[BreachExchange] New York Adopts New Data Security and Privacy Regulations for Schools and Their Vendors

Destry Winant destry at riskbasedsecurity.com
Thu Feb 27 10:03:48 EST 2020


https://www.natlawreview.com/article/new-york-adopts-new-data-security-and-privacy-regulations-schools-and-their-vendors

We observed in a post on this blog that government agencies,
businesses, hospitals, universities and school districts are frequent
targets of data breaches that can affect millions of individuals.
Cyberattacks on school districts continue to appear in the news. In
January, students in the Pittsburg Unified School District
(California) were left without internet access as a result of a
ransomware attack, which compromised the schools’ servers and email.
The Richmond Community Schools in Michigan suffered a similar cyber
attack when threat actors infiltrated and locked down the schools’
servers and demanded a $10,000 ransom to return control of those
servers.

The cyberattacks are compromising school vendors, too. In December, a
student hacker committed a “brute force” attack on Naviance, an
ed-tech provider that collects sensitive information on behalf of
school districts throughout the United States. The attack on Naviance
exposed the personal information of approximately 6,000 students.
There are countless stories of other ed-tech providers sustaining
similar cyberattacks.

It comes as no surprise, in the face of these cyberattacks, that New
York State regulators are taking action to protect personal information
that schools and their vendors collect and maintain. We reported on
this blog that the New York State Department of Education (“SED”)
proposed new regulations (“Regulations”) to require school districts
and state-supported schools to develop and implement robust data
security and privacy programs to protect any personally identifiable
information (“PII”) relating to students, teachers and principals. On
January 14, 2020, the Board of Regents formally adopted the
Regulations (which were modified since their initial publication). The
Regulations were effective January 29, 2020.

While broad in scope, the Regulations include several requirements
that are particularly noteworthy for schools and their vendors. They
include:

- School contracts, including “click wrap” agreements, with vendors
who receive PII must state that the vendor will maintain all
information in accordance with federal and state law and the school’s
security and privacy policy.

- Schools must include a Parent’s Bill of Rights in every contract
with vendors who receive PII.

- All schools must follow the National Institute of Standards and
Technology Cybersecurity Framework (“NIST CSF”) as the standard for
data security and privacy.

- All schools must adopt by July 1, 2020 a data security and privacy
policy that implements the requirements of the Regulations and aligns
with NIST CSF.

- Schools must publish their data security and privacy policies on
their websites.

- Schools must provide data privacy and security awareness training to
officers and employees with access to PII.

- Schools must designate a Data Protection Officer (“DPO”) who is
responsible for the compliance program and to otherwise serve as a
point of contact for the schools on data security and privacy matters.

- Vendors that suffer a breach of PII must notify the affected schools
within seven (7) calendar days; the schools must in turn notify SED
within ten (10) calendar days of receipt of notification of a breach
from the vendor; and the schools must notify the affected individuals
of the breach without unreasonable delay but in no case later than
sixty (60) days of discovery or receipt of breach notification from
the vendor.

These Regulations certainly impose many new obligations on schools.
Schools are urged to contact qualified legal counsel as they begin to
develop and implement a comprehensive data security and privacy
compliance program that meets the mandates of the new Regulations.
