I've created an analysis for this group outlining the differences between
HB491 and FERPA, complete with mappings to NIST 800-171 and NIST CSWP. The
reason for creating this is there seems to be significant pushback on our
fiscal impact statements with the claim that HB491 is less strict and has
less work involved than currently required. This is not true, and I
encourage everyone to not retract any pending requests just because the
fiscal analysts are not knowledgeable of privacy and security.
*1. HB491 Data Privacy Amendments Overview* [1]
- *Key Provisions*: Defines terms, outlines governmental entity duties
around personal data privacy (breach notification, data collection/use
limits, data access/correction), creates state data privacy policy and
relevant governing bodies.
*2. FERPA Overview* [2]
- *Key Provisions*: Protects the privacy of student education records,
provides rights for inspection and review, amendment, and has detailed
procedures around the disclosure of personally identifiable information.
*3. NIST Privacy Framework Overview (V1.0)* [3]
- *Core Structure*: Identify (ID), Protect (PR), Control (CT), Inform
(IN), and Respond (RS)
*4. Comparison and Mapping*
*Identify (ID)*
- *HB491*: Duties related to managing personal data.
- *FERPA*: Identification of education records.
- *NIST 800-171 Control Mapping*: IA-1, Identification and
Authentication Policy and Procedures.
*Protect (PR)*
- *HB491*: Limits on data collection and use; Establishes the Office of
Data Privacy.
- *FERPA*: Limits on disclosure of personally identifiable information.
- *NIST 800-171 Control Mapping*: AC-1, Access Control Policy and
Procedures.
*Control (CT)*
- *HB491*: Ability to correct and access personal data.
- *FERPA*: Rights of inspection, review, and amendment of education
records.
- *NIST 800-171 Control Mapping*: AU-2, Audit Events.
*Inform (IN)*
- *HB491*: Breach notification.
- *FERPA*: Annual notification of rights.
- *NIST 800-171 Control Mapping*: IR-1, Incident Response Policy and
Procedures.
*Respond (RS)*
- *HB491*: Creation of bodies for policy recommendation and
implementation.
- *FERPA*: Enforcement procedures.
- *NIST 800-171 Control Mapping*: PE-1, Physical and Environmental
Protection Policy and Procedures.
*Specific Differences Requiring New Processes or Changes*
While FERPA is focused on educational records and student privacy, HB491
spans a broader range of personal data under governmental entity control,
introducing new processes around data privacy governance and breach
response not explicitly outlined in FERPA.
- *Data Governance*: HB491's creation of a privacy governance board and
an Office of Data Privacy introduces a need for structured governance
frameworks not specified in FERPA.
- *Breach Response*: HB491 specifies obligations around breach
notification tied to the assessment of risk, implicating the need for risk
assessment procedures that align more specifically with the NIST framework
as compared to FERPA's requirements.
This overview illustrates an initial mapping and comparison schema. Due to
the vast scope of each document and the specificity required for technical
and legal compliance, further detailed analysis is needed for each specific
provision and corresponding processes. Additionally, updates or
modifications to existing policies or procedures must be informed not only
by the outlined differences but also by the specific operational and legal
context of the institution or agency in question. This emphasizes the
importance of interdisciplinary collaboration between legal, IT, and data
privacy professionals during the compliance alignment process.