
S06007 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         6007--A
            Cal. No. 28
 
                               2013-2014 Regular Sessions
 
                    IN SENATE
 
                                    December 11, 2013
                                       ___________
 
        Introduced by Sens. FLANAGAN, RANZENHOFER, ADDABBO, BONACIC, BOYLE,
          DeFRANCISCO, FELDER, HANNON, LARKIN, MARTINS, MAZIARZ, O'BRIEN,
          SEWARD, VALESKY -- read twice and ordered printed, and when printed to
          be committed to the Committee on Rules -- recommitted to the Committee
          on Rules in accordance with Senate Rule 6, sec. 8 -- committee
          discharged and said bill committed to the Committee on Education --
          reported favorably from said committee, ordered to first report,
          amended on first report, ordered to a second report and ordered
          reprinted, retaining its place in the order of second report
 
        AN  ACT  to  amend  the  education law and the penal law, in relation to
          establishing penalties for  the  unauthorized  release  of  personally
          identifiable  information  from student records and certain records of
          classroom teachers and building principals
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
Section 1. Section 305 of the education law is amended by adding a new subdivision 44 to read as follows:

44. Unauthorized release of personally identifiable information.

a. As used in this subdivision the following terms shall have the following meanings:

(1) "Building principal" means a building principal subject to annual performance evaluation review under the provisions of section three thousand twelve-c of this chapter.

(2) "Classroom teacher" means a teacher subject to annual performance evaluation review under the provisions of section three thousand twelve-c of this chapter.

(3) "Educational agency" means a school district, board of cooperative educational services, school, institution of higher education or the education department.

(4) "Institution of higher education" means an entity with a campus in New York that provides higher education, as defined in subdivision eight of section two of this title, that is subject to the requirements of the Family Educational Rights and Privacy Act, section twelve hundred thirty-two-g of title twenty of the United States code.

EXPLANATION--Matter in italics (underscored) is new; matter in brackets [ ] is old law to be omitted. (LBD13221-05-4)

(5) "Personally identifiable information", as applied to student data, means personally identifiable information as defined in section 99.3 of title thirty-four of the code of federal regulations implementing the Family Educational Rights and Privacy Act, section twelve hundred thirty-two-g of title twenty of the United States code, and, as applied to teacher or principal data, means "personally identifying information" as such term is used in subdivision ten of section three thousand twelve-c of this chapter.
(6) "School" means any public elementary or secondary school, charter school, universal pre-kindergarten program authorized pursuant to section thirty-six hundred two-e of this chapter, an approved provider of preschool special education, any other publicly funded pre-kindergarten program, an approved private school for the education of students with disabilities, a state-supported school subject to the provisions of article eighty-five of this chapter, a state-operated school subject to the provisions of article eighty-seven or eighty-eight of this chapter.

(7) "Student" means any person attending or seeking to enroll in an educational agency.

(8) "Eligible student" means a student eighteen years or older or an emancipated minor. An emancipated minor as used in this section refers to a student at least sixteen years or older who is no longer a dependent of or in the custody of a parent as defined in this section.

(9) "Parent" means a parent, legal guardian, or person in parental relation to a student.

(10) "Student data" means personally identifiable information from student records of an educational agency.

(11) "Teacher or principal data" means personally identifiable information from the records of an educational agency relating to the annual professional performance reviews of classroom teachers or principals that is confidential and not subject to release under the provisions of section three thousand twelve-c of this chapter.

(12) "Third party contractor" shall mean any person or entity, other than an educational agency, that receives student data or teacher or principal data from an educational agency pursuant to a contract or other written agreement for purposes of providing services to such educational agency, including but not limited to data management or storage services, conducting studies for or on behalf of such educational agency, or audit or evaluation of publicly funded programs. Such term shall include an educational partnership organization that receives student and/or principal data from a school district to carry out its responsibilities pursuant to section two hundred eleven-e of this chapter and is not an educational agency as defined in subparagraph three of paragraph a of this subdivision, and a not-for-profit corporation or other non-profit organization, other than an educational agency, or a for-profit corporation or business entity that is affiliated with a charter school and provides management and/or other services to support the charter school in accordance with a charter issued pursuant to article fifty-six of this chapter.
b. (1) The commissioner shall appoint a chief privacy officer within the department. The chief privacy officer shall be qualified by training or experience in state and federal education privacy laws and regulations, civil liberties, annual professional performance reviews, information technology, and information security. The chief privacy officer shall report to the commissioner on matters affecting privacy and the security of student, teacher, and principal data.

(2) The functions of the chief privacy officer shall include, but not be limited to:

(i) Promoting the implementation of fair information practices for privacy and security of student data or teacher or principal data;

(ii) Assisting the commissioner in handling instances of data breaches as well as assisting the commissioner in due process proceedings regarding any alleged breaches of student data or teacher or principal data;

(iii) Providing assistance to educational agencies within the state on minimum standards and best practices associated with privacy and the security of student data or teacher or principal data;

(iv) Formulating a procedure within the department whereby parents, students, teachers, superintendents, school board members, principals, and other persons or entities the chief privacy officer determines is appropriate, may request information pertaining to student data or teacher or principal data in a timely and efficient manner;

(v) Assisting the commissioner in establishing a protocol for the submission of complaints of possible breaches of student data or teacher or principal data;

(vi) Making recommendations as needed regarding privacy and the security of student data on behalf of the department to the governor, the speaker of the assembly, the temporary president of the senate, and the chairs of the senate and assembly education committees;

(vii) Developing, with input from the New York state educational conference board and parents, the parents bill of rights for data privacy and security; and

(viii) Any other functions that the commissioner shall deem appropriate.
(3) The chief privacy officer shall have the power to:

(i) access all records, reports, audits, reviews, documents, papers, recommendations, and other materials maintained by an educational agency that relate to student data or teacher or principal data;

(ii) review and comment upon any department program, proposal, grant, or contract that involves the processing of student data or teacher or principal data before the commissioner begins or awards the program, proposal, grant, or contract; and

(iii) any other powers that the commissioner shall deem appropriate.

(4) The chief privacy officer shall submit by January first, two thousand fifteen, and each January first thereafter, a report outlining a summary of activities, recommendations, complaints, and statutory, regulatory or departmental changes pertaining to the protection of student data or teacher or principal data. The report shall be submitted on behalf of the department to the governor, the speaker of the assembly, the temporary president of the senate, and the chairs of the senate and assembly education committees. The report shall also be made publicly available on the department's website.

(5) The chief privacy officer may hold more than one position within the department; provided however, that no additional position will interfere with the duties of the chief privacy officer outlined in this paragraph.
c. (1) The chief privacy officer shall develop, with input from the New York state educational conference board and parents, a parents bill of rights for data privacy and security. The parents bill of rights for data privacy and security shall be included with every contract the department or educational agency enters into with a third party contractor where the third party contractor receives student data or teacher or principal data. Every third party contractor that enters into a contract with the department or an educational agency where the third party contractor receives student data or teacher or principal data shall be required to agree in writing to abide by the provisions set forth in the parents bill of rights for data privacy and security. At a minimum, the parents bill of rights for data privacy and security shall include:

(i) who the exclusive persons or entities are that the third party contractor will share the student data or teacher or principal data with, if any;

(ii) when the agreement expires and what happens to the student data or teacher or principal data upon expiration of the agreement;

(iii) if and how a parent, student, eligible student, teacher or principal may challenge the accuracy of the student data or teacher or principal data that is collected;

(iv) where the student data or teacher or principal data will be stored, and the security protections taken to ensure such data will be protected, including whether such data will be encrypted; and

(v) the exclusive purposes for which the student data or teacher or principal data will be used.
(2) The commissioner shall promulgate regulations for a comment period whereby parents may submit comments and suggestions to the chief privacy officer to be considered for inclusion in the parents bill of rights for student data privacy and security.

(3) The department shall post the parents bill of rights for student data privacy and security on the department's website. Each educational agency that has an internet website shall also post the parents bill of rights for student data and security on its website.

(4) The parents bill of rights for student data privacy and security shall be completed within one hundred twenty days after the effective date of this subdivision.
d. (1) Each educational agency shall be able to opt-out of having the student data or teacher or principal data that they are required to report to the department through state or federal law or regulation from being uploaded by the department to the department's educational data portal.

(2) Nothing in this paragraph shall allow an educational agency to fail to comply with any student data or teacher or principal data reporting requirements to the department as required by state or federal law or regulation.

e. The chief privacy officer shall make publicly available on the department's website a complete list of all student or teacher or principal data elements collected with an explanation and/or legal or regulatory authority outlining the reasons such data elements are collected.

f. (1) Each third party contractor that receives student data or teacher or principal data pursuant to a contract or other written agreement with an educational agency shall be required to notify such educational agency of any breach of security resulting in an unauthorized release of such data in violation of applicable state or federal law, the parents bill of rights for student data privacy and security, the data privacy and security policies of the educational agency and/or binding contractual obligations relating to data privacy and security, in the most expedient way possible and without reasonable delay. The educational agency shall, upon notification by the third party contractor, be required to report to the chief privacy officer any such breach of security and unauthorized release of such data and to report such breach and unauthorized release to law enforcement in the most expedient way possible and without unreasonable delay.

(2) In the case of an unauthorized release of student data, the educational agency, or the third party contractor involved, shall notify the parent or eligible student of the unauthorized release of student data that includes personally identifiable information from the student records of such student in the most expedient way possible and without unreasonable delay. In the case of an unauthorized release of teacher or principal data, the educational agency, or the third party contractor involved, shall notify each affected teacher or principal of the unauthorized release of data that includes personally identifiable information from the teacher or principal's annual professional performance review in the most expedient way possible and without unreasonable delay.

(3) Failure to notify against public policy. (i) A third party contractor shall not fail to notify the educational agency or parent, eligible student, teacher or principal, as applicable, in the most expedient way possible and without unreasonable delay.

(ii) Each violation of clause (i) of this subparagraph shall constitute a class E felony, and shall be punishable by a civil penalty of the greater of five thousand dollars or up to ten dollars per instance of failed notification, provided that the latter amount shall not exceed one hundred fifty thousand dollars.
g. If the chief privacy officer determines that a third party contractor, in violation of applicable state or federal law, the data privacy and security policies of the educational agency and/or binding contractual obligations relating to data privacy and security, has re-released any student data or teacher or principal data received from an educational agency to any person or entity not authorized by law to receive such data pursuant to a lawful subpoena or otherwise, the chief privacy officer, after affording the third party contractor with notice and an opportunity to be heard, shall be authorized to:

(1) order that the third party contractor be precluded from accessing student data or teacher or principal data, as applicable, from the educational agency from which the contractor obtained the data that was improperly disclosed for a fixed period of up to five years; and/or

(2) order that a third party contractor who knowingly and recklessly allows for the unauthorized release of student data or teacher or principal data be precluded from accessing student data or teacher or principal data from any educational agency in the state for a fixed period of up to five years; and/or

(3) order, in the case of an educational agency that is a public agency subject to competitive bidding requirements, that a third party contractor who knowingly and recklessly allows for the unauthorized release of student data or teacher or principal data, that the third party contractor shall not be deemed a responsible bidder or offerer on any contract with the educational agency from which the contractor obtained the data that was improperly disclosed that involves the sharing of student data or teacher or principal data, as applicable for purposes of the provisions of section one hundred three of the general municipal law or paragraph c of subdivision ten of section one hundred sixty-three of the state finance law, as applicable, for a fixed period of up to five years; and/or

(4) require the third party contractor to provide training at the contractor's expense on the federal and state law governing confidentiality of student data and/or teacher or principal data and the provisions of this subdivision to all its officers and employees with access to such data, prior to being permitted to receive subsequent access to such data from the educational agency from which the contractor obtained the data that was improperly disclosed or from any educational agency; and/or

(5) if it is determined that the unauthorized release of student data or teacher or principal data on the part of the third party contractor was inadvertent and done without intent or gross negligence, the commissioner may determine that no penalty be issued upon the third party contractor.
h. The commissioner, in consultation with the chief privacy officer, shall promulgate regulations establishing procedures to implement the provisions of this subdivision, including but not limited to procedures for the submission of complaints from parents and/or persons in parental relation to students, classroom teachers or building principals, or other staff of an educational agency, making allegations of improper disclosure of student data and/or teacher or principal data by a third party contractor or its officers or employees that may be subject to the sanctions set forth in paragraph g of this subdivision. Upon receipt of a complaint or other information indicating that such an improper disclosure by a third party contractor may have occurred, the chief privacy officer shall be authorized to investigate, visit, examine and inspect the third party contractor's facilities and records and issue any subpoenas deemed necessary to obtain documentation from, or require the testimony of, any party relating to the alleged improper disclosure of student data or teacher or principal data.
i. The commissioner, in consultation with the chief privacy officer, shall promulgate regulations establishing minimum standards for educational agency data security and privacy policies and shall develop one or more model policies for use by educational agencies. Each educational agency, by no later than ninety days after the effective date of this subdivision, shall ensure that it has a policy on data security and privacy in place that is consistent with applicable state and federal laws and applies to student data and, where applicable, to teacher or principal data. Such policy shall be published on the website of the educational agency, if such educational agency has an internet website, and notice of such policy shall be provided to all officers and employees of the educational agency. As applied to student data, such policy shall provide all protections afforded to parents and persons in parental relationships, or students where applicable, required under the Family Educational Rights and Privacy Act, section twelve hundred thirty-two-g of title twenty of the United States code, where applicable the Individuals with Disabilities Education Act, sections fourteen hundred, et seq. of title twenty of the United States code, and the federal regulations implementing such statutes. Each educational agency shall ensure that it has in place provisions in its contracts with third party contractors or in separate data sharing and confidentiality agreements that require that confidentiality of the shared student data or teacher or principal data be maintained in accordance with federal and state law and the educational agency's policy on data security and privacy.
j. Each educational agency that enters into a contract or other written agreement with a third party contractor under which the third party contractor will receive student data or teacher or principal data shall ensure that such contract or agreement includes a data security and privacy plan that outlines how all state, federal, and local data security and privacy contract requirements will be implemented over the life of the contract, consistent with the educational agency's policy on data security and privacy. Such plan shall include, but shall not be limited to, a signed copy of the parents bill of rights for data privacy and security, and a requirement that any officers or employees of the third party contractor who have access to student data or teacher or principal data have received or will receive training on the federal and state law governing confidentiality of such data prior to receiving access.

k. (1)(i) Each violation of any provision of this section by a third party contractor shall be punishable by a civil penalty of up to one thousand dollars; a second violation by the same third party contractor involving the same student data or teacher or principal data shall be punishable by a civil penalty of up to five thousand dollars; any subsequent violation by the same third party contractor involving the same student data or teacher or principal data shall be punishable by a civil penalty of up to ten thousand dollars.

(ii) Each violation of this subdivision shall be considered a separate violation for purposes of civil penalties.

(2) The attorney general shall have the authority to enforce compliance with this section by investigation and subsequent commencement of a civil action to seek civil penalties for violations of this section, and to seek appropriate injunctive relief. In carrying out such investigation and in maintaining such civil action local law enforcement are authorized to subpoena witnesses, compel their attendance, examine them under oath and require that any books, records, documents, papers, or electronic records relevant or material to the inquiry be turned over for inspection, examination or audit, pursuant to the civil practice law and rules.

(3) Nothing contained in this subdivision shall be construed as creating a private right of action against the department or an educational agency.

l. Nothing in this section shall limit the administrative use of student data or teacher or principal data by a person acting exclusively in the person's capacity as an employee of an educational agency or of the state or any of its political subdivisions, any court or the federal government that is otherwise required by law.
§ 2. Subdivision 7 of section 156.00 of the penal law, as added by chapter 558 of the laws of 2006, is amended and three new subdivisions 10, 11 and 12 are added to read as follows:

7. "Access" means to instruct, communicate with, store data in, retrieve from, or otherwise make use of any resources of a computer, physically, directly or by electronic means; including dissemination of data.

10. "Educational agency" means an educational agency as such term is defined in subdivision forty-four of section three hundred five of the education law. An educational agency as so defined shall be deemed a governmental instrumentality for purposes of this article.

11. "Third party contractor" means a third party contractor as defined in subdivision forty-four of section three hundred five of the education law.

12. "Educational computer material" means personally identifiable information from student records or confidential annual professional performance reviews of classroom teachers or principals, of a school district, board of cooperative educational services, school, institution of higher education, or the state education department.

§ 3. Section 156.30 of the penal law, as amended by chapter 590 of the laws of 2008, is amended to read as follows:

§ 156.30 Unlawful duplication of computer related material in the first degree.

A person is guilty of unlawful duplication of computer related material in the first degree [material] when having no right to do so, he or she copies, reproduces or duplicates in any manner:

1. any computer data or computer program and thereby intentionally and wrongfully deprives or appropriates from an owner thereof an economic value or benefit in excess of two thousand five hundred dollars; [or]

2. any computer data or computer program with an intent to commit or attempt to commit or further the commission of any felony[.]; or

3. educational computer material with the intent to disseminate in violation of section three hundred five of the education law.

Unlawful duplication of computer related material in the first degree is a class E felony.

§ 4. Section 165.45 of the penal law is amended by adding a new subdivision 8 to read as follows:

8. The property consists of educational computer material as defined in article one hundred fifty-six of this chapter.

§ 5. This act shall take effect on the ninetieth day after it shall have become a law, provided, however, the commissioner of education shall within one hundred twenty days after it shall have become law, develop a parents bill of rights for student data privacy and security.