
Sedara's Cybersecurity Podcast
Cybersecurity Framework for EdLaw 2D Explained - Sedara Whiteboard Series
What is Education Law 2-d?
Education Law 2-d is a new section to NYS Education Law that was added in early 2020. This section covers various aspects of data privacy for school districts in New York State.
It identifies data that exists, how it’s handled, what you’re allowed to do with it, and defines additional security requirements. Ed Law 2-d provides a clear description of student data and personally identifiable information (PII).
What are the requirements of Ed Law 2-d?
Ed Law 2-d creates specific regulations and controls that school districts are required to abide by. According to the New York State Regional Information Centers and the Ed Law 2-d/Part 121 of the Commissioner’s Regulations outline, schools must follow a multi-faceted approach to information governance, including:
The protection of PII:
PII for teachers, students, and principals must be protected
Parent’s Bill of Rights for Data Privacy and Security:
Districts must develop and share this information on their website with supplemental information regarding every agreement with a third-party contractor involving the disclosure of PII
Data Security and Privacy Policy:
Districts are required to adopt a Data Security and Privacy Policy that adheres to the NIST Cybersecurity Framework (NIST CSF)
Data Protection Officer:
It is mandatory to appoint a Data Protection Officer to oversee the execution of Ed Law 2-d responsibilities.
It is also mandatory to have a complaint process, incident reporting/notification process, annual employee training, and most importantly, map everything back to NIST Cybersecurity Framework.
NIST CSF is a set of controls that governs aspects of the law. It is also a risk management program that identifies 1) where there are risks within an organization and 2) the ability to respond to and prioritize those risks.
NIST is a comprehensive United States program that Sedara has been implementing in school districts for years.
The Sedara Approach:
Sedara has spent the last couple of years developing the Cybersecurity Development Program (CDP). A CDP encompasses controls such as NIST and is approachable, scalable, and specific for school districts to obtain and maintain compliance while keeping their data safe.
The method is designed to understand and factor in the needs, resources, and the existing operations of school districts.
Sedara’s CDP includes technical and non-technical approaches, and is effective in keeping student data safe. This can include incident response, data loss and privacy controls, protection against ransomware, and much more.
CDP is not designed to replace an existing system - it is designed to augment the investments that have already been made and right-size a program that's appropriate for a particular school district. CDP brings in the resources - both technical and non-technical - to help deliver on an ongoing basis, making it a cost-effective approach.
How Sedara Can Help
Sedara has worked with school districts all over New York State to help them protect the PII of students, teachers, and staff. We’re experienced with Ed Law 2-d and can help make sure school districts are compliant.
Don’t take our word for it - check out what other school districts had to say about their experience with the program.