In public education, cybersecurity policy can feel like the Wild West. At the federal level, you have FERPA, HIPAA, and COPPA, which are pretty straightforward regulations. But at the state and local levels, things get increasingly fragmented: Every state has its own data privacy regulations (or lack thereof). Every district has its own budget and priorities. Every school has its own staffing resources and resident technology expertise.
It's a tricky landscape to navigate. Yet, the fact remains that schools are responsible for protecting a wealth of highly sensitive information: Student and faculty PII, PHI, and family details — not to mention things like individualized education plans (IEPs) and sensitive information related to social work cases.
Many states — including New York, Illinois, Utah, and Texas — are realizing that federal regulations are not sufficient to secure this ever-growing ecosystem of sensitive student data. So, state legislatures are enacting laws that take student data security a step further.
One of those laws is Texas Senate Bill 820 (SB 820) — and here's what that means for school districts across the state of Texas.
Texas Senate Bill 820 (SB 820) was introduced in 2019 and marks a pivotal shift in student data protection for Texas schools. This legislation mandates enhanced cybersecurity measures for each district, including the creation of a cybersecurity policy to prevent cyber attacks and mitigate cybersecurity incidents. It also requires each district to appoint a point of contact for cybersecurity responsibility and communications.
There are three key components of Texas SB 820 that schools need to implement.
This is broad, but it's a starting point: Texas SB 820 requires each school district to "adopt a cybersecurity policy to secure district infrastructure against cyber attacks and other cybersecurity incidents; and determine cybersecurity risk and implement mitigation planning." It's a requirement that is flexible in nature but does require that school districts put a policy in place. Thankfully, NIST cybersecurity frameworks provide templates and best practices for schools to model their cybersecurity strategies after.
The superintendent of each Texas school district must designate a cybersecurity coordinator to oversee data protection efforts for their district. This individual is responsible for communications between the district and the Texas Education Agency (TEA) regarding cybersecurity matters.
SB 820 requires the Cybersecurity Coordinator to report any cybersecurity incidents affecting student data to the TEA "as soon as is practicable after the discovery of the attack or incident." The law also requires the district to notify the parent or guardian of each student whose data is included in such a cybersecurity incident.
As a result, Texas school districts will now have clearer accountability for student data, as well as a plan of action when a cybersecurity incident occurs.
Yes, Texas SB 820 is different from FERPA. Whereas Texas SB 820 addresses Texas school district cybersecurity practices and incident response, FERPA is a federal regulation that applies in all states and focuses on the management of student data.
FERPA, the Family Educational Rights and Privacy Act, is a federal law that grants parents the right to access their children’s educational records. FERPA also gives parents control over the disclosure of PII (personally identifiable information), as well as the right to request amendments to some records. So, while it sets some requirements for managing student data, it doesn't necessarily address specific cybersecurity measures.
Whether it's FERPA or Texas SB 820, these regulations ultimately aim to protect the data — and it's critical that school districts and their cybersecurity coordinators have tools in place to protect that sensitive data everywhere it's created, stored, and shared.
Showkat Choudhury, CIO at Central State University, said it well in the Central State University Virtru Voice of the Customer case study:
“These students are... just starting their lives. At this early age, if they lost their most securely held information — date of birth, health records, social security numbers — if it’s compromised just one time, that information may float on the web for decades.”
Student data privacy is a big deal, and Virtru's data security software can help school districts quickly and easily address the goals of Texas SB 820:
By implementing Virtru, Texas school districts can:
Another Virtru education customer, Sunshine Miller, is the Director of Technology for Newfield Central School District in New York — another state with advanced school cybersecurity measures (New York Ed Law 2-D). She highlights why K-12 schools must prioritize protecting student data:
“Our team is working hard to ensure the entire district is protecting students’ data. We're hyper focused on protecting our students' data, privacy, and their livelihoods for when they graduate and leave our halls.”
Texas SB 820 represents a significant step towards comprehensive student data protection in the Lone Star State. By leveraging Virtru's powerful, yet user-friendly cybersecurity tools, Texas schools can not only meet SB 820 requirements but also set a new standard for student data privacy in digital education.