The guidance provided by NY EdLaw 2-D seeks to address the risks that digital workflows have introduced. Following the NIST Cybersecurity Framework, NY EdLaw 2-D explicitly states that a data security program should include “data security protections, including data systems monitoring, data encryption, incident response plans, limitations on access to personally identifiable information, safeguards to ensure personally identifiable information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of personally identifiable information when no longer needed.”
Further, the regulation requires that when a parent or student requests education records, “safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection must be in place when data is stored or transferred.” Also, all third-party contractors who receive PII, and any subcontractor engaged by a third-party contractor, must “use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the United States department of health and human services in guidance issued under Section 13402(H)(2) of Public Law 111-5.”