Education Technology

Data Breach Best Practice Guidelines

Published: 6/6/2024 8:05 AM

​​In 2006, the Kentucky General Assembly passed House Bill 341, which mandated the Kentucky Department of Education (KDE) to conduct a study of the requirements for data security and a notification process when a data breach occurs. Since that legislation, the threat and occurrence of data breaches has only increased.

While the House Bill 341 study has remained an effective cornerstone of guidance, KRS 61.931, et seq. or House Bill 5 from 2015 added clarity, definition, and direction. The 2015 legislation concerns the protections of personal information and applies to every state agency, including KDE, every public school district, and every vendor with which state or local education agencies have contracts. The Data Breach Best Practice Guidelines document incorporates best practices and the "have to" actions from KRS 61.931, et seq. (HB5).

​Data breach guidance and training
  • Was that a Data Breach?​ (17 min.)
  • Data Security and Breach Notification Best Practice Guide - In addition to the legal requirements, this document makes recommendations based on research a​nd experience (best practice) for actions prior to and following a suspected or confirmed data breach.. 
  • Notifying Agency Contacts and KDE of a Data Breach (Rev. 2/2022) – To submit a FAC-001 data breach notification form to Commonwealth government agencies and KDE as required by law, the Finance and Administration Cabinet has created a distribution list. In order for KDE to receive your FAC-001, please add KDE’s Chief Information Security Officer (CISO), Robert Hackworth to the Cc line.​ ​​
    1. Commonwealth Data breach DL​
    2. ​Kentucky Department of Education CISO Hackworth, Robert
Are state student identifiers (SSIDs) confidential? 

An SSID is generated when a "new" student is enrolled at the local school district to ensure a unique identifier exists among district instances of the Kentucky Student Information System (KSIS). As such, it does not provide additional value outside of being a unique identifier, and is unlike multi-use IDs such as Social Security Numbers, credit card numbers, or taxpayer ID numbers. Exposure of an SSID, while not encouraged, is not expected to result in the likelihood of harm to a person, even when combined with a name.

More information about data privacy and security - The Family Policy Compliance Office​, which is responsible for administering FERPA, has stated in the Family Educational Rights and Privacy Act Regulations that a student identification number can be considered directory information, “but only if the electronic identifier cannot be used to gain access to education records except when used in conjunction with one or more factors that authenticate the student’s identity, such as a personal identification number (PIN), password, or other factor known or possess only by the student or authorized user.”

KDE recommends that districts not include additional identifiers if at all possible when using the SSID to request assistance.

Security Guidelines for Kentucky K-12 School Districts webpage

See the Security Guidelines for Kentucky K-12 School Districts webpage for data security guidelines and resources.

KDE Data Privacy and Security webpage 

See the KDE Data Privacy and Security webpage for more information.

Studnet using a tablet device in a classroom setting

​What is Personal Information (PI)?
KRS 61.931 (HB5) states "Personal Information" means an individual's first name or first initial​ and last name; personal mark; or unique biometric or genetic print or image, in combination with one (1) or more of the following data elements:
  • ​An account number, credit card number, or debit card number that, in combination with any required security code, access code, or password, would permit access to an account;
  • A Social Security number;
  • A taxpayer identification number that incorporates a Social Security number;
  • A driver's license number, state identification card, or other individual identification number issued by any agency;
  • A passport number or other identification number issued by the United States government; or
  • Individually identifiable health information as defined in 45 C.F.R. sec. 160.103 except for education records covered by the Family Educational Rights and Privacy Act, as amended 20 U.S.C. sec. 1232g. 

Office of Education Technology
Division of School Technology Planning and Project Management
300 Sower Blvd., 4th Floor
Frankfort, KY 40601
(502) 564-2020
Fax (502) 564-1519
  • Normal Font Size