In 2006, the Kentucky General Assembly passed House Bill 341, which mandated the Kentucky Department of Education (KDE) to conduct a study of the requirements for data security and a notification process when a data breach occurs. Since that legislation, the threat and occurrence of data breaches has only increased.
While the House Bill 341 study has remained an effective cornerstone of guidance, KRS 61.931, et seq. or House Bill 5 from 2015 added clarity, definition, and direction. The 2015 legislation concerns the protections of personal information and applies to every state agency, including KDE, every public school district, and every vendor with which state or local education agencies have contracts. The Data Breach Best Practice Guidelines document incorporates best practices and the "have to" actions from KRS 61.931, et seq. (HB5).
Data breach guidance and training
- Was that a Data Breach? (17 min.)
- Data Security and Breach Notification Best Practice Guide - In addition to the legal requirements, this document makes recommendations based on research and experience (best practice) for actions prior to and following a suspected or confirmed data breach..
- Notifying Agency Contacts and KDE of a Data Breach (Rev. 2/2022) – To submit a FAC-001 data breach notification form to Commonwealth government agencies and KDE as required by law, the Finance and Administration Cabinet has created a distribution list. In order for KDE to receive your FAC-001, please add KDE’s Chief Information Security Officer (CISO), Robert Hackworth to the Cc line.
- Commonwealth Data breach DL
- Kentucky Department of Education CISO - Hackworth, Robert
Are state student identifiers (SSIDs) confidential?
An SSID is generated when a "new" student is enrolled at the local school district to ensure a unique identifier exists among district instances of the Kentucky Student Information System (KSIS). As such, it does not provide additional value outside of being a unique identifier, and is unlike multi-use IDs such as Social Security Numbers, credit card numbers, or taxpayer ID numbers. Exposure of an SSID, while not encouraged, is not expected to result in the likelihood of harm to a person, even when combined with a name.
More information about data privacy and security - The Family Policy Compliance Office, which is responsible for administering FERPA, has stated in the Family Educational Rights and Privacy Act Regulations that a student identification number can be considered directory information, “but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student’s identity, such as a personal identification number (PIN), password, or other factor known or possess only by the student or authorized user.”
KDE recommends that districts not include additional identifiers if at all possible when using the SSID to request assistance.
See the Security Guidelines for Kentucky K-12 School Districts webpage for data security guidelines and resources.
See the KDE Data Privacy and Security webpage for more information.