K-12 Cybersecurity Act: Federal Government Seeks To Improve Security For America’s Educational Institutions – Technology – United States – Mondaq News Alerts
United States:
K-12 Cybersecurity Act: Federal Government Seeks To Improve Security For America’s Educational Institutions
10 December 2021
Taft Stettinius & Hollister
To print this article, all you need is to be registered or login on Mondaq.com.
On October 8, 2021, President Biden signed the bipartisan K-12 Cybersecurity Act of 2021
(the “Act”) in response to K-12 educational institutions
facing cyber-attacks across the United States. The types of cyber
incidents targeting K-12 information systems include denial of
service, phishing, ransomware and malware, and other unauthorized
disclosures of personal information.
While the Act itself does not detail specific requirements for
K-12 educational institutions, it seeks to address the increasing
risk of cybersecurity incidents by authorizing the director of the
Cybersecurity and Infrastructure Security Agency (CISA) to conduct
a study on the specific cybersecurity risks currently facing K-12
educational institutions. The director has 120 days from the
enactment of the Act to complete the study. The director will then
have an additional 60 days to issue recommendations that include
cybersecurity guidelines to assist K-12 educational institutions in
responding to the cybersecurity threats described in the
director’s study. In conjunction with cybersecurity
recommendations, CISA will be developing an online training toolkit
to educate school officials about the recommendations and to help
ease the implementation of the recommendations by providing
strategies for officials to take such action.
A major aspect of the Act is that it is not a requirement that
K-12 educational institutions follow the guidelines outlined by the
director, rather, the guidelines are only recommendations that K-12
educational institutions are encouraged to implement or utilize.
While the guidelines can be adopted by K-12 educational
institutions on a voluntary basis, K-12 educational institutions
should not take them lightly. According to the K-12 Cybersecurity Resource Center,
approximately 1,100 cybersecurity incidents have been publicly
reported by K-12 educational institutions since 2016. In 2020, over
400 cybersecurity incidents were publicly reported by K-12
educational institutions, which is an increase of 18 percent from
2019. Further, cybersecurity incidents or breaches can often be
time consuming and costly. The endgame of the Act will hopefully
mitigate potential risks by implementing programs and protocols to
attempt to thwart an incident or breach, as well as provide
education on the proper protocols to utilize when an incident or
breach occurs, thereby engaging in proactive cost management.
With the Act being signed by President Biden, and a general
increased focus on cybersecurity from state lawmakers (i.e. new
data breach notification laws enacted in Virginia and Colorado and a new bill in Ohio), school
districts and other educational institutions should review and
update their information security programs, including training and
educating staff and students …….