The Mississippi Department of Education (MDE) is seeking public comment on a proposed rule pertaining to cybersecurity that will require Mississippi public school districts to take substantial actions to prepare. The rule would require each district to:
- Implement 22 enumerated policies related to the privacy and security of data
- Give written notification to MDE of any cyber incident or violation of state or federal security or privacy laws and regulations within 24 hours of the district becoming aware of the incident, breach, or violation
- Cooperate with MDE in investigating incidents, including sharing with MDE any post-incident reports
The Proposed Rule
MDE recently posted the APA notice below:
Administrative Procedures Act (APA) Notice
Office of Technology and Strategic Services Mississippi Seeks Public Comment on State Board Policy Chapter 55, Rule 55.1, Office of Technology and Strategic Services
On January 16, 2020, the State Board of Education (SBE) granted approval to begin the Administrative Procedures Act (APA) process to revise the following Policy:
The proposed revision will provide guidance to the MDE regarding its operational responsibilities as it relates to Data Governance, Security, and Privacy, and the role of the Office of Technology and Strategic Services (OTSS) in meeting those operational responsibilities. The proposed revision will further provide guidance to OTSS regarding its role is supporting Local Educational Agencies as they address their local Data Governance, Security, and Privacy responsibilities.
The proposed rule includes requirements on the MDE Office of Technology and Strategic Services (OTSS), none of which appear to directly impact school districts (see sections 1–8). However, section 9 is addressed specifically at public school districts, and imposes three new requirements on them. Each is discussed further below.
Creation of Policies, Standards and Procedures
The proposed rule requires districts to create numerous policies, standards and procedures, such as:
- Access, Account Management, and Password Policy
- Annual State of Security, Privacy and Data Governance Report for the State Superintendent of Public Education
- Best Practices Guidelines
- Data Classification Framework
- Data Collection, Quality and Matching Standards and Procedures
- Data Destruction Policy
- Data Dictionary and Standards
- Data Sharing and Public Request Procedure
- Disaster Recovery and Continuity Policy
- Email and Electronic Communications Policy
- Incident Response Policy
- Information Technology Security Policy
- LEA Security and Privacy Notification Procedures
- Mandatory Annual Training Program, including Security Awareness and FERPA Training
- Safe, Appropriate, and Acceptable Use Policy
- Security and Privacy Processes and Procedures
- Security and Privacy Violation Reporting Procedure
- Security Assessment and Compliance Policy
- Separation of Duties Standards
- Student and Parent’s Rights
- Systems Capacity Planning Policy
- Vendor and Third-Party Control Policy
Most districts do not have policies in place covering all such issues. Notably, the proposed rule provides no time period for implementation, so districts should consider having policies prepared now in anticipation of complying with these obligations.
Of note, the proposed rule contains strict standards as to what each policy will consist of, stating:
The requirements and standards shall adhere to ITS’ Enterprise Security Policy and shall not be less than those established by the MDE and OTSS. The more restrictive policy shall take precedence in the event of a conflict between the LEA’s policy and MDE’s policy.
Therefore, each district would need to prepare its 22 policies with these restrictions in mind.
Immediate Breach Notification
A written notification to MDE of any cyber incident or violation of state or federal security or privacy laws and regulations is required within 24 hours of the district becoming aware of the cyber incident, breach or violation.
The time for notification of an incident is very short, and far shorter than the time contained in most laws and regulations (including Mississippi’s own data breach notification law). It is often unclear whether or to what extent an incident has actually occurred, and therefore, districts will need to be prepared to give notification even before all facts are gathered.
Also, the proposed rule would require notification of many types of incidents, not just ransomware attacks or data breaches. The rule uses the term “incident of cyber-attack,” and defines the word “incident” as:
[A]n occurrence that potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security policies, security procedures, or acceptable use policies.
This broad definition could be construed to include any incident involving a virus or malware infection, and could place a substantial reporting obligation on school districts.
Districts should consider this notification requirement in preparing their policies, including their incident response policy.
Cooperation with MDE in Investigating Incidents, Including Sharing with MDE any Post-Incident Reports
The rule also requires each district to allow MDE to investigate any incident. It is not clear to what extent MDE’s investigation would be in the nature of an enforcement action versus assisting the district.
The district would also have to share any post-incident reports. Such reports are often prepared by vendors retained by and acting at the direction of counsel, which could create some issues if the reports were subsequently disclosed. Again, this should be considered in the preparation of policies by the district.
As discussed in the APA, written comments on the proposed rule can be made to John Kraman, Chief Information Officer, Office of Technology and Strategic Services, via email at firstname.lastname@example.org or postal mail to 359 North West Street, Post Office Box 771, Jackson, MS 39205-0771, on or before 5:00 p.m., on February 19, 2020.