On October 8, 2021, President Biden signed the bipartisan K-12 Cybersecurity Act of 2021 (the “Act”) in response to K-12 educational institutions facing cyber-attacks across the United States. The types of cyber incidents targeting K-12 information systems include denial of service, phishing, ransomware and malware, and other unauthorized disclosures of personal information.

While the Act itself does not detail specific requirements for K-12 educational institutions, it seeks to address the increasing risk of cybersecurity incidents by authorizing the director of the Cybersecurity and Infrastructure Security Agency (CISA) to conduct a study on the specific cybersecurity risks currently facing K-12 educational institutions. The director has 120 days from the enactment of the Act to complete the study. The director then has an additional 60 days to issue recommendations, including cybersecurity guidelines, to assist K-12 educational institutions in responding to the threats described in the study. In conjunction with those recommendations, CISA will develop an online training toolkit to educate school officials about the recommendations and to ease their implementation by giving officials practical strategies for acting on them.

A major aspect of the Act is that K-12 educational institutions are not required to follow the guidelines outlined by the director; rather, the guidelines are recommendations that K-12 educational institutions are encouraged to implement or utilize. Although adoption is voluntary, K-12 educational institutions should not take the guidelines lightly. According to the K-12 Cybersecurity Resource Center, approximately 1,100 cybersecurity incidents have been publicly reported by K-12 educational institutions since 2016. In 2020, over 400 cybersecurity incidents were publicly reported by K-12 educational institutions, an increase of 18 percent from 2019. Further, cybersecurity incidents and breaches are often time consuming and costly to resolve. The Act's ultimate aim is to mitigate these risks: institutions that implement programs and protocols to thwart an incident or breach, and that are educated on the proper protocols to follow when one occurs, engage in proactive cost management.

With the Act signed by President Biden, and with state lawmakers increasingly focused on cybersecurity (for example, the new data breach notification laws enacted in Virginia and Colorado and a new bill in Ohio), school districts and other educational institutions should review and update their information security programs. That review should include training and educating staff and students on current cybersecurity risks, updating incident response plans, and implementing the necessary administrative, technical, and physical safeguards for their information systems. Institutions should also prioritize endpoint security on property such as laptops, tablets, and other online learning systems, especially as school activity continues to move online in light of the COVID-19 pandemic.

Taft will continue to monitor the director's progress on the study and the forthcoming guidelines and will keep you updated on such developments right here on Taft's Privacy and Data Security Insights blog. For more information on the K-12 Cybersecurity Act of 2021, state data breach notification laws, and other data privacy questions, please contact Taft's Privacy and Data Security Team.