Senate Bill 820 was introduced in February of 2019 and signed into law June 10, 2019. The basic concept of SB820 is to mandate cybersecurity policies for Texas ISDs. The bill itself is not very verbose and amends current Education Code specifically by adding the language to Section 11.175.
The bill was uncontroversial: it passed the Senate Education Committee unanimously and passed the House by a margin of 139 "Yeas" to 10 "Nays". It would seem the Texas Legislature understands what we have known for at least 3 years: cyber attacks and data breaches for Texas ISDs have become an epidemic.
It appears the bill is an unfunded mandate and, as written, does not appear to carry any sort of non-compliance liability.
The text of the bill states that each school district shall adopt a cybersecurity policy to secure the district against cyber attacks and other cybersecurity incidents. It also states that the district will determine the cybersecurity risk to the district and implement mitigation planning.
In addition the bill states:
"A school district's cybersecurity policy may not conflict with the information security standards for institutions of higher education adopted by the Department of Information Resources under Chapters 2054 and 2059, Government Code."
The bill goes on to mandate that the superintendent designate a cybersecurity coordinator and that coordinator is to report any cyber attack or other cybersecurity incident to the TEA.
The bill also mandates that the cybersecurity coordinator shall provide notice to the parent or guardian of a student whose regulatory protected information may have been compromised.
At this point we do not know what TEA will require with regard to the new legislation. However, based on a similar mandate to the Educational Service Centers (ESCs), we can make a couple of educated guesses.
The cybersecurity policies the ISD enacts will most likely need to align to the Texas Cybersecurity Framework. That framework was developed by DIR and aligns to the federal standard (NIST 800-53). The framework is also required to be followed by institutions of higher education that are funded by the State. Most importantly, it is required to be followed by all State administrative agencies, including the TEA. We believe this framework will be the basis for whatever TEA decides with regard to the legislation.
We also believe that the TEA will want some sort of baseline metrics over the next 2 years from the ISDs as to their adherence to SB820. Those metrics may even be mapped to the Texas Cybersecurity Framework.
Whatever the course of action by the legislature and the TEA, Texas ISDs can be assured that this is the beginning, and not the end, of the regulatory requirements.
We have crafted an offering based on our deep understanding of the Texas Cybersecurity Framework and all of its components.
This offering takes the framework's 5 domains and related 40 security objectives and gets you on the path to security and compliance. Everything from policy development to managed detection response is included in the package.
The package is priced to be affordable and scalable so that every ISD has an opportunity to enjoy the assurance that security and compliance provide.
means an incident in which student information that is sensitive, protected, or confidential, as provided by state or federal law, is stolen or copied, transmitted, viewed, or used by a person unauthorized to engage in that action.
means an attempt to damage, disrupt, or gain unauthorized access to a computer, computer network, or computer system
means the measures taken to protect a computer, computer network, or computer system against unauthorized use or access.