Q: The district received notification from a vendor of a potential cybersecurity breach involving confidential student information. Do we have a policy addressing next steps?
A: Yes, look to policy CQ (LEGAL) and (LOCAL) for your district’s internal response procedures, as well as any provisions set forth in the data protection agreement with the vendor.
Note, however, that your obligations for responding to cybersecurity breaches will change starting September 1, 2019, in light of the legislature’s recent passage of Senate Bill 820 (“SB 820”). SB 820 adds Section 11.175 to the Texas Education Code, which will require districts to: (1) adopt a cybersecurity policy; (2) designate a cybersecurity coordinator; and (3) report cybersecurity incidents to the Texas Education Agency (“TEA”) and to parents of impacted students beginning with the upcoming school year.
SB 820 tasks the superintendent with responsibility for appointing a cybersecurity coordinator to serve as the liaison between the district and TEA and to fulfill certain reporting obligations. In particular, SB 820 requires the cybersecurity coordinator to report to TEA “any cyber attack or other cybersecurity incident against the district cyber infrastructure that constitutes a breach of system security as soon as practicable after the discovery of the attack or incident.” Tex. Educ. Code § 11.175(e). Additionally, for any incident requiring a report to TEA, the coordinator must also “provide notice to a parent of or person standing in parental relation to a student enrolled in the district of an attack or incident…involving the student’s information.” Tex. Educ. Code § 11.175(f).
Be on the lookout for upcoming TASB policy updates, and seek assistance from your school district’s attorney regarding required TEA and parent notification should a cybersecurity breach that compromises personal information occur.