On the heels of Ransomware Awareness Month and the White House’s recent summit on cybersecurity, W/A Research is digging into the escalating threats and state legislative trends.
Recent statistics paint a dire picture of cybersecurity in K-12 schools: attacks continue to surge, with data from 650,000 students exposed in 2021 alone. Major districts across the U.S., including Minneapolis Public Schools, Los Angeles Unified, and Chicago Public Schools, have experienced breaches.
In response, a growing number of states have passed laws or put policies into effect with the goal of bolstering oversight and increasing transparency in the handling and protection of student data:
- Incident Reporting: CA, FL, NH, NY, and VA have added requirements for incident reporting to state agencies when schools experience cyberattacks, ransomware, or data breaches.
- Auditing and Risk Assessment: MD, MA, and UT have expanded auditing and risk assessments mandated at the state level to evaluate school cybersecurity postures.
- State Role: AZ, HI, MD, and UT have instituted new governance structures, such as state-level Chief Information Security Officers and cybersecurity commissions, to provide guidance and support for local school efforts.
- Workforce: CA, MD, and MA have developed initiatives to expand cybersecurity workforce pipelines to supply school IT security staffing needs.
In North Carolina, new Third Party Integration Requirements go into effect January 1, 2024 (postponed from August 1, 2023) and outline extensive new standards, which we expect other states to emulate. Under the new requirements:
- School districts must publish a list of all third party entities receiving student data along with specific fields/elements disclosed.
- Vendors must complete a Third Party Data Collection Reporting Worksheet detailing data practices, security controls, and justification for requested data.
- Vendors undergo state security assessments involving vulnerability scanning and must align with NIST Cybersecurity Frameworks.