On June 10, Texas Senate Bill 820 was signed by Governor Abbott to require Texas school districts to adopt a cybersecurity policy, effective September 1, 2019. In short, TX SB 820 requires school districts to:
- Adopt a cybersecurity framework
- Create a program to identify risk
- Develop a plan to mitigate critical areas of risk
- Designate a Cybersecurity Coordinator to report all incidents
The Coordinator will report any cyberattack against the district’s cyberinfrastructure that constitutes a breach of system security to the Texas Education Agency (TEA) and the parent or guardian of any students whose personal information has been affected, in an incident report.
Prior to June 10, there has not been a way for Texas policymakers or education administrators to assess the frequency and scope of data security risks facing schools, or to ensure that families of students affected by a security incident were informed of impactful cyber-related incidents in a timely manner.
This Texas legislation is significant and its implementation will have strategic importance for policymakers and advocates as they continue to progress the state’s ability to improve overall cybersecurity measures.
SB 820 Justification
K-12 cybersecurity incidents are on the rise. On July 24, 2019, Louisiana Governor John Bel Edwards issued a state-wide Emergency Declaration in response to an ongoing cybersecurity incident that is affecting several local government agencies. The declaration makes available state resources ranging from cybersecurity experts to the Office of Technology Services to assist local governments in responding to and preventing future data loss.
Additionally, a report released by the K-12 Cybersecurity Resource Center catalogued 122 publicly-reported cyberattacks on school systems across 38 states in 2018. This amounts to roughly one cyberattack every three days, suggesting that school systems across the country have sufficient reason to ramp up cybersecurity initiatives. It is imperative that school systems adequately protect their data.
The most common form of K-12 cyber-attacks are data breaches. Due to the prevalence of these attacks and the sensitivity of the data at risk, it is imperative school districts in Texas meet or exceed compliance with TX SB 820 and implement the robust associated security practices that protect the information of students and the district network infrastructure.
TX SB820 will go into effect on September 1, 2019.
What does this mean for school districts?
TX SB 820 means that school districts are now responsible for handling their own cybersecurity measures, including the identification and reporting of breaches.
While the terms of what this new law entails and what specific components the law will require are still being clarified, our industry experience and understanding of cybersecurity in Texas lead us to three estimations:
- Creation: School district security policies will likely align with existing Texas cybersecurity framework solution sets.
- Testing: The school district cybersecurity policy implementation will likely be required by this law.
- Demonstration of effectiveness: It will be important to not only meet the policy to ensure compliance, but to also consider the actual effectiveness of the cybersecurity framework program. These security measures should be practical and effective.
How can Red River help?
Red River has proven experience in the university and education system with the creation and implementation of extensive security policies and control programs, including:
- Cybersecurity and compliance frameworks (NIST 800 series, ISO 27001, HIPAA, PCI, GDPR, CCPA)
- Network, application, information and operational readiness security assessments
- Risk management and remediation programs
- Formal security awareness and the protection of personal privacy as well as critical information assets.
Red River has developed a proven risk-based methodology for assessing, developing, implementing and optimizing security solutions for government agencies and educational institutions.
Red River’s security practice engineers are highly-certified and equipped with the expertise and solutions needed to help school districts in Texas establish cybersecurity policies that satisfy the requirements of TX SB 820, while protecting the sensitive data of students, the district cybernetwork, faculty and staff.