On June 10, 2019, Senate Bill 820 was signed into law by Governor Greg Abbott. This law requires that all Texas school districts adopt a cybersecurity policy.
The new law is in response to the rise in K-12 cybersecurity incidents.
According to a recent report from the K-12 Cybersecurity Resource Center and the K12 Security Information Exchange, cybersecurity incidents rose by 18 percent in 2020. The incidents included data breaches, phishing attacks, ransomware, and denial-of-service attacks.
As part of the new cybersecurity policies, school districts must implement new security measures, designate a security coordinator, and devise a plan for reporting breaches of personally identifiable student data. Senate Bill 820 lays out the framework for each.
Implementing new security measures
The primary purpose of Senate Bill 820 is to prompt school districts to implement new security measures designed to protect against cybersecurity attacks and breaches.
K-12 schools have prepared for many challenging threats over the years, including natural and biological hazards. New on their list of things to safeguard against are cybersecurity threats.
In addition to the provisions in Senate Bill 820, a separate piece of legislation requires state and local government employees to complete a certified cybersecurity training program once a year.
House Bill 3834 tasks the Texas Department of Information Resources (DIR) with certifying at least five cybersecurity training programs that meet the prerequisites spelled out in HB 3834.
How to designate a security coordinator
Appointing a security coordinator is an important provision within Senate Bill 820.
The security coordinator plays a crucial role in managing a K-12 school district’s cybersecurity policy. They are responsible for reporting any cyberattack against the school district’s cyberinfrastructure.
To meet Texas Education Agency guidelines for a reportable offense, cyberattacks must breach system security or compromise the personal information of students or staff.
Before Senate Bill 820 was signed into law, there was no reliable way for Texas policymakers and education administrators to determine the frequency and scope of cybersecurity attacks and data breaches among K-12 schools.
Adopting a cybersecurity policy
There are several steps K-12 school districts can take to protect against cyber threats. Likewise, there are ways to mitigate the effects of cyberattacks and promote a quicker recovery if protective measures fail.
Adopting a cybersecurity policy that identifies risks and provides a clear roadmap for handling them is a requirement of the new law.
Here are steps for effectively identifying cybersecurity threats:
- Isolate and document vulnerabilities. What makes your school district attractive to cybercriminals? Looking at the kind of information your district collects is a great first step in understanding your weaknesses. Once you identify why your district is a target, you can uncover your main vulnerabilities.
- Identify internal and external threats. It is important to remember that threats are not just external. While cyber thieves are always looking for their next target, disgruntled employees can do damage internally as well.
- Classify potential impacts. What are the financial, operational, and reputational ramifications of a cyberattack on your school district? Who is likely to be affected? Creating a continuity or resilience plan can help guide you through the process.
How to report breaches involving personally identifiable data on students
Data breaches that involve personally identifiable information about students must be reported immediately to the Texas Department of Information Resources (DIR).
School districts that need to report an urgent cybersecurity incident can call the Cybersecurity Incident Response and Assistance hotline at 877-347-2476.
How CTSI can help
CTSI has a cybersecurity training and solution platform that meets the requirements laid out in Senate Bill 820.
For the second consecutive year, CTSI’s cybersecurity training program has been certified by the Texas Department of Information Resources, which means the department recognizes our training program as eligible to meet the requirements in both SB 820 and HB 3834.
K-12 school districts can rely on our continuous monitoring, security expertise, end-user training, and compliance support to fulfill all of the new law's requirements.