Adam V. Griffin and James A. Keith of Adams and Reese LLP explain:
The Mississippi Department of Education (MDE) is seeking public comment on a proposed rule pertaining to cybersecurity that will require Mississippi public school districts to take substantial actions to prepare. The rule would require each district to:
- Implement 22 enumerated policies related to the privacy and security of data
- Give written notification to MDE of any cyber incident or violation of state or federal security or privacy laws and regulations within 24 hours of the district becoming aware of the incident, breach, or violation
- Cooperate with MDE in investigating incidents, including sharing with MDE any post-incident reports
The Proposed Rule
MDE recently posted the APA notice below:
Administrative Procedures Act (APA) Notice Office of Technology and Strategic Services Mississippi Seeks Public Comment on State Board Policy Chapter 55, Rule 55.1, Office of Technology and Strategic Services
On January 16, 2020, the State Board of Education (SBE) granted approval to begin the Administrative Procedures Act (APA) process to revise the following Policy:
§ Miss. Admin. Code 7-3:55.1, State Board Policy Chapter 55, Rule 55.1
The proposed revision will provide guidance to the MDE regarding its operational responsibilities as it relates to Data Governance, Security, and Privacy, and the role of the Office of Technology and Strategic Services (OTSS) in meeting those operational responsibilities. The proposed revision will further provide guidance to OTSS regarding its role is supporting Local Educational Agencies as they address their local Data Governance, Security, and Privacy responsibilities. Please submit written comments to John Kraman, Chief Information Officer, Office of Technology and Strategic Services, via email at [email protected] or postal mail to 359 North West Street, Post Office Box 771, Jackson, MS 39205-0771, on or before 5:00 p.m., on February 19, 2020.
The proposed rule includes requirements on the MDE Office of Technology and Strategic Services (OTSS), none of which appear to directly impact school districts (see sections 1–8). However, section 9 is addressed specifically at public school districts, and imposes three new requirements on them. Each is discussed further below.
Creation of Policies, Standards and Procedures
The proposed rule requires districts to create numerous policies, standards and procedures, such as:
- Access, Account Management, and Password Policy
- Annual State of Security, Privacy and Data Governance Report for the State Superintendent of Public Education
- Best Practices Guidelines
- Data Classification Framework
- Data Collection, Quality and Matching Standards and Procedures
- Data Destruction Policy
- Data Dictionary and Standards
- Data Sharing and Public Request Procedure
- Disaster Recovery and Continuity Policy
- Email and Electronic Communications Policy
- Incident Response Policy
- Information Technology Security Policy
- LEA Security and Privacy Notification Procedures
- Mandatory Annual Training Program, including Security Awareness and FERPA Training
- Safe, Appropriate, and Acceptable Use Policy
- Security and Privacy Processes and Procedures
- Security and Privacy Violation Reporting Procedure
- Security Assessment and Compliance Policy
- Separation of Duties Standards
- Student and Parent’s Rights
- Systems Capacity Planning Policy
- Vendor and Third-Party Control Policy
Most districts do not have policies in place covering all such issues. Notably, the proposed rule provides no time period for implementation, so districts should consider having policies prepared now in anticipation of complying with these obligations.
Read more of their analysis and commentary Lexology.