The state of New Hampshire recently enacted House Bill 322 (“HB 322”), which requires the Department of Education (“DOE”) to implement additional procedures to protect student and teacher data from security breaches. Those procedures now include a breach notification requirement.
Effective August 11, 2015, the DOE must develop a detailed security plan that requires notification to any teacher or student whose personally identifiable information could reasonably be assumed to have been part of a data security breach. RSA 189:66(III)(A)(1). The notification must be made as soon as practicable, but consistent with the legitimate needs of law enforcement or as necessary to determine the scope of the breach and restore the integrity of the data systems. Id. Surprisingly, HB 322 also requires the DOE to notify an entire host of government officials, including the governor, state board, senate president, speaker of the house of representatives, chairperson of the senate committee with primary jurisdiction over education, chairperson of the house committee with primary jurisdiction over education, legislative oversight committee, and commissioner of the department of information technology. RSA 189:66(III)(A)(2).
HB 322 comes in the wake of additional legislation last May that required operators of websites, online platforms, and mobile apps targeting students to create and maintain reasonable security procedures. See House Bill 520 (“HB 520”). Similar to California’s Student Online Personal Information Protection Act, HB 520 prohibits companies from using student information to target advertisements to students. Both HB 322 and HB 520 appear to be part of a coordinated effort by New Hampshire’s legislature to increase the protections afforded to student data.