The Privacy Office has received numerous questions regarding reporting and notification requirements under Education Law § 2-d. For a deep dive, please refer to section 121.10 of the Commissioner’s regulations, which covers reports and notifications of breach and unauthorized release.
Incident Reporting
Under Education Law § 2-d, educational agencies must report to the NYSED Chief Privacy Officer (CPO) any unauthorized acquisition, access, use, or disclosure of student data and/or teacher or principal APPR data by or to a person not authorized to acquire, access, use, or receive it. Reports are due within 10 calendar days of "discovery or report of a breach or unauthorized release" (8 NYCRR 121.10[d]). This includes accidental disclosures such as clerical errors, as well as breaches at third-party contractors (vendors) that hold the agency's covered data. A single incident reporting form is used for all incidents; you will be emailed a copy of the completed form upon submission.
Do I need to report unsuccessful phishing attempts to NYSED? No. The mere receipt of a phishing email does not have to be reported. If the phishing email leads to the installation of malware that compromises the security of the educational agency's network and/or the personally identifiable information it contains, the incident must be reported to the CPO. Because the reporting trigger is unauthorized acquisition, access, use, or disclosure of covered data, the same applies if the phishing results in any other unauthorized access to that data, for example compromised credentials used to reach a system holding student records. Separately, review whether the incident also triggers reporting to the Division of Homeland Security and Emergency Services; that obligation is distinct from the § 2-d report.
Do I need to report an event where no covered data was accessible, accessed, or disclosed? No. If no data covered by Education Law § 2-d was accessible, accessed, used, or disclosed, the incident does not need to be reported to the CPO. Keep a record of how that determination was reached (for example, which systems were affected and why covered data was not reachable from them), since the conclusion may need to be revisited if the investigation turns up new information. You are always welcome to email the Privacy Office at privacy@nysed.gov about any privacy concerns, even if a data incident did not technically occur.
Notification to affected individuals
For notification, Education Law § 2-d states: "In the case of an unauthorized release of student data, the educational agency shall notify the parent or eligible student of the unauthorized release of student data that includes personally identifiable information from the student records of such student in the most expedient way possible and without unreasonable delay." Section 121.10(e) of the Commissioner's regulations states, "Educational agencies shall notify affected parents, eligible students, teachers and/or principals in the most expedient way possible and without unreasonable delay, but no more than 60 calendar days after the discovery of a breach or unauthorized release by an educational agency or the receipt of a notification of a breach or unauthorized release from a third-party contractor unless that notification would interfere with an ongoing investigation by law enforcement or cause further disclosure of personally identifiable information by disclosing an unfixed security vulnerability."
As with the reporting requirement, the notification clock starts at discovery of a breach or unauthorized release, or at receipt of a third-party contractor's notification of one; the 60 days is an outer limit, not a target, since the regulation also requires notification "in the most expedient way possible and without unreasonable delay." If an educational agency is unsure whether an unauthorized disclosure of covered data occurred, it should investigate and contact its vendors as necessary to obtain the information needed to establish the scope of the suspected breach (which systems, which records, which individuals). Educational agencies may choose to notify potentially affected individuals of a suspected breach before scope is fully confirmed if they believe this will best serve the needs of their community. For vendor breaches affecting multiple educational agencies, the NYSED CPO urges such vendors to provide information about the scope of the breach to New York educational agencies expediently.
Links to Additional Guidance about Incident Reporting and Notification: