Texas Law Requires Districts to Plan for Cyberattacks. Will Other States Follow?
A new Texas law will require school districts to take steps to guard against cyberattacks, in what is one of the few state-level policies put in place to guard against the growing online threat.
The law, which takes effect Sept. 1, requires districts to develop plans to protect online infrastructure from attacks, make determinations of cybersecurity risk and respond accordingly, and designate a cybersecurity coordinator who will be a liaison between the Texas Education Agency and the district.
Joy Baskin, director of legal services of the Texas Association of School Boards, said the new law will push K-12 systems toward having a basic understanding about the need for effective practices in cybersecurity.
"The goal, of course, is to raise awareness among school districts and other local government entities about the need to have cybersecurity policies and to have ... somebody on staff who is dedicated to keeping up with and overseeing cybersecurity within the school district," Baskin said.
A number of K-12 organizations, like the Consortium for School Networking, have sought to spread the word on cybersecurity best practices in school districts.
Yet even as cyberattacks and ransomware affecting K-12 systems have become more common, few states have approved legislation aimed at combatting the threat, leaving it in most cases to districts to develop protections, said Doug Levin, president of EdTech Strategies, LLC, a consulting firm.
Some states, like Arkansas, New York, Indiana, Missouri, and North Dakota, have begun taking steps towards better training and support for districts, he noted. Louisiana even declared a state of emergency following malware attacks on three school districts.
The Texas law is "common-sense legislation in that it tries to build the foundation for being able to make better decisions in the future," Levin said.
Yet while the new policy provides important guidance to districts, it should have gone further in defining what classifies as a cybersecurity incident, argued Levin.
As it now stands, districts could be inclined to report minor cyber incidents and blow them out of proportion, for fear of being penalized for not notifying the state. Or they could choose not to report attacks because they're afraid of having a stigma attached to their school system.
"It's going to be important for the state to settle on a definition of what a significant incident is," Levin said.
Where Are the Resources?
Levin also believes the law falls short when it comes to providing financial resources for districts to pay for cybersecurity needs, expertise, and access to information about real-time threats.
According to Baskin, one benefit of the legislation is that the Texas Education Agency will be able to push out specialized content for districts about cybersecurity because of its connection with district coordinators charged with overseeing the issue.
Some federal laws focus on protecting students' online privacy, most notably the Family Educational Rights and Privacy Act, or FERPA. But the law makes no mention of cybersecurity practices.
Levin says he would like to see federal guidance or legislation for schools that "sets a floor for cybersecurity practices."
Baskin hopes the Texas law encourages districts to use existing resources on cybersecurity practices made available through the state, such as through the Texas Department of Information Resources, so districts can get training and guidance on safeguards that should be in place.
"It's just a matter of facilitating, trickling that information down to the local level," she said.
The goal "is not necessarily more mandates from the legislature," she added, "but more technical support from the state wherever possible."