New York Board of Regents Approves Part 121 Regulations Required by Education Law § 2-d

Harris Beach PLLC

On January 14, 2020, the Board of Regents formally adopted Part 121 of the Commissioner’s Regulations to implement Education Law § 2-d. The regulation will become effective January 29, 2020. This regulation primarily addresses the obligations that need to exist between software vendors or data processors and school districts; the need to implement the National Institute of Standards and Technology (NIST) Cybersecurity Framework; disclosure requirements to eligible students or parents; training requirements for individuals who are authorized to access student data or teacher or principal data; and the appointment of a data protection officer to oversee all of these efforts. Under the regulation, schools have until July 1, 2020 to adopt and publish the data security and privacy policy.

See the full text of the final version of the regulation.

This regulation has been a long time in the making and is being implemented years after the passage of Education Law 2-d. We suspect that its passage reflects the intention of the New York State Education Department to verify compliance with this law and a potential emphasis that will be placed upon data privacy and cybersecurity, both at the districts and for the software companies that offer services to those districts. School districts have a large number of applications that potentially hold sensitive student and teacher or principal data; and addressing the contractual requirements and implementing the NIST framework are not trivial tasks.

To understand the potential magnitude of this regulation for school districts, consider that a school district is likely to have more than 400 known applications that potentially hold protected information, with many more “dark” applications likely used by individual educators without the knowledge of building or district administrators.

This regulation will also impact software vendors. They will now have to address numerous requests to amend contracts, similar to the efforts seen in connection with the passage of the European Data Privacy laws. It will be important for these vendors to prepare for requests from each school district as they seek to comply with the terms of this regulation. Failure to comply may result in civil penalties, preclusion of the third party from accessing student data or teacher or principal data, or other ramifications.

Districts and vendors alike must address how to meet the assessment requirements of the NIST CSF by July 1, 2020 and how to verify vendor compliance with the security requirements of Part 121.

DISCLAIMER: Because of the generality of this update, the information provided herein may not be applicable in all situations and should not be acted upon without specific legal advice based on particular situations.

© Harris Beach PLLC | Attorney Advertising
