Your team just uncovered a data breach.
And during those frightful first moments, when you should be focused on your incident response plan, you look at your Fitbit because you must document the time of breach discovery.
And start your stopwatch.
"I've got 23 hours and 59 minutes until I have to notify on this. How much can we learn by then?"
24-hour data breach notification proposed
The Mississippi Department of Education (MDE) is proposing an unusually strict 24-hour notification for school districts that have a cybersecurity or privacy incident.
Attorneys from law firm Adams and Reese blogged about the proposal and the notification issue:
"The time for notification of an incident is very short, and far shorter than the time contained in most laws and regulations (including Mississippi's own data breach notification law).
It is often unclear whether or to what extent an incident has actually occurred, and therefore, districts will need to be prepared to give notification even before all facts are gathered.
Also, the proposed rule would require notification of many types of incidents, not just ransomware attacks or data breaches."
It's hard to imagine how this notification burden would work for school districts. For many, cybersecurity is the responsibility of IT teams that are stretched thin.
22 cybersecurity and privacy requirements proposed
The notification timeline is only a small part of a significant and sweeping cybersecurity proposal for Mississippi school districts. The state's Department of Education is proposing the following 22 requirements for what each district must have:
- Access, Account Management, and Password Policy
- Annual State of Security, Privacy and Data Governance Report for the State Superintendent of Public Education
- Best Practices Guidelines
- Data Classification Framework
- Data Collection, Quality and Matching Standards and Procedures
- Data Destruction Policy
- Data Dictionary and Standards
- Data Sharing and Public Request Procedure
- Disaster Recovery and Continuity Policy
- Email and Electronic Communications Policy
- Incident Response Policy
- Information Technology Security Policy
- LEA Security and Privacy Notification Procedures
- Mandatory Annual Training Program, including Security Awareness and FERPA Training
- Safe, Appropriate, and Acceptable Use Policy
- Security and Privacy Processes and Procedures
- Security and Privacy Violation Reporting Procedure
- Security Assessment and Compliance Policy
- Separation of Duties Standards
- Student and Parent's Rights
- Systems Capacity Planning Policy
- Vendor and Third-Party Control Policy
Does your organization have all of these plans and policies in place?
Cyber incident and privacy incident reporting: big brother is watching
Attorneys writing about the proposal noted another interesting twist:
"The rule also requires each district to allow MDE to investigate any incident. It is not clear to what extent MDE's investigation would be in the nature of an enforcement action versus assisting the district."
And when will that investigation happen? Will it be during the district's incident response phase or afterward? These are valid questions about the proposed policy.
How do you approach evolving cyberlaw and privacy law landscape?
While this proposal only applies to school districts within a single state, we know that keeping up with state-by-state privacy and cyberlaw changes is like a game of whack-a-mole.
At SecureWorld New York, we interviewed Jordan Fischer of XPAN Law Group. Listen to that interview about cybersecurity and privacy law strategy here, or on any podcast platform: