States going beyond federal regulations covering student data privacy
Federal data security and privacy laws like FERPA, COPPA, CIPA, PPRA, and others provide a layer of protection for students and minors. But most people agree that these regulations are outdated and don’t go far enough to protect student data privacy and security in schools.
Given the reports of ransomware, cyber attacks, and EdTech security risks exposing student data, most states are no longer wondering why student data privacy laws are important. Instead of waiting for Congress to take action, state student data privacy laws are protecting student identities and taxpayer funds. As of 2019, 40 states had passed 116 laws since 2013 regarding data privacy and data loss prevention regulations in K-12 schools.
Resources for State Student Data Privacy Laws
The Student Privacy Compass website, formerly known as FERPA Sherpa, is an excellent resource for finding student data privacy information. The site publishes a report called the State Student Privacy Report Card authored by the Parent Coalition for Student Privacy and The Network for Public Education.
The Student Privacy Compass website also provides detailed information concerning state student data privacy laws on a per-state basis.
State Laws that are Leading the Way
This is not a comprehensive list of all states that have passed their own student data privacy and security regulations. But, we believe, these are four states that are leading the way in terms of state student data privacy laws.
Texas Student Data Privacy
Texas passed Senate Bill 820 in 2019. It is a sweeping piece of legislation that describes a structure school districts must develop to ensure cyber safety and student data privacy. To maintain compliance, school districts must develop and maintain a cybersecurity framework that will:
- Secure the district’s infrastructure against cyberattacks and/or incidents, with details following the NIST Cybersecurity Framework
- Establish a framework that meets standards set out by the Department of Information Resources (DIR)
- Establish risk assessment and mitigation planning
- Assign a Cybersecurity Coordinator to coordinate between the district and the DIR
- Report any cyberattack or incident as soon as possible after discovery to the DIR
New York Student Data Privacy
In January 2020, the New York State Education Department adopted regulations to implement the New York State Education Law Section 2-d. The regulations guide schools and their third-party contractors to strengthen data privacy and security to protect student data.
These regulations cover a variety of topics including:
- Restricting the disclosure and use of personally identifiable data
- Minimizing collection of personally identifiable data
- Requiring schools to publish a parents’ bill of rights for data privacy on its website
- Requiring schools to have contracts with third-party contractors that specifically require the contractors to protect shared student/teacher/principal data, to define how and where data will be stored, to encrypt the data as provided by New York law, to include the bill of rights, and to define what will happen to the data when the contract expires
- Requiring the establishment of a procedure for parents and students to file complaints about breaches or unauthorized releases of student data.
- Establish a framework for data security and privacy following the NIST Cybersecurity Framework
- Include a data security and privacy plan in each contract with a third-party contractor
- Providing annual information privacy and security awareness training to their employees who have access to personally identifiable data
- Designating a data protection officer(s) to implement these requirements
Virginia Student Data Privacy
In 2015, the state of Virginia passed HB 2350. This bill requires that the Department of Education work with the Virginia Information Technologies Agency to develop a model data security plan. The plan would be used by school districts to implement policies and procedures to protect student data and data systems.
The Department of Education was also tasked with designating a chief data security officer to work with local school divisions as they developed and implemented policies to protect student and district data.
California Student Data Privacy
No article on state student data privacy laws would be complete without a discussion of laws in the state of California. In 2014, California passed the Student Online Personal Information Protection Act (SOPIPA), also known as SB 1177. It was widely considered to be the first in the nation for states enacting contemporary student privacy regulations. California lawmakers’ concern over student data privacy has prompted them to pass six related bills between 2014 and 2018.
The SOPIPA law focuses on student data privacy and 3rd party apps. It governs the way in which online service providers and apps can collect and use student data. Service providers:
- Must not collect, use, or disclose student data for advertising purposes
- Must implement and maintain reasonable security procedures to keep student data safe from unauthorized access, use, modification, or disclosure
- Must delete student data upon request from the school or district
- Must provide protected data as required by state or federal laws
- May use de-identified student data to improve their service
The issue of cyber safety and student data privacy is always an important one for K-12 school districts. Today, the issue is made more complex when you consider ensuring student data privacy in remote learning.
There is no student data privacy without data security. One area of privacy and security that is a great concern for school technology staff is the district’s use of 3rd party applications. While schools are using more and more EdTech and cloud apps to innovate learning, OAuth EdTech security risks expose data in a number of ways.
Some states, as mentioned above, have passed laws requiring schools to vet 3rd party apps and vendors for security and data privacy compliance. Other school IT teams are taking that responsibility on whether or not they’re required to.
Here, you can download our EdTech Vendor Security & Compliance Evaluation Checklist to help you evaluate third-party apps and other types of EdTech your teachers or students request. The checklist also provides standards that you can use in your evaluation along with your own requirements.