Every state has its own parameters when it comes to data privacy, cybersecurity, and breach notification. But Texas? Yeah, don’t mess with it. (I know, I went there…)
Understanding the laws that regulate student data privacy is an important part of managing data at your school district. That’s why we’re here to help you out. Let’s explore the nitty-gritty of Texas data privacy laws and what you can do to protect student data.
Texas data privacy: A wave of cyber incidents
In truth, cybercrime is a nationwide phenomenon in the United States — and it’s getting worse. According to a recent study, cyberattacks increased 57% in 2022. And the worst part? Cybercriminals targeted the education sector more than any other industry.
Suffice it to say, the United States has a long way to go in improving cybersecurity, especially when it comes to K-12 education. After all, school districts collect, process, and store massive amounts of sensitive student data. It only takes one data breach to expose personal information, which could be used for any number of nefarious purposes, including identity theft.
So, why the focus on Texas? For one, Texas is among the leaders in enacting stronger cybersecurity and student data privacy laws.
Unfortunately, the Lone Star State also has a storied history of data security and privacy incidents over the past few years. Here’s a look at some of the most pertinent cases of compromised student data:
- Dallas ISD: In August 2021, the Dallas Independent School District (ISD) suffered a data breach that exposed the personal data of over 800,000 individuals, including staff, students, and parents. Turns out, this case was fortunately just a mistake made by two students who unwittingly accessed their school’s sensitive information. This is just one of many, many examples across the country of why insider DLP risks are as important to manage as the more sensationalized cybersecurity incidents, like ransomware.
- Mansfield ISD: An August 2022 ransomware attack took Mansfield ISD’s most critical information systems offline. Once the attack happened, the school notified law enforcement and the appropriate authorities, but by that time, the damage had already been done. Luckily, it didn’t appear that any of Mansfield’s 35,000 students lost personal information during the breach.
- Judson ISD: Other districts weren’t so lucky. After a November 2021 attack, Judson ISD ultimately had to pay ransomware hackers over $547,000 — the largest known ransomware payment made by a school district in the US at the time. The hackers locked administrators out of computer systems for weeks and threatened to expose student data.
- Lancaster ISD: A June 2021 data breach leaked thousands of pages of sensitive personal information stolen from Lancaster ISD’s record systems. Hackers posted over 500 staff members’ personal data on the dark web for anyone to freely access.
According to WFAA, the Texas Education Agency (TEA) released a list of over 70 districts that had experienced cyberattacks since 2019. However, this list was non-exhaustive. Why? Because per Texas law, schools aren’t required to report cyberattacks to the state agency as long as there’s no evidence that students’ personal information was stolen during the hack. In fact, the Texas legislature doesn’t require them to tell anybody whatsoever (but more on that later).
As the above examples indicate, data privacy is important. If your data security and privacy policies aren’t supported by ample cybersecurity measures every step of the way, your district runs the risk of falling victim in a similar fashion. Schools must also be aware of the Texas data privacy laws that impact them and their third-party technology vendors.
Understanding Texas data privacy legislation
Generally speaking, all districts are subject to federal data privacy laws such as the Children’s Online Privacy Protection Act (COPPA) and the Family Educational Rights and Privacy Act (FERPA). However, the U.S. leaves it up to the state governments to set their own specific cybersecurity and breach notification requirements.
Texas, in particular, has a series of important laws that schools must follow. Let’s take a closer look at each one in more detail:
Senate Bill 820
You can’t have data privacy without data protection, which is exactly what Senate Bill 820 is all about. In June 2019, Governor Greg Abbott signed this bill, which requires districts to adopt an effective cybersecurity policy. Specifically, the Texas law requires all schools to:
- Adopt a cybersecurity framework
- Create a program to identify risk
- Develop a plan to mitigate critical risk areas
- Designate a Cybersecurity Coordinator to report all incidents
Notably, the bill requires the Coordinator to report an incident to the Texas Education Agency and to the parent or guardian of any student whose personal information has been compromised only if the incident constitutes a breach of security.
Texas Privacy Protection Act
Enacted in June 2019, this bill amended the state’s previous breach notification laws, requiring businesses to provide:
- Data breach notices to affected individuals within 60 days.
- Notice to the Texas Attorney General if the company experiences a data breach affecting 250 or more individuals (specifically Texas residents).
The bill also specifically requires that any “person who conducts business in this state and owns or licenses computerized data that includes sensitive personal information” must disclose a breach of security. Thus, this law also applies to Texas school districts.
Biometric Privacy Act
Originally enacted in 2009, this biometric privacy law prohibits the capture, sale, or disclosure of a person’s biometric identifier without their consent. The law had largely lain dormant until recently, when the Texas Attorney General brought a suit against Meta for allegedly collecting personal information via facial recognition.
How does this impact school districts? With smart home devices increasingly used in classrooms, one can only imagine the privacy implications in play if that information were to leak to the public.
Texas Student Privacy Act
Obviously, the Texas Student Privacy Act is the law that applies most directly to K-12 education. Enacted in 2017, this privacy legislation prohibits the sale of students’ personal data, bans advertisements to students based on the data they’ve shared with educational institutions or vendors, and broadly prohibits student data disclosure, with some limited exceptions.
What’s notable about this bill is that it defines multiple categories of protected information, including:
- Email addresses
- Physical addresses
- Educational records
- First and last names
- Telephone numbers
- Health information
- Social security numbers
- Political affiliations
- Religious beliefs
- Biometric information
- Discipline records
- Grades and evaluations
New laws on the horizon
In its Biennial Performance Report, the Texas Department of Information Resources asked the state legislature to consider new laws requiring schools to disclose cybersecurity incidents within a standard timeframe. Although nothing is set in stone, it’s worth mentioning that schools should be on the lookout for new Texas data privacy laws that could go into effect in the near future.
Protecting data with automated cloud security
Compliance is important, but what’s especially crucial is that your students’ sensitive personal information is kept under wraps and away from prying eyes. Question is: How do you make that happen?
That may seem like a complicated question, but the answer is just the opposite. When you squeeze an additional layer of cloud security between your district’s cloud domain and the threat vectors clawing at your data, you can simplify and streamline data protection — all in one dashboard.
Take ManagedMethods, for example. As a cloud security platform designed for Google Workspace and Microsoft 365, it automatically detects risks that could threaten your data, even the ones previously unseen. For instance, ManagedMethods can identify unauthorized third-party applications and help you remove any that pose a risk to your data. Not only does this help reduce your attack surface, but it also makes data security a painless, easy process.
But, don’t take it from us. Here’s what Cody Walker, director of technology at West Rusk County Consolidated ISD, had to say about the platform:
“ManagedMethods is going to be your best friend. In the beginning, it will relay more information to you than you want to know. But they have an awesome team that stands behind their product. I know a lot of vendors say that, but it’s the truth. From sales to support to the follow-up afterward, they’re committed to helping their customers.”
Want to learn more about how ManagedMethods can help you safeguard student data privacy? Request a free risk assessment today.