•  Summary 
  •  
  •  Actions 
  •  
  •  Committee Votes 
  •  
  •  Floor Votes 
  •  
  •  Memo 
  •  
  •  Text 

S06007 Text:



 
                STATE OF NEW YORK
        ________________________________________________________________________
 
                                         6007--A
            Cal. No. 28
 
                               2013-2014 Regular Sessions
 
                    IN SENATE
 
                                    December 11, 2013
                                       ___________
 
        Introduced  by  Sens.  FLANAGAN,  RANZENHOFER,  ADDABBO, BONACIC, BOYLE,
          DeFRANCISCO,  FELDER,  HANNON,  LARKIN,  MARTINS,  MAZIARZ,   O'BRIEN,
          SEWARD, VALESKY -- read twice and ordered printed, and when printed to
          be committed to the Committee on Rules -- recommitted to the Committee

          on  Rules  in  accordance  with  Senate  Rule  6,  sec. 8 -- committee
          discharged and said bill committed to the Committee  on  Education  --
          reported  favorably  from  said  committee,  ordered  to first report,
          amended on first report,  ordered  to  a  second  report  and  ordered
          reprinted, retaining its place in the order of second report
 
        AN  ACT  to  amend  the  education law and the penal law, in relation to
          establishing penalties for  the  unauthorized  release  of  personally
          identifiable  information  from student records and certain records of
          classroom teachers and building principals
 
          The People of the State of New York, represented in Senate and  Assem-
        bly, do enact as follows:
 
     1    Section 1. Section 305 of the education law is amended by adding a new
     2  subdivision 44 to read as follows:

     3    44. Unauthorized release of personally identifiable information.
     4    a.  As  used  in  this  subdivision the following terms shall have the
     5  following meanings:
     6    (1) "Building principal" means a building principal subject to  annual
     7  performance  evaluation  review  under  the  provisions of section three
     8  thousand twelve-c of this chapter.
     9    (2) "Classroom teacher" means a teacher subject to annual  performance
    10  evaluation  review  under  the  provisions  of  section  three  thousand
    11  twelve-c of this chapter.
    12    (3) "Educational agency" means a school district, board of cooperative
    13  educational services, school, institution of  higher  education  or  the
    14  education department.

    15    (4) "Institution of higher education" means an entity with a campus in
    16  New York that provides higher education, as defined in subdivision eight
 
         EXPLANATION--Matter in italics (underscored) is new; matter in brackets
                              [ ] is old law to be omitted.
                                                                   LBD13221-05-4

        S. 6007--A                          2
 
     1  of section two of this title, that is subject to the requirements of the
     2  Family  Educational Rights and Privacy Act, section twelve hundred thir-
     3  ty-two-g of title twenty of the United States code.
     4    (5) "Personally identifiable information", as applied to student data,
     5  means  personally identifiable information as defined in section 99.3 of

     6  title thirty-four of the code of federal  regulations  implementing  the
     7  Family  Educational Rights and Privacy Act, section twelve hundred thir-
     8  ty-two-g of title twenty of the United States code, and, as  applied  to
     9  teacher or principal data, means "personally identifying information" as
    10  such  term is used in subdivision ten of section three thousand twelve-c
    11  of this chapter.
    12    (6) "School" means any public elementary or secondary school,  charter
    13  school,   universal  pre-kindergarten  program  authorized  pursuant  to
    14  section thirty-six hundred two-e of this chapter, an  approved  provider
    15  of preschool special education, any other publicly funded pre-kindergar-
    16  ten  program,  an  approved private school for the education of students

    17  with disabilities, a state-supported school subject to the provisions of
    18  article eighty-five of this chapter, a state-operated school subject  to
    19  the provisions of article eighty-seven or eighty-eight of this chapter.
    20    (7)  "Student"  means  any person attending or seeking to enroll in an
    21  educational agency.
    22    (8) "Eligible student" means a student eighteen years or older  or  an
    23  emancipated  minor.  An emancipated minor as used in this section refers
    24  to a student at least sixteen years or older who is no longer a  depend-
    25  ent of or in the custody of a parent as defined in this section.
    26    (9)  "Parent"  means  a  parent, legal guardian, or person in parental
    27  relation to a student.

    28    (10) "Student data" means  personally  identifiable  information  from
    29  student records of an educational agency.
    30    (11)  "Teacher or principal data" means personally identifiable infor-
    31  mation from the records of an educational agency relating to the  annual
    32  professional  performance  reviews  of  classroom teachers or principals
    33  that is confidential and not subject to release under the provisions  of
    34  section three thousand twelve-c of this chapter.
    35    (12)  "Third  party contractor" shall mean any person or entity, other
    36  than an educational agency, that receives student  data  or  teacher  or
    37  principal  data  from  an  educational  agency pursuant to a contract or
    38  other written agreement for  purposes  of  providing  services  to  such

    39  educational  agency,  including  but  not  limited to data management or
    40  storage services, conducting studies for or on  behalf  of  such  educa-
    41  tional agency, or audit or evaluation of publicly funded programs.  Such
    42  term shall include an educational partnership organization that receives
    43  student  and/or  principal  data from a school district to carry out its
    44  responsibilities pursuant to section two hundred eleven-e of this  chap-
    45  ter and is not an educational agency as defined in subparagraph three of
    46  paragraph  a  of  this  subdivision, and a not-for-profit corporation or
    47  other non-profit organization, other than an educational  agency,  or  a
    48  for-profit  corporation  or  business  entity  that is affiliated with a

    49  charter school and provides management and/or other services to  support
    50  the charter school in accordance with a charter issued pursuant to arti-
    51  cle fifty-six of this chapter.
    52    b.  (1)  The commissioner shall appoint a chief privacy officer within
    53  the department. The chief privacy officer shall be qualified by training
    54  or experience in state and federal  education  privacy  laws  and  regu-
    55  lations,  civil  liberties,  annual  professional  performance  reviews,
    56  information technology, and  information  security.  The  chief  privacy

        S. 6007--A                          3
 
     1  officer  shall  report  to the commissioner on matters affecting privacy
     2  and the security of student, teacher, and principal data.

     3    (2)  The functions of the chief privacy officer shall include, but not
     4  be limited to:
     5    (i) Promoting the implementation of  fair  information  practices  for
     6  privacy and security of student data or teacher or principal data;
     7    (ii) Assisting the commissioner in handling instances of data breaches
     8  as well as assisting the commissioner in due process proceedings regard-
     9  ing any alleged breaches of student data or teacher or principal data;
    10    (iii) Providing assistance to educational agencies within the state on
    11  minimum  standards  and  best  practices associated with privacy and the
    12  security of student data or teacher or principal data;
    13    (iv) Formulating a procedure within the  department  whereby  parents,

    14  students,  teachers,  superintendents, school board members, principals,
    15  and other persons or entities the chief privacy  officer  determines  is
    16  appropriate,  may  request  information  pertaining  to  student data or
    17  teacher or principal data in a timely and efficient manner;
    18    (v) Assisting the commissioner in  establishing  a  protocol  for  the
    19  submission of complaints of possible breaches of student data or teacher
    20  or principal data;
    21    (vi)  Making recommendations as needed regarding privacy and the secu-
    22  rity of student data on behalf of the department to  the  governor,  the
    23  speaker  of the assembly, the temporary president of the senate, and the
    24  chairs of the senate and assembly education committees;

    25    (vii) Developing, with input  from  the  New  York  state  educational
    26  conference board and parents, the parents bill of rights for data priva-
    27  cy and security; and
    28    (viii)  Any other functions that the commissioner shall deem appropri-
    29  ate.
    30    (3) The chief privacy officer shall have the power to:
    31    (i) access all records, reports, audits, reviews,  documents,  papers,
    32  recommendations, and other materials maintained by an educational agency
    33  that relate to student data or teacher or principal data;
    34    (ii)  to  review  and  comment  upon any department program, proposal,
    35  grant, or contract that involves  the  processing  of  student  data  or
    36  teacher  or  principal data before the commissioner begins or awards the

    37  program, proposal, grant, or contract; and
    38    (iii) any other powers that the commissioner shall deem appropriate.
    39    (4) The chief privacy officer shall submit by January first, two thou-
    40  sand fifteen, and each January first thereafter, a  report  outlining  a
    41  summary of activities, recommendations, complaints, and statutory, regu-
    42  latory  or  departmental changes pertaining to the protection of student
    43  data or teacher or principal data. The  report  shall  be  submitted  on
    44  behalf  of  the department to the governor, the speaker of the assembly,
    45  the temporary president of the senate, and the chairs of the senate  and
    46  assembly  education  committees.  The report shall also be made publicly
    47  available on the department's website.

    48    (5) The chief privacy officer may hold more than one  position  within
    49  the  department;  provided  however,  that  no  additional position will
    50  interfere with the duties of the chief privacy officer outlined in  this
    51  paragraph.
    52    c.  (1)  The  chief privacy officer shall develop, with input from the
    53  New York state educational conference board and parents, a parents  bill
    54  of  rights for data privacy and security. The parents bill of rights for
    55  data privacy and security shall be  included  with  every  contract  the
    56  department or educational agency enters into with a third party contrac-

        S. 6007--A                          4
 
     1  tor where the third party contractor receives student data or teacher or

     2  principal  data.    Every  third  party  contractor  that  enters into a
     3  contract with the department or an educational agency  where  the  third
     4  party  contractor  receives  student  data  or teacher or principal data
     5  shall be required to agree in writing to abide  by  the  provisions  set
     6  forth  in the parents bill of rights for data privacy and security. At a
     7  minimum, the parents bill of rights for data privacy and security  shall
     8  include:
     9    (i)  who  the  exclusive  persons or entities are that the third party
    10  contractor will share the student data  or  teacher  or  principal  data
    11  with, if any;
    12    (ii)  when  the agreement expires and what happens to the student data

    13  or teacher or principal data upon expiration of the agreement;
    14    (iii) if and how a parent, student, eligible student, teacher or prin-
    15  cipal may challenge the accuracy of the student data or teacher or prin-
    16  cipal data that is collected;
    17    (iv) where the student data or  teacher  or  principal  data  will  be
    18  stored,  and  the security protections taken to ensure such data will be
    19  protected, including whether such data will be encrypted; and
    20    (v) the exclusive purposes for which the student data  or  teacher  or
    21  principal data will be used.
    22    (2) The commissioner shall promulgate regulations for a comment period
    23  whereby parents may submit comments and suggestions to the chief privacy

    24  officer to be considered for inclusion in the parents bill of rights for
    25  student data privacy and security.
    26    (3)  The  department shall post the parents bill of rights for student
    27  data privacy and security on the department's website. Each  educational
    28  agency  that has an internet website shall also post the parents bill of
    29  rights for student data and security on its website.
    30    (4) The parents bill of rights for student data privacy  and  security
    31  shall  be  completed  within one hundred twenty days after the effective
    32  date of this subdivision.
    33    d. (1) Each educational agency shall be able to opt-out of having  the
    34  student  data  or  teacher  or  principal data that they are required to

    35  report to the department through state or federal law or regulation from
    36  being uploaded by the department to the  department's  educational  data
    37  portal.
    38    (2)  Nothing  in  this  paragraph shall allow an educational agency to
    39  fail to comply with any  student  data  or  teacher  or  principal  data
    40  reporting requirements to the department as required by state or federal
    41  law or regulation.
    42    e.  The  chief  privacy  officer  shall make publicly available on the
    43  department's website a complete list of all student or teacher or  prin-
    44  cipal  data elements collected with an explanation and/or legal or regu-
    45  latory authority outlining the reasons such data elements are collected.

    46    f. (1) Each third party  contractor  that  receives  student  data  or
    47  teacher or principal data pursuant to a contract or other written agree-
    48  ment  with an educational agency shall be required to notify such educa-
    49  tional agency of any breach of security  resulting  in  an  unauthorized
    50  release  of  such  data in violation of applicable state or federal law,
    51  the parents bill of rights for student data privacy  and  security,  the
    52  data  privacy  and  security  policies  of the educational agency and/or
    53  binding contractual obligations relating to data privacy  and  security,
    54  in  the  most  expedient  way possible and without reasonable delay. The
    55  educational agency shall, upon notification by the third party  contrac-

    56  tor,  be required to report to the chief privacy officer any such breach

        S. 6007--A                          5
 
     1  of security and unauthorized release of such data  and  to  report  such
     2  breach and unauthorized release to law enforcement in the most expedient
     3  way possible and without unreasonable delay.
     4    (2) In the case of an unauthorized release of student data, the educa-
     5  tional  agency, or the third party contractor involved, shall notify the
     6  parent or eligible student of the unauthorized release of  student  data
     7  that  includes  personally  identifiable  information  from  the student
     8  records of such student in the most expedient way possible  and  without

     9  unreasonable delay. In the case of an unauthorized release of teacher or
    10  principal  data,  the  educational agency, or the third party contractor
    11  involved, shall notify each affected teacher or principal of  the  unau-
    12  thorized  release of data that includes personally identifiable informa-
    13  tion from the teacher or  principal's  annual  professional  performance
    14  review  in  the  most  expedient  way  possible and without unreasonable
    15  delay.
    16    (3) Failure to  notify  against  public  policy.  (i)  A  third  party
    17  contractor  shall  not  fail to notify the educational agency or parent,
    18  eligible student, teacher or principal, as applicable, in the most expe-
    19  dient way possible and without unreasonable delay.

    20    (ii) Each violation of clause (i) of this subparagraph  shall  consti-
    21  tute a class E felony, and shall be punishable by a civil penalty of the
    22  greater  of  five  thousand dollars or up to ten dollars per instance of
    23  failed notification, provided that the latter amount  shall  not  exceed
    24  one hundred fifty thousand dollars.
    25    g. If the chief privacy officer determines that a third party contrac-
    26  tor,  in  violation of applicable state or federal law, the data privacy
    27  and security policies of the educational agency and/or binding  contrac-
    28  tual  obligations relating to data privacy and security, has re-released
    29  any student data or teacher or principal data received  from  an  educa-

    30  tional  agency  to any person or entity not authorized by law to receive
    31  such data pursuant to a lawful subpoena or otherwise, the chief  privacy
    32  officer,  after  affording the third party contractor with notice and an
    33  opportunity to be heard, shall be authorized to:
    34    (1) order that the third party contractor be precluded from  accessing
    35  student  data  or  teacher  or  principal  data, as applicable, from the
    36  educational agency from which the contractor obtained the data that  was
    37  improperly disclosed for a fixed period of up to five years; and/or
    38    (2)  order  that a third party contractor who knowingly and recklessly
    39  allows for the unauthorized release of student data or teacher or  prin-

    40  cipal  data be precluded from accessing student data or teacher or prin-
    41  cipal data from any educational agency in the state for a  fixed  period
    42  of up to five years; and/or
    43    (3) order, in the case of an educational agency that is a public agen-
    44  cy  subject  to  competitive  bidding  requirements,  that a third party
    45  contractor who knowingly and  recklessly  allows  for  the  unauthorized
    46  release  of  student  data  or teacher or principal data, that the third
    47  party contractor shall not be deemed a responsible bidder or offerer  on
    48  any  contract  with  the  educational  agency  from which the contractor
    49  obtained the data that was improperly disclosed that involves the  shar-
    50  ing  of  student  data  or  teacher or principal data, as applicable for

    51  purposes of the provisions of section one hundred three of  the  general
    52  municipal  law  or paragraph c of subdivision ten of section one hundred
    53  sixty-three of the state finance law, as applicable, for a fixed  period
    54  of up to five years; and/or
    55    (4)  require  the  third  party  contractor to provide training at the
    56  contractor's expense on the federal and state  law  governing  confiden-

        S. 6007--A                          6
 
     1  tiality  of  student  data  and/or  teacher  or  principal  data and the
     2  provisions of this subdivision to all its officers  and  employees  with
     3  access  to  such  data,  prior  to being permitted to receive subsequent
     4  access  to such data from the educational agency from which the contrac-

     5  tor obtained the data that was improperly disclosed or from  any  educa-
     6  tional agency; and/or
     7    (5)  if it is determined that the unauthorized release of student data
     8  or teacher or principal data on the part of the third  party  contractor
     9  was inadvertent and done without intent or gross negligence, the commis-
    10  sioner  may  determine  that  no  penalty be issued upon the third party
    11  contractor.
    12    h. The commissioner, in consultation with the chief  privacy  officer,
    13  shall  promulgate  regulations  establishing procedures to implement the
    14  provisions of this subdivision, including but not limited to  procedures
    15  for the submission of complaints from parents and/or persons in parental

    16  relation  to  students,  classroom  teachers  or building principals, or
    17  other staff of an educational agency,  making  allegations  of  improper
    18  disclosure  of  student data and/or teacher or principal data by a third
    19  party contractor or its officers or employees that may be subject to the
    20  sanctions set forth in paragraph g of this subdivision. Upon receipt  of
    21  a  complaint  or  other  information  indicating  that  such an improper
    22  disclosure by a third party contractor  may  have  occurred,  the  chief
    23  privacy  officer  shall be authorized to investigate, visit, examine and
    24  inspect the third party contractor's facilities and  records  and  issue
    25  any  subpoenas deemed necessary to obtain documentation from, or require

    26  the testimony of, any party relating to the alleged improper  disclosure
    27  of student data or teacher or principal data.
    28    i.  The  commissioner, in consultation with the chief privacy officer,
    29  shall promulgate regulations establishing minimum standards  for  educa-
    30  tional  agency  data security and privacy policies and shall develop one
    31  or more model policies for use by educational agencies. Each educational
    32  agency, by no later than ninety days after the effective  date  of  this
    33  subdivision,  shall  ensure  that  it  has a policy on data security and
    34  privacy in place that is consistent with applicable  state  and  federal
    35  laws  and  applies  to student data and, where applicable, to teacher or

    36  principal data. Such policy shall be published on  the  website  of  the
    37  educational  agency, if such educational agency has an internet website,
    38  and notice of such policy shall be provided to all officers and  employ-
    39  ees  of  the educational agency. As applied to student data, such policy
    40  shall provide  all  protections  afforded  to  parents  and  persons  in
    41  parental relationships, or students where applicable, required under the
    42  Family  Educational Rights and Privacy Act, section twelve hundred thir-
    43  ty-two-g of title twenty of the United States code, where applicable the
    44  Individuals with Disabilities Education Act, sections fourteen  hundred,
    45  et.  seq.  of  title  twenty  of the United States code, and the federal

    46  regulations implementing such statutes. Each  educational  agency  shall
    47  ensure that it has in place provisions in its contracts with third party
    48  contractors  or  in separate data sharing and confidentiality agreements
    49  that require that confidentiality of the shared student data or  teacher
    50  or principal data be maintained in accordance with federal and state law
    51  and the educational agency's policy on data security and privacy.
    52    j.  Each educational agency that enters into a contract or other writ-
    53  ten agreement with a third party contractor under which the third  party
    54  contractor  will receive student data or teacher or principal data shall
    55  ensure that such contract or  agreement  include  a  data  security  and

    56  privacy  plan that outlines how all state, federal, and local data secu-

        S. 6007--A                          7
 
     1  rity and privacy contract requirements will be implemented over the life
     2  of the contract, consistent with the educational agency's policy on data
     3  security and privacy. Such plan shall include, but shall not be  limited
     4  to,  a  signed  copy  of the parents bill of rights for data privacy and
     5  security, and a requirement that any officers or employees of the  third
     6  party contractor who have access to student data or teacher or principal
     7  data have received or will receive training on the federal and state law
     8  governing confidentiality of such data prior to receiving access.

     9    k.  (1)(i)  Each violation of any provision of this section by a third
    10  party contractor shall be punishable by a civil penalty  of  up  to  one
    11  thousand  dollars; a second violation by the same third party contractor
    12  involving the same student data or teacher or principal  data  shall  be
    13  punishable by a civil penalty of up to five thousand dollars; any subse-
    14  quent  violation  by  the same third party contractor involving the same
    15  student data or teacher or principal data shall be punishable by a civil
    16  penalty of up to ten thousand dollars.
    17    (ii) Each violation of this subdivision shall be considered a separate
    18  violation for purposes of civil penalties.
    19    (2) The attorney general shall have the authority to  enforce  compli-

    20  ance with this section by investigation and subsequent commencement of a
    21  civil action to seek civil penalties for violations of this section, and
    22  to  seek  appropriate  injunctive  relief. In carrying out such investi-
    23  gation and in maintaining such civil action local  law  enforcement  are
    24  authorized  to subpoena witnesses, compel their attendance, examine them
    25  under oath and require that any books, records,  documents,  papers,  or
    26  electronic  records  relevant  or material to the inquiry be turned over
    27  for inspection, examination or audit, pursuant to the civil practice law
    28  and rules.
    29    (3) Nothing contained in this subdivision shall be construed as creat-
    30  ing a private right of action against the department or  an  educational

    31  agency.
    32    l.  Nothing  in  this  section  shall  limit the administrative use of
    33  student data or teacher or principal data by a person acting exclusively
    34  in the person's capacity as an employee of an educational agency  or  of
    35  the state or any of its political subdivisions, any court or the federal
    36  government that is otherwise required by law.
    37    §  2.  Subdivision  7  of section 156.00 of the penal law, as added by
    38  chapter 558 of the laws of 2006, is amended and three  new  subdivisions
    39  10, 11 and 12 are added to read as follows:
    40    7.  "Access"  means  to  instruct,  communicate  with,  store data in,
    41  retrieve from, or otherwise make use of any  resources  of  a  computer,
    42  physically,  directly or by electronic means; including dissemination of
    43  data.

    44    10. "Educational agency" means an educational agency as such  term  is
    45  defined  in  subdivision forty-four of section three hundred five of the
    46  education law. An educational agency as so defined  shall  be  deemed  a
    47  governmental instrumentality for purposes of this article.
    48    11. "Third party contractor" means a third party contractor as defined
    49  in subdivision forty-four of section three hundred five of the education
    50  law.
    51    12.  "Educational  computer  material"  means  personally identifiable
    52  information from student records  or  confidential  annual  professional
    53  performance  reviews  of  classroom  teachers or principals, of a school
    54  district, board of cooperative educational services, school, institution

    55  of higher education, or the state education department.

        S. 6007--A                          8
 
     1    § 3. Section 156.30 of the penal law, as amended by chapter 590 of the
     2  laws of 2008, is amended to read as follows:
     3  § 156.30 Unlawful  duplication of computer related material in the first
     4             degree.
     5    A person is guilty of unlawful duplication of computer related materi-
     6  al in the first degree [material] when having no right to do so,  he  or
     7  she copies, reproduces or duplicates in any manner:
     8    1. any computer data or computer program and thereby intentionally and
     9  wrongfully  deprives  or  appropriates from an owner thereof an economic
    10  value or benefit in excess of two thousand five hundred dollars;[or]

    11    2. any computer data or computer program with an intent to  commit  or
    12  attempt to commit or further the commission of any felony[.]; or
    13    3.  educational  computer  material  with the intent to disseminate in
    14  violation of section three hundred five of the education law.
    15    Unlawful duplication of computer related material in the first  degree
    16  is a class E felony.
    17    § 4. Section 165.45 of the penal law is amended by adding a new subdi-
    18  vision 8 to read as follows:
    19    8.  The  property consists of educational computer material as defined
    20  in article one hundred fifty-six of this chapter.
    21    § 5. This act shall take effect on the ninetieth day  after  it  shall
    22  have  become  a  law,  provided,  however, the commissioner of education

    23  shall within one hundred twenty days after it  shall  have  become  law,
    24  develop a parents bill of rights for student data privacy and security.
Go to top