Today the Board of Regents formally adopted Part 121 to the Commissioner’s Regulations to implement Education Law § 2-d. The regulation will become effective January 29, 2020. This regulation primarily addresses the obligations that need to exist between software vendors or data processors and school districts; the need to implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework; disclosure requirements to eligible students or parents; training requirements for individuals who are authorized to access student or teacher or principal data; and the appointment of a data protection officer to oversee all of these efforts. Under the regulation, schools have until July 1, 2020 to adopt and publish the data security and privacy policy.

See the full text of the final version of the regulation.

This regulation has been a long time in the making and is being implemented years after the passage of Education Law 2-d. We suspect that its passage reflects the intention of the New York State Education Department to verify compliance with this law and a potential emphasis that will be placed upon data privacy and cybersecurity, both at the districts and for the software companies that offer services to those districts. School districts have a large number of applications that potentially hold sensitive student and teacher or principal data; and addressing the contractual requirements and implementing the NIST framework are not trivial tasks.

To understand the potential magnitude of this regulation for school districts, it is likely that school districts may have more than 400 known applications that potentially hold protected information, with many more “dark” applications likely used by individual educators unknown to building or district administrators.

This regulation will also impact software vendors. They will now have to address numerous requests to amend contracts like the efforts seen in connection with the passage of the European Data Privacy laws. It will be important for these vendors to prepare for requests from each school district as they seek to comply with the terms of this regulation. Failure to comply may result in civil penalties, preclusion of the third-party from accessing student data or teacher or principal data or other ramifications.

Districts and vendors alike must address how to meet by July 1, 2020 the assessment requirements of the NIST CSF and how to verify vendor compliance with the security requirements of Part 121.

For more background, listen to our podcast on NYS Education Law Section 2-d.

This alert does not purport to be a substitute for advice of counsel on specific matters.

Harris Beach has offices throughout New York State, including Albany, Buffalo, Ithaca, Melville, New York City, Rochester, Saratoga Springs, Syracuse, Uniondale and White Plains, as well as New Haven, Connecticut and Newark, New Jersey.