Cybersecurity & Data Privacy
Texas CIO Report Calls for New Law Requiring K–12 Schools to Report All Cyber Incidents
Expansion of Digital Signatures, Regional Joint IT Operations for Local, State Agencies Also Proposed
- By Kristal Kuykendall
The Texas Department of Information Resources, in its newly released Biennial Performance Report, has asked the state legislature to require Texas school districts to report cybersecurity incidents to its office within a minimum reporting timeframe.
Currently, public schools in Texas are required to notify the Texas Education Agency of cyber incidents that result in unauthorized theft, duplication, transmission, use, or viewing of student information that is “sensitive, protected, or confidential as provided by state or federal law.” And the Texas Business and Commerce Code says that includes encrypted data, too, if the threat actor has the decryption key.
But, as the Texas Association of School Board discusses at length in several website guides for districts, neither of those laws explain much beyond that — and neither law requires the TEA to publish or share any accounting of the cyber incidents that are reported by school districts. Historically, the TEA has considered such data to be exempt from Freedom of Information laws.
The BPR, released Nov. 16, also requested legislative action to expand DIR’s pilot program with Angelo State University in West Texas that established a Regional Security Operations Center to provide university students with hands-on cybersecurity experience and give boots-on-the-ground support to local taxpayer-funded agencies — including K–12 school districts — that need assistance with major cybersecurity incidents.
The BPR tracks state-funded agencies’ technology progress in fiscal years 2021 and 2022; highlights their technology accomplishments; lists areas of concern; and recommends policy and legislative changes to improve the effectiveness of IT operations at state and taxpayer-funded agencies.
“Over the past two years, state agencies in Texas showed significant progress in delivering secure, innovative technology that makes government more efficient, effective, transparent, and accountable,” said Amanda Crawford, DIR's executive director and Texas’ Chief Information Officer, in a statement announcing the report's release. “I applaud the hard work and effort of state agencies which, along with the support of the Texas Legislature, drive the state of Texas to lead the nation in delivering a secure, digital government through well-designed, innovative, and efficient technology solutions.”
The 2022 BPR is available on the DIR website at https://dir.texas.gov/strategic-planning-and-reporting/biennial-performance-report.
Other legislative recommendations relevant to public schools included in the new BPR:
- Enable private sector peer-to-peer payment solutions commonly used by the public to provide additional payment methods for government services
- Enable broader access to digital government services, streamlined processes, and digitization by expanding the use of digital signatures
In discussing the need for better, thorough incident reporting, the BPR states:
“Sharing information is essential for protecting public sector assets, personal or sensitive information, and critical infrastructure. State agencies and institutions of higher education are required to report certain types of security incidents to DIR within a minimum timeframe … suspected cybersecurity incidents, including breaches and ransomware attacks, to DIR. School districts report cybersecurity incidents to the Texas Education Agency and county election officials are required to notify the Secretary of State,” the report reads.
“Also, Texas law does not set a standard timeframe for local governments to report cyberattacks. This incongruent reporting of cybersecurity incidents may hinder Texas in tracking trends and understanding the scope and complexity of cyberattacks as well as how they may be related to another cyberattack. By requiring municipalities, school districts, and counties to report cybersecurity incidents to DIR, the state will have a more complete picture of potential threats and may be able to prevent future attacks, avoiding costly response and recovery efforts.”
Growing National Push for Mandated, Broader Incident Reporting, Transparency
Nationally, while ransomware attacks even against small school districts usually — eventually — are disclosed either by school leaders, staff members, or the press, there are no federal requirements for public schools to tell anyone about cyberattacks or even breaches of minor students’ private information.
Several national cybersecurity nonprofits, private sector risk-management leaders, and education IT professionals have called for greater transparency and accountability from school districts in their cybersecurity efforts — including mandated public disclosure when student or staff data has been breached.
In March, a national nonprofit dedicated to public schools’ cybersecurity, K–12 Security Information Exchange, reported statistics showing that ransomware — where a school’s student and/or staff data is stolen and a ransom is demanded — has become the most common type of publicly disclosed cyber incident at U.S. schools, but many districts impacted by cyber incidents share little or no information to the community stakeholders affected by those incidents.
K–12 schools are not required to publicly disclose or report cyber incidents, and requirements for vendors to disclose incidents — where mandates exist — are weak and rarely enforced, said K12SIX’s State of K–12 Cybersecurity Year in Review report. Vendor data breaches tend to impact scores, if not hundreds, of schools at a time, the report noted, and companies can face fines and lawsuits if they decline to disclose such incidents.
Public K–12 schools, however, are not overseen by any regulations requiring disclosure of cyber incidents or data breaches. Higher education institutions are required to report data breaches of any size, under a 2018 U.S. Department of Education rule affecting any college or university that accepts federal student aid funds.
“There’s no question schools should be disclosing these incidents to their communities,” K12SIX National Director Doug Levin told THE Journal, when the Year in Review report was released. “Maybe they think they can avoid backlash from the community if they don’t disclose a cyber incident. But these schools are spending the community’s tax dollars. School board members and those with oversight of the school budget need all the information to do their jobs appropriately, and the community needs to know whether the district’s resources are being spent on the right things.”
Every public school impacted by a cyber incident should be disclosing basic information such as the fact an incident occurred; who was affected in a potential data breach; the amount of money recovery will cost the district; and recommended steps those affected should take to protect themselves, he argued.
Levin, as national director at K12SIX, is tasked with tracking all publicly disclosed cyberattacks at K–12 schools in the United States. He helps school district IT leaders across the country to improve their protections, and he advocates for more resources and stronger security standards alongside cybersecurity officials at the state and national level as well as with tech companies whose IT and security products are used in public school districts.
He told THE Journal that he has concluded from his many discussions with tech and IT professionals across the K–12 sector that “cyber incidents at K–12 schools are being kept secret all the time” — including incidents where student and staff data has been compromised.
Also earlier this year, SETDA, a national association of U.S. ed tech and IT leaders, released its first Cybersecurity and Privacy Collaborative “landscape scan” calling on federal policymakers and state and local education leaders to work together to increase information sharing and to commit significant, sustained resources and training to improving cybersecurity across the nation’s K–12 schools.
California Gov. Gavin Newsom in September signed into a law a new requirement for K–12 schools in that state to report any cyberattack impacting more than 500 pupils or personnel, becoming the first in the nation to require disclosure even if a data breach has not occurred.
Assembly Bill 2355, introduced early this year by Democratic legislator Rudy Salas, requires every California school district, county office of education, or charter school to report to the California Cybersecurity Integration Center any “alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access” or any “unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data” if such incident impacts 500 or more students or staff, according to the text of the legislation.
The new California law — which gained final approval from the legislature a week before Los Angeles Unified School District fell victim to a ransomware attack — does not address whether the school cyber incident data will be made public at any point, but it does require Cal-CSIC, the state’s cybersecurity oversight agency, to track reports of cyberattacks at K–12 schools and to annually report to the governor and legislature a summary of the cybersecurity incidents reported by the state’s public schools.
Levin’s advocacy and the K12SIX Year in Review report was cited several times during committee hearings on the California legislation.
“In both of these groups’ research, they noted that their findings would be the minimum number of attacks,” the California Senate committee report said. “The lack of federal and state reporting requirements means much of the data on cyberattacks are incomplete. There is no archive for cyber-attacks in California. This bill will help ensure schools collect consistent data regarding cyberattacks to ensure further transparency and protection against breaches. There needs to be data and information to begin with so that the scope of attacks can be better understood.”
Levin said he hopes the annual reports on the number of cyberattacks targeting public schools will be shared with taxpayers and will lead to the appropriation of more resources to improve schools’ cybersecurity posture.
“The devil is in the details of how this will be implemented, but the public has a right to know when these incidents occur so resources are spent appropriately and so districts are held accountable to take the necessary steps to protect themselves from cyber threats,” he said.
Additional Legislative Recommendations and Reasoning
The Texas CIO’s report hinted at potential help-on-the-way for understaffed K–12 IT and cybersecurity budgets, in its request for state funds to expand the RSOC pilot program:
The law authorizing the RSOC pilot program states the RSOC “may offer network security infrastructure that local governments can utilize and provide real-time network security monitoring; network security alerts; incident response; and cybersecurity educational services. Eligible customers of the RSOC include counties, local governments, school districts, water districts, and hospital districts,” according to the BPR summary.
“DIR’s vision for the RSOC initiative is to partner with additional public universities and establish RSOCs throughout the state to serve local entities and assist in protecting the state from cyber threats,” Crawford wrote in the report. “This vision aligns with a whole-of-state approach to cybersecurity that increases the threat protection and cyber maturity of all of Texas through collaboration and partnerships. DIR is requesting funding from the 88th Legislature to establish two additional RSOCs including one in the Rio Grande Valley and one in central Texas.”
Another DIR recommendation that would impact public schools, if lawmakers act, is for new legislation to enable broader access to digital government services, streamlined processes, and digitization by expanding the use of digital signatures.
“Currently, a digital signature can be used to authenticate a written electronic communication sent by an individual to a state agency or local government if the signature complies with DIR’s rules as well as rules adopted by the state agency or local government,” the BPR explained. “Allowing more digital signatures in lieu of handwritten signatures, without additional rule-making, could lead to improved administrative efficiency and reduced costs.”
A final recommendation for lawmakers spelled out in the BPR is “provide guidance for distributed ledger and blockchain technology best practices.”
Nationally, a handful of U.S. universities have piloted using blockchain technology to store and share digital credentials such as academic records; although widespread adoption of blockchain for academic records isn’t seen as likely in the next year or two, the DIR noted that 10% of state agencies have said they’re considering adopting distributed ledger-based systems.
View or download the full 2022 BPR at https://dir.texas.gov/strategic-planning-and-reporting/biennial-performance-report.