We observed in a post on this blog that government agencies, businesses, hospitals, universities and school districts are frequent targets of data breaches that can affect millions of individuals. Cyberattacks on school districts continue to appear in the news. In January, students in the Pittsburg Unified School District (California) were left without internet access as a result of a ransomware attack, which compromised the schools’ servers and email. The Richmond Community Schools in Michigan suffered a similar cyberattack when threat actors infiltrated and locked down the schools’ servers and demanded a $10,000 ransom to return control of those servers.
The cyberattacks are compromising school vendors, too. In December, a student hacker committed a “brute force” attack on Naviance, an ed-tech provider that collects sensitive information on behalf of school districts throughout the United States. The attack on Naviance exposed the personal information of approximately 6,000 students. There are countless stories of other ed-tech providers sustaining similar cyberattacks.
It comes as no surprise in the face of these cyberattacks that New York State regulators are taking action to protect personal information that schools and their vendors collect and maintain. We reported on this blog that the New York State Department of Education (“SED”) proposed new regulations (“Regulations”) to require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals. On January 14, 2020, the Board of Regents formally adopted the Regulations (which had been modified since their initial publication). The Regulations were effective January 29, 2020.
While broad in scope, the Regulations include several requirements that are particularly noteworthy for schools and their vendors. They include:
- School contracts, including “click wrap” agreements, with vendors who receive PII must state that the vendor will maintain all information in accordance with federal and state law and the school’s security and privacy policy.
- Schools must include a Parent’s Bill of Rights in every contract with vendors who receive PII.
- All schools must follow the National Institute for Standards and Technology Cybersecurity Framework (“NIST CSF”) as the standard for data security and privacy.
- All schools must adopt, by July 1, 2020, a data security and privacy policy that implements the requirements of the Regulations and aligns with NIST CSF.
- Schools must publish their data security and privacy policies on their websites.
- Schools must provide data privacy and security awareness training to officers and employees with access to PII.
- Schools must designate a Data Protection Officer (“DPO”) who is responsible for the compliance program and otherwise serves as a point of contact for the schools on data security and privacy matters.
- Vendors that suffer a breach of PII must notify the affected schools within seven (7) calendar days; the schools must in turn notify SED within ten (10) calendar days of receipt of notification of a breach from the vendor; and the schools must notify the affected individuals of the breach without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.
These Regulations certainly impose many new obligations on schools. Schools are urged to contact qualified legal counsel as they begin to develop and implement a comprehensive data security and privacy compliance program to comply with the mandates of the new Regulations.