8635 Information Breach and Notification Policy and Regulation

ICHABOD CRANE 8635

INFORMATION SECURITY BREACH AND NOTIFICATION 

The Board of Education acknowledges the heightened concern regarding the rise in identity theft and the need for secure networks and prompt notification when security breaches occur. The Board adopts the National Institute for Standards and Technology Cybersecurity Framework Version 1.1 (NIST CSF) for data security and protection. The insert title, such as Superintendent or Data Privacy Officer] is responsible for ensuring the district’s systems follow NIST CSF and adopt technologies, safeguards and practices which align with it. This will include an assessment of the district’s current cybersecurity state, their target future cybersecurity state, opportunities for improvement, progress toward the target state, and communication about cyber security risk. 

The Board will designate a Data Protection Officer to be responsible for the implementation of the policies and procedures required in Education Law §2-d and its accompanying regulations, and to serve as the point of contact for data security and privacy district. optional language: This appointment will be made at the annual organizational meeting] 

The Board directs the Superintendent of Schools, in accordance with appropriate business and technology personnel, and the Data Protection Officer (where applicable) to establish regulations which address: 

  • the protections of “personally identifiable information” of student and teachers/principal under Education Law §2-d and Part 121 of the Commissioner of Education; the protections of “private information” under State Technology Law §208 and the NY SHIELD Act; and
  • procedures to notify persons affected by breaches or unauthorized access of protected information.

I. Student and Teacher/Principal “Personally Identifiable Information” under Education Law §2d

A. General Provisions

PII as applied to student data is as defined in Family Educational Rights and Privacy Act (Policy 5500), which includes certain types of information that could identify a student, and is listed in the accompanying regulation 8635-R. PII as applied to teacher and principal data, means results of Annual Professional Performance Reviews that identify the individual teachers and principals, which are confidential under Education Law §§3012-c and 3012-d, except where required to be disclosed under state law and regulations. 

The Data Protection Officer [or insert other title will see that every use and disclosure of personally identifiable information (PII) by the district benefits students and the district (e.g., improve academic achievement, empower parents and students with information, and/or advance efficient and effective school operations). However, PII will not be included in public reports or other documents.

The district will protect the confidentiality of student and teacher/principal PII while stored or transferred using industry standard safeguards and best practices, such as encryption, firewalls, and passwords. The district will monitor its data systems, develop incident response plans, limit access to PII to district employees and third-party contractors who need such access to fulfill their professional responsibilities or contractual obligations, and destroy PII when it is no longer needed. 

Certain federal laws and regulations provide additional rights regarding confidentiality of and access to student records, as well as permitted disclosures without consent, which are addressed in policy and regulation 5500, Student Records. 

Under no circumstances will the district sell PII. It will not disclose PII for any marketing or commercial purpose, facilitate its use or disclosure by any other party for any marketing or commercial purpose, or permit another party to do so. Further, the district will take steps to minimize the collection, processing, and transmission of PII. 

Except as required by law or in the case of enrollment data, the district will not report the following student data to the State Education Department: 

  1. juvenile delinquency records; 
  2. criminal records; 
  3. medical and health records; and 
  4. student biometric information. 

The district has created and adopted a Parent’s Bill of Rights for Data Privacy and Security. It has been published on the district’s website and can be requested from the district clerk.

B. Third-party Contractors

The district will ensure that contracts with third-party contractors reflect that confidentiality of any student and/or teacher or principal PII be maintained in accordance with federal and state law and the district’s data security and privacy policy. 

Each third-party contractor that will receive student data or teacher or principal data must:

  • adopt technologies, safeguards and practices that align with the NIST CSF;
  • comply with the district’s data security and privacy policy and applicable laws impacting the district; 
  • limit internal access to PII to only those employees or sub-contractors that need access to provide the contracted services; 
  • not use the PII for any purpose not explicitly authorized in its contract; 5. not disclose any PII to any other party without the prior written consent of the parent or eligible student (i.e., students who are eighteen years old or older): 
    • except for authorized representatives of the third-party contractor to the extent they are carrying out the contract; or 
    • unless required by statute or court order and the third party contractor provides notice of disclosure to the district, unless expressly prohibited. 
  • maintain reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII in its custody;
  • use encryption to protect PII in its custody; and 
  • not sell, use, or disclose PII for any marketing or commercial purpose, facilitate its use or disclosure by others for marketing or commercial purpose, or permit another party to do so. Third party contractors may release PII to subcontractors engaged to perform the contractor’s obligations, but such subcontractors must abide by data protection obligations of state and federal law, and the contract with the district. 

If the third-party contractor has a breach or unauthorized release of PII, it will promptly notify the district in the most expedient way possible without unreasonable delay but no more than seven calendar days after the breach’s discovery.

C. Third-Party Contractors’ Data Security and Privacy Plan

The district will ensure that contracts with all third-party contractors include the third-party contractor’s data security and privacy plan. This plan must be accepted by the district. 

At a minimum, each plan will: 

  • outline how all state, federal, and local data security and privacy contract requirements over the life of the contract will be met, consistent with this policy;
  • specify the safeguards and practices it has in place to protect PII;
  • demonstrate that it complies with the requirements of Section 121.3(c) of this Part; specify how those who have access to student and/or teacher or principal data receive or will receive training on the federal and state laws governing confidentiality of such data prior to receiving access;
  • specify if the third-party contractor will utilize sub-contractors and how it will manage those relationships and contracts to ensure personally identifiable information is protected; specify how the third-party contractor will manage data security and privacy incidents that implicate personally identifiable information including specifying any plans to identify breaches and unauthorized disclosures, and to promptly notify the district;
  • describe if, how and when data will be returned to the district, transitioned to a successor contractor, at the district’s direction, deleted or destroyed by the third-party contractor when the contract is terminated or expires.

D. Training 

The district will provide annual training on data privacy and security awareness to all employees who have access to student and teacher/principal PII.

E. Reporting

Any breach of the district’s information storage or computerized data which compromises the security, confidentiality, or integrity of student or teacher/principal PII maintained by the district will be promptly reported to the Data Protection Officer, the Superintendent and the Board of Education.

F. Notifications

The Data Privacy Officer or insert appropriate title will report every discovery or report of a breach or unauthorized release of student, teacher or principal PII to the State’s Chief Privacy Officer without unreasonable delay, but no more than 10 calendar days after such discovery. 

The district will notify affected parents, eligible students, teachers and/or principals in the most expedient way possible and without unreasonable delay, but no more than 60 calendar days after the discovery of a breach or unauthorized release or third-party contractor notification. 

However, if notification would interfere with an ongoing law enforcement investigation, or cause further disclosure of PII by disclosing an unfixed security vulnerability, the district will notify parents, eligible students, teachers and/or principals within seven calendar days after the security vulnerability has been remedied, or the risk of interference with the law enforcement investigation ends. 

The Superintendent or insert appropriate title, in consultation with the Data Protection Officer, will establish procedures to provide notification of a breach or unauthorized release of student, teacher or principal PII, and establish and communicate to parents, eligible students, and district staff a process for filing complaints about breaches or unauthorized releases of student and teacher/principal PII.

II. “Private Information” under State Technology Law §208

“Private information” is defined in State Technology Law §208, and includes certain types of information, outlined in the accompanying regulation, which would put an individual at risk for identity theft or permit access to private accounts. “Private information” does not include information that can lawfully be made available to the general public pursuant to federal or state law or regulation. 

Any breach of the district’s information storage or computerized data which compromises the security, confidentiality, or integrity of “private information” maintained by the district must be promptly reported to the Superintendent and the Board of Education. 

The Board directs the Superintendent of Schools, in accordance with appropriate business and technology personnel, to establish regulations which: 

  • Identify and/or define the types of private information that is to be kept secure; Include procedures to identify any breaches of security that result in the release of private information; and
  • Include procedures to notify persons affected by the security breach as required by law.

 

III. Employee “Personal Identifying Information” under Labor Law § 203-d

Pursuant to Labor Law §203-d, the district will not communicate employee “personal identifying information” to the general public. This includes: 

  • social security number; 
  • home address or telephone number; 
  • personal email address;
  • Internet identification name or password; 
  • parent’s surname prior to marriage; and 
  • drivers’ license number. 

In addition, the district will protect employee social security numbers in that such numbers will not be: 

  • publicly posted or displayed; 
  • visibly printed on any ID badge, card or time card;
  • placed in files with unrestricted access; or
  • used for occupational licensing purposes. 

Employees with access to such information will be notified of these prohibitions and their obligations. 

Cross-ref: 

1120, District Records 5500, Student Records 

8630, Computer Resources and Data Management 

Ref: 

State Technology Law §§201-208 

Labor Law §203-d 

Education Law §2-d 

8 NYCRR Part 121 

Effective Date: February 2, 2021


ICHABOD CRANE 8635-R

INFORMATION SECURITY BREACH AND NOTIFICATION REGULATION 

This regulation addresses information and data privacy, security, breach and notification requirements for student and teacher/principal personally identifiable information under Education Law §2-d, as well as private information under State Technology Law §208. 

The district will inventory its computer programs and electronic files to determine the types of information that is maintained or used by the district, and review the safeguards in effect to secure and protect that information.

I. Student and Teacher/Principal “Personally Identifiable Information” under Education Law §2-d

A. Definitions

Biometric record,” as applied to student PII, means one or more measurable biological or behavioral characteristics that can be used for automated recognition of person, which includes fingerprints, retina and iris patterns, voiceprints, DNA sequence, facial characteristics, and handwriting. 

Breach” means the unauthorized acquisition, access, use, or disclosure of student PII and/or teacher or principal PII by or to a person not authorized to acquire, access, use, or receive the student and/or teacher or principal PII. 

Discloseor Disclosure mean to permit access to, or the release, transfer, or other communication of PII by any means, including oral, written, or electronic, whether intended or unintended. 

Personally Identifiable Information” (PII) as applied to students means the following information for district students: 

  1. the student’s name; 
  2. the name of the student’s parent or other family members; 
  3. the address of the student or student’s family; 
  4. a personal identifier, such as the student’s social security number, student number, or biometric record; 
  5. other indirect identifiers, such as the student’s date of birth, place of birth, and mother’s maiden name; 
  6. other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have personal knowledge of the relevant circumstances, to identify the student with reasonable certainty; or 
  7. information requested by a person who the district reasonably believes knows the identity of the student to whom the education record relates.

Personally Identifiable Information” (PII) as applied to teachers and principals means results of Annual Professional Performance Reviews that identify the individual teachers and principals, which are confidential under Education Law §§3012-c and 3012-d, except where required to be disclosed under state law and regulations. 

Third-Party Contractor” means any person or entity, other than an educational agency (i.e., a school, school district, BOCES or State Education Department), that receives student or teacher/principal PII from the educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of the educational agency, or audit or evaluation of publicly funded programs. This includes an educational partnership organization that and receives student and/or teacher/principal PII from a school district to carry out its responsibilities pursuant to Education Law §211-e (for persistently lowest-achieving schools or schools under registration review) and is not an educational agency. This also includes a not-for-profit corporation or other nonprofit organization, other than an educational agency.

B. Complaints of Breaches or Unauthorized Releases of PII

If a parent/guardian. eligible student, teacher, principal or other district employee believes or has evidence that student or teacher/principal PII has been breached or released without authorization, they must submit this complaint in writing to the district. Complaints may be received by the Data Privacy Officer, but may also be received by any district employee, who must immediately notify the Data Privacy Officer. The complaint process is available on the District website for parents, eligible students, teachers, principals, and other district employees. 

The district will acknowledge receipt of complaints promptly, commence an investigation, and take the necessary precautions to protect personally identifiable information. 

Following its investigation of the complaint, the district will provide the individual who filed a complaint with its findings within a reasonable period of time. This period of time will be no more than 60 calendar days from the receipt of the complaint. 

If the district requires additional time, or if the response may compromise security or impede a law enforcement investigation, the district will provide individual who filed a complaint with a written explanation that includes the approximate date when the district will respond to the complaint. 

The district will maintain a record of all complaints of breaches or unauthorized releases of student data and their disposition in accordance with applicable data retention policies, including the Records Retention and Disposition Schedule ED-1.

C. Notification of Student and Teacher/Principal PII Breaches

If a third-party contractor has a breach or unauthorized release of PII, it will promptly notify the Data Privacy Officer in the most expedient way possible, without unreasonable delay, but no more than seven calendar days after the breach’s discovery. 

The Data Privacy Officer will then notify the State Chief Privacy Officer of the breach or unauthorized release no more than 10 calendar days after it receives the third-party contractor’s notification using a form or format prescribed by the State Education Department. 

The Data Privacy Officer will report every discovery or report of a breach or unauthorized release of student, teacher or principal data to the Chief Privacy Officer without unreasonable delay, but no more than 10 calendar days after such discovery. 

The district will notify affected parents, eligible students, teachers and/or principals in the most expedient way possible and without unreasonable delay, but no more than 60 calendar days after the discovery of a breach or unauthorized release or third-party contractor notification. 

However, if notification would interfere with an ongoing law enforcement investigation or cause further disclosure of PII by disclosing an unfixed security vulnerability, the district will notify parents, eligible students, teachers and/or principals within seven calendar days after the security vulnerability has been remedied or the risk of interference with the law enforcement investigation ends. 

Notifications will be clear, concise, use language that is plain and easy to understand, and to the extent available, include: 

  • a brief description of the breach or unauthorized release, 
  • the dates of the incident and the date of discovery, if known; 
  • a description of the types of PII affected; 
  • an estimate of the number of records affected; 
  • a brief description of the district’s investigation or plan to investigate; and contact information for representatives who can assist parents or eligible students with additional questions. 

Notification must be directly provided to the affected parent, eligible student, teacher or principal by first-class mail to their last known address; by email; or by telephone. 

Where a breach or unauthorized release is attributed to a third-party contractor, the third-party contractor will pay for or promptly reimburse the district for the full cost of such notification. 

The unauthorized acquisition of student social security numbers, student ID numbers, or biometric records, when in combination with personal information such as names or other identifiers, may also constitute a breach under State Technology Law §208 if the information is not encrypted, and the acquisition compromises the security, confidentiality, or integrity of personal information maintained by the district. In that event, the district is not required to notify affected people twice, but must follow the procedures to notify state agencies under State Technology Law §208 outlined in section II of this regulation.

II. “Private Information” under State Technology Law §208

A. Definitions

Private information” means either: 

  1. personal information consisting of any information in combination with any one or more of the following data elements, when either the data element or the personal information plus the data element is not encrypted or encrypted with an encryption key that has also been accessed or acquired: 

Social security number; 

Driver’s license number or non-driver identification card number; 

Account number, credit or debit card number, in combination with any required security code, access code, password or other information which would permit access to an individual’s financial account; 

account number or credit or debit card number, if that number could be used to access a person’s financial account without other information such as a password or code; or biometric information (data generated by electronic measurements of a person’s physical characteristics, such as fingerprint, voice print, or retina or iris image) used to authenticate or ascertain a person’s identity; or 

  1. a user name or email address, along with a password, or security question and answer, that would permit access to an online account. 

“Private information” does not include information that can lawfully be made available to the general public pursuant to federal or state law or regulation; 

Breach of the security of the system” means unauthorized acquisition or acquisition without valid authorization of physical or computerized data which compromises the security, confidentiality, or integrity of personal information maintained by the district. Good faith acquisition of personal information by an officer or employee or agent of the district for the purposes of the district is not a breach of the security of the system, provided that the private information is not used or subject to unauthorized disclosure.

B. Procedure for Identifying Security Breaches

In determining whether information has been acquired, or is reasonably believed to have been acquired, by an unauthorized person or a person without valid authorization, the district will consider: 

  1. indications that the information is in the physical possession and control of an unauthorized person, such as removal of lost or stolen computer, or other device containing information; 
  2. indications that the information has been downloaded or copied; 
  3. indications that the information was used by an unauthorized person, such as fraudulent accounts opened or instances of identity theft reported; and/or
  4. any other factors which the district shall deem appropriate and relevant to such determination.

C. Notification of Breaches to Affected Persons

Once it has been determined that a security breach has occurred, the district will take the following steps: 

  1. If the breach involved computerized data owned or licensed by the district, the district will notify those New York State residents whose private information was, or is reasonably believed to have been accessed or acquired by a person without valid authorization. The disclosure to affected individuals will be made in the most expedient time possible and without unreasonable delay, consistent with the legitimate needs of law enforcement, or any measures necessary to determine the scope of the breach and to restore the integrity of the system. The district will consult with the New York State Office of Information Technology Services to determine the scope of the breach and restoration measures. 
  2. If the breach involved computer data maintained by the district, the district will notify the owner or licensee of the information of the breach immediately following discovery, if the private information was or is reasonably believed to have been accessed or acquired by a person without valid authorization. 

The required notice will include (a) district contact information, (b) a description of the categories information that were or are reasonably believed to have been accessed or acquired without authorization, (c) which specific elements of personal or private information were or are reasonably believed to have been acquired and (d) the telephone number and website of relevant state and federal agencies that provide information on security breach response and identity theft protection and prevention. This notice will be directly provided to the affected individuals by either: 

  1. Written notice 
  2. Electronic notice, provided that the person to whom notice is required has expressly consented to receiving the notice in electronic form; and that the district keeps a log of each such electronic notification. In no case, however, will the district require a person to consent to accepting such notice in electronic form as a condition of establishing a business relationship or engaging in any transaction. 
  3. Telephone notification, provided that the district keeps a log of each such telephone notification. 

However, if the district can demonstrate to the State Attorney General that (a) the cost of providing notice would exceed $250,000; or (b) that the number of persons to be notified exceeds 500,000; or (c) that the district does not have sufficient contact information, substitute notice may be provided. Substitute notice would consist of all of the following steps: 

  1. E-mail notice when the district has such address for the affected individual;
  2. Conspicuous posting on the district’s website, if they maintain one; and 3. Notification to major media. 

However, the district is not required to notify individuals if the breach was inadvertently made by individuals authorized to access the information, and the district reasonably determines the 

breach will not result in misuse of the information, or financial or emotional harm to the affected persons. The district will document its determination in writing and maintain it for at least five years, and will send it to the State Attorney General within ten days of making the determination. 

Additionally, if the district has already notified affected persons under any other federal or state laws or regulations regarding data breaches, including the federal Health Insurance Portability and Accountability Act, the federal Health Information Technology for Economic and Clinical Health (HI TECH) Act, or New York State Education Law §2-d, it is not required to notify them again. Notification to state and other agencies is still required.

D. Notification to State Agencies and Other Entities

Once notice has been made to affected New York State residents, the district shall notify the State Attorney General, the State Department of State, and the State Office of Information Technology Services as to the timing, content, and distribution of the notices and approximate number of affected persons. 

If more than 5,000 New York State residents are to be notified at one time, the district will also notify consumer reporting agencies as to the timing, content and distribution of the notices and the approximate number of affected individuals. A list of consumer reporting agencies will be furnished, upon request, by the Office of the State Attorney General. 

If the district is required to notify the U.S. Secretary of Health and Human Services of a breach of unsecured protected health information under the federal Health Insurance Portability and Accountability Act (HIPAA) or the federal Health Information Technology for Economic and Clinical Health (HI TECH) Act, it will also notify the State Attorney General within five business days of notifying the Secretary. 

Effective Date: February 2, 2021