During the last legislative session, Texas lawmakers passed two cybersecurity-related bills school districts need to know about. House Bill 3834 and Senate Bill 820 have set new standards and requirements that strengthen districts’ ability to protect sensitive data. At TASB, we are monitoring the legislation’s rollout and preparing our members to fulfill their obligations. We encourage you to share this snapshot of the latest developments with your leadership and information technology teams.
Annual Cybersecurity Training Requirement
Under HB 3834, employees and board members who have access to district computers and databases are required to receive annual cybersecurity training. The training must focus on forming information security habits and procedures that protect information resources. It must also teach best practices for detecting, assessing, reporting, and addressing information security threats. The Department of Information Resources (DIR) has been vetting and certifying training programs to ensure they meet the bill’s requirements.
HB 3834 created an exception for districts that employ a “dedicated information resources cybersecurity officer.” These districts may provide cybersecurity training of their choice, either in-house or from a third-party vendor, as long as it meets the requirements. Interested districts must file for an exception with the DIR.
- Board members and employees who have access to a district computer system or database must complete the training by June 14 of every year.
- Through our SafeSchools partnership with Vector Solutions, members in the Fund’s Liability program can access a new DIR-certified training program at no cost. The program, which is eligible for school board continuing education credit, consists of several mini courses that need to be completed to meet the requirements. Your organization must enroll in SafeSchools in order for staff to complete the course:
  - If you are already enrolled in SafeSchools, log in to the training site and search for the Texas Cybersecurity Awareness for Employees course.
  - To enroll in SafeSchools, call 800.434.0154 or fill out the enrollment form.
- After verifying employee training records, all school districts will be required to submit the cybersecurity training certification for local governments form acknowledging district-wide compliance. This form is due by June 15, 2020.
- The DIR website provides a list of certified programs that meet legislative requirements. (The training provider for the Texas Cybersecurity Awareness for Employees course is Vector Solutions.)
- The DIR launched a portal for program certification. Certified training programs must reapply annually.
District Cybersecurity Coordinator and Cybersecurity Plan
SB 820 requires Texas school districts to designate a cybersecurity coordinator, create and maintain a cybersecurity plan, and report cyberattacks that compromise students’ sensitive information such as birthdates and Social Security numbers. The bill does not require your district cybersecurity coordinator to be a trained information technology professional. The coordinator is simply responsible for reporting cyber incidents that meet the criteria to the Texas Education Agency (TEA) and notifying parents or other responsible parties.
The district cybersecurity plan must be consistent with the Texas Cybersecurity Framework, which addresses 46 key security objectives. By using the framework as a guide, the Legislature provided districts of all sizes and resources with significant flexibility in developing their cybersecurity plans.
- There is still no deadline for districts to implement a compliant cybersecurity plan.
- TEA created a dedicated email address for reporting cyberattacks in which student data is compromised.
- Districts can visit the DIR website to review the Texas Cybersecurity Framework security objectives and access information for building a cybersecurity plan.
- TEA offers recorded webinars to help districts comply with the bill’s reporting requirements.
- The Fund is creating a member-exclusive resource that shares best practices for creating a cybersecurity plan.
Although there is currently no deadline for implementing your district cybersecurity plan, it is a worthwhile exercise that will enhance your district’s overall cybersecurity.
There is, however, a deadline for the HB 3834 training requirement: June 14, 2020. Keep that deadline in mind as your district selects a program and begins training staff.
Some districts reported vendors approaching them to offer certified cybersecurity training before the DIR approved any programs. Please make sure the program you choose is listed on the DIR website.
Expert Help from the Fund
The Fund provides cybersecurity and data incident response coverage to members of our Property and Liability programs. Members that suspect they have been the target of cybercrime should call the Fund immediately at 855.295.8344 to report a claim. Members that have questions about cybersecurity education or consultation should contact TASB Privacy and Cyber Risk Consultant Lucas Anderson at firstname.lastname@example.org or 512.505.2893.
Editor's note: This article was originally published in January 2020 and has been updated for accuracy and comprehensiveness.