Texas CIO Report Calls for New Law Requiring K–12 Schools to Report All Cyber Incidents
Expansion of Digital Signatures, Regional Joint IT Operations for Local, State Agencies Also Proposed
The Texas Department of Information Resources, in its newly released Biennial Performance Report, has asked the state legislature to require Texas school districts to report cybersecurity incidents to its office within a minimum reporting timeframe.
Currently, public schools in Texas are required to notify the Texas Education Agency of cyber incidents that result in unauthorized theft, duplication, transmission, use, or viewing of student information that is “sensitive, protected, or confidential as provided by state or federal law.” And the Texas Business and Commerce Code says that includes encrypted data, too, if the threat actor has the decryption key.
But, as the Texas Association of School Boards discusses at length in several website guides for districts, neither of those laws explains much beyond that, and neither requires the TEA to publish or share any accounting of the cyber incidents that school districts report. Historically, the TEA has treated such data as exempt from public records (freedom of information) laws.
The BPR, released Nov. 16, also requested legislative action to expand DIR’s pilot program with Angelo State University in West Texas that established a Regional Security Operations Center to provide university students with hands-on cybersecurity experience and give boots-on-the-ground support to local taxpayer-funded agencies — including K–12 school districts — that need assistance with major cybersecurity incidents.
The BPR tracks state-funded agencies’ technology progress in fiscal years 2021 and 2022; highlights their technology accomplishments; lists areas of concern; and recommends policy and legislative changes to improve the effectiveness of IT operations at state and taxpayer-funded agencies.
“Over the past two years, state agencies in Texas showed significant progress in delivering secure, innovative technology that makes government more efficient, effective, transparent, and accountable,” said Amanda Crawford, DIR’s executive director and Texas’ Chief Information Officer, in a statement announcing the report’s release. “I applaud the hard work and effort of state agencies, which, along with the support of the Texas Legislature, drive the state of Texas to lead the nation in delivering a secure, digital government through well-designed, innovative, and efficient technology solutions.”
The 2022 BPR is available on the DIR website at https://dir.texas.gov/strategic-planning-and-reporting/biennial-performance-report.
Other legislative recommendations relevant to public schools included in the new BPR:
- Enable private sector peer-to-peer payment solutions commonly used by the public to provide additional payment methods for government services
- Enable broader access to digital government services, streamlined processes, and digitization by expanding the use of digital signatures
In discussing the need for better, thorough incident reporting, the BPR states:
“Sharing information is essential for protecting public sector assets, personal or sensitive information, and critical infrastructure. State agencies and institutions of higher education are required to report certain types of security incidents to DIR within a minimum timeframe … suspected cybersecurity incidents, including breaches and ransomware attacks, to DIR. School districts report cybersecurity incidents to the Texas Education Agency and county election officials are required to notify the Secretary of State,” the report reads.
“Also, Texas law does not set a standard timeframe for local governments to report cyberattacks. This incongruent reporting of cybersecurity incidents may hinder Texas in tracking trends and understanding the scope and complexity of cyberattacks as well as how they may be related to another cyberattack. By requiring municipalities, school districts, and counties to report cybersecurity incidents to DIR, the state will have a more complete picture of potential threats and may be able to prevent future attacks, avoiding costly response and recovery efforts.”
Growing National Push for Mandated, Broader Incident Reporting, Transparency
Nationally, while ransomware attacks even against small school districts usually — eventually — are disclosed either by school leaders, staff members, or the press, there are no federal requirements for public schools to tell anyone about cyberattacks or even breaches of minor students’ private information.
Several national cybersecurity nonprofits, private sector risk-management leaders, and education IT professionals have called for greater transparency and accountability from school districts in their cybersecurity efforts — including mandated public disclosure when student or staff data has been breached.
In March, a national nonprofit dedicated to public schools’ cybersecurity, the K–12 Security Information Exchange (K12SIX), reported statistics showing that ransomware, in which attackers lock up a school’s systems, often also stealing student and/or staff data, and demand payment, has become the most common type of publicly disclosed cyber incident at U.S. schools. Yet many districts hit by cyber incidents share little or no information with the community stakeholders those incidents affect.
K–12 schools are not required to publicly disclose or report cyber incidents, and requirements for vendors to disclose incidents — where mandates exist — are weak and rarely enforced, said K12SIX’s State of K–12 Cybersecurity Year in Review report. Vendor data breaches tend to impact scores, if not hundreds, of schools at a time, the report noted, and companies can face fines and lawsuits if they decline to disclose such incidents.
Public K–12 schools, however, are not overseen by any regulations requiring disclosure of cyber incidents or data breaches. Higher education institutions are required to report data breaches of any size, under a 2018 U.S. Department of Education rule affecting any college or university that accepts federal student aid funds.
