Cybersecurity Regulations You Need To Know About
The education sector is a top target for cybercrime. Communities look to your leadership team to keep sensitive data and school funds out of hackers’ hands. Here is an overview of state cybersecurity laws that schools must comply with.
Cybersecurity Plan
School districts are required to adopt a cybersecurity plan consistent with the Texas Cybersecurity Framework (TCF). By using the TCF as a guide, the law provides districts of all sizes and resources with flexibility in developing their cybersecurity plans.
The TCF includes five key cybersecurity functions:
- Identify. Which processes and assets do you need to protect?
- Protect. Which safeguards are available?
- Detect. How will you know when incidents happen?
- Respond. How will you contain the impact of incidents?
- Recover. How will you restore your systems in the wake of an incident?
For more information about developing your cybersecurity plan, download this guide.
Cybersecurity Coordinator
Every school district must designate a cybersecurity coordinator who serves as a liaison between the district and the Texas Education Agency (TEA) (see “Data Breach Reports” below). It helps if your coordinator brings a basic understanding of network security and information technology to the job, but non-technical staff can also fill the role. Your district is required to visit the AskTED portal and submit its cybersecurity coordinator’s name and contact information to the TEA.
Data Breach Reports
Organizations are responsible for reporting incidents that meet the definition of a system security breach under two separate government codes:
- The law requires districts and open enrollment charter schools to report system or data breaches that meet the criteria detailed in the Texas Education Code. Any employee can report breaches to the TEA. The cybersecurity coordinator must report breaches to parents if students’ sensitive information is compromised.
- Separately, districts must report breaches that meet the criteria under the Business and Commerce Code to the attorney general.
For more information about reporting breaches, read this TASB Legal Services article.
Cybersecurity Training
Your designated cybersecurity coordinator must complete annual training from a Department of Information Resources-approved program. The training requirement also applies to board members who have access to a district computer system or database and use a computer to perform at least 25 percent of their duties.
Your district, in consultation with the cybersecurity coordinator, may determine how often other employees need to be trained.
The cybersecurity training your district provides must:
- Promote information security habits and procedures that protect information resources
- Teach best practices for detecting, assessing, reporting, and addressing information security threats
After verifying employee training records, all school districts are required to submit the Cybersecurity Training Certification for Local Governments form, acknowledging district-wide compliance.
Fund members with Privacy and Information Security coverage benefit from a state-approved cybersecurity course, at no additional charge.
Digital Device Integration
Every school district must adopt a policy for effective digital device integration. The Texas Education Agency and Health and Human Services Commission developed model guidelines that districts may use in their policies. For more information, see this Texas School Safety Center toolkit.
SCOPE Act
The Texas Education Agency and Department of Information Resources (DIR) released standards intended to help districts comply with the Securing Children Online through Parental Empowerment (SCOPE) Act. The standards could fit comfortably in your district's acceptable use policy. According to DIR, if districts are following COPPA (Children's Online Privacy Protection Act) and CIPA (Children's Internet Protection Act), they are likely in compliance with SCOPE. Still, standard nine, which addresses student exposure to inappropriate content, reaches beyond COPPA and CIPA and merits careful consideration by districts.
Have Cybersecurity Questions?
Members with Privacy and Information Security coverage can request training and support from our Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or lucas.anderson@tasb.org.
Lucas Anderson
Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance.
Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties.