See the full text of the final version of the regulation.
This regulation has been a long time in the making and is being implemented years after the passage of Education Law 2-d. We suspect that its passage reflects the intention of the New York State Education Department to verify compliance with this law and a potential emphasis that will be placed upon data privacy and cybersecurity, both at the districts and for the software companies that offer services to those districts. School districts have a large number of applications that potentially hold sensitive student and teacher or principal data, and addressing the contractual requirements and implementing the NIST framework are not trivial tasks.
To understand the potential magnitude of this regulation for school districts, consider that a district may have more than 400 known applications that potentially hold protected information, with many more “dark” applications likely used by individual educators without the knowledge of building or district administrators.
This regulation will also impact software vendors. They will now have to address numerous requests to amend contracts, much like the efforts seen in connection with the passage of the European Data Privacy laws. It will be important for these vendors to prepare for requests from each school district as they seek to comply with the terms of this regulation. Failure to comply may result in civil penalties, preclusion of the third party from accessing student data or teacher or principal data, or other ramifications.
Districts and vendors alike must address how to meet the assessment requirements of the NIST CSF by July 1, 2020, and how to verify vendor compliance with the security requirements of Part 121.