Evolving a Cybersecurity Plan Under Texas Senate Bill 820
Texas Senate Bill 820 (SB-820) went into effect in September 2019. Although the cybersecurity regulation has been enforceable by law for about a year, compliance may have slipped somewhere between COVID-19 and remote learning. With schools planning to return to in-person learning by September 2021, however, enforcing this cybersecurity legislation will most likely become a priority once again.
What Does Texas Senate Bill 820 Entail?
The provisions of Texas Senate Bill 820 are relatively simple, at least if you have an enterprise background. There are three in total.
- Adopt a cybersecurity policy. Vague, right? The legislation requires the policy to secure the district's cyberinfrastructure against cyber-attacks and other security incidents, including the databases that hold student information, and to determine cybersecurity risk and plan its mitigation. In practice, that means identifying which weaknesses could let an attacker reach student data and then acting to reduce those risks.
- Appoint a cybersecurity coordinator. The cybersecurity coordinator is the designated liaison between the school district and the Texas Education Agency (TEA). Their two jobs are to report any data breaches to the TEA and to report breaches affecting students' personal information to the students' parents or guardians.
- Report information security breaches. Per the above, any time an attacker unlawfully accesses a student's personally identifying data, the cybersecurity coordinator must report the breach to the TEA.
Texas House Bill 3834 Interlocks with SB-820 to Create Cybersecurity Governance
In June 2019, the Texas House of Representatives passed a complementary bill to SB-820. Known as House Bill 3834 or HB-3834, the law created an additional standard of governance for cybersecurity. Whereas SB-820 mandates a cybersecurity plan and a reporting structure for security incidents, HB-3834 addresses training. And whereas SB-820 applies narrowly to schools, HB-3834 covers all government employees and contractors with access to sensitive systems and databases, which includes school officials and school employees.
The substance of the law is that any government employee or contractor who has access to a sensitive database or application must complete an annual cybersecurity training course. That includes school administrators and IT personnel with access to databases and applications containing students' personal information.
Taken together, the two mandates reinforce each other. SB-820 requires schools to have a cybersecurity plan, and HB-3834 ensures that the people who must carry out that plan are trained to do so. For example, IT staff who have no formal security training can learn the fundamentals needed to protect student data.
Should You Care About SB-820 if You Are Not in Texas?
If you do not live in Texas, Senate Bill 820 does not affect your school, but you should still look at what it says. Similar laws might come to your state if they have not already.
First, there is an obvious need for schools to establish mandatory reporting practices for cybersecurity incidents. Apart from media reports, there is no way to know how many student records are breached each year or how many breaches occur. Research from the nonprofit Privacy Rights Clearinghouse (PRC) estimates that 788 data breaches have affected grade schools since 2005, leading to the theft of over 14 million records.
Second, the actual number of breaches could be far higher than this figure, because schools often lack the cybersecurity tooling needed to tell whether they have been breached at all. Mandatory reporting laws are needed to get a handle on the scope of the problem.
Third, the number of data breaches affecting schools has increased dramatically over the last few years. Estimates suggest that cyber incidents involving schools increased nearly 20% in 2020 alone. Cyberattacks do not just steal students' personal information; they can also destroy records, forcing schools to restore them from backups or from paper. If ransomware is involved, a school can lose access to its computing infrastructure and databases until it restores from backups or pays the ransom, and paying does not guarantee that the data comes back.
Last, the increase in data breaches in K-12 schools is prompting national legislators to think about overarching solutions. In the coming weeks and months, Rep. Yvette Clarke, who chairs the House Homeland Security Committee's cybersecurity subcommittee, plans to introduce legislation designating $500 million annually to defend local government institutions, with an emphasis on schools, from the rise in ransomware. Meanwhile, members of the House of Representatives plan to reintroduce a bill that would create a $400 million program to strengthen K-12 cyber defense infrastructure.
Any grant program aiming to help schools defend themselves should also contain guardrails directing how schools should spend the money, train their personnel, and report data breaches. In addition, if a national cybersecurity bill applies more regulations to schools, then it may take Texas' SB-820 as a model. In short, if you like SB-820 (or if you think it does not go far enough), then you must pay attention to it because legislators may soon pay attention to it as well.
How to Defend Your School Under SB-820—With Gradient
One potentially concerning aspect of SB-820 is that it mandates a cybersecurity policy but gives schools somewhat open-ended instructions about implementation. That means a school could technically satisfy SB-820 with a cybersecurity program that does not cover all the bases. Because schools do not have large budgets or dedicated information security staff, administrators must focus on the basics. Monitoring, firewalls, patch management, phishing protection, and security awareness: if you have these five program elements in place, you have a solid starting point for mitigating attacks.
- Monitoring helps to alert you to suspicious activity occurring on your perimeter or in your network.
- Patch management helps you avoid application vulnerabilities that attackers can exploit.
- Firewalls block traffic that no rule explicitly allows and can drop connections to or from known-bad addresses and domains.
- Phishing protection—email filtering—quarantines emails that link to suspicious websites, that use language matching known phishing campaigns, or that are known to carry malware.
- Security awareness training keeps employees from clicking on the phishing emails that get through your filters and helps them recognize and avoid other social engineering attempts.