On June 10, a bipartisan bill (co-sponsored by Sen. Jane Nelson [R], Sen. Royce West [D], Rep. Morgan Meyer [R], and Rep. James Talarico [D]) was signed by Governor Abbott to require Texas school districts to adopt a cybersecurity policy, effective September 1, 2019. In short, S.B. No. 820 requires school districts to:
- adopt a cybersecurity policy;
- designate a cybersecurity coordinator; and,
- report eligible security incidents (as defined by the bill) to the Texas Education Agency and the parent or guardian of affected students.
Absent such requirements, there has been no way for Texas policymakers or administrators in the state department of education to assess the frequency and scope of data security risks facing schools or to ensure that families of students affected by a security incident were informed of pertinent incidents in a timely manner (and hence are able to take action to protect themselves from identity theft or other risks).
Just as state student data privacy bills have become increasingly commonplace as federal law has shown its inadequacy in the face of evolving technology adoption, so too we should expect more states to take up school cybersecurity regulations (where federal education law is virtually silent). The Texas legislation is significant and its implementation will be important for policymakers and advocates to watch and learn from.
For reference, the full text of the Act follows: