TX SB 820 Compliance: Cybersecurity for Texas School Districts

Cybersecurity regulations in the education sector can be challenging due to complex layers of both federal and state requirements. Federal laws like the Family Educational Rights and Privacy Act (FERPA), Health Insurance Portability and Accountability Act (HIPAA), and Freedom of Information Act (FOIA) govern the protection of student data at a national level. However, at the state level, school districts face additional responsibilities, particularly in Texas, where Senate Bill 820 (SB 820) outlines specific data governance, compliance, and retention requirements for personally identifiable information (PII), protected health information (PHI), and individualized education program (IEP) data.

Failure to comply with these regulations can result in significant legal and financial consequences, including penalties, loss of funding, and reputational damage. Complying with SB 820 not only safeguards sensitive data but also positions Texas school districts for long-term success by creating a more resilient cybersecurity framework that can adapt to future threats.

What is Texas Senate Bill 820 (SB 820)?

Texas Senate Bill 820, which went into effect September 2019, mandates improved cybersecurity policies for all school districts within Texas. It can be summarized in three key pillars:

  • Adopt a cybersecurity framework
    • Under Texas SB 820, all school districts are required to adopt a cybersecurity framework. This framework can either align with federal standards, such as the National Institute of Standards and Technology (NIST) Cybersecurity Framework, or follow guidelines provided by the Texas Education Agency (TEA). The goal of this framework is to prevent cyberattacks and other security incidents from disrupting critical infrastructure, while also focusing on cybersecurity risk assessments and mitigation planning.
    • Adopting a framework like NIST or a TEA-approved alternative not only ensures compliance with SB 820 but also helps districts protect sensitive data and enhance their overall security posture. This proactive approach positions school districts to better handle evolving cybersecurity threats.

Why TX SB 820?

Cyberattacks on the education sector are rapidly increasing. Verizon’s 2024 Data Breach Investigations Report highlighted that the educational services sector experienced 1,780 cyber incidents in 2023, with 1,537 involving confirmed data disclosure. This underscores the vulnerabilities that educational institutions face, particularly in managing sensitive data like personally identifiable information (PII).

Additionally, a report from ThreatDown, the 2024 State of Ransomware in Education, showed a 92% spike in K-12 cyberattacks compared to the previous year, making 2023 one of the most challenging years on record for schools dealing with cyberthreats.


These statistics highlight the urgent need for a robust cybersecurity framework. By complying with Texas SB 820, school districts can better protect their critical data infrastructure, ensuring the safety of student and staff information.

The Importance of Compliance with Texas SB 820

Complying with Texas SB 820 is important for school districts to not only meet legal obligations but to protect their students and staff from the escalating threat of cyberattacks. Here are some key benefits of compliance:

  • Legal and Financial Protection: Failure to comply with SB 820 can lead to hefty fines, legal action, and reputational damage. Ensuring compliance safeguards districts against these risks.
  • Data Security: By adopting a cybersecurity framework as mandated by SB 820, schools can better secure their PII, PHI, and IEP data.
  • Resilience Against Future Threats: Implementing the right frameworks and policies now positions school districts to handle future cyberthreats effectively, ensuring ongoing safety for their data infrastructure.

Why Are Schools a Prime Target for Cyberattacks?

Educational institutions, especially K-12 schools, have become increasingly vulnerable to cyberattacks. This is largely due to outdated infrastructure, underfunded IT departments, and the large amounts of personally identifiable information (PII) they store. Hackers often target school districts for the following reasons:

  • Valuable Data: Schools house sensitive data like student records, health information, and financial details, which can be exploited for identity theft or sold on the dark web.
  • Weak Security Measures: Many school districts lack advanced security protocols, making it easier for cybercriminals to breach their systems.
  • Remote Learning and Digital Expansion: The rise of remote learning during the pandemic opened new vulnerabilities, with more devices accessing school networks from outside secure locations.

Veeam Data Platform can help school districts quickly and easily address cybersecurity goals, including those of Texas SB 820.

  • Multi-factor Authentication: Provides a more secure environment and protects user accounts from being compromised.
  • Monitoring: Veeam provides the ability to alert you to suspicious activity occurring within your network and infrastructure. This includes malware detection, backup anomalies and more.
  • End-to-end encryption: Enabling Veeam’s AES 256-bit Encryption ensures that student and staff data is protected across the entire district, whether the data is in transit or stored. This protection spans the entire data lifecycle — from the moment data is created, through storage, backups, and eventual deletion. Veeam’s encryption applies to all environments, whether physical, virtual, or cloud-based, ensuring district-wide data security.
  • Security-based access controls: Veeam’s role-based access control (RBAC) allows district IT staff to set specific permissions around data accessibility, aligning with SB 820’s guidelines.
  • Automated Testing and Application Verification: Conduct non-disruptive disaster recovery tests, scheduled on-demand, to make sure your desired RTOs and RPOs are achievable and confirm that your common enterprise applications are functioning correctly post-recovery.
  • Readiness Checks: Ensure backup data is accessible and recoverable by validating the backup infrastructure, connectivity, and dependencies for a reliable recovery process.
  • Dynamic Documentation: Generate disaster recovery documentation automatically to prove readiness and compliance.
  • Audit capabilities: Audit reports contain records of user activity, including date, time, user name, SID, operation initiated and more.

Veeam provides cost-effective, scalable, and reliable data security, recovery, and mobility solutions to safeguard sensitive student and staff data. Learn more about our solutions.
