STATE OF NEW YORK
________________________________________________________________________
6007--A
Cal. No. 28
2013-2014 Regular Sessions
IN SENATE
December 11, 2013
___________
Introduced by Sens. FLANAGAN, RANZENHOFER, ADDABBO, BONACIC, BOYLE,
DeFRANCISCO, FELDER, HANNON, LARKIN, MARTINS, MAZIARZ, O'BRIEN,
SEWARD, VALESKY -- read twice and ordered printed, and when printed to
be committed to the Committee on Rules -- recommitted to the Committee
on Rules in accordance with Senate Rule 6, sec. 8 -- committee
discharged and said bill committed to the Committee on Education --
reported favorably from said committee, ordered to first report,
amended on first report, ordered to a second report and ordered
reprinted, retaining its place in the order of second report
AN ACT to amend the education law and the penal law, in relation to
establishing penalties for the unauthorized release of personally
identifiable information from student records and certain records of
classroom teachers and building principals
The People of the State of New York, represented in Senate and Assembly, do enact as follows:
1 Section 1. Section 305 of the education law is amended by adding a new
2 subdivision 44 to read as follows:
3 44. Unauthorized release of personally identifiable information.
4 a. As used in this subdivision the following terms shall have the
5 following meanings:
6 (1) "Building principal" means a building principal subject to annual
7 performance evaluation review under the provisions of section three
8 thousand twelve-c of this chapter.
9 (2) "Classroom teacher" means a teacher subject to annual performance
10 evaluation review under the provisions of section three thousand
11 twelve-c of this chapter.
12 (3) "Educational agency" means a school district, board of cooperative
13 educational services, school, institution of higher education or the
14 education department.
15 (4) "Institution of higher education" means an entity with a campus in
16 New York that provides higher education, as defined in subdivision eight
EXPLANATION--Matter in italics (underscored) is new; matter in brackets
[] is old law to be omitted.
LBD13221-05-4
S. 6007--A 2
1 of section two of this title, that is subject to the requirements of the
2 Family Educational Rights and Privacy Act, section twelve hundred thir-
3 ty-two-g of title twenty of the United States code.
4 (5) "Personally identifiable information", as applied to student data,
5 means personally identifiable information as defined in section 99.3 of
6 title thirty-four of the code of federal regulations implementing the
7 Family Educational Rights and Privacy Act, section twelve hundred thir-
8 ty-two-g of title twenty of the United States code, and, as applied to
9 teacher or principal data, means "personally identifying information" as
10 such term is used in subdivision ten of section three thousand twelve-c
11 of this chapter.
12 (6) "School" means any public elementary or secondary school, charter
13 school, universal pre-kindergarten program authorized pursuant to
14 section thirty-six hundred two-e of this chapter, an approved provider
15 of preschool special education, any other publicly funded pre-kindergar-
16 ten program, an approved private school for the education of students
17 with disabilities, a state-supported school subject to the provisions of
18 article eighty-five of this chapter, a state-operated school subject to
19 the provisions of article eighty-seven or eighty-eight of this chapter.
20 (7) "Student" means any person attending or seeking to enroll in an
21 educational agency.
22 (8) "Eligible student" means a student eighteen years or older or an
23 emancipated minor. An emancipated minor as used in this section refers
24 to a student at least sixteen years or older who is no longer a depend-
25 ent of or in the custody of a parent as defined in this section.
26 (9) "Parent" means a parent, legal guardian, or person in parental
27 relation to a student.
28 (10) "Student data" means personally identifiable information from
29 student records of an educational agency.
30 (11) "Teacher or principal data" means personally identifiable infor-
31 mation from the records of an educational agency relating to the annual
32 professional performance reviews of classroom teachers or principals
33 that is confidential and not subject to release under the provisions of
34 section three thousand twelve-c of this chapter.
35 (12) "Third party contractor" shall mean any person or entity, other
36 than an educational agency, that receives student data or teacher or
37 principal data from an educational agency pursuant to a contract or
38 other written agreement for purposes of providing services to such
39 educational agency, including but not limited to data management or
40 storage services, conducting studies for or on behalf of such educa-
41 tional agency, or audit or evaluation of publicly funded programs. Such
42 term shall include an educational partnership organization that receives
43 student and/or principal data from a school district to carry out its
44 responsibilities pursuant to section two hundred eleven-e of this chap-
45 ter and is not an educational agency as defined in subparagraph three of
46 paragraph a of this subdivision, and a not-for-profit corporation or
47 other non-profit organization, other than an educational agency, or a
48 for-profit corporation or business entity that is affiliated with a
49 charter school and provides management and/or other services to support
50 the charter school in accordance with a charter issued pursuant to arti-
51 cle fifty-six of this chapter.
52 b. (1) The commissioner shall appoint a chief privacy officer within
53 the department. The chief privacy officer shall be qualified by training
54 or experience in state and federal education privacy laws and regu-
55 lations, civil liberties, annual professional performance reviews,
56 information technology, and information security. The chief privacy
1 officer shall report to the commissioner on matters affecting privacy
2 and the security of student, teacher, and principal data.
3 (2) The functions of the chief privacy officer shall include, but not
4 be limited to:
5 (i) Promoting the implementation of fair information practices for
6 privacy and security of student data or teacher or principal data;
7 (ii) Assisting the commissioner in handling instances of data breaches
8 as well as assisting the commissioner in due process proceedings regard-
9 ing any alleged breaches of student data or teacher or principal data;
10 (iii) Providing assistance to educational agencies within the state on
11 minimum standards and best practices associated with privacy and the
12 security of student data or teacher or principal data;
13 (iv) Formulating a procedure within the department whereby parents,
14 students, teachers, superintendents, school board members, principals,
15 and other persons or entities the chief privacy officer determines is
16 appropriate, may request information pertaining to student data or
17 teacher or principal data in a timely and efficient manner;
18 (v) Assisting the commissioner in establishing a protocol for the
19 submission of complaints of possible breaches of student data or teacher
20 or principal data;
21 (vi) Making recommendations as needed regarding privacy and the secu-
22 rity of student data on behalf of the department to the governor, the
23 speaker of the assembly, the temporary president of the senate, and the
24 chairs of the senate and assembly education committees;
25 (vii) Developing, with input from the New York state educational
26 conference board and parents, the parents bill of rights for data priva-
27 cy and security; and
28 (viii) Any other functions that the commissioner shall deem appropri-
29 ate.
30 (3) The chief privacy officer shall have the power to:
31 (i) access all records, reports, audits, reviews, documents, papers,
32 recommendations, and other materials maintained by an educational agency
33 that relate to student data or teacher or principal data;
34 (ii) to review and comment upon any department program, proposal,
35 grant, or contract that involves the processing of student data or
36 teacher or principal data before the commissioner begins or awards the
37 program, proposal, grant, or contract; and
38 (iii) any other powers that the commissioner shall deem appropriate.
39 (4) The chief privacy officer shall submit by January first, two thou-
40 sand fifteen, and each January first thereafter, a report outlining a
41 summary of activities, recommendations, complaints, and statutory, regu-
42 latory or departmental changes pertaining to the protection of student
43 data or teacher or principal data. The report shall be submitted on
44 behalf of the department to the governor, the speaker of the assembly,
45 the temporary president of the senate, and the chairs of the senate and
46 assembly education committees. The report shall also be made publicly
47 available on the department's website.
48 (5) The chief privacy officer may hold more than one position within
49 the department; provided however, that no additional position will
50 interfere with the duties of the chief privacy officer outlined in this
51 paragraph.
52 c. (1) The chief privacy officer shall develop, with input from the
53 New York state educational conference board and parents, a parents bill
54 of rights for data privacy and security. The parents bill of rights for
55 data privacy and security shall be included with every contract the
56 department or educational agency enters into with a third party contrac-
1 tor where the third party contractor receives student data or teacher or
2 principal data. Every third party contractor that enters into a
3 contract with the department or an educational agency where the third
4 party contractor receives student data or teacher or principal data
5 shall be required to agree in writing to abide by the provisions set
6 forth in the parents bill of rights for data privacy and security. At a
7 minimum, the parents bill of rights for data privacy and security shall
8 include:
9 (i) who the exclusive persons or entities are that the third party
10 contractor will share the student data or teacher or principal data
11 with, if any;
12 (ii) when the agreement expires and what happens to the student data
13 or teacher or principal data upon expiration of the agreement;
14 (iii) if and how a parent, student, eligible student, teacher or prin-
15 cipal may challenge the accuracy of the student data or teacher or prin-
16 cipal data that is collected;
17 (iv) where the student data or teacher or principal data will be
18 stored, and the security protections taken to ensure such data will be
19 protected, including whether such data will be encrypted; and
20 (v) the exclusive purposes for which the student data or teacher or
21 principal data will be used.
22 (2) The commissioner shall promulgate regulations for a comment period
23 whereby parents may submit comments and suggestions to the chief privacy
24 officer to be considered for inclusion in the parents bill of rights for
25 student data privacy and security.
26 (3) The department shall post the parents bill of rights for student
27 data privacy and security on the department's website. Each educational
28 agency that has an internet website shall also post the parents bill of
29 rights for student data and security on its website.
30 (4) The parents bill of rights for student data privacy and security
31 shall be completed within one hundred twenty days after the effective
32 date of this subdivision.
33 d. (1) Each educational agency shall be able to opt-out of having the
34 student data or teacher or principal data that they are required to
35 report to the department through state or federal law or regulation from
36 being uploaded by the department to the department's educational data
37 portal.
38 (2) Nothing in this paragraph shall allow an educational agency to
39 fail to comply with any student data or teacher or principal data
40 reporting requirements to the department as required by state or federal
41 law or regulation.
42 e. The chief privacy officer shall make publicly available on the
43 department's website a complete list of all student or teacher or prin-
44 cipal data elements collected with an explanation and/or legal or regu-
45 latory authority outlining the reasons such data elements are collected.
46 f. (1) Each third party contractor that receives student data or
47 teacher or principal data pursuant to a contract or other written agree-
48 ment with an educational agency shall be required to notify such educa-
49 tional agency of any breach of security resulting in an unauthorized
50 release of such data in violation of applicable state or federal law,
51 the parents bill of rights for student data privacy and security, the
52 data privacy and security policies of the educational agency and/or
53 binding contractual obligations relating to data privacy and security,
54 in the most expedient way possible and without reasonable delay. The
55 educational agency shall, upon notification by the third party contrac-
56 tor, be required to report to the chief privacy officer any such breach
1 of security and unauthorized release of such data and to report such
2 breach and unauthorized release to law enforcement in the most expedient
3 way possible and without unreasonable delay.
4 (2) In the case of an unauthorized release of student data, the educa-
5 tional agency, or the third party contractor involved, shall notify the
6 parent or eligible student of the unauthorized release of student data
7 that includes personally identifiable information from the student
8 records of such student in the most expedient way possible and without
9 unreasonable delay. In the case of an unauthorized release of teacher or
10 principal data, the educational agency, or the third party contractor
11 involved, shall notify each affected teacher or principal of the unau-
12 thorized release of data that includes personally identifiable informa-
13 tion from the teacher or principal's annual professional performance
14 review in the most expedient way possible and without unreasonable
15 delay.
16 (3) Failure to notify against public policy. (i) A third party
17 contractor shall not fail to notify the educational agency or parent,
18 eligible student, teacher or principal, as applicable, in the most expe-
19 dient way possible and without unreasonable delay.
20 (ii) Each violation of clause (i) of this subparagraph shall consti-
21 tute a class E felony, and shall be punishable by a civil penalty of the
22 greater of five thousand dollars or up to ten dollars per instance of
23 failed notification, provided that the latter amount shall not exceed
24 one hundred fifty thousand dollars.
25 g. If the chief privacy officer determines that a third party contrac-
26 tor, in violation of applicable state or federal law, the data privacy
27 and security policies of the educational agency and/or binding contrac-
28 tual obligations relating to data privacy and security, has re-released
29 any student data or teacher or principal data received from an educa-
30 tional agency to any person or entity not authorized by law to receive
31 such data pursuant to a lawful subpoena or otherwise, the chief privacy
32 officer, after affording the third party contractor with notice and an
33 opportunity to be heard, shall be authorized to:
34 (1) order that the third party contractor be precluded from accessing
35 student data or teacher or principal data, as applicable, from the
36 educational agency from which the contractor obtained the data that was
37 improperly disclosed for a fixed period of up to five years; and/or
38 (2) order that a third party contractor who knowingly and recklessly
39 allows for the unauthorized release of student data or teacher or prin-
40 cipal data be precluded from accessing student data or teacher or prin-
41 cipal data from any educational agency in the state for a fixed period
42 of up to five years; and/or
43 (3) order, in the case of an educational agency that is a public agen-
44 cy subject to competitive bidding requirements, that a third party
45 contractor who knowingly and recklessly allows for the unauthorized
46 release of student data or teacher or principal data, that the third
47 party contractor shall not be deemed a responsible bidder or offerer on
48 any contract with the educational agency from which the contractor
49 obtained the data that was improperly disclosed that involves the shar-
50 ing of student data or teacher or principal data, as applicable for
51 purposes of the provisions of section one hundred three of the general
52 municipal law or paragraph c of subdivision ten of section one hundred
53 sixty-three of the state finance law, as applicable, for a fixed period
54 of up to five years; and/or
55 (4) require the third party contractor to provide training at the
56 contractor's expense on the federal and state law governing confiden-
1 tiality of student data and/or teacher or principal data and the
2 provisions of this subdivision to all its officers and employees with
3 access to such data, prior to being permitted to receive subsequent
4 access to such data from the educational agency from which the contrac-
5 tor obtained the data that was improperly disclosed or from any educa-
6 tional agency; and/or
7 (5) if it is determined that the unauthorized release of student data
8 or teacher or principal data on the part of the third party contractor
9 was inadvertent and done without intent or gross negligence, the commis-
10 sioner may determine that no penalty be issued upon the third party
11 contractor.
12 h. The commissioner, in consultation with the chief privacy officer,
13 shall promulgate regulations establishing procedures to implement the
14 provisions of this subdivision, including but not limited to procedures
15 for the submission of complaints from parents and/or persons in parental
16 relation to students, classroom teachers or building principals, or
17 other staff of an educational agency, making allegations of improper
18 disclosure of student data and/or teacher or principal data by a third
19 party contractor or its officers or employees that may be subject to the
20 sanctions set forth in paragraph g of this subdivision. Upon receipt of
21 a complaint or other information indicating that such an improper
22 disclosure by a third party contractor may have occurred, the chief
23 privacy officer shall be authorized to investigate, visit, examine and
24 inspect the third party contractor's facilities and records and issue
25 any subpoenas deemed necessary to obtain documentation from, or require
26 the testimony of, any party relating to the alleged improper disclosure
27 of student data or teacher or principal data.
28 i. The commissioner, in consultation with the chief privacy officer,
29 shall promulgate regulations establishing minimum standards for educa-
30 tional agency data security and privacy policies and shall develop one
31 or more model policies for use by educational agencies. Each educational
32 agency, by no later than ninety days after the effective date of this
33 subdivision, shall ensure that it has a policy on data security and
34 privacy in place that is consistent with applicable state and federal
35 laws and applies to student data and, where applicable, to teacher or
36 principal data. Such policy shall be published on the website of the
37 educational agency, if such educational agency has an internet website,
38 and notice of such policy shall be provided to all officers and employ-
39 ees of the educational agency. As applied to student data, such policy
40 shall provide all protections afforded to parents and persons in
41 parental relationships, or students where applicable, required under the
42 Family Educational Rights and Privacy Act, section twelve hundred thir-
43 ty-two-g of title twenty of the United States code, where applicable the
44 Individuals with Disabilities Education Act, sections fourteen hundred,
45 et seq. of title twenty of the United States code, and the federal
46 regulations implementing such statutes. Each educational agency shall
47 ensure that it has in place provisions in its contracts with third party
48 contractors or in separate data sharing and confidentiality agreements
49 that require that confidentiality of the shared student data or teacher
50 or principal data be maintained in accordance with federal and state law
51 and the educational agency's policy on data security and privacy.
52 j. Each educational agency that enters into a contract or other writ-
53 ten agreement with a third party contractor under which the third party
54 contractor will receive student data or teacher or principal data shall
55 ensure that such contract or agreement include a data security and
56 privacy plan that outlines how all state, federal, and local data secu-
1 rity and privacy contract requirements will be implemented over the life
2 of the contract, consistent with the educational agency's policy on data
3 security and privacy. Such plan shall include, but shall not be limited
4 to, a signed copy of the parents bill of rights for data privacy and
5 security, and a requirement that any officers or employees of the third
6 party contractor who have access to student data or teacher or principal
7 data have received or will receive training on the federal and state law
8 governing confidentiality of such data prior to receiving access.
9 k. (1)(i) Each violation of any provision of this section by a third
10 party contractor shall be punishable by a civil penalty of up to one
11 thousand dollars; a second violation by the same third party contractor
12 involving the same student data or teacher or principal data shall be
13 punishable by a civil penalty of up to five thousand dollars; any subse-
14 quent violation by the same third party contractor involving the same
15 student data or teacher or principal data shall be punishable by a civil
16 penalty of up to ten thousand dollars.
17 (ii) Each violation of this subdivision shall be considered a separate
18 violation for purposes of civil penalties.
19 (2) The attorney general shall have the authority to enforce compli-
20 ance with this section by investigation and subsequent commencement of a
21 civil action to seek civil penalties for violations of this section, and
22 to seek appropriate injunctive relief. In carrying out such investi-
23 gation and in maintaining such civil action local law enforcement are
24 authorized to subpoena witnesses, compel their attendance, examine them
25 under oath and require that any books, records, documents, papers, or
26 electronic records relevant or material to the inquiry be turned over
27 for inspection, examination or audit, pursuant to the civil practice law
28 and rules.
29 (3) Nothing contained in this subdivision shall be construed as creat-
30 ing a private right of action against the department or an educational
31 agency.
32 l. Nothing in this section shall limit the administrative use of
33 student data or teacher or principal data by a person acting exclusively
34 in the person's capacity as an employee of an educational agency or of
35 the state or any of its political subdivisions, any court or the federal
36 government that is otherwise required by law.
37 § 2. Subdivision 7 of section 156.00 of the penal law, as added by
38 chapter 558 of the laws of 2006, is amended and three new subdivisions
39 10, 11 and 12 are added to read as follows:
40 7. "Access" means to instruct, communicate with, store data in,
41 retrieve from, or otherwise make use of any resources of a computer,
42 physically, directly or by electronic means; including dissemination of
43 data.
44 10. "Educational agency" means an educational agency as such term is
45 defined in subdivision forty-four of section three hundred five of the
46 education law. An educational agency as so defined shall be deemed a
47 governmental instrumentality for purposes of this article.
48 11. "Third party contractor" means a third party contractor as defined
49 in subdivision forty-four of section three hundred five of the education
50 law.
51 12. "Educational computer material" means personally identifiable
52 information from student records or confidential annual professional
53 performance reviews of classroom teachers or principals, of a school
54 district, board of cooperative educational services, school, institution
55 of higher education, or the state education department.
1 § 3. Section 156.30 of the penal law, as amended by chapter 590 of the
2 laws of 2008, is amended to read as follows:
3 § 156.30 Unlawful duplication of computer related material in the first
4 degree.
5 A person is guilty of unlawful duplication of computer related materi-
6 al in the first degree [material] when having no right to do so, he or
7 she copies, reproduces or duplicates in any manner:
8 1. any computer data or computer program and thereby intentionally and
9 wrongfully deprives or appropriates from an owner thereof an economic
10 value or benefit in excess of two thousand five hundred dollars;[or]
11 2. any computer data or computer program with an intent to commit or
12 attempt to commit or further the commission of any felony[.]; or
13 3. educational computer material with the intent to disseminate in
14 violation of section three hundred five of the education law.
15 Unlawful duplication of computer related material in the first degree
16 is a class E felony.
17 § 4. Section 165.45 of the penal law is amended by adding a new subdi-
18 vision 8 to read as follows:
19 8. The property consists of educational computer material as defined
20 in article one hundred fifty-six of this chapter.
21 § 5. This act shall take effect on the ninetieth day after it shall
22 have become a law, provided, however, the commissioner of education
23 shall within one hundred twenty days after it shall have become law,
24 develop a parents bill of rights for student data privacy and security.