Local Educational Agencies (LEAs) must report cybersecurity attacks.
Incidents of cyber attacks on LEAs had already been increasing in recent years, but the COVID-19 Pandemic (and, more specifically, the rapid deployment of remote/online learning) only served to make schools more vulnerable to cyber events. Even as children have returned to in-classroom learning, news of increasingly concerning cyber incidents have continued to surface. Just last month (September, 2022) the Los Angeles Unified School District (LAUSD) suffered a major ransomeware attack – a version of cyberattack where data is stolen and then ransomed for some form of payment – and student and staff information was likely compromised.
Due in no small part to events like the one experienced at LAUSD, now more than ever, policymakers in Sacramento have taken an interest in school cybersecurity. To that end, this year, Assemblymember Rudy Salas (D-Bakersfield) authored AB 2355. The bill, which sunsets on January 1, 2027, requires LEAs to report cyberattacks that affect more than 500 pupils or personnel to the California Cybersecurity Integration Center (Cal-CSIC). It further defines a “cyberattack” to mean either:
- Any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access.
- The unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.
The provisions of the bill also include a requirement for Cal-CSIC to establish a database that tracks reports of cyberattacks submitted by LEAs, and further requires Cal-CSIC to annually, by January 1, provide a report to the Governor and the relevant policy committees of the Legislature summarizing the types and number of cyberattacks on LEAs and the types and number of data breaches affecting LEAs that have been reported to the Attorney General.
Understanding that this bill imposes yet another reporting requirement on LEAs, the hope is that having a centralized database detailing these incidents will shine a light on the types of cyberattacks that we know LEAs are dealing with, further opening the eyes of representatives in Sacramento. This database and reporting, combined with more and more headline-grabbing attacks like the one on LAUSD, could eventually lead to some dedicated state-level resources for schools to bolster their cybersecurity programs and defenses.
State takes aim at online platforms and services accessed by kids.
Over the past several years, California has taken steps to greatly increase the security of all consumers, but in particular, minors, online. For instance, in 2018, the Legislature passed, and voters approved, the California Consumer Privacy Act (CCPA). The CCPA was further refined by a subsequent ballot measure and a handful of pieces of legislation in the years that followed. However, much of those efforts focused on the collection, sale, and use of consumer data, rather than focusing on the products and platforms themselves.
AB 2273, jointly authored by Assemblymembers Buffy Wicks (D-Richmond), Jordan Cunningham (R- San Luis Obispo), and Cottie Petrie-Norris (D-Costa Mesa), establishes the California Age-Appropriate Design Code Act. Modeled after recently enacted law in the United Kingdom, the bill institutes a series of obligations and restrictions on businesses that provide an online service, product, or feature likely to be accessed by a child. The bill additionally establishes a working group to evaluate best practices for the implementation of the bill’s provisions.
Set to take effect on January 1, 2024, you can find detailed provisions of the new restrictions and obligations listed in the bill, below. This bill also likely signals an intent of policymakers in Sacramento to continue looking at ways to address how children interact with online materials and platforms – particularly in the context of child mental health. Look for more bills on this issue to surface in the coming years.
The Governor signed the following technology bills:
- AB 2273 (Wicks) – The California Age-Appropriate Design Code Act.
This bill establishes the California Age-Appropriate Design Code Act, placing a series of obligations and restrictions on businesses that provide online services, products, or features likely to be accessed by children. Specifically, the bill:- Requires a business that provides an online service, product, or feature likely to be accessed by children (“covered business”) to take specified actions, including to:
- undertake a Data Protection Impact Assessment for any online service, product, or feature likely to be accessed by children, as specified;
- estimate the age of child users with a reasonable level of certainty appropriate to the risks that arise from the data management practices of the business, or apply the privacy and data protections afforded to children to all consumers;
- provide any privacy information, terms of service, policies, and community standards concisely, prominently, and using clear language suited to the age of children likely to access that online service, product, or feature;
- if the online service, product, or feature allows the child’s parent, guardian, or any other consumer to monitor the child’s online activity or track the child’s location, provide an obvious signal to the child when the child is being monitored or tracked;
- enforce published terms, policies, and community standards established by the business, including, but not limited to, privacy policies and those concerning children; and
- provide prominent, accessible, and responsive tools to help children, or if applicable their parent or guardian, exercise their privacy rights and report concerns.
- Provides that a covered business shall not engage in specified activity, including:
- using the personal information of any child in a way that the business knows or has reason to know is materially detrimental to the physical health, mental health, or well- being of a child;
- profiling a child by default, except as specified;
- collecting, selling, sharing, or retaining any personal information that is not necessary to provide an online service, product, or feature with which a child is actively and knowingly engaged, except as specified;
- using the personal information of a child for any reason other than a reason for which that personal information was collected, except as specified;
- collecting, selling, or sharing any precise geolocation information of children by default unless the collection of that precise geolocation
- information is strictly necessary to provide the service, product, or feature requested and then only for the limited time that the collection of precise geolocation information is necessary to provide the service, product, or feature; and
- collecting, selling, or sharing any precise geolocation information without providing an obvious sign to the child for the duration of that collection that precise geolocation information is being collected.
Chapter 320, Statutes of 2022
- Requires a business that provides an online service, product, or feature likely to be accessed by children (“covered business”) to take specified actions, including to:
- AB 2355 (Salas) – School cybersecurity.
This bill requires an LEA to report a cyberattack impacting 500 or more pupils or personnel to report to the Cal-CSIC, and requires the Cal-CSIC to provide an annual report to the Governor and the Legislature with specified information related to the cyberattacks. Per the provisions of the bill, a “cyberattack” is defined as either of the following:- any alteration, deletion, damage, or destruction of a computer system, computer network, computer program, or data caused by unauthorized access, or;
- unauthorized denial of access to legitimate users of a computer system, computer network, computer program, or data.
Chapter 498, Statutes of 2022
- AB 2750 (Bonta, Mia) – Department of Technology: state digital equity plan.
This bill requires, by January 1, 2024, the California Department of Technology (CDT) in consultation with the California Public Utilities Commission (CPUC) and the California Broadband Council to develop a state digital equity plan and seek all available federal funding to develop and implement a digital equity plan. The bill also requires that the plan include an identification of the barriers to digital equity faced by specified populations.
Chapter 597, Statutes of 2022 - AB 2752 (Wood) – Broadband infrastructure and video service: mapping: subscriber information.
This bill clarifies that the CPUC can collect address-level data from broadband service providers for broadband mapping requirements.
Chapter 801, Statutes of 2022 - SB 1172 (Pan) – Student Test Taker Privacy Protection Act.
The CCPA requires a business to inform consumers of the categories of personal information to be collected and the purposes for which the categories of personal information are collected or used and whether that information is sold or shared. This bill restricts the personal information that a business providing educational proctoring services can collect, use, retain, and disclose. It further provides consumers an enforcement mechanism for any violations thereof.
Chapter 720, Statutes of 2022
Capitol Advisors Group has produced a set of comprehensive client briefs detailing new education laws that were passed by the Legislature and signed into law by Governor Newsom in 2022. Each brief is organized by subject area and includes an executive summary highlighting major changes we think you should know about. Bills signed by the Governor take effect on January 1, 2023, unless the bill specifically states otherwise.