Objectives

To determine if the State Education Department (Department) consistently follows all laws and regulations regarding the safety and privacy of students’ data and is monitoring New York State school districts to ensure they are complying with the legislation and regulations that govern data privacy and security. The audit covered the period from March 2020 through November 2022.

About the Program

The Department is part of the University of the State of New York, one of the most complete, interconnected systems of educational services in the United States. The Department administers school aid, regulates school operations, maintains a performance accountability system, oversees the licensing of numerous professions, certifies teachers, and administers a host of other educational programs. Its responsibilities include oversight of more than 700 school districts with 2.4 million students. The Department is responsible for safeguarding its data and ensuring the confidentiality, integrity, and availability of its systems.

The COVID-19 pandemic forced many schools across the nation to close in 2020 and quickly transition to a remote learning environment, leading to an increased reliance on technology. This resulted in an escalation of cybersecurity threats – including ransomware and other types of cyberattacks. According to a U.S. Government Accountability Office report, the number of students impacted by cyberattacks rose from 39,000 students in 2018 to a high of nearly 1.2 million students in 2020. It is, therefore, more important than ever to ensure that schools have secure systems that protect the safety and privacy of students and their data.

In 2020, the Department adopted Part 121 of the Regulations of the Commissioner of Education (Part 121), which implements Section 2-d of the Education Law and outlines numerous requirements that all schools must implement to strengthen data privacy and security and protect personally identifiable information (PII). Our audit focused on charter schools and school districts, collectively referred to as school districts in this report.

Key Findings

• The Department did not provide adequate oversight of school districts’ compliance with the notification requirements for data incidents.
• The Department did not provide sufficient oversight of school districts’ compliance with other key requirements of Part 121.
• The Department has not completed a data classification for all the types of information it manages, processes, or stores, some of which contain student PII.
• We identified weaknesses in technical controls that need to be corrected to ensure the selected Department and school district information systems and their associated data are not at risk.

Key Recommendations

• Develop and implement controls to monitor school districts’ compliance with Part 121.
• Continue to work on completing a full data and asset classification of all current Department systems and data.
• Implement the recommendations detailed in the preliminary report to strengthen technical controls over the selected systems reviewed.