A No-Guesswork Approach for CIOs.
Schools and colleges are facing an alarming increase in cybersecurity incidents. Some hackers seek ransoms while others see value in scooping up personally identifiable information to sell to identity thieves.
In July 2019, Louisiana’s governor was forced to issue a statewide emergency declaration after several school systems reported a malware attack. The same month, the Syracuse school district in New York state paid a cyber insurance policy deductible of $50,000 to cover a ransomware demand. Meanwhile, in Houston, TX, the county school system experienced downed servers and was forced to delay the start of the fall semester in order to reconfigure 4,000 computers infected with malware.
School districts are particularly attractive to hackers because of the vast amount of private data they hold and their lack of resources to fend off intruders. “Nearly two-thirds of school districts in the United States serve fewer than 2,500 students, and many do not have a staff member dedicated solely to cybersecurity,” says The New York Times.
While many school districts already follow industry standards for cybersecurity risk management and controls, no state law has specifically required school districts to run a cybersecurity program or to report incidents involving student data – until now.
Texas takes steps to fight cyber risks in education
Effective September 1, 2019, Texas Senate Bill 820 mandates cybersecurity and data protection policies for Texas school districts.
While other sectors, including healthcare, financial services, and government, have long been subject to cybersecurity regulations, Senate Bill 820 is the first of its kind to be implemented in the education sector and is likely to blaze a trail for other states.
What is Texas Senate Bill 820?
Under Senate Bill 820, Texas school districts are now required to initiate three critical cybersecurity measures:
1) Adopt a cybersecurity policy. A policy must be devised to secure district infrastructure against cyber-attacks and incidents. Districts must also institute a plan for determining cyber risk and implement plans to mitigate that risk.
2) Designate a cybersecurity coordinator. Each district superintendent must appoint a coordinator to serve as a liaison between the district and the Texas Education Agency (TEA).
3) Report any breaches. The coordinator must report any cyberattack or other cybersecurity incident against the district's infrastructure to the agency as soon as practicable after it is discovered, and must notify the parents or guardians of affected students of any breach of personally identifiable information.
While the bill itself is light on details, it is likely to align with the Texas Cybersecurity Framework. Still, it raises many questions. For example, how will IT administrators balance the usability of IT in the classroom, and of devices that go home with students, against tighter security controls? What penalties will be enforced for non-compliance? Will school districts receive additional budget to fund the mandate? And what role will IT vendors, such as laptop and device manufacturers, play in compliance?
The stage is set for more cyber legislation in the education sector
This legislation may be the beginning of a new wave of cybersecurity regulations aimed at protecting the education sector. It also highlights a growing need in cyber risk management: the need to demonstrate a standard of care through measurable security performance. As IT leaders, school trustees and directors face the emergence of a potential patchwork of regulations, increased focus must be placed on demonstrating an acceptable standard of care in cyber risk management and compliance.
Although there are no published penalties associated with non-compliance with Senate Bill 820 (yet), at a minimum, it’s likely that TEA will require baseline, data-driven performance metrics from each district on their adherence to the bill.
Indeed, security performance management will likely take on a central role as the education sector becomes more proactive in protecting against risk. School districts will seek to communicate effectively on security and risk, identify gaps in their cybersecurity programs, and determine where to focus investments for the highest impact on security program performance.
Whatever transpires as Senate Bill 820 unfolds, its significance should not be underestimated. This is the beginning of a new era for cybersecurity in the education sector, one in which school districts and their IT vendors will be answerable to the kind of stringent cybersecurity mandates typically reserved for highly regulated private-sector industries.