The New York Board of Regents approved regulations for Education Law §2-d. The law, passed in March 2014, introduced contract requirements between schools and vendors, security standards for handling student data, and financial penalties for vendors found out of compliance. The regulations go into effect on January 29, 2020. The full summary of the original law is available to SIIA members here. Some important components of the law include:
- The New York Education Commissioner will appoint a Chief Privacy Officer that will take the lead in developing standards and model policies for data security and privacy.
- The development of a statewide “Parents’ Bill of Rights for Data Privacy and Security” which outlines parent rights and is to be included in contracts between education technology companies and schools.
- A number of requirements on education technology vendors including staff and contractor privacy training and specific data security requirements.
- An education technology company could be subject to civil penalties of up to $250,000 for non-compliance.
The new regulations were developed with select stakeholders on the New York Data Privacy Advisory Council (DPAC). Earlier regulatory proposals to the Board of Regents note that industry participated in the DPAC, yet there was no industry voice on the list of advisory council members. SIIA weighed in throughout the regulatory process, submitting comments at each step (comment 1, comment 2, comment 3). The final regulations include, but are not limited to, the following:
- Clarify a number of terms left undefined by the 2014 law, including “encryption” and “commercial or marketing purpose.”
- Outline a specific process for filing complaints about breaches and other unauthorized releases of student, teacher, or principal data.
- Adopt the National Institute of Standards and Technology Framework for Improving Critical Infrastructure Cybersecurity Version 1.1 (NIST Cybersecurity Framework or NIST CSF) as the standard for data security and privacy for educational agencies.
- Require education technology companies to include in their contracts with schools a data security and privacy plan that contains the elements outlined in §121.6 of the regulations, and to comply with the school’s own data security and privacy plan.
- Require that education technology companies not sell, use, or disclose personally identifiable information for any marketing or commercial purpose.
Education technology companies may begin hearing from schools and districts as they look to adopt and publish new privacy and security policies, which are required to be updated by July 1, 2020.
This post should not substitute for a detailed review of the new laws and regulations nor should it be taken as formal legal guidance.