New California cybersecurity laws impacting education

California was among 18 states to adopt laws related to cybersecurity that directly or indirectly apply to the education sector in 2022, according to the report “State and Federal Education Cybersecurity Policy Developments 2022,” published by the Consortium for School Networking (CoSN) in January.

“Cyberattacks are among the leading operational and privacy threats facing the nation’s schools. Routinely, cyberattacks compromise confidential student and employee information, disrupt classroom instruction and administrative functions, and rob taxpayers,” the report states. “The problem plagues the entire education sector, including schools located in the smallest rural communities and the most sprawling suburban and urban areas.”

Organizations including the federal government’s Cybersecurity and Infrastructure Security Agency (CISA) and Microsoft Security Intelligence have warned that schools are under attack, with CISA cautioning about the increasing risks of ransomware attacks for K-12 institutions and Microsoft Security Intelligence identifying education as a sector that is among the most affected by encounters with malware.

To address cyberthreats, the report asserts that significant coordination, strong public–private partnerships and increases to financial and technical assistance from the government, “especially for the nation’s lowest wealth school districts,” will be needed.

“Fortunately, a growing cadre of state and federal policymakers better recognize the serious, and sometimes long term, consequences that cyberattacks can have on students, employees, and schools. The policy response, as measured by bills introduced and laws enacted the past three years, is growing but still insufficient. Government is acting, but many new laws do not address the challenge comprehensively (across all policy needs) or at scale,” according to the report.

New laws

Overall, 2022 laws “largely focus on policy changes targeted across state and local government, not just on education entities, and they address a range of cybersecurity policy areas and strategies including governance improvements, mandatory incident reporting, required prevention and contingency planning, expanding the available cyber workforce, and security investments targeting state agencies, local agencies, and higher education institutions,” the report states.

Other notable themes for proposed legislation were around cybersecurity insurance requirements, affirmative defenses regarding cybersecurity plans and student information.

Laws enacted in California include Assembly Bills 183, 2355 and 2750 and Senate Bills 154 and 844.

AB 183 calls for the creation of the Cybersecurity Regional Alliances and Multistakeholder Partnerships Pilot Program aimed at addressing the workforce gap in cybersecurity, while AB 2355 requires that cyberattacks that affect more than 500 people be reported by school districts to the California Cybersecurity Integration Center (Cal-CSIC). Cal-CSIC tracks the reports in a new database. AB 2750 “requires the Department of Technology, within the Government Operations Agency, to develop a state digital equity plan. This plan must include awareness and use of measures to secure the online privacy and cybersecurity of an individual,” according to the report.

SB 154 gives funding to community college districts for implementing technology and data security measures in support of improved oversight of mitigation, online learning quality and cybersecurity efforts.

SB 844 requires Cal-CSIC to draft four reports over the course of several years that detail “all expenditures made by the state within a single fiscal year pursuant to the federal State and Local Cybersecurity Improvement Act.” The State and Local Cybersecurity Improvement Act authorizes grants for eligible entities to be used to address cybersecurity risks and threats to information systems owned or operated by or on behalf of local, state or tribal governments.

Additional bills around K-12 and postsecondary education, cybersecurity training requirements, ransomware and general government cybersecurity that were introduced in 2022 but not adopted are explored in the report as well.

At the federal level, 22 cybersecurity bills that impact education were introduced by members of Congress. However, “none of the education-focused federal cybersecurity measures became law, but that outcome is not a complete surprise given the general cybersecurity investments that Congress approved as part of the Infrastructure Investment and Jobs Act in late 2021, which included the Digital Equity Act (H.R.1841 & S.2018),” according to the report. “Given that a new Congress will begin in January 2023, legislators must reintroduce any bills that contain strategies that they want to continue championing during the 118th Congress.”

In 2023, CoSN is calling for those “tasked with making cybersecurity policy improvements” to consider ideas based on its analysis of changes in the state policy landscape including cybersecurity workforce; prevention and planning; and incident reporting, contingency planning and coordination.

A collection of resources has been made available for local educational agencies on CoSN’s website.