Jul 28th, 2023

Comptroller Audit Reveals Lack of Compliance with Data Security and Privacy Laws and Regulations by SED and School Districts

The COVID-19 pandemic accelerated the use of educational software to deliver hybrid or remote educational services. This widespread use of technology and the sharing of electronic student data resulted in a steep increase in cybersecurity threats for schools. A recent audit of the New York State Education Department revealed that there has not been adequate oversight of school districts’ compliance with student data privacy and security laws, including the reporting of data breach incidents. The audit report, released by the New York State Comptroller’s Office, also described technical weaknesses in school district and BOCES computer systems that leave them vulnerable to cyberattacks or inadvertent disclosures of student data. Based upon the Comptroller’s recommendations, districts should expect heightened scrutiny of their cybersecurity practices and policies during this upcoming school year and beyond.

The report provides several important lessons for school districts with regard to management of student data protected by state and federal laws. First, the audit found that school districts were not fully complying with the requirements of Education Law Section 2-d and Part 121 of the Commissioner’s Regulations. Approximately one-third of the schools reviewed in the audit did not have the required data security and privacy Board of Education policy posted on their webpages, and fifteen percent were missing the Parents’ Bill of Rights for Data Privacy and Security. Nearly half of the school districts reviewed in the audit failed to post the supplemental information required for third-party contracts. Several school districts had not appointed a Data Privacy Officer or provided annual data privacy training to staff. These omissions are a violation of the law on their own. Further, such non-compliance may also signal to parents a lack of concern and transparency with regard to how their children’s data is managed and protected.

In addition, the report indicates that many school districts failed to properly report data security incidents to SED and failed to appropriately disclose such incidents to affected students and parents. It is important for staff members to be familiar with the types of breaches or data disclosures that trigger these reporting requirements. It is also imperative that administrators be aware of the specific timeframe for reporting and the detailed information that must be provided to SED and to the affected parties in the event of such an incident.

Finally, as part of the audit, the Comptroller’s Office conducted site visits to several school districts, where they administered vulnerability scans and identified weaknesses in school computer systems. The school districts visited had not performed any such testing of their own systems, even though such testing is required by the Part 121 regulations as part of alignment with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).

In response to the audit’s findings, SED committed to developing a protocol to monitor school district compliance, and to begin implementing this compliance monitoring protocol in the second half of 2023. SED’s Chief Privacy Officer sent a memo to the field on July 19 advising that, beginning in the fall of 2023, the Privacy Office will begin monitoring educational agencies’ websites for compliance with Education Law § 2-d and the Family Educational Rights and Privacy Act (FERPA). This memo recommends as a best practice that educational agencies maintain a page on their websites dedicated to data privacy and security information. The memo also highlights the requirement that educational agencies provide annual data privacy and security awareness training to staff, and indicates that SED may request information related to such trainings, including sign-in sheets or certifications of completion, dates of training, and training materials.

Although the Comptroller’s audit focused on SED’s enforcement of the law, SED’s response suggests that school districts should expect additional scrutiny from SED in the upcoming school year and, therefore, may wish to review their existing policies and procedures related to student data privacy and security and maintain documentation of compliance with related legal requirements.

If you have any questions or concerns about your school district’s compliance with applicable legal requirements related to data privacy and security, please contact Lindsay Plantholt.

Lindsay A. G. Plantholt