The education sector is a top target for cybercrime. Communities look to your leadership team to keep sensitive data and school funds out of hackers’ hands. Here is an overview of state cybersecurity laws that schools must comply with. We invite Fund members with Privacy and Information Security Coverage to take a deeper dive into cybersecurity legislation passed in 2021 during Education Cybersecurity Summit.
1. Develop a cybersecurity plan
School districts are required to adopt a cybersecurity plan consistent with the Texas Cybersecurity Framework (TCF). By using the TCF as a guide, the law provides districts of all sizes and resources with flexibility in developing their cybersecurity plans.
The TCF includes five key cybersecurity functions:
- Identify. Which processes and assets do you need to protect?
- Protect. Which safeguards are available?
- Detect. How will you know when incidents happen?
- Respond. How will you contain the impact of incidents?
- Recover. How will you restore your systems in the wake of an incident?
For more information about developing your cybersecurity plan, download this guide.
2. Appoint a cybersecurity coordinator
Every school district must designate a cybersecurity coordinator who serves as a liaison between the district and the Texas Education Agency (TEA) (see “Report data breaches” below). It would be beneficial if your coordinator brought a basic understanding of network security and information technology to the job, but non-technical staff can also fill the role. Your district is required to visit the AskTED portal and submit its cybersecurity coordinator’s name and contact information to the TEA.
3. Report data breaches
Organizations are responsible for reporting incidents that meet the definition of a system security breach under two separate government codes:
- The law requires districts and open enrollment charter schools to report system or data breaches that meet the criteria detailed in the Texas Education Code. Any employee can report breaches to the TEA. The cybersecurity coordinator must report breaches to parents if students’ sensitive information is compromised.
- Separately, districts must report breaches that meet the criteria under the Business and Commerce Code to the attorney general.
For more information about reporting breaches, read this TASB Legal Services article.
4. Provide cybersecurity training
Your designated cybersecurity coordinator must complete annual training from a Department of Information Resources-approved program. The training requirement also applies to board members who have access to a district computer system or database and use a computer to perform at least 25 percent of their duties.
Your district, in consultation with the cybersecurity coordinator, may determine how often other employees need to be trained.
The cybersecurity training your district provides must:
- Promote information security habits and procedures that protect information resources
- Teach best practices for detecting, assessing, reporting, and addressing information security threats
After verifying employee training records, all school districts are required to submit the cybersecurity training certification for local governments form acknowledging district-wide compliance.
If you’re interested in the legislation behind the cybersecurity requirements explained in this article, see Senate Bill 820, Senate Bill 1267, Senate Bill 1696, House Bill 1118, and House Bill 3834. Fund members with Privacy and Information Security coverage can contact TASB Privacy and Cyber Risk Consultant Lucas Anderson for advice on complying with their regulatory obligations. Any district can leverage these TEA on-demand webinars for regulatory guidance, as well as other cybersecurity topics relevant to schools.
About the author
Lucas Anderson brings 15 years’ experience to his role as TASB Privacy and Cyber Risk Consultant. He advises Fund members on defending against cybercrime and navigating the cybersecurity regulatory landscape. Members benefit from Lucas’ training services at no additional cost.