New York Codes, Rules and Regulations (Last Updated: March 27, 2024)
TITLE 8. Education Department
Chapter II. Regulations of the Commissioner
Subchapter E. Elementary and Secondary Education
Part 121. Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information
Sec. 121.11. Third-party contractor civil penalties
- (a) Each third-party contractor that receives student data or teacher or principal data pursuant to a contract or other written agreement with an educational agency shall be required to notify such educational agency of any breach of security resulting in an unauthorized release of such data by the third-party contractor or its assignees in violation of applicable State or Federal law, the parents bill of rights for student data privacy and security, the data privacy and security policies of the educational agency and/or binding contractual obligations relating to data privacy and security, in the most expedient way possible and without unreasonable delay. Each violation of this paragraph by a third-party contractor shall be punishable by a civil penalty of the greater of $5,000 or up to $10 per student, teacher, and principal whose data was released, provided that the latter amount shall not exceed the maximum penalty imposed under General Business Law section 899-aa(6)(a).
- (b) Except as otherwise provided in subdivision (a) of this section each violation of Education Law section 2-d by a third-party contractor or its assignee shall be punishable by a civil penalty of up to $1,000; a second violation by the same third-party contractor involving the same data shall be punishable by a civil penalty of up to $5,000; any subsequent violation by the same third-party contractor involving the same data shall be punishable by a civil penalty of up to $10,000. Each violation shall be considered a separate violation for purposes of civil penalties and the total penalty shall not exceed the maximum penalty imposed under General Business Law section 899-aa(6)(a).
- (c) The chief privacy officer shall investigate reports of breaches or unauthorized releases of student data or teacher or principal data by third-party contractors. As part of an investigation, the chief privacy officer may require that the parties submit documentation, provide testimony, and may visit, examine and/or inspect the third-party contractor’s facilities and records.
- (d) Upon conclusion of an investigation, if the chief privacy officer determines that a third-party contractor has through its actions or omissions caused student data or teacher or principal data to be breached or released to any person or entity not authorized by law to receive such data in violation of applicable State or Federal law, the data and security policies of the educational agency, and/or any binding contractual obligations, the chief privacy officer shall notify the third-party contractor of such finding and give the third-party contractor no more than 30 days to submit a written response.
- (e) If after reviewing the third-party contractor’s written response, the chief privacy officer determines the incident to be a violation of Education Law section 2-d, the chief privacy officer shall be authorized to:
  - (1) order the third-party contractor be precluded from accessing personally identifiable information from the affected educational agency for a fixed period of up to five years; and/or
  - (2) order that a third-party contractor or assignee who knowingly or recklessly allowed for the breach or unauthorized release of student data or teacher or principal data be precluded from accessing student data or teacher or principal data from any educational agency in the State for a fixed period of up to five years; and/or
  - (3) order that a third party contractor who knowingly or recklessly allowed for the breach or unauthorized release of student data or teacher or principal data shall not be deemed a responsible bidder or offeror on any contract with an educational agency that involves the sharing of student data or teacher or principal data, as applicable for purposes of the provisions of General Municipal Law section 103 or State Finance Law section 163(10)(c), as applicable, for a fixed period of up to five years;
  - (4) require the third-party contractor to provide additional training governing confidentiality of student data and/or teacher or principal data to all its officers and employees with reasonable access to such data and certify that it has been performed, at the contractor's expense. Such additional training must be performed immediately and include a review of Federal and State laws, rules, regulations, including Education Law section 2-d and this Part.
- (f) If the chief privacy officer determines that the breach or unauthorized release of student data or teacher or principal data on the part of the third-party contractor or assignee was inadvertent and done without intent, knowledge, recklessness or gross negligence, the chief privacy officer would make a recommendation to the commissioner that no penalty be issued upon the third-party contractor. The commissioner would then make a final determination as to whether the breach or unauthorized release of student data or teacher or principal data on the part of the third-party contractor or assignee was inadvertent and done without intent, knowledge, recklessness or gross negligence and whether or not a penalty should be issued.