•  Summary 
  •  
  •  Actions 
  •  
  •  Committee Votes 
  •  
  •  Floor Votes 
  •  
  •  Memo 
  •  
  •  Text 

AB8353 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                          8353
 
                   IN ASSEMBLY
 
                                     January 9, 2014
                                       ___________
 
        Introduced  by M. of A. NOLAN -- read once and referred to the Committee
          on Education
 
        AN ACT to amend the education law and the  penal  law,  in  relation  to
          establishing  penalties  for  the  unauthorized  release of personally
          identifiable information from student records and certain  records  of
          classroom teachers and building principals
 

          The  People of the State of New York, represented in Senate and Assem-
        bly, do enact as follows:
 
     1    Section 1. Section 305 of the education law is amended by adding a new
     2  subdivision 44 to read as follows:
     3    44. Unauthorized release of personally identifiable information.
     4    a. As used in this subdivision the  following  terms  shall  have  the
     5  following meanings:
     6    (1)  "Building principal" means a building principal subject to annual
     7  performance evaluation review under  the  provisions  of  section  three
     8  thousand twelve-c of this chapter.
     9    (2)  "Classroom teacher" means a teacher subject to annual performance
    10  evaluation  review  under  the  provisions  of  section  three  thousand
    11  twelve-c of this chapter.

    12    (3) "Educational agency" means a school district, board of cooperative
    13  educational  services,  school,  institution  of higher education or the
    14  education department.
    15    (4) "Institution of higher education" means an entity with a campus in
    16  New York that provides higher education, as defined in subdivision eight
    17  of section two of this title, that is subject to the requirements of the
    18  Family Educational Rights and Privacy Act, section twelve hundred  thir-
    19  ty-two-g of title twenty of the United States code.
    20    (5) "Personally identifiable information", as applied to student data,
    21  means  personally identifiable information as defined in section 99.3 of
    22  title thirty-four of the code of federal  regulations  implementing  the

    23  Family  Educational Rights and Privacy Act, section twelve hundred thir-
    24  ty-two-g of title twenty of the United States code, and, as  applied  to
    25  teacher or principal data, means "personally identifying information" as
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD13221-04-4

        A. 8353                             2
 
     1  such  term is used in subdivision ten of section three thousand twelve-c
     2  of this chapter.
     3    (6)  "School" means any public elementary or secondary school, charter
     4  school,  universal  pre-kindergarten  program  authorized  pursuant   to

     5  section  thirty-six  hundred two-e of this chapter, an approved provider
     6  of preschool special education, any other publicly funded pre-kindergar-
     7  ten program, an approved private school for the  education  of  students
     8  with disabilities, a state-supported school subject to the provisions of
     9  article  eighty-five of this chapter, a state-operated school subject to
    10  the provisions of article eighty-seven or eighty-eight of this chapter.
    11    (7) "Student" means any person attending or seeking to  enroll  in  an
    12  educational agency.
    13    (8)  "Eligible  student" means a student eighteen years or older or an
    14  emancipated minor. An emancipated minor as used in this  section  refers
    15  to  a student at least sixteen years or older who is no longer a depend-

    16  ent of or in the custody of a parent as defined in this section.
    17    (9) "Parent" means a parent, legal guardian,  or  person  in  parental
    18  relation to a student.
    19    (10)  "Student  data"  means  personally identifiable information from
    20  student records of an educational agency.
    21    (11) "Teacher or principal data" means personally identifiable  infor-
    22  mation  from the records of an educational agency relating to the annual
    23  professional performance reviews of  classroom  teachers  or  principals
    24  that  is confidential and not subject to release under the provisions of
    25  section three thousand twelve-c of this chapter.
    26    (12) "Third party contractor" shall mean any person or  entity,  other

    27  than  an  educational  agency,  that receives student data or teacher or
    28  principal data from an educational agency  pursuant  to  a  contract  or
    29  other  written  agreement  for  purposes  of  providing services to such
    30  educational agency, including but not  limited  to  data  management  or
    31  storage  services,  conducting  studies  for or on behalf of such educa-
    32  tional agency, or audit or evaluation of publicly funded programs.  Such
    33  term shall include an educational partnership organization that receives
    34  student and/or principal data from a school district to  carry  out  its
    35  responsibilities  pursuant to section two hundred eleven-e of this chap-
    36  ter and is not an educational agency as defined in subparagraph three of

    37  paragraph a of this subdivision, and  a  not-for-profit  corporation  or
    38  other  non-profit  organization,  other than an educational agency, or a
    39  for-profit corporation or business entity  that  is  affiliated  with  a
    40  charter  school and provides management and/or other services to support
    41  the charter school in accordance with a charter issued pursuant to arti-
    42  cle fifty-six of this chapter.
    43    b. (1) The commissioner shall appoint a chief privacy  officer  within
    44  the department. The chief privacy officer shall be qualified by training
    45  or  experience  in  state  and  federal education privacy laws and regu-
    46  lations,  civil  liberties,  annual  professional  performance  reviews,

    47  information  technology,  and  information  security.  The chief privacy
    48  officer shall report to the commissioner on  matters  affecting  privacy
    49  and the security of student, teacher, and principal data.
    50    (2)  The functions of the chief privacy officer shall include, but not
    51  be limited to:
    52    (i) Promoting the implementation of  fair  information  practices  for
    53  privacy and security of student data or teacher or principal data;
    54    (ii) Assisting the commissioner in handling instances of data breaches
    55  as well as assisting the commissioner in due process proceedings regard-
    56  ing any alleged breaches of student data or teacher or principal data;

        A. 8353                             3
 

     1    (iii) Providing assistance to educational agencies within the state on
     2  minimum  standards  and  best  practices associated with privacy and the
     3  security of student data or teacher or principal data;
     4    (iv)  Formulating  a  procedure within the department whereby parents,
     5  students, teachers, superintendents, school board  members,  principals,
     6  and  other  persons  or entities the chief privacy officer determines is
     7  appropriate, may request  information  pertaining  to  student  data  or
     8  teacher or principal data in a timely and efficient manner;
     9    (v)  Assisting  the  commissioner  in  establishing a protocol for the
    10  submission of complaints of possible breaches of student data or teacher
    11  or principal data;

    12    (vi) Making recommendations as needed regarding privacy and the  secu-
    13  rity  of  student  data on behalf of the department to the governor, the
    14  speaker of the assembly, the temporary president of the senate, and  the
    15  chairs of the senate and assembly education committees;
    16    (vii)  Developing,  with  input  from  the  New York state educational
    17  conference board and parents, the parents bill of rights for data priva-
    18  cy and security; and
    19    (viii) Any other functions that the commissioner shall deem  appropri-
    20  ate.
    21    (3) The chief privacy officer shall have the power to:
    22    (i)  access  all records, reports, audits, reviews, documents, papers,
    23  recommendations, and other materials maintained by an educational agency

    24  that relate to student data or teacher or principal data;
    25    (ii) to review and comment  upon  any  department  program,  proposal,
    26  grant,  or  contract  that  involves  the  processing of student data or
    27  teacher or principal data before the commissioner begins or  awards  the
    28  program, proposal, grant, or contract; and
    29    (iii) any other powers that the commissioner shall deem appropriate.
    30    (4) The chief privacy officer shall submit by January first, two thou-
    31  sand  fifteen,  and  each January first thereafter, a report outlining a
    32  summary of activities, recommendations, complaints, and statutory, regu-
    33  latory or departmental changes pertaining to the protection  of  student
    34  data  or  teacher  or  principal  data. The report shall be submitted on

    35  behalf of the department to the governor, the speaker of  the  assembly,
    36  the  temporary president of the senate, and the chairs of the senate and
    37  assembly education committees. The report shall also  be  made  publicly
    38  available on the department's website.
    39    (5)  The  chief privacy officer may hold more than one position within
    40  the department; provided  however,  that  no  additional  position  will
    41  interfere  with the duties of the chief privacy officer outlined in this
    42  paragraph.
    43    c. (1) The chief privacy officer shall develop, with  input  from  the
    44  New  York state educational conference board and parents, a parents bill
    45  of rights for data privacy and security. The parents bill of rights  for

    46  data  privacy  and  security  shall  be included with every contract the
    47  department or educational agency enters into with a third party contrac-
    48  tor where the third party contractor receives student data or teacher or
    49  principal data.   Every  third  party  contractor  that  enters  into  a
    50  contract  with  the  department or an educational agency where the third
    51  party contractor receives student data  or  teacher  or  principal  data
    52  shall  be  required  to  agree in writing to abide by the provisions set
    53  forth in the parents bill of rights for data privacy and security. At  a
    54  minimum,  the parents bill of rights for data privacy and security shall
    55  include:

        A. 8353                             4
 

     1    (i) who the exclusive persons or entities are  that  the  third  party
     2  contractor  will  share  the  student  data or teacher or principal data
     3  with, if any;
     4    (ii)  when  the agreement expires and what happens to the student data
     5  or teacher or principal data upon expiration of the agreement;
     6    (iii) if and how a parent, student, eligible student, teacher or prin-
     7  cipal may challenge the accuracy of the student data or teacher or prin-
     8  cipal data that is collected;
     9    (iv) where the student data or  teacher  or  principal  data  will  be
    10  stored,  and  the security protections taken to ensure such data will be
    11  protected, including whether such data will be encrypted; and

    12    (v) the exclusive purposes for which the student data  or  teacher  or
    13  principal data will be used.
    14    (2) The commissioner shall promulgate regulations for a comment period
    15  whereby parents may submit comments and suggestions to the chief privacy
    16  officer to be considered for inclusion in the parents bill of rights for
    17  student data privacy and security.
    18    (3)  The  department shall post the parents bill of rights for student
    19  data privacy and security on the department's website. Each  educational
    20  agency  that has an internet website shall also post the parents bill of
    21  rights for student data and security on its website.
    22    (4) The parents bill of rights for student data privacy  and  security

    23  shall  be  completed  within one hundred twenty days after the effective
    24  date of this subdivision.
    25    d. (1) Each educational agency shall be able to opt-out of having  the
    26  student  data  or  teacher  or  principal data that they are required to
    27  report to the department through state or federal law or regulation from
    28  being uploaded by the department to the  department's  educational  data
    29  portal.
    30    (2)  Nothing  in  this  paragraph shall allow an educational agency to
    31  fail to comply with any  student  data  or  teacher  or  principal  data
    32  reporting requirements to the department as required by state or federal
    33  law or regulation.
    34    e.  The  chief  privacy  officer  shall make publicly available on the

    35  department's website a complete list of all student or teacher or  prin-
    36  cipal  data elements collected with an explanation and/or legal or regu-
    37  latory authority outlining the reasons such data elements are collected.
    38    f. (1) Each third party  contractor  that  receives  student  data  or
    39  teacher or principal data pursuant to a contract or other written agree-
    40  ment  with an educational agency shall be required to notify such educa-
    41  tional agency of any breach of security  resulting  in  an  unauthorized
    42  release  of  such  data in violation of applicable state or federal law,
    43  the parents bill of rights for student data privacy  and  security,  the
    44  data  privacy  and  security  policies  of the educational agency and/or

    45  binding contractual obligations relating to data privacy  and  security,
    46  in  the  most  expedient  way possible and without reasonable delay. The
    47  educational agency shall, upon notification by the third party  contrac-
    48  tor,  be required to report to the chief privacy officer any such breach
    49  of security and unauthorized release of such data  and  to  report  such
    50  breach and unauthorized release to law enforcement in the most expedient
    51  way possible and without unreasonable delay.
    52    (2) In the case of an unauthorized release of student data, the educa-
    53  tional  agency, or the third party contractor involved, shall notify the
    54  parent or eligible student of the unauthorized release of  student  data

    55  that  includes  personally  identifiable  information  from  the student
    56  records of such student in the most expedient way possible  and  without

        A. 8353                             5
 
     1  unreasonable delay. In the case of an unauthorized release of teacher or
     2  principal  data,  the  educational agency, or the third party contractor
     3  involved, shall notify each affected teacher or principal of  the  unau-
     4  thorized  release of data that includes personally identifiable informa-
     5  tion from the teacher or  principal's  annual  professional  performance
     6  review  in  the  most  expedient  way  possible and without unreasonable
     7  delay.
     8    (3) Failure to  notify  against  public  policy.  (i)  A  third  party

     9  contractor  shall  not  fail to notify the educational agency or parent,
    10  eligible student, teacher or principal, as applicable, in the most expe-
    11  dient way possible and without unreasonable delay.
    12    (ii) Each violation of clause (i) of this subparagraph  shall  consti-
    13  tute a class E felony, and shall be punishable by a civil penalty of the
    14  greater  of  five  thousand dollars or up to ten dollars per instance of
    15  failed notification, provided that the latter amount  shall  not  exceed
    16  one hundred fifty thousand dollars.
    17    g. If the chief privacy officer determines that a third party contrac-
    18  tor,  in  violation of applicable state or federal law, the data privacy
    19  and security policies of the educational agency and/or binding  contrac-

    20  tual  obligations relating to data privacy and security, has re-released
    21  any student data or teacher or principal data received  from  an  educa-
    22  tional  agency  to any person or entity not authorized by law to receive
    23  such data pursuant to a lawful subpoena or otherwise, the chief  privacy
    24  officer,  after  affording the third party contractor with notice and an
    25  opportunity to be heard, shall be authorized to:
    26    (1) order that the third party contractor be precluded from  accessing
    27  student  data  or  teacher  or  principal  data, as applicable, from the
    28  educational agency from which the contractor obtained the data that  was
    29  improperly disclosed for a fixed period of up to five years; and/or

    30    (2)  order  that a third party contractor who knowingly and recklessly
    31  allows for the unauthorized release of student data or teacher or  prin-
    32  cipal  data be precluded from accessing student data or teacher or prin-
    33  cipal data from any educational agency in the state for a  fixed  period
    34  of up to five years; and/or
    35    (3) order, in the case of an educational agency that is a public agen-
    36  cy  subject  to  competitive  bidding  requirements,  that a third party
    37  contractor who knowingly and  recklessly  allows  for  the  unauthorized
    38  release  of  student  data  or teacher or principal data, that the third
    39  party contractor shall not be deemed a responsible bidder or offerer  on
    40  any  contract  with  the  educational  agency  from which the contractor

    41  obtained the data that was improperly disclosed that involves the  shar-
    42  ing  of  student  data  or  teacher or principal data, as applicable for
    43  purposes of the provisions of section one hundred three of  the  general
    44  municipal  law  or paragraph c of subdivision ten of section one hundred
    45  sixty-three of the state finance law, as applicable, for a fixed  period
    46  of up to five years; and/or
    47    (4)  require  the  third  party  contractor to provide training at the
    48  contractor's expense on the federal and state  law  governing  confiden-
    49  tiality  of  student  data  and/or  teacher  or  principal  data and the
    50  provisions of this subdivision to all its officers  and  employees  with
    51  access  to  such  data,  prior  to being permitted to receive subsequent

    52  access to such data from the educational agency from which the  contrac-
    53  tor  obtained  the data that was improperly disclosed or from any educa-
    54  tional agency; and/or
    55    (5) if it is determined that the unauthorized release of student  data
    56  or  teacher  or principal data on the part of the third party contractor

        A. 8353                             6
 
     1  was inadvertent and done without intent or gross negligence, the commis-
     2  sioner may determine that no penalty be  issued  upon  the  third  party
     3  contractor.
     4    h.  The  commissioner, in consultation with the chief privacy officer,
     5  shall promulgate regulations establishing procedures  to  implement  the

     6  provisions  of this subdivision, including but not limited to procedures
     7  for the submission of complaints from parents and/or persons in parental
     8  relation to students, classroom  teachers  or  building  principals,  or
     9  other  staff  of  an  educational agency, making allegations of improper
    10  disclosure of student data and/or teacher or principal data by  a  third
    11  party contractor or its officers or employees that may be subject to the
    12  sanctions  set forth in paragraph g of this subdivision. Upon receipt of
    13  a complaint or  other  information  indicating  that  such  an  improper
    14  disclosure  by  a  third  party  contractor may have occurred, the chief
    15  privacy officer shall be authorized to investigate, visit,  examine  and

    16  inspect  the  third  party contractor's facilities and records and issue
    17  any subpoenas deemed necessary to obtain documentation from, or  require
    18  the  testimony of, any party relating to the alleged improper disclosure
    19  of student data or teacher or principal data.
    20    i. The commissioner, in consultation with the chief  privacy  officer,
    21  shall  promulgate  regulations establishing minimum standards for educa-
    22  tional agency data security and privacy policies and shall  develop  one
    23  or more model policies for use by educational agencies. Each educational
    24  agency,  by  no  later than ninety days after the effective date of this
    25  subdivision, shall ensure that it has a  policy  on  data  security  and

    26  privacy  in  place  that is consistent with applicable state and federal
    27  laws and applies to student data and, where applicable,  to  teacher  or
    28  principal  data.  Such  policy  shall be published on the website of the
    29  educational agency, if such educational agency has an internet  website,
    30  and  notice of such policy shall be provided to all officers and employ-
    31  ees of the educational agency. As applied to student data,  such  policy
    32  shall  provide  all  protections  afforded  to  parents  and  persons in
    33  parental relationships, or students where applicable, required under the
    34  Family Educational Rights and Privacy Act, section twelve hundred  thir-
    35  ty-two-g of title twenty of the United States code, where applicable the

    36  Individuals  with Disabilities Education Act, sections fourteen hundred,
    37  et. seq. of title twenty of the United  States  code,  and  the  federal
    38  regulations  implementing  such  statutes. Each educational agency shall
    39  ensure that it has in place provisions in its contracts with third party
    40  contractors or in separate data sharing and  confidentiality  agreements
    41  that  require that confidentiality of the shared student data or teacher
    42  or principal data be maintained in accordance with federal and state law
    43  and the educational agency's policy on data security and privacy.
    44    j. Each educational agency that enters into a contract or other  writ-
    45  ten  agreement with a third party contractor under which the third party

    46  contractor will receive student data or teacher or principal data  shall
    47  ensure  that  such  contract  or  agreement  include a data security and
    48  privacy plan that outlines how all state, federal, and local data  secu-
    49  rity and privacy contract requirements will be implemented over the life
    50  of the contract, consistent with the educational agency's policy on data
    51  security  and privacy. Such plan shall include, but shall not be limited
    52  to, a signed copy of the parents bill of rights  for  data  privacy  and
    53  security,  and a requirement that any officers or employees of the third
    54  party contractor who have access to student data or teacher or principal
    55  data have received or will receive training on the federal and state law

    56  governing confidentiality of such data prior to receiving access.

        A. 8353                             7
 
     1    k. (1)(i) Each violation of any provision of this section by  a  third
     2  party  contractor  shall  be  punishable by a civil penalty of up to one
     3  thousand dollars; a second violation by the same third party  contractor
     4  involving  the  same  student data or teacher or principal data shall be
     5  punishable by a civil penalty of up to five thousand dollars; any subse-
     6  quent  violation  by  the same third party contractor involving the same
     7  student data or teacher or principal data shall be punishable by a civil
     8  penalty of up to ten thousand dollars.
     9    (ii) Each violation of this subdivision shall be considered a separate

    10  violation for purposes of civil penalties.
    11    (2) The attorney general shall have the authority to  enforce  compli-
    12  ance with this section by investigation and subsequent commencement of a
    13  civil action to seek civil penalties for violations of this section, and
    14  to  seek  appropriate  injunctive  relief. In carrying out such investi-
    15  gation and in maintaining such civil action local  law  enforcement  are
    16  authorized  to subpoena witnesses, compel their attendance, examine them
    17  under oath and require that any books, records,  documents,  papers,  or
    18  electronic  records  relevant  or material to the inquiry be turned over
    19  for inspection, examination or audit, pursuant to the civil practice law
    20  and rules.

    21    (3) Nothing contained in this subdivision shall be construed as creat-
    22  ing a private right of action against the department or  an  educational
    23  agency.
    24    l.  Nothing  in  this  section  shall  limit the administrative use of
    25  student data or teacher or principal data by a person acting exclusively
    26  in the person's capacity as an employee of an educational agency  or  of
    27  the state or any of its political subdivisions, any court or the federal
    28  government that is otherwise required by law.
    29    §  2.  Subdivision  7  of section 156.00 of the penal law, as added by
    30  chapter 558 of the laws of 2006, is amended and three  new  subdivisions
    31  10, 11 and 12 are added to read as follows:
    32    7.  "Access"  means  to  instruct,  communicate  with,  store data in,

    33  retrieve from, or otherwise make use of any  resources  of  a  computer,
    34  physically,  directly or by electronic means; including dissemination of
    35  data.
    36    10. "Educational agency" means an educational agency as such  term  is
    37  defined  in  subdivision forty-four of section three hundred five of the
    38  education law. An educational agency as so defined  shall  be  deemed  a
    39  governmental instrumentality for purposes of this article.
    40    11. "Third party contractor" means a third party contractor as defined
    41  in subdivision forty-four of section three hundred five of the education
    42  law.
    43    12.  "Educational  computer  material"  means  personally identifiable
    44  information from student records  or  confidential  annual  professional

    45  performance  reviews  of  classroom  teachers or principals, of a school
    46  district, board of cooperative educational services, school, institution
    47  of higher education, or the state education department.
    48    § 3. Section 156.30 of the penal law, as amended by chapter 590 of the
    49  laws of 2008, is amended to read as follows:
    50  § 156.30 Unlawful duplication of computer related material in the  first
    51             degree.
    52    A person is guilty of unlawful duplication of computer related materi-
    53  al  in  the first degree [material] when having no right to do so, he or
    54  she copies, reproduces or duplicates in any manner:

        A. 8353                             8
 
     1    1. any computer data or computer program and thereby intentionally and

     2  wrongfully deprives or appropriates from an owner  thereof  an  economic
     3  value or benefit in excess of two thousand five hundred dollars;[or]
     4    2.  any  computer data or computer program with an intent to commit or
     5  attempt to commit or further the commission of any felony[.]; or
     6    3. educational computer material with the  intent  to  disseminate  in
     7  violation of section three hundred five of the education law.
     8    Unlawful  duplication of computer related material in the first degree
     9  is a class E felony.
    10    § 4. Section 165.45 of the penal law is amended by adding a new subdi-
    11  vision 8 to read as follows:
    12    8. The property consists of educational computer material  as  defined
    13  in article one hundred fifty-six of this chapter.

    14    §  5.  This  act shall take effect on the ninetieth day after it shall
    15  have become a law, provided,  however,  the  commissioner  of  education
    16  shall  within  one  hundred  twenty days after it shall have become law,
    17  develop a parents bill of rights for student data privacy and security.
Go to top