In public education, cybersecurity policy can feel like the Wild West. At the federal level, you have FERPA, HIPAA, and COPPA, which are pretty straightforward regulations. But at the state and local levels, things get increasingly fragmented: Every state has its own data privacy regulations (or lack thereof). Every district has its own budget and priorities. Every school has its own staffing resources and resident technology expertise.
It's a tricky landscape to navigate. Yet, the fact remains that schools are responsible for protecting a wealth of highly sensitive information: Student and faculty PII, PHI, and family details — not to mention things like individualized education plans (IEPs) and sensitive information related to social work cases.
Many states — including New York, Illinois, Utah, and Texas — are realizing that federal regulations are not sufficient to secure this ever-growing ecosystem of sensitive student data. So, state legislatures are enacting laws that take student data security a step further.
One of those laws is Texas Senate Bill 820 (SB 820) — and here's what that means for school districts across the state of Texas.
What is Texas Senate Bill 820?
Texas Senate Bill 820 (SB 820) was introduced in 2019 and marks a pivotal shift in student data protection for Texas schools. This legislation mandates enhanced cybersecurity measures for each district, including the creation of a cybersecurity policy to prevent cyber attacks and mitigate cybersecurity incidents. It also requires each district to appoint a point of contact for cybersecurity responsibility and communications.
Key Aspects of Texas SB 820
There are three key components of Texas SB 820 that schools need to implement.
1. Adopt a Cybersecurity Policy
This is broad, but it's a starting point: Texas SB 820 requires each school district to "adopt a cybersecurity policy to secure district infrastructure against cyber attacks and other cybersecurity incidents; and determine cybersecurity risk and implement mitigation planning." It's a requirement that is flexible in nature but does require that school districts put a policy in place. Thankfully, NIST cybersecurity frameworks provide templates and best practices for schools to model their cybersecurity strategies after.
2. Appoint a Cybersecurity Coordinator
The superintendent of each Texas school district must designate a cybersecurity coordinator to oversee data protection efforts for their district. This individual is responsible for communications between the district and the Texas Education Agency (TEA) regarding cybersecurity matters.
3. Report Data Breaches and Cybersecurity Incidents
SB 820 requires the Cybersecurity Coordinator to report any cybersecurity incidents affecting student data to the TEA "as soon as is practicable after the discovery of the attack or incident." This also requires the district to notify the parent or guardian of each student whose data is included in such a cybersecurity incident.
As a result, Texas school districts will now have clearer accountability for student data, as well as a plan of action when a cybersecurity incident occurs.
Is Texas SB 820 Different from FERPA?
Fortify School Cybersecurity and Data Privacy with Virtru
Whether it's FERPA or Texas SB 820, these regulations ultimately aim to protect the data — and it's critical that school districts and their cybersecurity coordinators have tools in place to protect that sensitive data everywhere it's created, stored, and shared.
Showkat Choudhury, CIO at Central State University, said it well in the Central State University Virtru Voice of the Customer case study:
“These students are... just starting their lives. At this early age, if they lost their most securely held information — date of birth, health records, social security numbers — if it’s compromised just one time, that information may float on the web for decades.”
Student data privacy is a big deal, and Virtru's data security software can help school districts quickly and easily address the goals of Texas SB 820:
- End-to-end encryption: Ensuring student data remains protected throughout its lifecycle, meeting SB 820's stringent data security standards. This applies to sensitive school files like medical records, vaccine information, and individualized education plans (IEPs) for special education needs.
- Granular access controls: Allowing cybersecurity coordinators to set specific permissions, aligning with SB 820's emphasis on controlled access to student information. With Virtru, these access controls can be changed at any time, so if an administrator accidentally sends a student's health record to the wrong person, they can revoke access to that data at any time — protecting that student's private information from falling into the wrong hands.
- Audit capabilities and admin controls: Providing the tracking features necessary for monitoring data access and detecting potential breaches, as required by SB 820. Continuing that example of an admin sending student data to the wrong person: If that happens with Virtru, the admin (or Cybersecurity Coordinator) can not just revoke access, but also see whether or not that information was accessed by the recipient. This helps the
- User-friendly interface: Virtru is remarkably simple to use, helping to ensure quick adoption by Texas school staff, minimizing disruption while enhancing cybersecurity. Virtru is also easy for external data sharing, so parents, guardians, and other school districts can easily access shared information without creating new accounts or passwords.
- Google award-winning education products: Virtru won the 2024 Google Technology Partner of the Year Award for Education, and with so many education success stories, it's easy to see why.
The Outcome for Texas Schools and Families
By implementing Virtru, Texas school districts can:
- Quickly strengthen compliance with SB 820 requirements
- Demonstrate commitment to student data privacy
- Build trust with Texas families concerned about their students' data security
- Prepare students for a future where data protection is increasingly critical
Another Virtru education customer, Sunshine Miller, is the Director of Technology for Newfield Central School District in New York — another state with advanced school cybersecurity measures (New York Ed Law 2-D). She highlights why K-12 schools must prioritize protecting student data:
“Our team is working hard to ensure the entire district is protecting students’ data. We're hyper focused on protecting our students' data, privacy, and their livelihoods for when they graduate and leave our halls.”
Texas SB 820 represents a significant step towards comprehensive student data protection in the Lone Star State. By leveraging Virtru's powerful, yet user-friendly cybersecurity tools, Texas schools can not only meet SB 820 requirements but also set a new standard for student data privacy in digital education.
Ready to learn more about how Virtru can help bolster your school district's security? Contact us for a demo. We'd love to show you what our software can do.
