
Cybersecurity Regulations You Need To Know About

The education sector is a top target for cybercrime. Communities look to your leadership team to keep sensitive data and school funds out of hackers’ hands. Here is an overview of state cybersecurity laws that schools must comply with.

Cybersecurity Plan

School districts are required to adopt a cybersecurity plan consistent with the Texas Cybersecurity Framework (TCF). By using the TCF as a guide, the law provides districts of all sizes and resources with flexibility in developing their cybersecurity plans.

The TCF includes five key cybersecurity functions:

  1. Identify. Which processes and assets do you need to protect?
  2. Protect. Which safeguards are available?
  3. Detect. How will you know when incidents happen?
  4. Respond. How will you contain the impact of incidents?
  5. Recover. How will you restore your systems in the wake of an incident?

For more information about developing your cybersecurity plan, download this guide.

Cybersecurity Coordinator

Every school district must designate a cybersecurity coordinator who serves as a liaison between the district and the Texas Education Agency (TEA) (see “Data Breach Reports” below). A coordinator with a basic understanding of network security and information technology is beneficial, but non-technical staff can also fill the role. Your district is required to visit the AskTED portal and submit its cybersecurity coordinator’s name and contact information to the TEA.

Data Breach Reports

Organizations are responsible for reporting incidents that meet the definition of a system security breach under two separate government codes:

  • The law requires districts and open enrollment charter schools to report system or data breaches that meet the criteria detailed in the Texas Education Code. Any employee can report breaches to the TEA. The cybersecurity coordinator must report breaches to parents if students’ sensitive information is compromised.
  • Separately, districts must report breaches that meet the criteria under the Business and Commerce Code to the attorney general.

For more information about reporting breaches, read this TASB Legal Services article.

Cybersecurity Training

Your designated cybersecurity coordinator must complete annual training from a Department of Information Resources-approved program. The training requirement also applies to board members who have access to a district computer system or database and use a computer to perform at least 25 percent of their duties.

Your district, in consultation with the cybersecurity coordinator, may determine how often other employees need to be trained.

The cybersecurity training your district provides must:

  • Promote information security habits and procedures that protect information resources
  • Teach best practices for detecting, assessing, reporting, and addressing information security threats

After verifying employee training records, all school districts are required to submit the cybersecurity training certification for local governments form acknowledging district-wide compliance.

Fund members with Privacy and Information Security coverage benefit from a state-approved cybersecurity course at no additional charge.

Digital Device Integration

Every school district must adopt a policy for effective digital device integration. The Texas Education Agency and Health and Human Services Commission developed model guidelines that districts may use in their policies. For more information, see this Texas School Safety Center toolkit.

SCOPE Act

The Texas Education Agency and Department of Information Resources (DIR) released standards intended to help districts comply with the Securing Children Online through Parental Empowerment (SCOPE) Act. The standards could fit comfortably in your district's acceptable use policy. According to DIR, if districts are following COPPA (Children's Online Privacy Protection Act) and CIPA (Children's Internet Protection Act), they are likely in compliance with SCOPE. Still, standard nine, which addresses student exposure to inappropriate content, reaches beyond COPPA and CIPA and merits careful consideration by districts.

Have Cybersecurity Questions?

Members with Privacy and Information Security coverage can request training and support from our Privacy and Cyber Risk Consultant Lucas Anderson at 800-482-7276, x2893 or lucas.anderson@tasb.org.

Lucas Anderson
Privacy and Cyber Risk Consultant

Lucas Anderson joined TASB Risk Management Services in 2019, bringing more than a decade of experience in cybersecurity, network administration, and information technology. He advises districts on preemptive mitigation against ongoing and emerging cybercriminal threats targeting the education sector, as well as cybersecurity-related regulatory compliance. 

Over his career, Anderson has supported public and private organizations, including Booz Allen Hamilton, the White House Office of Management and Budget, the Department of Defense, and the Texas Association of Counties. 
