
Cybersecurity regulations: What public facing boards need to know

Cybersecurity increasingly forms the bedrock on which municipal governments and school districts build digital infrastructure and deliver critical services. With online connectivity more ubiquitous every year, elected leaders must shoulder greater responsibility to ensure the organizations they govern and oversee protect personal data and sensitive information.
School boards and local government officials not only need to craft resilient, up-to-date cybersecurity policies — and make sure they’re followed — they also must stay abreast of fast-changing national, state and local regulations. And they bear responsibility for the crisis plans that guide response to any potential breach.
Those responsibilities have never weighed more heavily. Cyber threats are more common, damaging and sophisticated than at any point in the past, with ransomware and other assaults on K-12 educational institutions spiking sharply in 2023 and remaining high through 2024. The attack surface grows broader and more complex every year, in hardware — thanks to Internet of Things technologies — and in software, thanks to chatbots and AI tools. Incident disclosure timelines have shrunk, and both acknowledging breaches and mitigating their effects demand a well-prepared, well-equipped board.
Why cybersecurity matters now more than ever
Public sector organizations, from school boards to community colleges and city councils, operate under strict requirements for disclosing data breaches, protecting sensitive information, storing personal data securely and much more.
Compliance with cybersecurity regulations validates the use of public funds for organizational goals, demonstrates accountability in public service and has the added benefit of protecting against reputational (and legal) damage.
But the benefits extend far, far beyond box-ticking. Knowledge of requirements, guidelines and regulatory demands also empowers board members, helping them fulfill their duty of care effectively, advocate for cybersecurity measures within the organization and ask the right questions when talking to leaders and IT personnel. In the event of a breach, ransomware can inflict staggering financial costs, followed swiftly by the secondary costs associated with losing public confidence. Finally, and essentially, cybersecurity is a grave ethical responsibility for any modern organization. Protecting citizens’ or students’ data earns public trust.
Read on for an overview covering the most essential points on cybersecurity regulation for board secretaries and administrators, including:
- Federal regulations
- State-level laws and guidelines
- Where to find important resources
- The operational, financial and reputational benefits of strong cybersecurity
The regulatory landscape: Cybersecurity for local government and public education
Regulations governing cybersecurity in local government and public education cover a wide range of areas: digital safety, data management, informed consent, user authorizations and other aspects of cybersecurity.
They continue to change frequently as both security measures and cyber threats evolve — in 2024, 258 cybersecurity bills were proposed in 42 US statehouses, and 29 of them passed. The general trend is toward more stringent requirements for reporting, encryption, user protections and AI safety.
Federal requirements
School boards
Similar trends appeared at the national level. School boards face an especially impactful, and growing, list of federal cybersecurity and data protection requirements. The most significant of these are:
- The Family Educational Rights and Privacy Act (FERPA) gives parents the right to see their children’s school records, have those records amended when necessary and exert a degree of control over whether personal information is disclosed through school-related channels.
- The Protection of Pupil Rights Amendment (PPRA) limits when, whether and how schools receiving federal funds can ask students (or their parents) to provide information on certain protected topics, such as political affiliation or self-incriminating behavior.
- The Children’s Online Privacy Protection Act (COPPA) sets a series of strict requirements for any organization that collects information online from children under 13—they must, for instance, get parental consent, post clear privacy policies, maintain information security and provide suitable opt-out opportunities.
- The Children’s Internet Protection Act (CIPA) is now a 25-year-old law that seeks to protect children from harmful online content, and requires schools and libraries to implement internet safety policies and educate students about safe online behavior.
Importantly, although FERPA does not require districts to alert the public of data breaches, state laws typically do (as we’ll explain momentarily). Recognizing this, the federal Privacy Technical Assistance Center (PTAC) publishes a Data Breach Response Checklist for schools, and the National School Boards Association offers a handy guide to breach notifications — to affected individuals, state Attorneys General (where applicable) and more.
A number of programs (and other centralized resources) make it easier for schools to comply with these requirements. In November 2024, the Federal Communications Commission (FCC) initiated a $200 million pilot program to support cybersecurity infrastructure, equipment and training for K-12 schools — although demand far exceeds the program’s current capacity.
The Readiness and Emergency Management for Schools (REMS) office of the U.S. Department of Education offers handy resources like cybersecurity fact-sheets. CISA, too, is on the case.
Local government
When it comes to local government, the regulatory landscape is similarly well-populated and complex. Key recent cybersecurity measures include:
- The Federal Information Security Modernization Act (FISMA), updated in 2023, requires federal, state and local governments (and organizations doing business with them) to develop adequate protections for their information systems. The updated law creates more stringent cybersecurity requirements.
- The Gramm-Leach-Bliley Act sets standards for the protection of sensitive data by any organization that collects or stores financial information—potentially including schools, local governments and other public institutions.
- The National Institute of Standards and Technology (NIST) published new cybersecurity guidelines in 2020 under their SP 800-53 title.
- All personal health information is protected by the Health Insurance Portability and Accountability Act (HIPAA), which implements strict requirements for healthcare workers at government-run facilities such as prisons.
Like school boards, local governments must have plans and contingencies in place for responding to data breaches. The laws governing those responses vary from one jurisdiction to the next, with some states requiring notification within 30 days and others allowing indefinite time windows. In addition to the resources listed elsewhere, we suggest consulting this guide for an overview of public and private laws in your state.
Cybersecurity regulations at the state level
In most states, local governments and school boards must comply with laws governing information systems security and consumer privacy, incident disclosures after data breaches and other cybersecurity requirements set by state Departments of Education.
To illustrate these interacting requirements in detail, consider the contrasts between Florida — public school population 2.4 million — and Connecticut, where public schools serve just over half a million students.
Florida public sector cybersecurity regulations
Floridians’ personal data benefits from four major regulations covering cybersecurity. These are:
- The Florida Information Protection Act (Fla. Stat. § 501.171), which covers the general safeguarding of personal information accessible via the internet. This law, following federal examples and in a pattern echoed by many states, requires “reasonable measures to protect and secure data in electronic form containing personal information.”
- The Florida Cybersecurity Act (Fla. Stat. § 282.318)—referred to as the Local Government Cybersecurity Act, passed in 2022—defines how public institutions must respond to cybersecurity breaches. The requirements include incident notifications with different levels of urgency, training for staff and new cybersecurity standards.
- The Florida Educational Technology Security Act creates new requirements for how schools must restrict students’ access to online content, including prohibiting access to TikTok on school-owned devices.
- Finally, a recent 2024 law strengthened cybersecurity infrastructure by authorizing the Florida Center for Cybersecurity to augment efforts already undertaken by school districts themselves.
Connecticut public sector cybersecurity regulations
Connecticut maintains a rich central resource library to support school boards, local governments and other bodies in protecting sensitive information. Those resources, bolstered by the 2022 announcement of cybersecurity as a top state priority, help local leaders comply with key laws, including:
- The Connecticut Data Breach Notification Law (Conn. Gen. Stat. § 36a-701b), strengthened in 2021 to use a wider definition of “personal information” and a shorter window for reporting breaches, among other changes.
- Connecticut’s student data privacy law (Conn. Gen. Stat. §§ 10-234aa up through 10-234dd), which applies broad requirements to the collection, storage and handling of students’ personal information.
- The Connecticut Cybersecurity Strategy, which sets guidelines and goals for local governments and municipalities.
Key laws in other states
Almost every state in the union legislates cybersecurity in two basic ways: they require elected public officials to faithfully and promptly report any breaches in publicly held data, and they establish a set of baseline information privacy measures—sometimes presented as guidelines, in other cases as strict regulatory requirements with associated penalties for noncompliance.
For representative examples, consider the Alabama Data Breach Notification Act and the Hawaii Breach of Personal Information Law. Every single US state has a law on the books that shares a general structure with these examples. Typically, such laws protect vital identifying information (Social Security Numbers, driver’s license numbers, etc.) as well as contact information and medical/biometric information. The laws vary in specifics, such as the timing of the disclosure, how citizens must be notified and when exceptions apply, but most share basic characteristics.
Information privacy guidelines are less uniform. For example, California’s sprawling student data privacy laws share considerable overlap — alongside many nuanced differences — with Colorado’s Cybersecurity Initiative, the Illinois Department of Innovation and Technology’s cybersecurity best practices or the policies and guidelines of the Georgia Technology Authority.
Meanwhile, cybersecurity laws in Arkansas include a “self-funded” program to help cover the costs of certain types of data breaches. Many states use policies like this Massachusetts law creating a cybersecurity council or center to plan both requirements and responses for state agencies and municipal bodies (including school boards).
Due to the complexity of these statutes and the variance state-to-state, local officials, school board representatives and other elected leaders in the public sector should consult the most recent guidance from their state’s Department of Education (DoE), consumer protections agency (if applicable) and similar bodies. Almost all states issue guidelines — some of them with requirements for implementation — through their DoE, so be sure to check with your state’s governing body or department.
Helpful sources for recent updates include:
- PTAC’s state search tool, an ideal starting point, will point you toward the relevant authorities and sources of additional information
- The National Conference of State Legislatures, which publishes annual lists of new cybersecurity regulations (their 2024 roundup includes hundreds of bills)
- The Consortium for School Networking (CoSN), which creates a comprehensive cybersecurity policy report every year
- The Parent Coalition for Student Privacy, an advocacy group, also maintains a list of proposed bills focused specifically on privacy protections
Explore more useful cybersecurity resources
Local government
Take a big next step with this guide to modernizing cybersecurity for municipal governments and city councils. An essential resource for board clerks and secretaries, the review gets into pressing threats, the role of the board in mitigating them and how a well-prepared secretary can make the difference.
Equipped with a plan, you can then turn to our tips for communicating with local government leaders about cybersecurity protection, and how to pitch the upgrades you need.
School and college boards
Given the specificity of data privacy laws for schools, and the wide range of penalties that can accrue to districts that flout them, it’s worth starting with an overview of the cyber threat landscape — knowing your enemy is half the battle.
Then you can begin your response. First stop: crafting a cyber risk framework that your board can sink their teeth into.
When you’re ready to start thinking big-picture about solutions, we recommend this survey of publicly elected leaders, talking best practices and top recommendations. Dive into concrete courses of action for addressing the problem with a detailed checklist focused on the specific duties of the board.
How Diligent Community can support your cybersecurity efforts
You’ve seen the stats — and you understand the importance of cybersecurity as a base layer of solid communications and secure technology that allow the rest of the organization to function as it must.
It can be tempting to look toward short-term, ad hoc solutions that mix and match off-the-shelf recommendations with an IT staffer’s whipped-up code, or to use free file-sharing solutions — but those come with their own risks.
Those solutions are not going to cut it. Bad actors in the cybersecurity space are using powerful new technologies to crack public systems. An effective, well-designed cybersecurity stack — or cutting-edge security measures within trusted software — safeguards against data breaches and helps fulfill the board’s duty to the public.
Strong security measures have other benefits, too — modern security is the best way to allow organizations to integrate new technologies safely, opening doors to improved efficiency and even whole new capabilities.
Diligent Community excels across the board on digital and data privacy. As a custom platform built from the ground up to support public boards — and keep their data safe while doing it — Diligent Community is loaded with secure features and market-leading security measures. They include:
- Secure data hosting: With all your files in a unique database on Amazon Web Services (AWS) servers, you benefit from FIPS 140-2-compliant 256-bit AES encryption — plus a centralized data repository that narrows the attack surface.
- Replace personal email and text messaging with secure on-platform communication protected by Transport Layer Security (TLS) 1.3.
- Annual third-party penetration testing, in-app role-based security and mandated, regular trainings for both developers and non-technical staff ensure expert handling of sensitive data.
- Data logging and auditing follow industry-leading protocols and NIST requirements.
Don’t leave vital services exposed to growing risks. Schedule a demo today.