertising based on student data.
Arkansas: HB1241, HB1961 – Prohibits massing public school student profiles for certain purposes, or selling covered information.
California: SB1177, SB244 – Prohibits the collection of personally identifiable information for advertising purposes, and specifies requirements for disclosing data breaches.
Colorado: HB1294, HB1423 – Requires the state to create a data security plan, prohibits the collection of health records and biometric information.
Connecticut: HB5469, HB7207, HB5170, HB5444 – Prohibits school employees for taking custody of a student’s mobile electronic device to access data, requires breach notification procedures.
Delaware: SB79, SB208 – Requires service providers to implement security procedures, and limits disclosure of student records.
Florida: SB188, HB501, HB731 – Prohibits storing personally identifiable information for home schooled students, prohibits including social security numbers or other personal information in school databases.
Georgia: SB89 – Prohibits service providers from using data for commercial purposes.
Hawaii: SB2607 – Limits the way providers who work with the Department of Education can store and use student data.
Idaho: SB1372 – Requires the state to develop a data security policy, and limits the disclosure of student records.
Indiana: HB 1003 – Requires compliance with FERPA and implements a data security plan including breach, retention and disposition procedures.
Illinois: SB 887, SB 1796 – Prohibits providing personally identifiable information on individual students, except in specific cases as specified by FERPA.
Iowa: HF2354 – Prohibits targeted advertising of students, and the sale of personal information.
Kansas: SB367, HB2008, HB2209 – Requires the state to purchase cybersecurity insurance, prohibits targeted advertising and the disclosure of personal information to third parties.
Kentucky: HB 232 – Requires notification of any breach of personally identifiable information, limits data storage in the cloud and prohibits use of student data for advertising or other commercial purposes.
Louisiana: HB340 – Prohibits schools from requesting login information from students for social media and other sites.
Maine: LD678, LD1616 – Regulates the use of social security numbers and other personal information, requires disclosure of breaches.
Maryland: SB1165, HB568 – Requires the Board of Education to create best practices regarding the use of student data.
Michigan: S33, SB510 – Prohibits the use of targeted advertising at students, prohibits the sale of information from the permanent records of students.
Missouri: HB1490 – Mandates the state create rules on data accessibility and accountability, and requires compliance with FERPA.
Montana: HB745 – Places restrictions on how student data can be used and disclosed, by school districts and third parties.
Nebraska: LB262, LB512 – Regulates access to student records and mandates the destruction of discipline data after graduation.
Nevada: SB463, AB221 – Regulates targeted advertising to students, and the release of student records and other personal information.
New Hampshire: HB1587, HB206 – Regulates release of student data to testing agencies and other third parties, requires the disclosure of breaches.
New York: SB6356 – Regulates the storage and disclosure of personally identifiable information, and establishes a parents’ bill of rights regarding student records.
North Carolina: SB815, HB1030 – Establishes penalties for education institutions that misuse personal data, and requires compliance with FERPA.
North Dakota: SB2295 – Requires data inventories and regulations on what data is collected and how it can be accessed.
Ohio: HB 487 – Requires annual reporting of breach related incidents, safeguards for confidentiality and allows for sanctions against districts which fail to protect personally identifiable information.
Oregon: HB2655, SB187 – Requires rules to be developed regarding when records can be transferred by a school, prohibits the use of student data for commercial or other secondary purposes.
Rhode Island: HB7124 – Prohibits schools from requiring students to provide login data for social media and other sites, requires compliance with FERPA.
South Dakota: SB63 – Mandates the creation of a uniform system to report on the use of educational data, prohibits the collection of lifestyle data on students.
Tennessee: SB1835, HB4046 – Regulates the use of data collected for standardized testing, regulates the disclosure of personally identifiable information and prohibits targeted advertising.
Texas: HB4046, HB2087 – Restricts the use of student records, and requires school districts to create a cybersecurity infrastructure. Requires compliance with FERPA.
Utah: HB163, SB204 – Requires notification in the event of a breach of personally identifiable information, requires schools to establish cybersecurity and data security policies.
Washington: SB5419 – Requires service providers to have clear privacy policies and requires notification of policy changes.
West Virginia: HB4316, HB4261 – Prohibits the transfer or sale of student records to a third party, requires compliance with FERPA and mandates the creation of a cybersecurity policy.
Wyoming: HB0008, HB0009 – Establishes an expectation of privacy act for student records, limits the transfer or disclosure of student data.
2 Responses to “From Arizona to Wyoming: An Inventory of State Laws”
Another awareness poster for YOUR customers (and users). Now that we have our own employees aware, maybe it’s time to start posting content for our customers! Download the large versions here: Awareness Poster (Portrait) Awareness Poster (Landscape) You are welcome to print out and distribute this around your office.
Intelligence agencies from five nations contributed to the new advisory… An article review. For the first time, the cybersecurity divisions of the nations in the “Five Eyes” alliance (The United States, United Kingdom, Canada, Australia and New Zealand) have released a joint advisory concerning incident response. The report, available here, does not provide a complete […]
PRESS RELEASE – FOR IMMEDIATE RELEASE BUSINESS NEWS NEW EMPLOYEE FOR INFOTEX infotex has just hired Nathan Harrell, to be a new Engagement Coordinator to assist with all communications between both current and prospective Clients. “We’re really excited to have Nate joining the team to help us keep the channels of communication open!” says Bryan […]
A Webinar-Movie Short Back by popular demand! Our Board Awareness Training program continues with this movie, entitled Vulnerability Management for Directors, that can be presented directly to your board of directors.
Nearly half of all companies expect a security issue due to telecommuting… An article review. A few months ago we discussed a warning from the Department of Homeland Security regarding hackers taking advantage of the business disruptions caused by COVID-19, and according to an article shared with us by our friend Wes Pollard it appears […]