AB8353 Text:

                           S T A T E   O F   N E W   Y O R K
       ________________________________________________________________________

                                         8353

                                 I N  A S S E M B L Y

                                    January 9, 2014
                                      ___________

       Introduced  by M. of A. NOLAN -- read once and referred to the Committee
         on Education

       AN ACT to amend the education law and the  penal  law,  in  relation  to
         establishing  penalties  for  the  unauthorized  release of personally
         identifiable information from student records and certain  records  of
         classroom teachers and building principals

         THE  PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND ASSEM-
       BLY, DO ENACT AS FOLLOWS:

    1    Section 1. Section 305 of the education law is amended by adding a new
    2  subdivision 44 to read as follows:
    3    44. UNAUTHORIZED RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION.
    4    A. AS USED IN THIS SUBDIVISION THE  FOLLOWING  TERMS  SHALL  HAVE  THE
    5  FOLLOWING MEANINGS:
    6    (1)  "BUILDING PRINCIPAL" MEANS A BUILDING PRINCIPAL SUBJECT TO ANNUAL
    7  PERFORMANCE EVALUATION REVIEW UNDER  THE  PROVISIONS  OF  SECTION  THREE
    8  THOUSAND TWELVE-C OF THIS CHAPTER.
    9    (2)  "CLASSROOM TEACHER" MEANS A TEACHER SUBJECT TO ANNUAL PERFORMANCE
   10  EVALUATION  REVIEW  UNDER  THE  PROVISIONS  OF  SECTION  THREE  THOUSAND
   11  TWELVE-C OF THIS CHAPTER.
   12    (3) "EDUCATIONAL AGENCY" MEANS A SCHOOL DISTRICT, BOARD OF COOPERATIVE
   13  EDUCATIONAL  SERVICES,  SCHOOL,  INSTITUTION  OF HIGHER EDUCATION OR THE
   14  EDUCATION DEPARTMENT.
   15    (4) "INSTITUTION OF HIGHER EDUCATION" MEANS AN ENTITY WITH A CAMPUS IN
   16  NEW YORK THAT PROVIDES HIGHER EDUCATION, AS DEFINED IN SUBDIVISION EIGHT
   17  OF SECTION TWO OF THIS TITLE, THAT IS SUBJECT TO THE REQUIREMENTS OF THE
   18  FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED  THIR-
   19  TY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE.
   20    (5) "PERSONALLY IDENTIFIABLE INFORMATION", AS APPLIED TO STUDENT DATA,
   21  MEANS  PERSONALLY IDENTIFIABLE INFORMATION AS DEFINED IN SECTION 99.3 OF
   22  TITLE THIRTY-FOUR OF THE CODE OF FEDERAL  REGULATIONS  IMPLEMENTING  THE
   23  FAMILY  EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIR-
   24  TY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE, AND, AS  APPLIED  TO
   25  TEACHER OR PRINCIPAL DATA, MEANS "PERSONALLY IDENTIFYING INFORMATION" AS

        EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                             [ ] is old law to be omitted.
                                                                  LBD13221-04-4
       A. 8353                             2

    1  SUCH  TERM IS USED IN SUBDIVISION TEN OF SECTION THREE THOUSAND TWELVE-C
    2  OF THIS CHAPTER.
    3    (6)  "SCHOOL" MEANS ANY PUBLIC ELEMENTARY OR SECONDARY SCHOOL, CHARTER
    4  SCHOOL,  UNIVERSAL  PRE-KINDERGARTEN  PROGRAM  AUTHORIZED  PURSUANT   TO
    5  SECTION  THIRTY-SIX  HUNDRED TWO-E OF THIS CHAPTER, AN APPROVED PROVIDER
    6  OF PRESCHOOL SPECIAL EDUCATION, ANY OTHER PUBLICLY FUNDED PRE-KINDERGAR-
    7  TEN PROGRAM, AN APPROVED PRIVATE SCHOOL FOR THE  EDUCATION  OF  STUDENTS
    8  WITH DISABILITIES, A STATE-SUPPORTED SCHOOL SUBJECT TO THE PROVISIONS OF
    9  ARTICLE  EIGHTY-FIVE OF THIS CHAPTER, A STATE-OPERATED SCHOOL SUBJECT TO
   10  THE PROVISIONS OF ARTICLE EIGHTY-SEVEN OR EIGHTY-EIGHT OF THIS CHAPTER.
   11    (7) "STUDENT" MEANS ANY PERSON ATTENDING OR SEEKING TO  ENROLL  IN  AN
   12  EDUCATIONAL AGENCY.
   13    (8)  "ELIGIBLE  STUDENT" MEANS A STUDENT EIGHTEEN YEARS OR OLDER OR AN
   14  EMANCIPATED MINOR. AN EMANCIPATED MINOR AS USED IN THIS  SECTION  REFERS
   15  TO  A STUDENT AT LEAST SIXTEEN YEARS OR OLDER WHO IS NO LONGER A DEPEND-
   16  ENT OF OR IN THE CUSTODY OF A PARENT AS DEFINED IN THIS SECTION.
   17    (9) "PARENT" MEANS A PARENT, LEGAL GUARDIAN,  OR  PERSON  IN  PARENTAL
   18  RELATION TO A STUDENT.
   19    (10)  "STUDENT  DATA"  MEANS  PERSONALLY IDENTIFIABLE INFORMATION FROM
   20  STUDENT RECORDS OF AN EDUCATIONAL AGENCY.
   21    (11) "TEACHER OR PRINCIPAL DATA" MEANS PERSONALLY IDENTIFIABLE  INFOR-
   22  MATION  FROM THE RECORDS OF AN EDUCATIONAL AGENCY RELATING TO THE ANNUAL
   23  PROFESSIONAL PERFORMANCE REVIEWS OF  CLASSROOM  TEACHERS  OR  PRINCIPALS
   24  THAT  IS CONFIDENTIAL AND NOT SUBJECT TO RELEASE UNDER THE PROVISIONS OF
   25  SECTION THREE THOUSAND TWELVE-C OF THIS CHAPTER.
   26    (12) "THIRD PARTY CONTRACTOR" SHALL MEAN ANY PERSON OR  ENTITY,  OTHER
   27  THAN  AN  EDUCATIONAL  AGENCY,  THAT RECEIVES STUDENT DATA OR TEACHER OR
   28  PRINCIPAL DATA FROM AN EDUCATIONAL AGENCY  PURSUANT  TO  A  CONTRACT  OR
   29  OTHER  WRITTEN  AGREEMENT  FOR  PURPOSES  OF  PROVIDING SERVICES TO SUCH
   30  EDUCATIONAL AGENCY, INCLUDING BUT NOT  LIMITED  TO  DATA  MANAGEMENT  OR
   31  STORAGE  SERVICES,  CONDUCTING  STUDIES  FOR OR ON BEHALF OF SUCH EDUCA-
   32  TIONAL AGENCY, OR AUDIT OR EVALUATION OF PUBLICLY FUNDED PROGRAMS.  SUCH
   33  TERM SHALL INCLUDE AN EDUCATIONAL PARTNERSHIP ORGANIZATION THAT RECEIVES
   34  STUDENT AND/OR PRINCIPAL DATA FROM A SCHOOL DISTRICT TO  CARRY  OUT  ITS
   35  RESPONSIBILITIES  PURSUANT TO SECTION TWO HUNDRED ELEVEN-E OF THIS CHAP-
   36  TER AND IS NOT AN EDUCATIONAL AGENCY AS DEFINED IN SUBPARAGRAPH THREE OF
   37  PARAGRAPH A OF THIS SUBDIVISION, AND  A  NOT-FOR-PROFIT  CORPORATION  OR
   38  OTHER  NON-PROFIT  ORGANIZATION,  OTHER THAN AN EDUCATIONAL AGENCY, OR A
   39  FOR-PROFIT CORPORATION OR BUSINESS ENTITY  THAT  IS  AFFILIATED  WITH  A
   40  CHARTER  SCHOOL AND PROVIDES MANAGEMENT AND/OR OTHER SERVICES TO SUPPORT
   41  THE CHARTER SCHOOL IN ACCORDANCE WITH A CHARTER ISSUED PURSUANT TO ARTI-
   42  CLE FIFTY-SIX OF THIS CHAPTER.
   43    B. (1) THE COMMISSIONER SHALL APPOINT A CHIEF PRIVACY  OFFICER  WITHIN
   44  THE DEPARTMENT. THE CHIEF PRIVACY OFFICER SHALL BE QUALIFIED BY TRAINING
   45  OR  EXPERIENCE  IN  STATE  AND  FEDERAL EDUCATION PRIVACY LAWS AND REGU-
   46  LATIONS,  CIVIL  LIBERTIES,  ANNUAL  PROFESSIONAL  PERFORMANCE  REVIEWS,
   47  INFORMATION  TECHNOLOGY,  AND  INFORMATION  SECURITY.  THE CHIEF PRIVACY
   48  OFFICER SHALL REPORT TO THE COMMISSIONER ON  MATTERS  AFFECTING  PRIVACY
   49  AND THE SECURITY OF STUDENT, TEACHER, AND PRINCIPAL DATA.
   50    (2)  THE FUNCTIONS OF THE CHIEF PRIVACY OFFICER SHALL INCLUDE, BUT NOT
   51  BE LIMITED TO:
   52    (I) PROMOTING THE IMPLEMENTATION OF  FAIR  INFORMATION  PRACTICES  FOR
   53  PRIVACY AND SECURITY OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
   54    (II) ASSISTING THE COMMISSIONER IN HANDLING INSTANCES OF DATA BREACHES
   55  AS WELL AS ASSISTING THE COMMISSIONER IN DUE PROCESS PROCEEDINGS REGARD-
   56  ING ANY ALLEGED BREACHES OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
       A. 8353                             3

    1    (III) PROVIDING ASSISTANCE TO EDUCATIONAL AGENCIES WITHIN THE STATE ON
    2  MINIMUM  STANDARDS  AND  BEST  PRACTICES ASSOCIATED WITH PRIVACY AND THE
    3  SECURITY OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
    4    (IV)  FORMULATING  A  PROCEDURE WITHIN THE DEPARTMENT WHEREBY PARENTS,
    5  STUDENTS, TEACHERS, SUPERINTENDENTS, SCHOOL BOARD  MEMBERS,  PRINCIPALS,
    6  AND  OTHER  PERSONS  OR ENTITIES THE CHIEF PRIVACY OFFICER DETERMINES IS
    7  APPROPRIATE, MAY REQUEST  INFORMATION  PERTAINING  TO  STUDENT  DATA  OR
    8  TEACHER OR PRINCIPAL DATA IN A TIMELY AND EFFICIENT MANNER;
    9    (V)  ASSISTING  THE  COMMISSIONER  IN  ESTABLISHING A PROTOCOL FOR THE
   10  SUBMISSION OF COMPLAINTS OF POSSIBLE BREACHES OF STUDENT DATA OR TEACHER
   11  OR PRINCIPAL DATA;
   12    (VI) MAKING RECOMMENDATIONS AS NEEDED REGARDING PRIVACY AND THE  SECU-
   13  RITY  OF  STUDENT  DATA ON BEHALF OF THE DEPARTMENT TO THE GOVERNOR, THE
   14  SPEAKER OF THE ASSEMBLY, THE TEMPORARY PRESIDENT OF THE SENATE, AND  THE
   15  CHAIRS OF THE SENATE AND ASSEMBLY EDUCATION COMMITTEES;
   16    (VII)  DEVELOPING,  WITH  INPUT  FROM  THE  NEW YORK STATE EDUCATIONAL
   17  CONFERENCE BOARD AND PARENTS, THE PARENTS BILL OF RIGHTS FOR DATA PRIVA-
   18  CY AND SECURITY; AND
   19    (VIII) ANY OTHER FUNCTIONS THAT THE COMMISSIONER SHALL DEEM  APPROPRI-
   20  ATE.
   21    (3) THE CHIEF PRIVACY OFFICER SHALL HAVE THE POWER TO:
   22    (I)  ACCESS  ALL RECORDS, REPORTS, AUDITS, REVIEWS, DOCUMENTS, PAPERS,
   23  RECOMMENDATIONS, AND OTHER MATERIALS MAINTAINED BY AN EDUCATIONAL AGENCY
   24  THAT RELATE TO STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
   25    (II) TO REVIEW AND COMMENT  UPON  ANY  DEPARTMENT  PROGRAM,  PROPOSAL,
   26  GRANT,  OR  CONTRACT  THAT  INVOLVES  THE  PROCESSING OF STUDENT DATA OR
   27  TEACHER OR PRINCIPAL DATA BEFORE THE COMMISSIONER BEGINS OR  AWARDS  THE
   28  PROGRAM, PROPOSAL, GRANT, OR CONTRACT; AND
   29    (III) ANY OTHER POWERS THAT THE COMMISSIONER SHALL DEEM APPROPRIATE.
   30    (4) THE CHIEF PRIVACY OFFICER SHALL SUBMIT BY JANUARY FIRST, TWO THOU-
   31  SAND  FIFTEEN,  AND  EACH JANUARY FIRST THEREAFTER, A REPORT OUTLINING A
   32  SUMMARY OF ACTIVITIES, RECOMMENDATIONS, COMPLAINTS, AND STATUTORY, REGU-
   33  LATORY OR DEPARTMENTAL CHANGES PERTAINING TO THE PROTECTION  OF  STUDENT
   34  DATA  OR  TEACHER  OR  PRINCIPAL  DATA. THE REPORT SHALL BE SUBMITTED ON
   35  BEHALF OF THE DEPARTMENT TO THE GOVERNOR, THE SPEAKER OF  THE  ASSEMBLY,
   36  THE  TEMPORARY PRESIDENT OF THE SENATE, AND THE CHAIRS OF THE SENATE AND
   37  ASSEMBLY EDUCATION COMMITTEES. THE REPORT SHALL ALSO  BE  MADE  PUBLICLY
   38  AVAILABLE ON THE DEPARTMENT'S WEBSITE.
   39    (5)  THE  CHIEF PRIVACY OFFICER MAY HOLD MORE THAN ONE POSITION WITHIN
   40  THE DEPARTMENT; PROVIDED  HOWEVER,  THAT  NO  ADDITIONAL  POSITION  WILL
   41  INTERFERE  WITH THE DUTIES OF THE CHIEF PRIVACY OFFICER OUTLINED IN THIS
   42  PARAGRAPH.
   43    C. (1) THE CHIEF PRIVACY OFFICER SHALL DEVELOP, WITH  INPUT  FROM  THE
   44  NEW  YORK STATE EDUCATIONAL CONFERENCE BOARD AND PARENTS, A PARENTS BILL
   45  OF RIGHTS FOR DATA PRIVACY AND SECURITY. THE PARENTS BILL OF RIGHTS  FOR
   46  DATA  PRIVACY  AND  SECURITY  SHALL  BE INCLUDED WITH EVERY CONTRACT THE
   47  DEPARTMENT OR EDUCATIONAL AGENCY ENTERS INTO WITH A THIRD PARTY CONTRAC-
   48  TOR WHERE THE THIRD PARTY CONTRACTOR RECEIVES STUDENT DATA OR TEACHER OR
   49  PRINCIPAL DATA.   EVERY  THIRD  PARTY  CONTRACTOR  THAT  ENTERS  INTO  A
   50  CONTRACT  WITH  THE  DEPARTMENT OR AN EDUCATIONAL AGENCY WHERE THE THIRD
   51  PARTY CONTRACTOR RECEIVES STUDENT DATA  OR  TEACHER  OR  PRINCIPAL  DATA
   52  SHALL  BE  REQUIRED  TO  AGREE IN WRITING TO ABIDE BY THE PROVISIONS SET
   53  FORTH IN THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY. AT  A
   54  MINIMUM,  THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY SHALL
   55  INCLUDE:
       A. 8353                             4

    1    (I) WHO THE EXCLUSIVE PERSONS OR ENTITIES ARE  THAT  THE  THIRD  PARTY
    2  CONTRACTOR  WILL  SHARE  THE  STUDENT  DATA OR TEACHER OR PRINCIPAL DATA
    3  WITH, IF ANY;
    4    (II)  WHEN  THE AGREEMENT EXPIRES AND WHAT HAPPENS TO THE STUDENT DATA
    5  OR TEACHER OR PRINCIPAL DATA UPON EXPIRATION OF THE AGREEMENT;
    6    (III) IF AND HOW A PARENT, STUDENT, ELIGIBLE STUDENT, TEACHER OR PRIN-
    7  CIPAL MAY CHALLENGE THE ACCURACY OF THE STUDENT DATA OR TEACHER OR PRIN-
    8  CIPAL DATA THAT IS COLLECTED;
    9    (IV) WHERE THE STUDENT DATA OR  TEACHER  OR  PRINCIPAL  DATA  WILL  BE
   10  STORED,  AND  THE SECURITY PROTECTIONS TAKEN TO ENSURE SUCH DATA WILL BE
   11  PROTECTED, INCLUDING WHETHER SUCH DATA WILL BE ENCRYPTED; AND
   12    (V) THE EXCLUSIVE PURPOSES FOR WHICH THE STUDENT DATA  OR  TEACHER  OR
   13  PRINCIPAL DATA WILL BE USED.
   14    (2) THE COMMISSIONER SHALL PROMULGATE REGULATIONS FOR A COMMENT PERIOD
   15  WHEREBY PARENTS MAY SUBMIT COMMENTS AND SUGGESTIONS TO THE CHIEF PRIVACY
   16  OFFICER TO BE CONSIDERED FOR INCLUSION IN THE PARENTS BILL OF RIGHTS FOR
   17  STUDENT DATA PRIVACY AND SECURITY.
   18    (3)  THE  DEPARTMENT SHALL POST THE PARENTS BILL OF RIGHTS FOR STUDENT
   19  DATA PRIVACY AND SECURITY ON THE DEPARTMENT'S WEBSITE. EACH  EDUCATIONAL
   20  AGENCY  THAT HAS AN INTERNET WEBSITE SHALL ALSO POST THE PARENTS BILL OF
   21  RIGHTS FOR STUDENT DATA AND SECURITY ON ITS WEBSITE.
   22    (4) THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY  AND  SECURITY
   23  SHALL  BE  COMPLETED  WITHIN ONE HUNDRED TWENTY DAYS AFTER THE EFFECTIVE
   24  DATE OF THIS SUBDIVISION.
   25    D. (1) EACH EDUCATIONAL AGENCY SHALL BE ABLE TO OPT-OUT OF HAVING  THE
   26  STUDENT  DATA  OR  TEACHER  OR  PRINCIPAL DATA THAT THEY ARE REQUIRED TO
   27  REPORT TO THE DEPARTMENT THROUGH STATE OR FEDERAL LAW OR REGULATION FROM
   28  BEING UPLOADED BY THE DEPARTMENT TO THE  DEPARTMENT'S  EDUCATIONAL  DATA
   29  PORTAL.
   30    (2)  NOTHING  IN  THIS  PARAGRAPH SHALL ALLOW AN EDUCATIONAL AGENCY TO
   31  FAIL TO COMPLY WITH ANY  STUDENT  DATA  OR  TEACHER  OR  PRINCIPAL  DATA
   32  REPORTING REQUIREMENTS TO THE DEPARTMENT AS REQUIRED BY STATE OR FEDERAL
   33  LAW OR REGULATION.
   34    E.  THE  CHIEF  PRIVACY  OFFICER  SHALL MAKE PUBLICLY AVAILABLE ON THE
   35  DEPARTMENT'S WEBSITE A COMPLETE LIST OF ALL STUDENT OR TEACHER OR  PRIN-
   36  CIPAL  DATA ELEMENTS COLLECTED WITH AN EXPLANATION AND/OR LEGAL OR REGU-
   37  LATORY AUTHORITY OUTLINING THE REASONS SUCH DATA ELEMENTS ARE COLLECTED.
   38    F. (1) EACH THIRD PARTY  CONTRACTOR  THAT  RECEIVES  STUDENT  DATA  OR
   39  TEACHER OR PRINCIPAL DATA PURSUANT TO A CONTRACT OR OTHER WRITTEN AGREE-
   40  MENT  WITH AN EDUCATIONAL AGENCY SHALL BE REQUIRED TO NOTIFY SUCH EDUCA-
   41  TIONAL AGENCY OF ANY BREACH OF SECURITY  RESULTING  IN  AN  UNAUTHORIZED
   42  RELEASE  OF  SUCH  DATA IN VIOLATION OF APPLICABLE STATE OR FEDERAL LAW,
   43  THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY  AND  SECURITY,  THE
   44  DATA  PRIVACY  AND  SECURITY  POLICIES  OF THE EDUCATIONAL AGENCY AND/OR
   45  BINDING CONTRACTUAL OBLIGATIONS RELATING TO DATA PRIVACY  AND  SECURITY,
   46  IN  THE  MOST  EXPEDIENT  WAY POSSIBLE AND WITHOUT REASONABLE DELAY. THE
   47  EDUCATIONAL AGENCY SHALL, UPON NOTIFICATION BY THE THIRD PARTY  CONTRAC-
   48  TOR,  BE REQUIRED TO REPORT TO THE CHIEF PRIVACY OFFICER ANY SUCH BREACH
   49  OF SECURITY AND UNAUTHORIZED RELEASE OF SUCH DATA  AND  TO  REPORT  SUCH
   50  BREACH AND UNAUTHORIZED RELEASE TO LAW ENFORCEMENT IN THE MOST EXPEDIENT
   51  WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY.
   52    (2) IN THE CASE OF AN UNAUTHORIZED RELEASE OF STUDENT DATA, THE EDUCA-
   53  TIONAL  AGENCY, OR THE THIRD PARTY CONTRACTOR INVOLVED, SHALL NOTIFY THE
   54  PARENT OR ELIGIBLE STUDENT OF THE UNAUTHORIZED RELEASE OF  STUDENT  DATA
   55  THAT  INCLUDES  PERSONALLY  IDENTIFIABLE  INFORMATION  FROM  THE STUDENT
   56  RECORDS OF SUCH STUDENT IN THE MOST EXPEDIENT WAY POSSIBLE  AND  WITHOUT
       A. 8353                             5

    1  UNREASONABLE DELAY. IN THE CASE OF AN UNAUTHORIZED RELEASE OF TEACHER OR
    2  PRINCIPAL  DATA,  THE  EDUCATIONAL AGENCY, OR THE THIRD PARTY CONTRACTOR
    3  INVOLVED, SHALL NOTIFY EACH AFFECTED TEACHER OR PRINCIPAL OF  THE  UNAU-
    4  THORIZED  RELEASE OF DATA THAT INCLUDES PERSONALLY IDENTIFIABLE INFORMA-
    5  TION FROM THE TEACHER OR  PRINCIPAL'S  ANNUAL  PROFESSIONAL  PERFORMANCE
    6  REVIEW  IN  THE  MOST  EXPEDIENT  WAY  POSSIBLE AND WITHOUT UNREASONABLE
    7  DELAY.
    8    (3) FAILURE TO  NOTIFY  AGAINST  PUBLIC  POLICY.  (I)  A  THIRD  PARTY
    9  CONTRACTOR  SHALL  NOT  FAIL TO NOTIFY THE EDUCATIONAL AGENCY OR PARENT,
   10  ELIGIBLE STUDENT, TEACHER OR PRINCIPAL, AS APPLICABLE, IN THE MOST EXPE-
   11  DIENT WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY.
   12    (II) EACH VIOLATION OF CLAUSE (I) OF THIS SUBPARAGRAPH  SHALL  CONSTI-
   13  TUTE A CLASS E FELONY, AND SHALL BE PUNISHABLE BY A CIVIL PENALTY OF THE
   14  GREATER  OF  FIVE  THOUSAND DOLLARS OR UP TO TEN DOLLARS PER INSTANCE OF
   15  FAILED NOTIFICATION, PROVIDED THAT THE LATTER AMOUNT  SHALL  NOT  EXCEED
   16  ONE HUNDRED FIFTY THOUSAND DOLLARS.
   17    G. IF THE CHIEF PRIVACY OFFICER DETERMINES THAT A THIRD PARTY CONTRAC-
   18  TOR,  IN  VIOLATION OF APPLICABLE STATE OR FEDERAL LAW, THE DATA PRIVACY
   19  AND SECURITY POLICIES OF THE EDUCATIONAL AGENCY AND/OR BINDING  CONTRAC-
   20  TUAL  OBLIGATIONS RELATING TO DATA PRIVACY AND SECURITY, HAS RE-RELEASED
   21  ANY STUDENT DATA OR TEACHER OR PRINCIPAL DATA RECEIVED  FROM  AN  EDUCA-
   22  TIONAL  AGENCY  TO ANY PERSON OR ENTITY NOT AUTHORIZED BY LAW TO RECEIVE
   23  SUCH DATA PURSUANT TO A LAWFUL SUBPOENA OR OTHERWISE, THE CHIEF  PRIVACY
   24  OFFICER,  AFTER  AFFORDING THE THIRD PARTY CONTRACTOR WITH NOTICE AND AN
   25  OPPORTUNITY TO BE HEARD, SHALL BE AUTHORIZED TO:
   26    (1) ORDER THAT THE THIRD PARTY CONTRACTOR BE PRECLUDED FROM  ACCESSING
   27  STUDENT  DATA  OR  TEACHER  OR  PRINCIPAL  DATA, AS APPLICABLE, FROM THE
   28  EDUCATIONAL AGENCY FROM WHICH THE CONTRACTOR OBTAINED THE DATA THAT  WAS
   29  IMPROPERLY DISCLOSED FOR A FIXED PERIOD OF UP TO FIVE YEARS; AND/OR
   30    (2)  ORDER  THAT A THIRD PARTY CONTRACTOR WHO KNOWINGLY AND RECKLESSLY
   31  ALLOWS FOR THE UNAUTHORIZED RELEASE OF STUDENT DATA OR TEACHER OR  PRIN-
   32  CIPAL  DATA BE PRECLUDED FROM ACCESSING STUDENT DATA OR TEACHER OR PRIN-
   33  CIPAL DATA FROM ANY EDUCATIONAL AGENCY IN THE STATE FOR A  FIXED  PERIOD
   34  OF UP TO FIVE YEARS; AND/OR
   35    (3) ORDER, IN THE CASE OF AN EDUCATIONAL AGENCY THAT IS A PUBLIC AGEN-
   36  CY  SUBJECT  TO  COMPETITIVE  BIDDING  REQUIREMENTS,  THAT A THIRD PARTY
   37  CONTRACTOR WHO KNOWINGLY AND  RECKLESSLY  ALLOWS  FOR  THE  UNAUTHORIZED
   38  RELEASE  OF  STUDENT  DATA  OR TEACHER OR PRINCIPAL DATA, THAT THE THIRD
   39  PARTY CONTRACTOR SHALL NOT BE DEEMED A RESPONSIBLE BIDDER OR OFFERER  ON
   40  ANY  CONTRACT  WITH  THE  EDUCATIONAL  AGENCY  FROM WHICH THE CONTRACTOR
   41  OBTAINED THE DATA THAT WAS IMPROPERLY DISCLOSED THAT INVOLVES THE  SHAR-
   42  ING  OF  STUDENT  DATA  OR  TEACHER OR PRINCIPAL DATA, AS APPLICABLE FOR
   43  PURPOSES OF THE PROVISIONS OF SECTION ONE HUNDRED THREE OF  THE  GENERAL
   44  MUNICIPAL  LAW  OR PARAGRAPH C OF SUBDIVISION TEN OF SECTION ONE HUNDRED
   45  SIXTY-THREE OF THE STATE FINANCE LAW, AS APPLICABLE, FOR A FIXED  PERIOD
   46  OF UP TO FIVE YEARS; AND/OR
   47    (4)  REQUIRE  THE  THIRD  PARTY  CONTRACTOR TO PROVIDE TRAINING AT THE
   48  CONTRACTOR'S EXPENSE ON THE FEDERAL AND STATE  LAW  GOVERNING  CONFIDEN-
   49  TIALITY  OF  STUDENT  DATA  AND/OR  TEACHER  OR  PRINCIPAL  DATA AND THE
   50  PROVISIONS OF THIS SUBDIVISION TO ALL ITS OFFICERS  AND  EMPLOYEES  WITH
   51  ACCESS  TO  SUCH  DATA,  PRIOR  TO BEING PERMITTED TO RECEIVE SUBSEQUENT
   52  ACCESS TO SUCH DATA FROM THE EDUCATIONAL AGENCY FROM WHICH THE  CONTRAC-
   53  TOR  OBTAINED  THE DATA THAT WAS IMPROPERLY DISCLOSED OR FROM ANY EDUCA-
   54  TIONAL AGENCY; AND/OR
   55    (5) IF IT IS DETERMINED THAT THE UNAUTHORIZED RELEASE OF STUDENT  DATA
   56  OR  TEACHER  OR PRINCIPAL DATA ON THE PART OF THE THIRD PARTY CONTRACTOR
       A. 8353                             6

    1  WAS INADVERTENT AND DONE WITHOUT INTENT OR GROSS NEGLIGENCE, THE COMMIS-
    2  SIONER MAY DETERMINE THAT NO PENALTY BE  ISSUED  UPON  THE  THIRD  PARTY
    3  CONTRACTOR.
    4    H.  THE  COMMISSIONER, IN CONSULTATION WITH THE CHIEF PRIVACY OFFICER,
    5  SHALL PROMULGATE REGULATIONS ESTABLISHING PROCEDURES  TO  IMPLEMENT  THE
    6  PROVISIONS  OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO PROCEDURES
    7  FOR THE SUBMISSION OF COMPLAINTS FROM PARENTS AND/OR PERSONS IN PARENTAL
    8  RELATION TO STUDENTS, CLASSROOM  TEACHERS  OR  BUILDING  PRINCIPALS,  OR
    9  OTHER  STAFF  OF  AN  EDUCATIONAL AGENCY, MAKING ALLEGATIONS OF IMPROPER
   10  DISCLOSURE OF STUDENT DATA AND/OR TEACHER OR PRINCIPAL DATA BY  A  THIRD
   11  PARTY CONTRACTOR OR ITS OFFICERS OR EMPLOYEES THAT MAY BE SUBJECT TO THE
   12  SANCTIONS  SET FORTH IN PARAGRAPH G OF THIS SUBDIVISION. UPON RECEIPT OF
   13  A COMPLAINT OR  OTHER  INFORMATION  INDICATING  THAT  SUCH  AN  IMPROPER
   14  DISCLOSURE  BY  A  THIRD  PARTY  CONTRACTOR MAY HAVE OCCURRED, THE CHIEF
   15  PRIVACY OFFICER SHALL BE AUTHORIZED TO INVESTIGATE, VISIT,  EXAMINE  AND
   16  INSPECT  THE  THIRD  PARTY CONTRACTOR'S FACILITIES AND RECORDS AND ISSUE
   17  ANY SUBPOENAS DEEMED NECESSARY TO OBTAIN DOCUMENTATION FROM, OR  REQUIRE
   18  THE  TESTIMONY OF, ANY PARTY RELATING TO THE ALLEGED IMPROPER DISCLOSURE
   19  OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA.
   20    I. THE COMMISSIONER, IN CONSULTATION WITH THE CHIEF  PRIVACY  OFFICER,
   21  SHALL  PROMULGATE  REGULATIONS ESTABLISHING MINIMUM STANDARDS FOR EDUCA-
   22  TIONAL AGENCY DATA SECURITY AND PRIVACY POLICIES AND SHALL  DEVELOP  ONE
   23  OR MORE MODEL POLICIES FOR USE BY EDUCATIONAL AGENCIES. EACH EDUCATIONAL
   24  AGENCY,  BY  NO  LATER THAN NINETY DAYS AFTER THE EFFECTIVE DATE OF THIS
   25  SUBDIVISION, SHALL ENSURE THAT IT HAS A  POLICY  ON  DATA  SECURITY  AND
   26  PRIVACY  IN  PLACE  THAT IS CONSISTENT WITH APPLICABLE STATE AND FEDERAL
   27  LAWS AND APPLIES TO STUDENT DATA AND, WHERE APPLICABLE,  TO  TEACHER  OR
   28  PRINCIPAL  DATA.  SUCH  POLICY  SHALL BE PUBLISHED ON THE WEBSITE OF THE
   29  EDUCATIONAL AGENCY, IF SUCH EDUCATIONAL AGENCY HAS AN INTERNET  WEBSITE,
   30  AND  NOTICE OF SUCH POLICY SHALL BE PROVIDED TO ALL OFFICERS AND EMPLOY-
   31  EES OF THE EDUCATIONAL AGENCY. AS APPLIED TO STUDENT DATA,  SUCH  POLICY
   32  SHALL  PROVIDE  ALL  PROTECTIONS  AFFORDED  TO  PARENTS  AND  PERSONS IN
   33  PARENTAL RELATIONSHIPS, OR STUDENTS WHERE APPLICABLE, REQUIRED UNDER THE
   34  FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED  THIR-
   35  TY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE, WHERE APPLICABLE THE
   36  INDIVIDUALS  WITH DISABILITIES EDUCATION ACT, SECTIONS FOURTEEN HUNDRED,
   37  ET. SEQ. OF TITLE TWENTY OF THE UNITED  STATES  CODE,  AND  THE  FEDERAL
   38  REGULATIONS  IMPLEMENTING  SUCH  STATUTES. EACH EDUCATIONAL AGENCY SHALL
   39  ENSURE THAT IT HAS IN PLACE PROVISIONS IN ITS CONTRACTS WITH THIRD PARTY
   40  CONTRACTORS OR IN SEPARATE DATA SHARING AND  CONFIDENTIALITY  AGREEMENTS
   41  THAT  REQUIRE THAT CONFIDENTIALITY OF THE SHARED STUDENT DATA OR TEACHER
   42  OR PRINCIPAL DATA BE MAINTAINED IN ACCORDANCE WITH FEDERAL AND STATE LAW
   43  AND THE EDUCATIONAL AGENCY'S POLICY ON DATA SECURITY AND PRIVACY.
   44    J. EACH EDUCATIONAL AGENCY THAT ENTERS INTO A CONTRACT OR OTHER  WRIT-
   45  TEN  AGREEMENT WITH A THIRD PARTY CONTRACTOR UNDER WHICH THE THIRD PARTY
   46  CONTRACTOR WILL RECEIVE STUDENT DATA OR TEACHER OR PRINCIPAL DATA  SHALL
   47  ENSURE  THAT  SUCH  CONTRACT  OR  AGREEMENT  INCLUDE A DATA SECURITY AND
   48  PRIVACY PLAN THAT OUTLINES HOW ALL STATE, FEDERAL, AND LOCAL DATA  SECU-
   49  RITY AND PRIVACY CONTRACT REQUIREMENTS WILL BE IMPLEMENTED OVER THE LIFE
   50  OF THE CONTRACT, CONSISTENT WITH THE EDUCATIONAL AGENCY'S POLICY ON DATA
   51  SECURITY  AND PRIVACY. SUCH PLAN SHALL INCLUDE, BUT SHALL NOT BE LIMITED
   52  TO, A SIGNED COPY OF THE PARENTS BILL OF RIGHTS  FOR  DATA  PRIVACY  AND
   53  SECURITY,  AND A REQUIREMENT THAT ANY OFFICERS OR EMPLOYEES OF THE THIRD
   54  PARTY CONTRACTOR WHO HAVE ACCESS TO STUDENT DATA OR TEACHER OR PRINCIPAL
   55  DATA HAVE RECEIVED OR WILL RECEIVE TRAINING ON THE FEDERAL AND STATE LAW
   56  GOVERNING CONFIDENTIALITY OF SUCH DATA PRIOR TO RECEIVING ACCESS.
       A. 8353                             7

    1    K. (1)(I) EACH VIOLATION OF ANY PROVISION OF THIS SECTION BY  A  THIRD
    2  PARTY  CONTRACTOR  SHALL  BE  PUNISHABLE BY A CIVIL PENALTY OF UP TO ONE
    3  THOUSAND DOLLARS; A SECOND VIOLATION BY THE SAME THIRD PARTY  CONTRACTOR
    4  INVOLVING  THE  SAME  STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL BE
    5  PUNISHABLE BY A CIVIL PENALTY OF UP TO FIVE THOUSAND DOLLARS; ANY SUBSE-
    6  QUENT  VIOLATION  BY  THE SAME THIRD PARTY CONTRACTOR INVOLVING THE SAME
    7  STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL BE PUNISHABLE BY A CIVIL
    8  PENALTY OF UP TO TEN THOUSAND DOLLARS.
    9    (II) EACH VIOLATION OF THIS SUBDIVISION SHALL BE CONSIDERED A SEPARATE
   10  VIOLATION FOR PURPOSES OF CIVIL PENALTIES.
   11    (2) THE ATTORNEY GENERAL SHALL HAVE THE AUTHORITY TO  ENFORCE  COMPLI-
   12  ANCE WITH THIS SECTION BY INVESTIGATION AND SUBSEQUENT COMMENCEMENT OF A
   13  CIVIL ACTION TO SEEK CIVIL PENALTIES FOR VIOLATIONS OF THIS SECTION, AND
   14  TO  SEEK  APPROPRIATE  INJUNCTIVE  RELIEF. IN CARRYING OUT SUCH INVESTI-
   15  GATION AND IN MAINTAINING SUCH CIVIL ACTION LOCAL  LAW  ENFORCEMENT  ARE
   16  AUTHORIZED  TO SUBPOENA WITNESSES, COMPEL THEIR ATTENDANCE, EXAMINE THEM
   17  UNDER OATH AND REQUIRE THAT ANY BOOKS, RECORDS,  DOCUMENTS,  PAPERS,  OR
   18  ELECTRONIC  RECORDS  RELEVANT  OR MATERIAL TO THE INQUIRY BE TURNED OVER
   19  FOR INSPECTION, EXAMINATION OR AUDIT, PURSUANT TO THE CIVIL PRACTICE LAW
   20  AND RULES.
   21    (3) NOTHING CONTAINED IN THIS SUBDIVISION SHALL BE CONSTRUED AS CREAT-
   22  ING A PRIVATE RIGHT OF ACTION AGAINST THE DEPARTMENT OR  AN  EDUCATIONAL
   23  AGENCY.
   24    L.  NOTHING  IN  THIS  SECTION  SHALL  LIMIT THE ADMINISTRATIVE USE OF
   25  STUDENT DATA OR TEACHER OR PRINCIPAL DATA BY A PERSON ACTING EXCLUSIVELY
   26  IN THE PERSON'S CAPACITY AS AN EMPLOYEE OF AN EDUCATIONAL AGENCY  OR  OF
   27  THE STATE OR ANY OF ITS POLITICAL SUBDIVISIONS, ANY COURT OR THE FEDERAL
   28  GOVERNMENT THAT IS OTHERWISE REQUIRED BY LAW.
   29    §  2.  Subdivision  7  of section 156.00 of the penal law, as added by
   30  chapter 558 of the laws of 2006, is amended and three  new  subdivisions
   31  10, 11 and 12 are added to read as follows:
   32    7.  "Access"  means  to  instruct,  communicate  with,  store data in,
   33  retrieve from, or otherwise make use of any  resources  of  a  computer,
   34  physically,  directly or by electronic means; INCLUDING DISSEMINATION OF
   35  DATA.
   36    10. "EDUCATIONAL AGENCY" MEANS AN EDUCATIONAL AGENCY AS SUCH  TERM  IS
   37  DEFINED  IN  SUBDIVISION FORTY-FOUR OF SECTION THREE HUNDRED FIVE OF THE
   38  EDUCATION LAW. AN EDUCATIONAL AGENCY AS SO DEFINED  SHALL  BE  DEEMED  A
   39  GOVERNMENTAL INSTRUMENTALITY FOR PURPOSES OF THIS ARTICLE.
   40    11. "THIRD PARTY CONTRACTOR" MEANS A THIRD PARTY CONTRACTOR AS DEFINED
   41  IN SUBDIVISION FORTY-FOUR OF SECTION THREE HUNDRED FIVE OF THE EDUCATION
   42  LAW.
   43    12.  "EDUCATIONAL  COMPUTER  MATERIAL"  MEANS  PERSONALLY IDENTIFIABLE
   44  INFORMATION FROM STUDENT RECORDS  OR  CONFIDENTIAL  ANNUAL  PROFESSIONAL
   45  PERFORMANCE  REVIEWS  OF  CLASSROOM  TEACHERS OR PRINCIPALS, OF A SCHOOL
   46  DISTRICT, BOARD OF COOPERATIVE EDUCATIONAL SERVICES, SCHOOL, INSTITUTION
   47  OF HIGHER EDUCATION, OR THE STATE EDUCATION DEPARTMENT.
   48    § 3. Section 156.30 of the penal law, as amended by chapter 590 of the
   49  laws of 2008, is amended to read as follows:
   50  § 156.30 Unlawful duplication of computer related material in the  first
   51             degree.
   52    A person is guilty of unlawful duplication of computer related MATERI-
   53  AL  in  the first degree [material] when having no right to do so, he or
   54  she copies, reproduces or duplicates in any manner:
       A. 8353                             8

    1    1. any computer data or computer program and thereby intentionally and
    2  wrongfully deprives or appropriates from an owner  thereof  an  economic
    3  value or benefit in excess of two thousand five hundred dollars;[or]
    4    2.  any  computer data or computer program with an intent to commit or
    5  attempt to commit or further the commission of any felony[.]; OR
    6    3. EDUCATIONAL COMPUTER MATERIAL WITH THE  INTENT  TO  DISSEMINATE  IN
    7  VIOLATION OF SECTION THREE HUNDRED FIVE OF THE EDUCATION LAW.
    8    Unlawful  duplication of computer related material in the first degree
    9  is a class E felony.
   10    § 4. Section 165.45 of the penal law is amended by adding a new
   11  subdivision 8 to read as follows:
   12    8. THE PROPERTY CONSISTS OF EDUCATIONAL COMPUTER MATERIAL  AS  DEFINED
   13  IN ARTICLE ONE HUNDRED FIFTY-SIX OF THIS CHAPTER.
   14    §  5.  This  act shall take effect on the ninetieth day after it shall
   15  have become a law, provided,  however,  the  commissioner  of  education
   16  shall  within  one  hundred  twenty days after it shall have become law,
   17  develop a parents bill of rights for student data privacy and security.