New Regulations. Education Vendors.

Where: New York

What new requirements are being placed on education vendors?

  • Contracts with vendors who receive PII must state that the vendor will maintain all information in accordance with federal and state law and the school’s security and privacy policy.
  • Parent’s Bill of Rights in every contract with vendors who receive PII.
  • National Institute for Standards and Technology Cybersecurity Framework (“NIST CSF”) is the standard for data security and privacy.
  • July 1, 2020 deadline for all schools to adopt a data security and privacy policy
  • Online Privacy Policies. Schools must publish their data security and privacy policies on their websites.
  • Schools Must Train Staff. Schools must provide data privacy and security awareness training to officers and employees with access to PII.
  • Designate a Data Protection Officer (“DPO”) at each school to be responsible for the compliance program and to otherwise serve as a point of contact for the schools on data security and privacy matters.
  • Vendor Notification. Vendors that suffer a breach of PII must notify the affected schools within 7 calendar days
  • School Notification. schools must in turn notify within 10 calendar days of receipt of notification of a breach from the vendor & the schools must notify affected individuals without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.

Jackson Lewis | New York Adopts New Data Security And Privacy Regulations For Schools And Their Vendors

image



Thank you for subscribing to our newsletter.
Great things are just around the corner!