Cybersecurity Legislation

New California Law Requires Schools to Report All Cyberattacks Impacting 500 or More

Mandate is the Nation's First to Require Tracking of Cyber Incidents at K-12 Schools

California Gov. Gavin Newsom has signed into a law a new requirement for K–12 schools in that state to report any cyberattack impacting more than 500 pupils or personnel, becoming the first in the nation to require disclosure even if a data breach has not occurred.

Assembly Bill 2355, introduced in February by Democratic legislator Rudy Salas, requires every California school district, county office of education, or charter school to report to the California Cybersecurity Integration Center any “alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access” or any “unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data” if such incident impacts 500 or more students or staff, according to the text of the legislation.

Codified by the governor’s signature on Sept. 23, the new law does not address whether the reports will be made public at any point, but it does require Cal-CSIC, the state’s cybersecurity oversight agency, to track reports of cyberattacks at K–12 schools and to annually report to the governor and legislature a summary of the cybersecurity incidents reported by the state’s public schools.

The bill enjoyed unanimous approval in several committees in both houses before being passed with no opposition by the California Assembly in May and by the California Senate in late August — a week before California’s largest school district, Los Angeles Unified, suffered a ransomware attack that made headlines around the world.

While ransomware attacks even against small school districts usually — eventually — are disclosed either by school leaders, staff members, or the press, there are no federal requirements for public schools to tell anyone about cyberattacks or even breaches of minor students’ private information.

In several recent reports from national cybersecurity nonprofits and the private sector, IT professionals have called for greater transparency and accountability from school districts in their cybersecurity efforts — including mandated public disclosure when student or staff data has been breached. Existing California law requires notification to the state’s Attorney General of any unauthorized access to private data stored by a business or agency, but sometimes the breach of data is not discovered for months after a cyber incident — if it is discovered at all.

In March, a national nonprofit dedicated to public schools’ cybersecurity, K–12 Security Information Exchange, reported statistics showing that ransomware — where a school’s student and/or staff data is stolen and a ransom is demanded — has become the most common type of publicly disclosed cyber incident at U.S. schools, but many districts impacted by cyber incidents share little or no information to the community stakeholders affected by those incidents.

K–12 schools are not required to publicly disclose or report cyber incidents, and requirements for vendors to disclose incidents — where mandates exist — are weak and rarely enforced, said K12SIX’s State of K–12 Cybersecurity Year in Review report. Vendor data breaches tend to impact scores, if not hundreds, of schools at a time, the report noted, and companies can face fines and lawsuits if they decline to disclose such incidents.

Public K–12 schools, however, are not overseen by any regulations requiring disclosure of cyber incidents or data breaches. Higher education institutions are required to report data breaches of any size, under a 2018 U.S. Department of Education rule affecting any college or university that accepts federal student aid funds.

“There’s no question schools should be disclosing these incidents to their communities,” K12SIX National Director Doug Levin told THE Journal. “Maybe they think they can avoid backlash from the community if they don’t disclose a cyber incident. But these schools are spending the community’s tax dollars. School board members and those with oversight of the school budget need all the information to do their jobs appropriately, and the community needs to know whether the district’s resources are being spent on the right things.”

Every public school impacted by a cyber incident should be disclosing basic information such as the fact an incident occurred; who was affected in a potential data breach; the amount of money recovery will cost the district; and recommended steps those affected should take to protect themselves, he argued.

Levin, as national director at K12SIX, is tasked with tracking all publicly disclosed cyberattacks at K–12 schools in the United States. He helps school district IT leaders across the country to improve their protections, and he advocates for more resources and stronger security standards alongside cybersecurity officials at the state and national level as well as with tech companies whose IT and security products are used in public school districts.

He told THE Journal that he has concluded from his many discussions with tech and IT professionals across the K–12 sector that “cyber incidents at K–12 schools are being kept secret all the time” — including incidents where student and staff data has been compromised.

“In our State of K–12 Cybersecurity report, we featured some investigative journalism where cyber attacks were not disclosed until the journalists began looking into them or published documentation of them; they wouldn’t disclose it at all unless they were called on it,” he said. “Then there’s another set of schools that didn’t even know they had a cyber incident or data breach: There are plenty of examples of security researchers finding student data on the dark web and when they reached out to the district, the district apparently had no idea that it had happened.”

Another recent report from education advocates at Project Tomorrow calling for “greater awareness and action on K–12 cybersecurity” is the National K–12 Education Cybersecurity Research Study, for which Project Tomorrow and cloud software provider iboss surveyed 600 K–12 administrators and IT leaders nationwide.

The survey showed that most school IT leaders do not feel they have adequate resources to protect their districts’ data or networks. The responses also showed that IT leaders at K–12 schools don’t think their district leaders are paying enough attention to cybersecurity.

Earlier this year, SETDA, a national association of U.S. ed tech and IT leaders, released its first Cybersecurity and Privacy Collaborative “landscape scan” calling on federal policymakers and state and local education leaders to work together to increase information sharing and to commit significant, sustained resources and training to improving cybersecurity across the nation’s K–12 schools.

The new California law is a “step in the right direction,” Levin told THE Journal this week, though it remains to be seen whether the Cal-CSIC annual summary of K–12 cyberattacks will be shared with the public. The law does not address whether the information will be exempt from the Freedom of Information Act.

Levin’s advocacy and the K12SIX report was cited several times during committee hearings on the California legislation.

The Senate Committee on Governmental Organization report, in the “Need for the Bill” analysis, cited both K12SIX’s statistics about the rise of ransomware targeting public schools and Seculore Solutions’ reporting that since 2016, California school districts have experienced at least 26 cyberattacks “at a minimum.”

“In both of these groups’ research, they noted that their findings would be the minimum number of attacks,” the California Senate committee report said. “The lack of federal and state reporting requirements means much of the data on cyberattacks are incomplete. There is no archive for cyber-attacks in California. This bill will help ensure schools collect consistent data regarding cyberattacks to ensure further transparency and protection against breaches. There needs to be data and information to begin with so that the scope of attacks can be better understood.”

The bill’s sponsor, Salas, wrote in his statement for the committee hearing: “We need to take action to protect our children’s personal information and prevent future cyberattacks on our schools. Schools have to spend hundreds of thousands of dollars on ransomware attacks, funding that could be better spent on our students’ education. AB 2326 is focused on understanding the cyber threats that our schools face and ensuring that children’s private information is protected.”

The Senate Education Committee’s analysis of the bill noted that the interpretation of what is meant by "any cyberattack impacting 500 or more pupils or personnel” may be unclear, but its members passed the measure anyway.

“If, for instance, a school of 800 students falls victim to a ransomware attack that temporarily shuts down the school’s computer system but does not require the school to close, it is not clear how to determine the number of pupils and personnel affected,” said the Senate Education Committee’s report. “Would impacted parties be only those who needed to access the computer system during that time? Or would it include anyone whose PI was contained on that system? Similarly, if the school’s website is hacked and defaced with lewd images, would the number of pupils and personnel affected be limited to those who viewed the hacked website before it was remediated?

“Despite this shortcoming, the disclosure and reporting requirements in this bill arguably provide necessary insight into the cybersecurity status of California’s educational institutions at a time when cyberattacks on schools are increasingly common. The information gleaned from this reporting, and the establishment of the requisite database at Cal-CSIC, has the potential to inform best practices undertaken by schools to mitigate cyber incidents and to identify policies for consideration by this Legislature to protect the integrity of the state’s educational infrastructure.”

The new law remains in effect until Jan. 1, 2027.

Levin said he hopes the annual reports on the number of cyberattacks targeting public schools will be shared with taxpayers and will lead to the appropriation of more resources to improve schools’ cybersecurity posture.

“The devil is in the details of how this will be implemented, but the public has a right to know when these incidents occur so resources are spent appropriately and so districts are held accountable to take the necessary steps to protect themselves from cyber threats,” he said.