New York Codes, Rules and Regulations
Title 8 - EDUCATION DEPARTMENT
Chapter II - Regulations of the Commissioner
Subchapter E - Elementary and Secondary Education
Part 121 - Strengthening Data Privacy and Security in NY State Educational Agencies to Protect Personally Identifiable Information
Section 121.11 - Third Party Contractor Civil Penalties

Current through Register Vol. 46, No. 12, March 20, 2024

(a) Each third party contractor that receives student data or teacher or principal data pursuant to a contract or other written agreement with an educational agency shall be required to notify such educational agency of any breach of security resulting in an unauthorized release of such data by the third party contractor or its assignees in violation of applicable state or federal law, the parents bill of rights for student data privacy and security, the data privacy and security policies of the educational agency and/or binding contractual obligations relating to data privacy and security, in the most expedient way possible and without unreasonable delay. Each violation of this paragraph by a third-party contractor shall be punishable by a civil penalty of the greater of $5,000 or up to $10 per student, teacher, and principal whose data was released, provided that the latter amount shall not exceed the maximum penalty imposed under General Business Law § 899-aa(6)(a).

(b) Except as otherwise provided in subdivision (a) each violation of Education Law § 2-d by a third-party contractor or its assignee shall be punishable by a civil penalty of up to $1,000.00; a second violation by the same third party contractor involving the same data shall be punishable by a civil penalty of up to $5,000; any subsequent violation by the same third party contractor involving the same data shall be punishable by a civil penalty of up to $10,000. Each violation shall be considered a separate violation for purposes of civil penalties and the total penalty shall not exceed the maximum penalty imposed under General Business Law § 899-aa(6)(a).

(c) The Chief Privacy Officer shall investigate reports of breaches or unauthorized releases of student data or teacher or principal data by third-party contractors. As part of an investigation, the Chief Privacy Officer may require that the parties submit documentation, provide testimony, and may visit, examine and/or inspect the third-party contractor's facilities and records.

(d) Upon conclusion of an investigation, if the Chief Privacy Officer determines that a third-party contractor has through its actions or omissions caused student data or teacher or principal data to be breached or released to any person or entity not authorized by law to receive such data in violation of applicable state or federal law, the data and security policies of the educational agency, and/or any binding contractual obligations, the Chief Privacy Officer shall notify the third-party contractor of such finding and give the third-party contractor no more than 30 days to submit a written response.

(e) If after reviewing the third-party contractor's written response, the Chief Privacy Officer determines the incident to be a violation of Education Law § 2-d, the Chief Privacy Officer shall be authorized to:

(1) order the third-party contractor be precluded from accessing personally identifiable information from the affected educational agency for a fixed period of up to five years; and/or

(2) order that a third-party contractor or assignee who knowingly or recklessly allowed for the breach or unauthorized release of student data or teacher or principal data be precluded from accessing student data or teacher or principal data from any educational agency in the state for a fixed period of up to five years; and/or

(3) order that a third party contractor who knowingly or recklessly allowed for the breach or unauthorized release of student data or teacher or principal data shall not be deemed a responsible bidder or offeror on any contract with an educational agency that involves the sharing of student data or teacher or principal data, as applicable for purposes of the provisions of General Municipal Law § 103 or State Finance Law § 163(10)(c), as applicable, for a fixed period of up to five years;

(4) require the third-party contractor to provide additional training governing confidentiality of student data and/or teacher or principal data to all its Officers and employees with reasonable access to such data and certify that it has been performed, at the contractor's expense. Such additional training must be performed immediately and include a review of federal and state laws, rules, regulations, including Education Law § 2-d and this Part.

(f) If the Chief Privacy Officer determines that the breach or unauthorized release of student data or teacher or principal data on the part of the third-party contractor or assignee was inadvertent and done without intent, knowledge, recklessness or gross negligence, the Chief Privacy Officer would make a recommendation to the Commissioner that no penalty be issued upon the third-party contractor. The Commissioner would then make a final determination as to whether the breach or unauthorized release of student data or teacher or principal data on the part of the third-party contractor or assignee was inadvertent and done without intent, knowledge, recklessness or gross negligence and whether or not a penalty should be issued.
