Board of Regents Extends Deadline to Comply with Commissioner’s Regulations on Cybersecurity and Data Privacy

Notable requirements for your school district and your business.

Due to the COVID-19 pandemic, school districts have more time to create and implement measures increasingly important in today’s tech-savvy and tech-reliant world:  cybersecurity and data privacy.   The Board of Regents extended the compliance deadline for educational agencies and their vendors to meet the terms of Commissioner’s regulation Part 121—which implements Education Law § 2-d’s protective requirements and expands upon them—to October 1, 2020.  Below we have outlined the noteworthy mandates under the Commissioner’s regulations to ensure your district or business meets them on time.

5 Notable Requirements

  1. Parents Bill of Rights.  The expanded Bill of Rights must include supplemental information about the exclusive purpose and use of the data, ensure non-disclosure, identify contract duration, identify how challenges to data accuracy are made, detail data storage and protection efforts, and address encryption.  It must be included with every vendor contract.
  2. Third-Party Contractor Agreements.  These agreements must ensure confidentiality in accordance with federal and state law, as well as the district’s data security and privacy policy.  Among others, vendor compliance with the applicable standard, compliance by its subcontractors, training, access limitations, breaches, encryption, and data disposal at the end of the contract are all required items to address with vendors.
  3. Data Privacy Officer. The Commissioner expects you to name a Data Protection Officer who will be responsible for implementing the policies and procedures required in Education Law § 2-d and Part 121, and who will serve as the contact person on data security and privacy.   This person must have the requisite knowledge, training, and experience expected of the position.
  4. Data Privacy Plan and Policy.  You must adopt a policy and privacy plan that aligns with the National Institute for Standards and Technology Framework for Improving Critical Infrastructure Security Version 1.1 (NIST).  NYSED has identified this as the gold standard for cybersecurity and data privacy.
  5. Employee Training.  Yes, another unfunded mandate.  Districts must provide annual training to officers and employees who have access to personally identifiable information, that includes training on the underlying laws and how to meet their requirements.

How to Prepare

There are many steps school districts and third-party contractors can take now to prepare for the October 1, 2020 deadline.  Because Education Law § 2-d has been in place for more than five years, most districts have policies and regulations to work from, and personnel in place already.  A good starting point is to review your existing contracts, policies, and regulations to see how they can be updated or modified.  Planning for required training can begin now, too.  Further, personnel can become familiar with or review anew the standards employed under NIST to ensure compliance this fall.

We are Here to Help

It is likely that NYSED will be auditing districts to verify their compliance, as conformity with Education Law § 2-d’s basic requirements since its implementation in 2014 has been inconsistent.  We can help your school district or business comply with these regulations.  We have extensive experience in preparing contracts, policies, and plans related to data privacy.  We are able to advise you on best practices.  We can also provide remote or in-person training for your employees.  The penalties for violating the requirements are too great not to undertake these steps; it’s important to demonstrate compliance from the outset and to set an unambiguous understanding as soon as possible, internally and externally.  Please reach out to Jill Yonkers, Greg Gaglione, or the Rupp Baase attorney with whom you most often work with to help your organization meet the requirements under 8 NYCRR Part 121 and Education Law § 2-d.