What do you need to be compliant in your state?

An article review.

One subprocess to incident response many of our banking Clients are currently wrestling with is how to address customers living in “other states.” If we’re on the border between Indiana and Ohio, we already know the laws of these two states and have incorporated these laws into our incident response plans (and fortunately both states exempt banks from compliance.) But what if we have one customer who resides in Florida? Alaska? Rhode Island?

We have found an inventory of state laws that seems to be rather current. It is actually a subset of a larger guidance document about FERPA, something our school Clients are concerned with, so we have excerpted just the inventory for our bank Clients:

Arizona: SB1450, HB2088, SB1314 – Requires consent from students before providing information to military recruiters, and prohibits targeted advertising based on student data.
Arkansas: HB1241, HB1961 – Prohibits massing public school student profiles for certain purposes, or selling covered information.
California: SB1177, SB244 – Prohibits the collection of personally identifiable information for advertising purposes, and specifies requirements for disclosing data breaches.
Colorado: HB1294, HB1423 – Requires the state to create a data security plan, prohibits the collection of health records and biometric information.
Connecticut: HB5469, HB7207, HB5170, HB5444 – Prohibits school employees for taking custody of a student’s mobile electronic device to access data, requires breach notification procedures.
Delaware: SB79, SB208 – Requires service providers to implement security procedures, and limits disclosure of student records.
Florida: SB188, HB501, HB731 – Prohibits storing personally identifiable information for home schooled students, prohibits including social security numbers or other personal information in school databases.
Georgia: SB89 – Prohibits service providers from using data for commercial purposes.
Hawaii: SB2607 – Limits the way providers who work with the Department of Education can store and use student data.
Idaho: SB1372 – Requires the state to develop a data security policy, and limits the disclosure of student records.
Indiana: HB 1003 – Requires compliance with FERPA and implements a data security plan including breach, retention and disposition procedures.
Illinois: SB 887, SB 1796 – Prohibits providing personally identifiable information on individual students, except in specific cases as specified by FERPA.
Iowa: HF2354 – Prohibits targeted advertising of students, and the sale of personal information.
Kansas: SB367, HB2008, HB2209 – Requires the state to purchase cybersecurity insurance, prohibits targeted advertising and the disclosure of personal information to third parties. 
Kentucky: HB 232 – Requires notification of any breach of personally identifiable information, limits data storage in the cloud and prohibits use of student data for advertising or other commercial purposes.
Louisiana: HB340 – Prohibits schools from requesting login information from students for social media and other sites.
Maine: LD678, LD1616 – Regulates the use of social security numbers and other personal information, requires disclosure of breaches.
Maryland: SB1165, HB568 – Requires the Board of Education to create best practices regarding the use of student data.
Michigan: S33, SB510 – Prohibits the use of targeted advertising at students, prohibits the sale of information from the permanent records of students.
Missouri: HB1490 – Mandates the state create rules on data accessibility and accountability, and requires compliance with FERPA.
Montana: HB745 – Places restrictions on how student data can be used and disclosed, by school districts and third parties.
Nebraska: LB262, LB512 – Regulates access to student records and mandates the destruction of discipline data after graduation.
Nevada: SB463, AB221 – Regulates targeted advertising to students, and the release of student records and other personal information.
New Hampshire: HB1587, HB206 – Regulates release of student data to testing agencies and other third parties, requires the disclosure of breaches.
New York: SB6356 – Regulates the storage and disclosure of personally identifiable information, and establishes a parents’ bill of rights regarding student records.
North Carolina: SB815, HB1030 – Establishes penalties for education institutions that misuse personal data, and requires compliance with FERPA.
North Dakota: SB2295 – Requires data inventories and regulations on what data is collected and how it can be accessed.
Ohio: HB 487 – Requires annual reporting of breach related incidents, safeguards for confidentiality and allows for sanctions against districts which fail to protect personally identifiable information.
Oregon: HB2655, SB187 – Requires rules to be developed regarding when records can be transferred by a school, prohibits the use of student data for commercial or other secondary purposes.
Rhode Island: HB7124 – Prohibits schools from requiring students to provide login data for social media and other sites, requires compliance with FERPA.
South Dakota: SB63 – Mandates the creation of a uniform system to report on the use of educational data, prohibits the collection of lifestyle data on students.
Tennessee: SB1835, HB4046 – Regulates the use of data collected for standardized testing, regulates the disclosure of personally identifiable information and prohibits targeted advertising.
Texas: HB4046, HB2087 – Restricts the use of student records, and requires school districts to create a cybersecurity infrastructure. Requires compliance with FERPA.
Utah: HB163, SB204 – Requires notification in the event of a breach of personally identifiable information, requires schools to establish cybersecurity and data security policies.
Washington: SB5419 – Requires service providers to have clear privacy policies and requires notification of policy changes.
West Virginia: HB4316, HB4261 – Prohibits the transfer or sale of student records to a third party, requires compliance with FERPA and mandates the creation of a cybersecurity policy.
Wyoming: HB0008, HB0009 – Establishes an expectation of privacy act for student records, limits the transfer or disclosure of student data.

Original article by FERPA Sherpa, a project of the Future of Privacy Forum.