Forty-eight US states have laws on data breach reporting, but few specifically address the issue of reporting data loss for children. Last month, the Missouri state legislature considered a bill that would require schools to inform breach victims of any data loss…even victims under the age of 18.
Most Missouri parents might be stunned to learn that the personally identifiable information (PII) of minors did not trigger an automatic notification. After all, child identity theft is a serious problem. Parents in other states could face the same jolt after a student data breach because many statutes do not clearly address the age question.
Schools Slow to Develop Data Security Plans
Missouri State Auditor Nicole Galloway released a report last October that indicated schools in her state were often slow to develop data security plans. Some had no plan.
“Missouri schools have access to a lot of information on students and their families, which means they have a responsibility to keep that information protected,” Galloway said.
Galloway has made data security a key focus and this new legislation, if signed into law, could clarify expectations regarding school data leaks. The bill states that in the event of a data breach that includes the personal information of a student, the school district must send written notification to the parent or legal guardian.
Nation Has Patchwork of Data Protection Laws
The nation’s patchwork of data protection laws is far from uniform. Each of the 48 states has independently defined how data should be protected, but a comparison of those statutes shows that each state has its own idea of what constitutes PII.
In Colorado, for example, email addresses are not included in the definition of PII although the loss of an email address puts the owner at high risk for treacherous phishing scams. After 2013’s breach of the Vendini events ticketing network compromised over 3 million users, Colorado users didn’t receive notification because their state considers email addresses personal information protected under state law. Across the state line in Nebraska, email addresses are defined as protected data.
For parents, this crazy quilt of laws creates serious concerns. When a thief steals a youngster’s ID, it often takes years to learn of the theft and then more time to undo the damage. Educators have a habit of keeping data indefinitely. Often, the parents’ only dependable defense is to restrict the data they share with schools.
Learn how your state defines PII with this link. New Mexico just became the 48th state covered by a state law. South Dakota and Alabama do not have data breach protection laws.