When Idaho legislators approved a student data security law in 2014 — without a single dissenting vote — they joined what could be a growing trend.
States appear to be moving aggressively into the data security issue, 40 years after Congress passed its centerpiece legislation on the matter, the Federal Educational Rights and Privacy Act, or FERPA.
In addition to Idaho, at least six other states have passed student data security laws since 2013, said Frank LoMonte, executive director of the Student Press Law Center, an Arlington, Va., group that provides legal advice to journalists covering public schools and higher education.
Colorado, Florida, Kansas, South Dakota, Wyoming and Oklahoma have passed state data security laws in the past two years, LoMonte said during a webinar hosted by the Education Writers Association.
Oklahoma figures prominently on this list. Its 2013 data security law is modeled after template legislation prepared by the American Legislative Exchange Council, a group that drafts legislation on dozens of topics, with a stated goal of advancing “limited government, free markets and federalism.” The ALEC template language limits states’ authority to share data with the federal government and other entities; requires states to prepare data security plans; and requires audits on state compliance with FERPA.
These features from the ALEC model appear in the new Idaho law, signed into law by Gov. Butch Otter on March 26. That’s not necessarily surprising; Senate Education Committee Chairman John Goedde, R-Coeur d’Alene, said he had modeled his language after the Oklahoma law.
States have jumped into data security at a time when Congress and the federal Education Department have not been very aggressive in enforcing FERPA, LoMonte said. And enforcement is a component of the Idaho law, at least on paper: A data breach may be punishable by a fine of up to $50,000.