Get Ready for New CyberSecurity Requirements
With the recent passage of SB 820 and HB 3834 in the Texas legislature, school districts need to ensure they are compliant with the new laws. Parts of these laws went into effect on September 1 and need to be addressed as soon as possible.
1. Designate a Security Coordinator for Your District
SB 820, which went into effect September 1, 2019, requires that: "(d) The superintendent of each school district shall designate a cybersecurity coordinator to serve as a liaison between the district and the agency in cybersecurity matters."
Each district should determine who is the best person to oversee the district's security matters. Districts will report their designee to TEA through the AskTed system, as soon as TEA has finished adding the role of Cybersecurity Coordinator to that application.
2. Report CyberSecurity Breaches to TEA
Under SB 820, the security coordinator "(e) . . . shall report to the agency any cyber-attack or other cybersecurity incident against the district cyberinfrastructure that constitutes a breach of system security as soon as practicable after the discovery of the attack or incident."
In SB 820, the definition of "breach" reads as follows:
(1) Breach of system security means an incident in which student information that is sensitive, protected, or confidential, as provided by state or federal law, is stolen or copied, transmitted, viewed, or used by a person unauthorized to engage in that action.
If a breach occurs, your district security coordinator should file an incident report with TEA via this specially created email at email@example.com.
3. Notify Parents of Cyber Attacks
As with any security incident, districts are responsible for notifying parents as soon as possible about student data breaches.
SB 820 states:
(f) The district’s cybersecurity coordinator shall provide notice to a parent of or person standing in parental relation to a student enrolled in the district of an attack or incident for which a report is required under Subsection (e) involving the student’s information.
Districts should follow their local policy about the procedures and format for notifying parents of such attacks.
4. Provide Cybersecurity Training
The new HB 3834 mandates that certain employees of government entities be required to take cybersecurity training. The law states:
(a-1) At least once each year, a local government shall identify local government employees who have access to a local government computer system or database and require those employees and elected officials of the local government to complete a cybersecurity training program certified under Section 2054.519 or offered under Section 2054.519(f).
Local governments have been defined to include school districts. The Department of Information Resources (DIR) will be the entity responsible for certifying training programs for state and local government employees. Once the programs have been established, districts will be required to report their training. HB 3834 states:
(b) The governing body of a local government may select the most appropriate cybersecurity training program certified under Section 2054.519 or offered under Section 2054.519(f) for employees of the local government to complete. The governing body shall:
(1) verify and report on the completion of a cybersecurity training program by employees of the local government to the department (DIR); and
(2) require periodic audits to ensure compliance with this section.
How Texas K-12 CTO Council Can Help
The Texas K-12 CTO Council, in partnership with our parent organization the Consortium of School Networking (CoSN), has numerous resources to support districts as they work to provide the best possible protection for their systems. Last summer, our CTO Clinic focused on building a trusted learning environment through physical, network, and data security. We will continue that conversation at our Fall Technical Summit to be held in Aldine ISD on October 18.
In addition, we are hosting a Trusted Learning Environment (TLE) cohort this fall which will help districts become aware of and address their security vulnerabilities. Districts may want to consider working toward achieving the TLE national seal of approval from CoSN as a way of demonstrating to their communities that they are meeting the standards for secure environments.
Security will always be a hot topic for CTOs, and our organization will continue to provide this key training for our members. Mark your calendars for our Winter Leadership Summit on January 26, 2020, at the Hilton Hotel in Austin, in conjunction with the TASA MidWinter Conference, and our summer CTO Clinic 2020 on June 17-18, 2020, at the Sheraton Hotel in Georgetown. We welcome and encourage technology leaders and other staff members to attend all our meetings and get involved in these important security conversations affecting your students and your schools.
I look forward to seeing you soon!
Alice Owen, Ph.D., CAE, CETL