
I've created an analysis for this group outlining the differences between HB491 and FERPA, complete with mappings to NIST 800-171 and NIST CSWP. The reason for creating this is that there seems to be significant pushback on our fiscal impact statements with the claim that HB491 is less strict and has less work involved than what is currently required. This is not true, and I encourage everyone not to retract any pending requests just because the fiscal analysts are not knowledgeable about privacy and security.
*1. HB491 Data Privacy Amendments Overview* [1]
- *Key Provisions*: Defines terms, outlines governmental entity duties around personal data privacy (breach notification, data collection/use limits, data access/correction), creates state data privacy policy and relevant governing bodies.
*2. FERPA Overview* [2]
- *Key Provisions*: Protects the privacy of student education records, provides rights for inspection and review, amendment, and has detailed procedures around the disclosure of personally identifiable information.
*3. NIST Privacy Framework Overview (V1.0)* [3]
- *Core Structure*: Identify (ID), Protect (PR), Control (CT), Inform (IN), and Respond (RS)
*4. Comparison and Mapping*
*Identify (ID)*
- *HB491*: Duties related to managing personal data.
- *FERPA*: Identification of education records.
- *NIST 800-171 Control Mapping*: IA-1, Identification and Authentication Policy and Procedures.
*Protect (PR)*
- *HB491*: Limits on data collection and use; establishes the Office of Data Privacy.
- *FERPA*: Limits on disclosure of personally identifiable information.
- *NIST 800-171 Control Mapping*: AC-1, Access Control Policy and Procedures.
*Control (CT)*
- *HB491*: Ability to correct and access personal data.
- *FERPA*: Rights of inspection, review, and amendment of education records.
- *NIST 800-171 Control Mapping*: AU-2, Audit Events.
*Inform (IN)*
- *HB491*: Breach notification.
- *FERPA*: Annual notification of rights.
- *NIST 800-171 Control Mapping*: IR-1, Incident Response Policy and Procedures.
*Respond (RS)*
- *HB491*: Creation of bodies for policy recommendation and implementation.
- *FERPA*: Enforcement procedures.
- *NIST 800-171 Control Mapping*: PE-1, Physical and Environmental Protection Policy and Procedures.
*Specific Differences Requiring New Processes or Changes*
While FERPA is focused on educational records and student privacy, HB491 spans a broader range of personal data under governmental entity control, introducing new processes around data privacy governance and breach response not explicitly outlined in FERPA.
- *Data Governance*: HB491's creation of a privacy governance board and an Office of Data Privacy introduces a need for structured governance frameworks not specified in FERPA.
- *Breach Response*: HB491 specifies obligations around breach notification tied to the assessment of risk, implicating the need for risk assessment procedures that align more specifically with the NIST framework than FERPA's requirements do.
This overview illustrates an initial mapping and comparison schema. Due to the vast scope of each document and the specificity required for technical and legal compliance, further detailed analysis is needed for each specific provision and corresponding processes. Additionally, updates or modifications to existing policies or procedures must be informed not only by the outlined differences but also by the specific operational and legal context of the institution or agency in question. This emphasizes the importance of interdisciplinary collaboration between legal, IT, and data privacy professionals during the compliance alignment process.