In early 2020, the New York State Department of Education adopted a new law focused on the privacy and security of student and staff personally identifiable information (PII). Educational Law Section 2-d, known among NY schools as EdLaw 2-d, provides “guidance to educational agencies and their third-party contractors on ways to strengthen data privacy and security to protect student data and annual professional performance review data.”
Based on security and privacy best practices, we’ve developed this checklist to be used to build or update a data security program that meets the demands of today’s privacy regulations and educational agencies.
NY EdLaw 2-d Definitions
Educational Agencies: A school district, board of cooperative educational services, school, or the education department.
PII: Information that can be used to identify an individual, whether directly (e.g., a student’s name, parents’ names, address, or social security number) or indirectly when linked with other information (e.g., date of birth and mother’s maiden name).
Student Data: PII from student records of an educational agency.
Third-Party Contractor: Any person or entity, other than an educational agency, that receives student data from an educational agency for the purpose of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs.
NY EdLaw 2-d Security Requirements
In order to strengthen data security and privacy, the New York State Education Department (NYSED) now requires the following of all educational agencies:
- Appoint a Data Protection Officer with appropriate knowledge, training, and experience to oversee data security and privacy.
- Conduct security training for educational agency employees.
- Publish a Parent’s Bill of Rights and include it in every contract with a third-party contractor that receives PII.
- Mandate that all third-party contractors submit a Data Security and Privacy Plan for each contract to demonstrate how they will protect PII.
- Adopt the NIST Cybersecurity Framework as the standard for data privacy and security and meet the requirements to ensure they are adequately protecting PII.
Encryption’s Role in NY EdLaw 2-d Compliance
Although NY EdLaw 2-d was implemented before the current pandemic, the regulation contains recommendations and requirements for data security that are particularly relevant in today’s new normal of distance learning and digital workflows. Digital tools allow teachers to improve reporting on student progress and provide better transparency to all stakeholders, specifically parents, who can more easily communicate with teachers to monitor the status of their child’s learning and development.
The guidance provided by NY EdLaw 2-d seeks to address the risks that digital workflows have introduced. Following the NIST Cybersecurity Framework, NY EdLaw 2-d explicitly states that a data security program should include “data security protections, including data systems monitoring, data encryption, incident response plans, limitations on access to personally identifiable information, safeguards to ensure personally identifiable information is not accessed by unauthorized persons when transmitted over communication networks, and destruction of personally identifiable information when no longer needed.”
Further, the regulation requires that all third-party contractors who receive PII, and any subcontractor engaged by a third-party contractor, must “use encryption technology to protect data while in motion or in its custody from unauthorized disclosure using a technology or methodology specified by the secretary of the United States department of health and human services in guidance issued under Section 13402(H)(2) of Public Law 111-5.”
And finally, when a parent or student requests education records, “safeguards associated with industry standards and best practices, including but not limited to, encryption, firewalls, and password protection must be in place when data is stored or transferred.”
A Compliant Encryption Solution from Virtru
Like most security-conscious providers, Google uses Transport Layer Security (TLS) to encrypt emails in transit. It provides an encrypted pipe through which your emails can travel. But TLS is negotiated separately for each hop and depends on both the sender’s and the recipient’s email provider supporting it, so encryption in transit is not guaranteed.
When you send an email from Gmail, your browser contacts Google’s server and creates a secure connection. The message is encrypted for that connection, sent to the server, and decrypted there. The server repeats the process with the next server, until the message reaches your recipient’s server; at each hop the mail server handles the message in plaintext before re-encrypting it for the next connection. If your recipient’s email service doesn’t use TLS, messages on that hop won’t be encrypted, and in some cases the message simply won’t be sent.
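The hop-by-hop dependence described above can be checked from the sending side. The following is an added example, not code from Google, Virtru, or the regulation: it parses an SMTP EHLO reply to see whether a recipient's mail exchanger advertises STARTTLS, with the hostnames and replies being constructed sample data. An advertised STARTTLS is opportunistic, so a positive result means encryption is possible on that hop, not that it is guaranteed.

```python
import smtplib

def parse_ehlo_response(raw):
    """Turn a raw multi-line 250 EHLO reply into {extension: params}, keys lowercased.

    The first line is the server greeting ("250-hostname ..."), not an extension.
    """
    features = {}
    for line in raw.strip().splitlines()[1:]:
        if not line.startswith("250"):
            continue  # not part of the 250 reply; ignore
        body = line[4:].strip()  # drop the "250-" / "250 " prefix
        name, _, params = body.partition(" ")
        features[name.lower()] = params
    return features

def starttls_advertised(features):
    """True when the server offered STARTTLS. An offer is not proof it was used."""
    return "starttls" in features

def hosts_without_starttls(mx_features):
    """Given {mx_host: parsed_features}, list the hosts that never offer STARTTLS.

    Mail delivered through any host listed here crosses that hop in the clear.
    """
    return sorted(h for h, f in mx_features.items() if not starttls_advertised(f))

def probe_mx_starttls(host, port=25, timeout=10.0):
    """Live check of one mail exchanger (network call; assumes outbound port 25 is allowed)."""
    with smtplib.SMTP(timeout=timeout) as smtp:
        smtp.connect(host, port)
        code, _ = smtp.ehlo()
        return code == 250 and smtp.has_extn("starttls")

# Constructed EHLO replies for two hypothetical mail exchangers of one domain.
CONSTRUCTED_EHLO_TLS = """250-mx1.example.test Hello client.example.test
250-SIZE 35882577
250-8BITMIME
250-STARTTLS
250-ENHANCEDSTATUSCODES
250 SMTPUTF8"""

CONSTRUCTED_EHLO_NO_TLS = """250-mx2.example.test Hello client.example.test
250-SIZE 10485760
250 8BITMIME"""

if __name__ == "__main__":
    parsed = {"mx1.example.test": parse_ehlo_response(CONSTRUCTED_EHLO_TLS),
              "mx2.example.test": parse_ehlo_response(CONSTRUCTED_EHLO_NO_TLS)}
    print("MX hosts without STARTTLS:", hosts_without_starttls(parsed))
```

A Data Protection Officer can run probe_mx_starttls against each MX host of a partner domain to learn which recipients cannot receive PII over an encrypted hop at all.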
Unlike Gmail’s native TLS, where encryption cannot be guaranteed, Virtru offers true end-to-end encryption and helps educational agencies modernize their security program to meet NY EdLaw 2-d compliance requirements by ensuring sensitive data is protected and under your control at all times. Integrated with the applications you already use, such as Gmail, Google Drive, and Microsoft Outlook, Virtru gives educational agencies the ability to share sensitive data and PII with ease, while keeping student records and sensitive communications private and compliant. With data-centric security in place, protection, control, and visibility persist throughout the full data lifecycle, enabling more rapid, efficient services that support parent engagement and student development without sacrificing privacy or risking non-compliance.