senate Bill S6007A

Establishes penalties for the unauthorized release of personally identifiable information from student records and certain records of classroom teachers and building principals

download pdf

Sponsor

Co-Sponsors

view all co-sponsors

Bill Status


  • Introduced
  • In Committee
  • On Floor Calendar
    • Passed Senate
    • Passed Assembly
  • Delivered to Governor
  • Signed/Vetoed by Governor
view actions

actions

  • 11 / Dec / 2013
    • REFERRED TO RULES
  • 08 / Jan / 2014
    • REFERRED TO RULES
  • 09 / Jan / 2014
    • COMMITTEE DISCHARGED AND COMMITTED TO EDUCATION
  • 14 / Jan / 2014
    • 1ST REPORT CAL.28
  • 22 / Jan / 2014
    • AMENDED 6007A
  • 22 / Jan / 2014
    • 2ND REPORT CAL.
  • 23 / Jan / 2014
    • ADVANCED TO THIRD READING
  • 20 / Jun / 2014
    • RECOMMITTED TO RULES

Summary

Establishes penalties for the unauthorized release of personally identifiable information from student records and certain records of classroom teachers and building principals.

do you support this bill?

Bill Details

See Assembly Version of this Bill:
A8353
Versions:
S6007
S6007A
Legislative Cycle:
2013-2014
Current Committee:
Senate Rules
Law Section:
Education Law
Laws Affected:
Amd §305, Ed L; amd §§156.00, 156.30 & 165.45, Pen L

Sponsor Memo

BILL NUMBER:S6007A

TITLE OF BILL: An act to amend the education law and the penal law,
in relation to establishing penalties for the unauthorized release of
personally identifiable information from student records and certain
records of classroom teachers and building principals

PURPOSE:

This bill enhances protections and create stricter penalties in the
case of a breach of data as it relates to the protections of
personally identifiable information of students and certain records of
teachers and building principals as they relate to annual professional
performance reviews.

SUMMARY OF PROVISIONS:

Section 1: Section 1 amends section 305 of the education law by adding
a new subdivision 44. The bill first lays out the definitions as used
within the act. Notable definitions include: "student data" which
refers to the personally identifiable information ("PII") of a
student; "teacher or principal data" which refers to the PII of
teachers and principals in regards to their annual professional
performance reviews; and "third party contractor" which refers to
persons or entities who are allowed to access such PIT of students,
teachers, or principals.

The bill thereafter creates the position of Chief Privacy Officer
("CPO") within the State Education Department ("SED"). The CPO shall
be selected by the commissioner and shall be responsible for
formulating the policies and procedures as they relate to student data
or teacher or principal data The CPO shall be required by January 1,
2014, and each January first thereafter, to submit an annual report to
the executive and legislative branches that will address issues and
updates on student data and privacy in the State.

The bill requires the CPO to work with members of the yew York State
Educational Conference Board and parents to establish a Parents Bill
of Rights for Data Privacy and Security ("Parents Bill of Rights").
The Parents Bill of Rights shall be required to be signed and adhered
to by any third party contractor that enters into an agreement with an
educational agency, i.e., a district or BOCES, or the SED, where that
third party contactor receives any PIT of students, teachers, or
principals. The Parents Bill of Rights is to be completed within 120
days of this bill being enacted.

The bill would also permit districts to opt-out of having the data
they are required to submit to SED due to federal and state
requirements from being uploaded to SED's statewide education data
portal ("EDP").

The bill requires that the CPO publish on SED's website a complete
list of all data elements that are collected, why such data elements
are collected, and the legal and/or regulatory authority the
department has to collect such data elements.


The bill additionally requires that any time there is a breach of
student data or teacher or principal data that the third party
contractor notify the district, parent, teacher, and/or principal, as
applicable, in the most expedient way possible and without
unreasonable delay. If a third party contractor fails to notify in the
most expedient way possible and without unreasonable delay, the third
party contractor may be subject to a class E felony as well as a civil
penalty up to $150,000.

SED is authorized to impose administrative penalties that are greater
than the penalties that the federal Family Educational Rights and
Privacy Act ("FERPA") provides. SED may prohibit a third party
contractor from accessing student data or teacher or principal data
from the district that is harmed or from any district within the state
for a fixed period of up to five years. SED may also determine that
the third Party contactor is not deemed a "responsible bidder" for
purposes of submitting requests for proposals or that the third party
contractor must provide additional training to its employees in the
areas of data privacy and security. If it is determined that any
release of data was no fault of the third party contractor, the
department may make a finding that no administrative penalties should
be imposed.

The bill would also require the commissioner to establish regulations
whereby individuals may submit complaints of a possible breach of data
to the CPO.

The bill would also require SED to promulgate regulations outlining
best practices for districts to follow in regards to privacy and
security. Each district would have 90 days from enactment of this
legislation to ensure it has adopted the best practices guidelines.

Moreover, each third party contactor would be required to establish
that it has privacy protections in place when it contracts to acquire
student data or teacher or principal data in its official capacities.
The third party contractor would also have to agree in writing to
abide by the terms of the Patents Bill of Rights each time it receives
student data or teacher or principal data.

Finally, the bill outlines civil penalties that may be imposed upon a
third party contactor if they are in violation of this act.

Section 2: Section 2 creates new definitions in the penal law by
amending subdivision 7 and creating new subdivisions 10, 11, and 12 to
section 156.00 of the penal law.

Section 3: Section 3 creates a new class E felony in section 156.30 of
the penal law when a person is guilty of unlawful duplication of
computer material in the first degree with the intent to disseminate
such material.

Section 4: Section 4 adds a new subdivision B to section 165.45 of the
penal law.

Section 5: Section 5 sets forth an effective date that this act shall
take effect 90 days after it shall become law, provided however, the


commissioner shall have 120 days from enactment to establish a Parents
Bill of Rights.

JUSTIFICATION:

For many years it has been prerogative of school districts and the
State Education Department ("SED") to collect data on our students to
better enhance the students' educational experience and to allow for
the efficient operation of school districts. By collecting data on our
students, teachers and administrators can better formulate lesson
plans and better provide services that our students desperately need.
The data that has been collected has also been very beneficial to
parents who, in many instances, have the opportunity to quickly access
their child's grades and attendance records.

Presently, every district in the state contracts with third party
vendors to provide many of the services that benefit our children This
is not a new phenomenon. In fact, using outside vendors to provide
services to districts has been an established practice and protocol
for many years. These services include transportation, food and lunch
programs, and special education services, among many others. These
types of services would be very costly and time consuming if
individual districts had the burden of administering them exclusively.
Vendors, therefore, are a necessary component of a child's education
because most districts do not have the time, resources, or expertise
to provide the services being provided under the contract. Simply put,
if a district did not contract out for these services, our students
would not be receiving the high quality education that we should
expect for all of our students.

Consent, in certain instances, is not needed by parents or eligible
students by third party contactors that collect personally
identifiable information ("PIT") because of exceptions in the federal
Family Educational Rights and Privacy Act ("FERPA") and its
implementing regulations. These excepted circumstances are
institutional services that are necessary for the functioning of a
school district. As indicated above, without these institutional
services provided by third party contractors, school districts would
severely struggle to exist and children would be denied necessary
services.

While FERPA contains many protections to prevent PII from being
disclosed to inappropriate parties or being re-disclosed if given to a
third party contactor, FERPA should be viewed as a floor. The only
penalty available under FERPA is a five-year prohibition from
accessing data from the respective school district that the third
party contractor received the data from.

This bill would accomplish beneficial goals to enhance the protections
of our students PII. It would create greater transparency of what data
is being collected, who has access to it, and what happens to the data
when the contracted for services are completed. It would create a
Chief Privacy Officer ("CPO") to oversee student data and privacy at
the department. In addition, it creates very strict civil and criminal
penalties to act as deterrents from abuse. Importantly, this bill
would not only protect the PII of our students, but it would also


protect the P11 of cur teachers and principals in their annual
professional performance reviews ("APPR").

Another critical aspect of this bill is to allow districts to opt-out
of having the student, teacher, and principal data they already send
to the department based on state and federally required directives,
from being unloaded to the as-yet-complete education data portal
("EDP"). Since 2010, the Regents Reform Agenda has ambitiously changed
the educational landscape in New York through a transition to the
common core standards, common core aligned assessments, and a teacher
and principal evaluation system. While these are all important and
noteworthy steps in ensuring every student in the state receives a
high quality education, there has been considerable consternation on
the part of parents, administrators, teachers, and students at the
pace at which the Reform Agenda has been rolled out. Changes are
continually being advanced to ensure those initiatives are implemented
correctly, and notably, districts and their unions are right now going
back to the table to fine tune their APPR plans. Therefore,
districts, parents, teachers, and students simply cannot afford
another onerous obligation on top of the significant changes they are
currently undertaking.

There is no doubt that some districts would reap immediate benefits
from the EDP, however, it should at the very least be optional for
districts to take part in this mandated initiative while they continue
to deal with the already complex and time consuming implemented
aspects of the Reform Agenda. While participation in the EDP under
this legislation would be optional, it is important to note that
districts would, still-as has been current practice-be obligated to
send the data they are currently required to collect to the
Department.

It is fundamental that we protect our students, teachers, and
principals P11 from being used inappropriately. It is also important
that we allow districts to continue to use data responsibly in order
to provide necessary services for our students by continuing to allow
third parties to provide the services they have been providing for
many years. This bill would strike an appropriate balance between
protecting our students, teachers and Principals, and allowing
districts to provide necessary services efficiently.

LEGISLATIVE HISTORY:

New bill

FISCAL IMPLICATIONS:

To be determined.

EFFECTIVE DATE:

This act shall take effect on the ninetieth day after it shall become
law, provided however, the commissioner shall have 120 days from
enact- ment to develop a parents bill of rights for student data and
privacy.


view bill text
                    S T A T E   O F   N E W   Y O R K
________________________________________________________________________

                                 6007--A
    Cal. No. 28

                       2013-2014 Regular Sessions

                            I N  S E N A T E

                            December 11, 2013
                               ___________

Introduced  by  Sens.  FLANAGAN,  RANZENHOFER,  ADDABBO, BONACIC, BOYLE,
  DeFRANCISCO,  FELDER,  HANNON,  LARKIN,  MARTINS,  MAZIARZ,   O'BRIEN,
  SEWARD, VALESKY -- read twice and ordered printed, and when printed to
  be committed to the Committee on Rules -- recommitted to the Committee
  on  Rules  in  accordance  with  Senate  Rule  6,  sec. 8 -- committee
  discharged and said bill committed to the Committee  on  Education  --
  reported  favorably  from  said  committee,  ordered  to first report,
  amended on first report,  ordered  to  a  second  report  and  ordered
  reprinted, retaining its place in the order of second report

AN  ACT  to  amend  the  education law and the penal law, in relation to
  establishing penalties for  the  unauthorized  release  of  personally
  identifiable  information  from student records and certain records of
  classroom teachers and building principals

  THE PEOPLE OF THE STATE OF NEW YORK, REPRESENTED IN SENATE AND  ASSEM-
BLY, DO ENACT AS FOLLOWS:

  Section 1. Section 305 of the education law is amended by adding a new
subdivision 44 to read as follows:
  44. UNAUTHORIZED RELEASE OF PERSONALLY IDENTIFIABLE INFORMATION.
  A.  AS  USED  IN  THIS  SUBDIVISION THE FOLLOWING TERMS SHALL HAVE THE
FOLLOWING MEANINGS:
  (1) "BUILDING PRINCIPAL" MEANS A BUILDING PRINCIPAL SUBJECT TO  ANNUAL
PERFORMANCE  EVALUATION  REVIEW  UNDER  THE  PROVISIONS OF SECTION THREE
THOUSAND TWELVE-C OF THIS CHAPTER.
  (2) "CLASSROOM TEACHER" MEANS A TEACHER SUBJECT TO ANNUAL  PERFORMANCE
EVALUATION  REVIEW  UNDER  THE  PROVISIONS  OF  SECTION  THREE  THOUSAND
TWELVE-C OF THIS CHAPTER.
  (3) "EDUCATIONAL AGENCY" MEANS A SCHOOL DISTRICT, BOARD OF COOPERATIVE
EDUCATIONAL SERVICES, SCHOOL, INSTITUTION OF  HIGHER  EDUCATION  OR  THE
EDUCATION DEPARTMENT.
  (4) "INSTITUTION OF HIGHER EDUCATION" MEANS AN ENTITY WITH A CAMPUS IN
NEW YORK THAT PROVIDES HIGHER EDUCATION, AS DEFINED IN SUBDIVISION EIGHT

 EXPLANATION--Matter in ITALICS (underscored) is new; matter in brackets
                      [ ] is old law to be omitted.
                                                           LBD13221-05-4

S. 6007--A                          2

OF SECTION TWO OF THIS TITLE, THAT IS SUBJECT TO THE REQUIREMENTS OF THE
FAMILY  EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIR-
TY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE.
  (5) "PERSONALLY IDENTIFIABLE INFORMATION", AS APPLIED TO STUDENT DATA,
MEANS  PERSONALLY IDENTIFIABLE INFORMATION AS DEFINED IN SECTION 99.3 OF
TITLE THIRTY-FOUR OF THE CODE OF FEDERAL  REGULATIONS  IMPLEMENTING  THE
FAMILY  EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIR-
TY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE, AND, AS  APPLIED  TO
TEACHER OR PRINCIPAL DATA, MEANS "PERSONALLY IDENTIFYING INFORMATION" AS
SUCH  TERM IS USED IN SUBDIVISION TEN OF SECTION THREE THOUSAND TWELVE-C
OF THIS CHAPTER.
  (6) "SCHOOL" MEANS ANY PUBLIC ELEMENTARY OR SECONDARY SCHOOL,  CHARTER
SCHOOL,   UNIVERSAL  PRE-KINDERGARTEN  PROGRAM  AUTHORIZED  PURSUANT  TO
SECTION THIRTY-SIX HUNDRED TWO-E OF THIS CHAPTER, AN  APPROVED  PROVIDER
OF PRESCHOOL SPECIAL EDUCATION, ANY OTHER PUBLICLY FUNDED PRE-KINDERGAR-
TEN  PROGRAM,  AN  APPROVED PRIVATE SCHOOL FOR THE EDUCATION OF STUDENTS
WITH DISABILITIES, A STATE-SUPPORTED SCHOOL SUBJECT TO THE PROVISIONS OF
ARTICLE EIGHTY-FIVE OF THIS CHAPTER, A STATE-OPERATED SCHOOL SUBJECT  TO
THE PROVISIONS OF ARTICLE EIGHTY-SEVEN OR EIGHTY-EIGHT OF THIS CHAPTER.
  (7)  "STUDENT"  MEANS  ANY PERSON ATTENDING OR SEEKING TO ENROLL IN AN
EDUCATIONAL AGENCY.
  (8) "ELIGIBLE STUDENT" MEANS A STUDENT EIGHTEEN YEARS OR OLDER  OR  AN
EMANCIPATED  MINOR.  AN EMANCIPATED MINOR AS USED IN THIS SECTION REFERS
TO A STUDENT AT LEAST SIXTEEN YEARS OR OLDER WHO IS NO LONGER A  DEPEND-
ENT OF OR IN THE CUSTODY OF A PARENT AS DEFINED IN THIS SECTION.
  (9)  "PARENT"  MEANS  A  PARENT, LEGAL GUARDIAN, OR PERSON IN PARENTAL
RELATION TO A STUDENT.
  (10) "STUDENT DATA" MEANS  PERSONALLY  IDENTIFIABLE  INFORMATION  FROM
STUDENT RECORDS OF AN EDUCATIONAL AGENCY.
  (11)  "TEACHER OR PRINCIPAL DATA" MEANS PERSONALLY IDENTIFIABLE INFOR-
MATION FROM THE RECORDS OF AN EDUCATIONAL AGENCY RELATING TO THE  ANNUAL
PROFESSIONAL  PERFORMANCE  REVIEWS  OF  CLASSROOM TEACHERS OR PRINCIPALS
THAT IS CONFIDENTIAL AND NOT SUBJECT TO RELEASE UNDER THE PROVISIONS  OF
SECTION THREE THOUSAND TWELVE-C OF THIS CHAPTER.
  (12)  "THIRD  PARTY CONTRACTOR" SHALL MEAN ANY PERSON OR ENTITY, OTHER
THAN AN EDUCATIONAL AGENCY, THAT RECEIVES STUDENT  DATA  OR  TEACHER  OR
PRINCIPAL  DATA  FROM  AN  EDUCATIONAL  AGENCY PURSUANT TO A CONTRACT OR
OTHER WRITTEN AGREEMENT FOR  PURPOSES  OF  PROVIDING  SERVICES  TO  SUCH
EDUCATIONAL  AGENCY,  INCLUDING  BUT  NOT  LIMITED TO DATA MANAGEMENT OR
STORAGE SERVICES, CONDUCTING STUDIES FOR OR ON  BEHALF  OF  SUCH  EDUCA-
TIONAL AGENCY, OR AUDIT OR EVALUATION OF PUBLICLY FUNDED PROGRAMS.  SUCH
TERM SHALL INCLUDE AN EDUCATIONAL PARTNERSHIP ORGANIZATION THAT RECEIVES
STUDENT  AND/OR  PRINCIPAL  DATA FROM A SCHOOL DISTRICT TO CARRY OUT ITS
RESPONSIBILITIES PURSUANT TO SECTION TWO HUNDRED ELEVEN-E OF THIS  CHAP-
TER AND IS NOT AN EDUCATIONAL AGENCY AS DEFINED IN SUBPARAGRAPH THREE OF
PARAGRAPH  A  OF  THIS  SUBDIVISION, AND A NOT-FOR-PROFIT CORPORATION OR
OTHER NON-PROFIT ORGANIZATION, OTHER THAN AN EDUCATIONAL  AGENCY,  OR  A
FOR-PROFIT  CORPORATION  OR  BUSINESS  ENTITY  THAT IS AFFILIATED WITH A
CHARTER SCHOOL AND PROVIDES MANAGEMENT AND/OR OTHER SERVICES TO  SUPPORT
THE CHARTER SCHOOL IN ACCORDANCE WITH A CHARTER ISSUED PURSUANT TO ARTI-
CLE FIFTY-SIX OF THIS CHAPTER.
  B.  (1)  THE COMMISSIONER SHALL APPOINT A CHIEF PRIVACY OFFICER WITHIN
THE DEPARTMENT. THE CHIEF PRIVACY OFFICER SHALL BE QUALIFIED BY TRAINING
OR EXPERIENCE IN STATE AND FEDERAL  EDUCATION  PRIVACY  LAWS  AND  REGU-
LATIONS,  CIVIL  LIBERTIES,  ANNUAL  PROFESSIONAL  PERFORMANCE  REVIEWS,
INFORMATION TECHNOLOGY, AND  INFORMATION  SECURITY.  THE  CHIEF  PRIVACY

S. 6007--A                          3

OFFICER  SHALL  REPORT  TO THE COMMISSIONER ON MATTERS AFFECTING PRIVACY
AND THE SECURITY OF STUDENT, TEACHER, AND PRINCIPAL DATA.
  (2)  THE FUNCTIONS OF THE CHIEF PRIVACY OFFICER SHALL INCLUDE, BUT NOT
BE LIMITED TO:
  (I) PROMOTING THE IMPLEMENTATION OF  FAIR  INFORMATION  PRACTICES  FOR
PRIVACY AND SECURITY OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
  (II) ASSISTING THE COMMISSIONER IN HANDLING INSTANCES OF DATA BREACHES
AS WELL AS ASSISTING THE COMMISSIONER IN DUE PROCESS PROCEEDINGS REGARD-
ING ANY ALLEGED BREACHES OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
  (III) PROVIDING ASSISTANCE TO EDUCATIONAL AGENCIES WITHIN THE STATE ON
MINIMUM  STANDARDS  AND  BEST  PRACTICES ASSOCIATED WITH PRIVACY AND THE
SECURITY OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
  (IV) FORMULATING A PROCEDURE WITHIN THE  DEPARTMENT  WHEREBY  PARENTS,
STUDENTS,  TEACHERS,  SUPERINTENDENTS, SCHOOL BOARD MEMBERS, PRINCIPALS,
AND OTHER PERSONS OR ENTITIES THE CHIEF PRIVACY  OFFICER  DETERMINES  IS
APPROPRIATE,  MAY  REQUEST  INFORMATION  PERTAINING  TO  STUDENT DATA OR
TEACHER OR PRINCIPAL DATA IN A TIMELY AND EFFICIENT MANNER;
  (V) ASSISTING THE COMMISSIONER IN  ESTABLISHING  A  PROTOCOL  FOR  THE
SUBMISSION OF COMPLAINTS OF POSSIBLE BREACHES OF STUDENT DATA OR TEACHER
OR PRINCIPAL DATA;
  (VI)  MAKING RECOMMENDATIONS AS NEEDED REGARDING PRIVACY AND THE SECU-
RITY OF STUDENT DATA ON BEHALF OF THE DEPARTMENT TO  THE  GOVERNOR,  THE
SPEAKER  OF THE ASSEMBLY, THE TEMPORARY PRESIDENT OF THE SENATE, AND THE
CHAIRS OF THE SENATE AND ASSEMBLY EDUCATION COMMITTEES;
  (VII) DEVELOPING, WITH INPUT  FROM  THE  NEW  YORK  STATE  EDUCATIONAL
CONFERENCE BOARD AND PARENTS, THE PARENTS BILL OF RIGHTS FOR DATA PRIVA-
CY AND SECURITY; AND
  (VIII)  ANY OTHER FUNCTIONS THAT THE COMMISSIONER SHALL DEEM APPROPRI-
ATE.
  (3) THE CHIEF PRIVACY OFFICER SHALL HAVE THE POWER TO:
  (I) ACCESS ALL RECORDS, REPORTS, AUDITS, REVIEWS,  DOCUMENTS,  PAPERS,
RECOMMENDATIONS, AND OTHER MATERIALS MAINTAINED BY AN EDUCATIONAL AGENCY
THAT RELATE TO STUDENT DATA OR TEACHER OR PRINCIPAL DATA;
  (II)  TO  REVIEW  AND  COMMENT  UPON ANY DEPARTMENT PROGRAM, PROPOSAL,
GRANT, OR CONTRACT THAT INVOLVES  THE  PROCESSING  OF  STUDENT  DATA  OR
TEACHER  OR  PRINCIPAL DATA BEFORE THE COMMISSIONER BEGINS OR AWARDS THE
PROGRAM, PROPOSAL, GRANT, OR CONTRACT; AND
  (III) ANY OTHER POWERS THAT THE COMMISSIONER SHALL DEEM APPROPRIATE.
  (4) THE CHIEF PRIVACY OFFICER SHALL SUBMIT BY JANUARY FIRST, TWO THOU-
SAND FIFTEEN, AND EACH JANUARY FIRST THEREAFTER, A  REPORT  OUTLINING  A
SUMMARY OF ACTIVITIES, RECOMMENDATIONS, COMPLAINTS, AND STATUTORY, REGU-
LATORY  OR  DEPARTMENTAL CHANGES PERTAINING TO THE PROTECTION OF STUDENT
DATA OR TEACHER OR PRINCIPAL DATA. THE  REPORT  SHALL  BE  SUBMITTED  ON
BEHALF  OF  THE DEPARTMENT TO THE GOVERNOR, THE SPEAKER OF THE ASSEMBLY,
THE TEMPORARY PRESIDENT OF THE SENATE, AND THE CHAIRS OF THE SENATE  AND
ASSEMBLY  EDUCATION  COMMITTEES.  THE REPORT SHALL ALSO BE MADE PUBLICLY
AVAILABLE ON THE DEPARTMENT'S WEBSITE.
  (5) THE CHIEF PRIVACY OFFICER MAY HOLD MORE THAN ONE  POSITION  WITHIN
THE  DEPARTMENT;  PROVIDED  HOWEVER,  THAT  NO  ADDITIONAL POSITION WILL
INTERFERE WITH THE DUTIES OF THE CHIEF PRIVACY OFFICER OUTLINED IN  THIS
PARAGRAPH.
  C.  (1)  THE  CHIEF PRIVACY OFFICER SHALL DEVELOP, WITH INPUT FROM THE
NEW YORK STATE EDUCATIONAL CONFERENCE BOARD AND PARENTS, A PARENTS  BILL
OF  RIGHTS FOR DATA PRIVACY AND SECURITY. THE PARENTS BILL OF RIGHTS FOR
DATA PRIVACY AND SECURITY SHALL BE  INCLUDED  WITH  EVERY  CONTRACT  THE
DEPARTMENT OR EDUCATIONAL AGENCY ENTERS INTO WITH A THIRD PARTY CONTRAC-

S. 6007--A                          4

TOR WHERE THE THIRD PARTY CONTRACTOR RECEIVES STUDENT DATA OR TEACHER OR
PRINCIPAL  DATA.    EVERY  THIRD  PARTY  CONTRACTOR  THAT  ENTERS INTO A
CONTRACT WITH THE DEPARTMENT OR AN EDUCATIONAL AGENCY  WHERE  THE  THIRD
PARTY  CONTRACTOR  RECEIVES  STUDENT  DATA  OR TEACHER OR PRINCIPAL DATA
SHALL BE REQUIRED TO AGREE IN WRITING TO ABIDE  BY  THE  PROVISIONS  SET
FORTH  IN THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY. AT A
MINIMUM, THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND SECURITY  SHALL
INCLUDE:
  (I)  WHO  THE  EXCLUSIVE  PERSONS OR ENTITIES ARE THAT THE THIRD PARTY
CONTRACTOR WILL SHARE THE STUDENT DATA  OR  TEACHER  OR  PRINCIPAL  DATA
WITH, IF ANY;
  (II)  WHEN  THE AGREEMENT EXPIRES AND WHAT HAPPENS TO THE STUDENT DATA
OR TEACHER OR PRINCIPAL DATA UPON EXPIRATION OF THE AGREEMENT;
  (III) IF AND HOW A PARENT, STUDENT, ELIGIBLE STUDENT, TEACHER OR PRIN-
CIPAL MAY CHALLENGE THE ACCURACY OF THE STUDENT DATA OR TEACHER OR PRIN-
CIPAL DATA THAT IS COLLECTED;
  (IV) WHERE THE STUDENT DATA OR  TEACHER  OR  PRINCIPAL  DATA  WILL  BE
STORED,  AND  THE SECURITY PROTECTIONS TAKEN TO ENSURE SUCH DATA WILL BE
PROTECTED, INCLUDING WHETHER SUCH DATA WILL BE ENCRYPTED; AND
  (V) THE EXCLUSIVE PURPOSES FOR WHICH THE STUDENT DATA  OR  TEACHER  OR
PRINCIPAL DATA WILL BE USED.
  (2) THE COMMISSIONER SHALL PROMULGATE REGULATIONS FOR A COMMENT PERIOD
WHEREBY PARENTS MAY SUBMIT COMMENTS AND SUGGESTIONS TO THE CHIEF PRIVACY
OFFICER TO BE CONSIDERED FOR INCLUSION IN THE PARENTS BILL OF RIGHTS FOR
STUDENT DATA PRIVACY AND SECURITY.
  (3)  THE  DEPARTMENT SHALL POST THE PARENTS BILL OF RIGHTS FOR STUDENT
DATA PRIVACY AND SECURITY ON THE DEPARTMENT'S WEBSITE. EACH  EDUCATIONAL
AGENCY  THAT HAS AN INTERNET WEBSITE SHALL ALSO POST THE PARENTS BILL OF
RIGHTS FOR STUDENT DATA AND SECURITY ON ITS WEBSITE.
  (4) THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY  AND  SECURITY
SHALL  BE  COMPLETED  WITHIN ONE HUNDRED TWENTY DAYS AFTER THE EFFECTIVE
DATE OF THIS SUBDIVISION.
  D. (1) EACH EDUCATIONAL AGENCY SHALL BE ABLE TO OPT-OUT OF HAVING  THE
STUDENT  DATA  OR  TEACHER  OR  PRINCIPAL DATA THAT THEY ARE REQUIRED TO
REPORT TO THE DEPARTMENT THROUGH STATE OR FEDERAL LAW OR REGULATION FROM
BEING UPLOADED BY THE DEPARTMENT TO THE  DEPARTMENT'S  EDUCATIONAL  DATA
PORTAL.
  (2)  NOTHING  IN  THIS  PARAGRAPH SHALL ALLOW AN EDUCATIONAL AGENCY TO
FAIL TO COMPLY WITH ANY  STUDENT  DATA  OR  TEACHER  OR  PRINCIPAL  DATA
REPORTING REQUIREMENTS TO THE DEPARTMENT AS REQUIRED BY STATE OR FEDERAL
LAW OR REGULATION.
  E.  THE  CHIEF  PRIVACY  OFFICER  SHALL MAKE PUBLICLY AVAILABLE ON THE
DEPARTMENT'S WEBSITE A COMPLETE LIST OF ALL STUDENT OR TEACHER OR  PRIN-
CIPAL  DATA ELEMENTS COLLECTED WITH AN EXPLANATION AND/OR LEGAL OR REGU-
LATORY AUTHORITY OUTLINING THE REASONS SUCH DATA ELEMENTS ARE COLLECTED.
  F. (1) EACH THIRD PARTY  CONTRACTOR  THAT  RECEIVES  STUDENT  DATA  OR
TEACHER OR PRINCIPAL DATA PURSUANT TO A CONTRACT OR OTHER WRITTEN AGREE-
MENT  WITH AN EDUCATIONAL AGENCY SHALL BE REQUIRED TO NOTIFY SUCH EDUCA-
TIONAL AGENCY OF ANY BREACH OF SECURITY  RESULTING  IN  AN  UNAUTHORIZED
RELEASE  OF  SUCH  DATA IN VIOLATION OF APPLICABLE STATE OR FEDERAL LAW,
THE PARENTS BILL OF RIGHTS FOR STUDENT DATA PRIVACY  AND  SECURITY,  THE
DATA  PRIVACY  AND  SECURITY  POLICIES  OF THE EDUCATIONAL AGENCY AND/OR
BINDING CONTRACTUAL OBLIGATIONS RELATING TO DATA PRIVACY  AND  SECURITY,
IN  THE  MOST  EXPEDIENT  WAY POSSIBLE AND WITHOUT REASONABLE DELAY. THE
EDUCATIONAL AGENCY SHALL, UPON NOTIFICATION BY THE THIRD PARTY  CONTRAC-
TOR,  BE REQUIRED TO REPORT TO THE CHIEF PRIVACY OFFICER ANY SUCH BREACH

S. 6007--A                          5

OF SECURITY AND UNAUTHORIZED RELEASE OF SUCH DATA  AND  TO  REPORT  SUCH
BREACH AND UNAUTHORIZED RELEASE TO LAW ENFORCEMENT IN THE MOST EXPEDIENT
WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY.
  (2) IN THE CASE OF AN UNAUTHORIZED RELEASE OF STUDENT DATA, THE EDUCA-
TIONAL  AGENCY, OR THE THIRD PARTY CONTRACTOR INVOLVED, SHALL NOTIFY THE
PARENT OR ELIGIBLE STUDENT OF THE UNAUTHORIZED RELEASE OF  STUDENT  DATA
THAT  INCLUDES  PERSONALLY  IDENTIFIABLE  INFORMATION  FROM  THE STUDENT
RECORDS OF SUCH STUDENT IN THE MOST EXPEDIENT WAY POSSIBLE  AND  WITHOUT
UNREASONABLE DELAY. IN THE CASE OF AN UNAUTHORIZED RELEASE OF TEACHER OR
PRINCIPAL  DATA,  THE  EDUCATIONAL AGENCY, OR THE THIRD PARTY CONTRACTOR
INVOLVED, SHALL NOTIFY EACH AFFECTED TEACHER OR PRINCIPAL OF  THE  UNAU-
THORIZED  RELEASE OF DATA THAT INCLUDES PERSONALLY IDENTIFIABLE INFORMA-
TION FROM THE TEACHER OR  PRINCIPAL'S  ANNUAL  PROFESSIONAL  PERFORMANCE
REVIEW  IN  THE  MOST  EXPEDIENT  WAY  POSSIBLE AND WITHOUT UNREASONABLE
DELAY.
  (3) FAILURE TO  NOTIFY  AGAINST  PUBLIC  POLICY.  (I)  A  THIRD  PARTY
CONTRACTOR  SHALL  NOT  FAIL TO NOTIFY THE EDUCATIONAL AGENCY OR PARENT,
ELIGIBLE STUDENT, TEACHER OR PRINCIPAL, AS APPLICABLE, IN THE MOST EXPE-
DIENT WAY POSSIBLE AND WITHOUT UNREASONABLE DELAY.
  (II) EACH VIOLATION OF CLAUSE (I) OF THIS SUBPARAGRAPH  SHALL  CONSTI-
TUTE A CLASS E FELONY, AND SHALL BE PUNISHABLE BY A CIVIL PENALTY OF THE
GREATER  OF  FIVE  THOUSAND DOLLARS OR UP TO TEN DOLLARS PER INSTANCE OF
FAILED NOTIFICATION, PROVIDED THAT THE LATTER AMOUNT  SHALL  NOT  EXCEED
ONE HUNDRED FIFTY THOUSAND DOLLARS.
  G. IF THE CHIEF PRIVACY OFFICER DETERMINES THAT A THIRD PARTY CONTRAC-
TOR,  IN  VIOLATION OF APPLICABLE STATE OR FEDERAL LAW, THE DATA PRIVACY
AND SECURITY POLICIES OF THE EDUCATIONAL AGENCY AND/OR BINDING  CONTRAC-
TUAL  OBLIGATIONS RELATING TO DATA PRIVACY AND SECURITY, HAS RE-RELEASED
ANY STUDENT DATA OR TEACHER OR PRINCIPAL DATA RECEIVED  FROM  AN  EDUCA-
TIONAL  AGENCY  TO ANY PERSON OR ENTITY NOT AUTHORIZED BY LAW TO RECEIVE
SUCH DATA PURSUANT TO A LAWFUL SUBPOENA OR OTHERWISE, THE CHIEF  PRIVACY
OFFICER,  AFTER  AFFORDING THE THIRD PARTY CONTRACTOR WITH NOTICE AND AN
OPPORTUNITY TO BE HEARD, SHALL BE AUTHORIZED TO:
  (1) ORDER THAT THE THIRD PARTY CONTRACTOR BE PRECLUDED FROM  ACCESSING
STUDENT  DATA  OR  TEACHER  OR  PRINCIPAL  DATA, AS APPLICABLE, FROM THE
EDUCATIONAL AGENCY FROM WHICH THE CONTRACTOR OBTAINED THE DATA THAT  WAS
IMPROPERLY DISCLOSED FOR A FIXED PERIOD OF UP TO FIVE YEARS; AND/OR
  (2)  ORDER  THAT A THIRD PARTY CONTRACTOR WHO KNOWINGLY AND RECKLESSLY
ALLOWS FOR THE UNAUTHORIZED RELEASE OF STUDENT DATA OR TEACHER OR  PRIN-
CIPAL  DATA BE PRECLUDED FROM ACCESSING STUDENT DATA OR TEACHER OR PRIN-
CIPAL DATA FROM ANY EDUCATIONAL AGENCY IN THE STATE FOR A  FIXED  PERIOD
OF UP TO FIVE YEARS; AND/OR
  (3) ORDER, IN THE CASE OF AN EDUCATIONAL AGENCY THAT IS A PUBLIC AGEN-
CY  SUBJECT  TO  COMPETITIVE  BIDDING  REQUIREMENTS,  THAT A THIRD PARTY
CONTRACTOR WHO KNOWINGLY AND  RECKLESSLY  ALLOWS  FOR  THE  UNAUTHORIZED
RELEASE  OF  STUDENT  DATA  OR TEACHER OR PRINCIPAL DATA, THAT THE THIRD
PARTY CONTRACTOR SHALL NOT BE DEEMED A RESPONSIBLE BIDDER OR OFFERER  ON
ANY  CONTRACT  WITH  THE  EDUCATIONAL  AGENCY  FROM WHICH THE CONTRACTOR
OBTAINED THE DATA THAT WAS IMPROPERLY DISCLOSED THAT INVOLVES THE  SHAR-
ING  OF  STUDENT  DATA  OR  TEACHER OR PRINCIPAL DATA, AS APPLICABLE FOR
PURPOSES OF THE PROVISIONS OF SECTION ONE HUNDRED THREE OF  THE  GENERAL
MUNICIPAL  LAW  OR PARAGRAPH C OF SUBDIVISION TEN OF SECTION ONE HUNDRED
SIXTY-THREE OF THE STATE FINANCE LAW, AS APPLICABLE, FOR A FIXED  PERIOD
OF UP TO FIVE YEARS; AND/OR
  (4)  REQUIRE  THE  THIRD  PARTY  CONTRACTOR TO PROVIDE TRAINING AT THE
CONTRACTOR'S EXPENSE ON THE FEDERAL AND STATE  LAW  GOVERNING  CONFIDEN-

S. 6007--A                          6

TIALITY  OF  STUDENT  DATA  AND/OR  TEACHER  OR  PRINCIPAL  DATA AND THE
PROVISIONS OF THIS SUBDIVISION TO ALL ITS OFFICERS  AND  EMPLOYEES  WITH
ACCESS  TO  SUCH  DATA,  PRIOR  TO BEING PERMITTED TO RECEIVE SUBSEQUENT
ACCESS  TO SUCH DATA FROM THE EDUCATIONAL AGENCY FROM WHICH THE CONTRAC-
TOR OBTAINED THE DATA THAT WAS IMPROPERLY DISCLOSED OR FROM  ANY  EDUCA-
TIONAL AGENCY; AND/OR
  (5)  IF IT IS DETERMINED THAT THE UNAUTHORIZED RELEASE OF STUDENT DATA
OR TEACHER OR PRINCIPAL DATA ON THE PART OF THE THIRD  PARTY  CONTRACTOR
WAS INADVERTENT AND DONE WITHOUT INTENT OR GROSS NEGLIGENCE, THE COMMIS-
SIONER  MAY  DETERMINE  THAT  NO  PENALTY BE ISSUED UPON THE THIRD PARTY
CONTRACTOR.
  H. THE COMMISSIONER, IN CONSULTATION WITH THE CHIEF  PRIVACY  OFFICER,
SHALL  PROMULGATE  REGULATIONS  ESTABLISHING PROCEDURES TO IMPLEMENT THE
PROVISIONS OF THIS SUBDIVISION, INCLUDING BUT NOT LIMITED TO  PROCEDURES
FOR THE SUBMISSION OF COMPLAINTS FROM PARENTS AND/OR PERSONS IN PARENTAL
RELATION  TO  STUDENTS,  CLASSROOM  TEACHERS  OR BUILDING PRINCIPALS, OR
OTHER STAFF OF AN EDUCATIONAL AGENCY,  MAKING  ALLEGATIONS  OF  IMPROPER
DISCLOSURE  OF  STUDENT DATA AND/OR TEACHER OR PRINCIPAL DATA BY A THIRD
PARTY CONTRACTOR OR ITS OFFICERS OR EMPLOYEES THAT MAY BE SUBJECT TO THE
SANCTIONS SET FORTH IN PARAGRAPH G OF THIS SUBDIVISION. UPON RECEIPT  OF
A  COMPLAINT  OR  OTHER  INFORMATION  INDICATING  THAT  SUCH AN IMPROPER
DISCLOSURE BY A THIRD PARTY CONTRACTOR  MAY  HAVE  OCCURRED,  THE  CHIEF
PRIVACY  OFFICER  SHALL BE AUTHORIZED TO INVESTIGATE, VISIT, EXAMINE AND
INSPECT THE THIRD PARTY CONTRACTOR'S FACILITIES AND  RECORDS  AND  ISSUE
ANY  SUBPOENAS DEEMED NECESSARY TO OBTAIN DOCUMENTATION FROM, OR REQUIRE
THE TESTIMONY OF, ANY PARTY RELATING TO THE ALLEGED IMPROPER  DISCLOSURE
OF STUDENT DATA OR TEACHER OR PRINCIPAL DATA.
  I.  THE  COMMISSIONER, IN CONSULTATION WITH THE CHIEF PRIVACY OFFICER,
SHALL PROMULGATE REGULATIONS ESTABLISHING MINIMUM STANDARDS  FOR  EDUCA-
TIONAL  AGENCY  DATA SECURITY AND PRIVACY POLICIES AND SHALL DEVELOP ONE
OR MORE MODEL POLICIES FOR USE BY EDUCATIONAL AGENCIES. EACH EDUCATIONAL
AGENCY, BY NO LATER THAN NINETY DAYS AFTER THE EFFECTIVE  DATE  OF  THIS
SUBDIVISION,  SHALL  ENSURE  THAT  IT  HAS A POLICY ON DATA SECURITY AND
PRIVACY IN PLACE THAT IS CONSISTENT WITH APPLICABLE  STATE  AND  FEDERAL
LAWS  AND  APPLIES  TO STUDENT DATA AND, WHERE APPLICABLE, TO TEACHER OR
PRINCIPAL DATA. SUCH POLICY SHALL BE PUBLISHED ON  THE  WEBSITE  OF  THE
EDUCATIONAL  AGENCY, IF SUCH EDUCATIONAL AGENCY HAS AN INTERNET WEBSITE,
AND NOTICE OF SUCH POLICY SHALL BE PROVIDED TO ALL OFFICERS AND  EMPLOY-
EES  OF  THE EDUCATIONAL AGENCY. AS APPLIED TO STUDENT DATA, SUCH POLICY
SHALL PROVIDE  ALL  PROTECTIONS  AFFORDED  TO  PARENTS  AND  PERSONS  IN
PARENTAL RELATIONSHIPS, OR STUDENTS WHERE APPLICABLE, REQUIRED UNDER THE
FAMILY  EDUCATIONAL RIGHTS AND PRIVACY ACT, SECTION TWELVE HUNDRED THIR-
TY-TWO-G OF TITLE TWENTY OF THE UNITED STATES CODE, WHERE APPLICABLE THE
INDIVIDUALS WITH DISABILITIES EDUCATION ACT, SECTIONS FOURTEEN  HUNDRED,
ET.  SEQ.  OF  TITLE  TWENTY  OF THE UNITED STATES CODE, AND THE FEDERAL
REGULATIONS IMPLEMENTING SUCH STATUTES. EACH  EDUCATIONAL  AGENCY  SHALL
ENSURE THAT IT HAS IN PLACE PROVISIONS IN ITS CONTRACTS WITH THIRD PARTY
CONTRACTORS  OR  IN SEPARATE DATA SHARING AND CONFIDENTIALITY AGREEMENTS
THAT REQUIRE THAT CONFIDENTIALITY OF THE SHARED STUDENT DATA OR  TEACHER
OR PRINCIPAL DATA BE MAINTAINED IN ACCORDANCE WITH FEDERAL AND STATE LAW
AND THE EDUCATIONAL AGENCY'S POLICY ON DATA SECURITY AND PRIVACY.
  J.  EACH EDUCATIONAL AGENCY THAT ENTERS INTO A CONTRACT OR OTHER WRIT-
TEN AGREEMENT WITH A THIRD PARTY CONTRACTOR UNDER WHICH THE THIRD  PARTY
CONTRACTOR  WILL RECEIVE STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL
ENSURE THAT SUCH CONTRACT OR  AGREEMENT  INCLUDE  A  DATA  SECURITY  AND
PRIVACY  PLAN THAT OUTLINES HOW ALL STATE, FEDERAL, AND LOCAL DATA SECU-

S. 6007--A                          7

RITY AND PRIVACY CONTRACT REQUIREMENTS WILL BE IMPLEMENTED OVER THE LIFE
OF THE CONTRACT, CONSISTENT WITH THE EDUCATIONAL AGENCY'S POLICY ON DATA
SECURITY AND PRIVACY. SUCH PLAN SHALL INCLUDE, BUT SHALL NOT BE  LIMITED
TO,  A  SIGNED  COPY  OF THE PARENTS BILL OF RIGHTS FOR DATA PRIVACY AND
SECURITY, AND A REQUIREMENT THAT ANY OFFICERS OR EMPLOYEES OF THE  THIRD
PARTY CONTRACTOR WHO HAVE ACCESS TO STUDENT DATA OR TEACHER OR PRINCIPAL
DATA HAVE RECEIVED OR WILL RECEIVE TRAINING ON THE FEDERAL AND STATE LAW
GOVERNING CONFIDENTIALITY OF SUCH DATA PRIOR TO RECEIVING ACCESS.
  K.  (1)(I)  EACH VIOLATION OF ANY PROVISION OF THIS SECTION BY A THIRD
PARTY CONTRACTOR SHALL BE PUNISHABLE BY A CIVIL PENALTY  OF  UP  TO  ONE
THOUSAND  DOLLARS; A SECOND VIOLATION BY THE SAME THIRD PARTY CONTRACTOR
INVOLVING THE SAME STUDENT DATA OR TEACHER OR PRINCIPAL  DATA  SHALL  BE
PUNISHABLE BY A CIVIL PENALTY OF UP TO FIVE THOUSAND DOLLARS; ANY SUBSE-
QUENT  VIOLATION  BY  THE SAME THIRD PARTY CONTRACTOR INVOLVING THE SAME
STUDENT DATA OR TEACHER OR PRINCIPAL DATA SHALL BE PUNISHABLE BY A CIVIL
PENALTY OF UP TO TEN THOUSAND DOLLARS.
  (II) EACH VIOLATION OF THIS SUBDIVISION SHALL BE CONSIDERED A SEPARATE
VIOLATION FOR PURPOSES OF CIVIL PENALTIES.
  (2) THE ATTORNEY GENERAL SHALL HAVE THE AUTHORITY TO  ENFORCE  COMPLI-
ANCE WITH THIS SECTION BY INVESTIGATION AND SUBSEQUENT COMMENCEMENT OF A
CIVIL ACTION TO SEEK CIVIL PENALTIES FOR VIOLATIONS OF THIS SECTION, AND
TO  SEEK  APPROPRIATE  INJUNCTIVE  RELIEF. IN CARRYING OUT SUCH INVESTI-
GATION AND IN MAINTAINING SUCH CIVIL ACTION LOCAL  LAW  ENFORCEMENT  ARE
AUTHORIZED  TO SUBPOENA WITNESSES, COMPEL THEIR ATTENDANCE, EXAMINE THEM
UNDER OATH AND REQUIRE THAT ANY BOOKS, RECORDS,  DOCUMENTS,  PAPERS,  OR
ELECTRONIC  RECORDS  RELEVANT  OR MATERIAL TO THE INQUIRY BE TURNED OVER
FOR INSPECTION, EXAMINATION OR AUDIT, PURSUANT TO THE CIVIL PRACTICE LAW
AND RULES.
  (3) NOTHING CONTAINED IN THIS SUBDIVISION SHALL BE CONSTRUED AS CREAT-
ING A PRIVATE RIGHT OF ACTION AGAINST THE DEPARTMENT OR  AN  EDUCATIONAL
AGENCY.
  L.  NOTHING  IN  THIS  SECTION  SHALL  LIMIT THE ADMINISTRATIVE USE OF
STUDENT DATA OR TEACHER OR PRINCIPAL DATA BY A PERSON ACTING EXCLUSIVELY
IN THE PERSON'S CAPACITY AS AN EMPLOYEE OF AN EDUCATIONAL AGENCY  OR  OF
THE STATE OR ANY OF ITS POLITICAL SUBDIVISIONS, ANY COURT OR THE FEDERAL
GOVERNMENT THAT IS OTHERWISE REQUIRED BY LAW.
  S  2.  Subdivision  7  of section 156.00 of the penal law, as added by
chapter 558 of the laws of 2006, is amended and three  new  subdivisions
10, 11 and 12 are added to read as follows:
  7.  "Access"  means  to  instruct,  communicate  with,  store data in,
retrieve from, or otherwise make use of any  resources  of  a  computer,
physically,  directly or by electronic means; INCLUDING DISSEMINATION OF
DATA.
  10. "EDUCATIONAL AGENCY" MEANS AN EDUCATIONAL AGENCY AS SUCH  TERM  IS
DEFINED  IN  SUBDIVISION FORTY-FOUR OF SECTION THREE HUNDRED FIVE OF THE
EDUCATION LAW. AN EDUCATIONAL AGENCY AS SO DEFINED  SHALL  BE  DEEMED  A
GOVERNMENTAL INSTRUMENTALITY FOR PURPOSES OF THIS ARTICLE.
  11. "THIRD PARTY CONTRACTOR" MEANS A THIRD PARTY CONTRACTOR AS DEFINED
IN SUBDIVISION FORTY-FOUR OF SECTION THREE HUNDRED FIVE OF THE EDUCATION
LAW.
  12.  "EDUCATIONAL  COMPUTER  MATERIAL"  MEANS  PERSONALLY IDENTIFIABLE
INFORMATION FROM STUDENT RECORDS  OR  CONFIDENTIAL  ANNUAL  PROFESSIONAL
PERFORMANCE  REVIEWS  OF  CLASSROOM  TEACHERS OR PRINCIPALS, OF A SCHOOL
DISTRICT, BOARD OF COOPERATIVE EDUCATIONAL SERVICES, SCHOOL, INSTITUTION
OF HIGHER EDUCATION, OR THE STATE EDUCATION DEPARTMENT.

S. 6007--A                          8

  S 3. Section 156.30 of the penal law, as amended by chapter 590 of the
laws of 2008, is amended to read as follows:
S 156.30 Unlawful  duplication of computer related material in the first
           degree.
  A person is guilty of unlawful duplication of computer related MATERI-
AL in the first degree [material] when having no right to do so,  he  or
she copies, reproduces or duplicates in any manner:
  1. any computer data or computer program and thereby intentionally and
wrongfully  deprives  or  appropriates from an owner thereof an economic
value or benefit in excess of two thousand five hundred dollars;[or]
  2. any computer data or computer program with an intent to  commit  or
attempt to commit or further the commission of any felony[.]; OR
  3.  EDUCATIONAL  COMPUTER  MATERIAL  WITH THE INTENT TO DISSEMINATE IN
VIOLATION OF SECTION THREE HUNDRED FIVE OF THE EDUCATION LAW.
  Unlawful duplication of computer related material in the first  degree
is a class E felony.
  S 4. Section 165.45 of the penal law is amended by adding a new subdi-
vision 8 to read as follows:
  8.  THE  PROPERTY CONSISTS OF EDUCATIONAL COMPUTER MATERIAL AS DEFINED
IN ARTICLE ONE HUNDRED FIFTY-SIX OF THIS CHAPTER.
  S 5. This act shall take effect on the ninetieth day  after  it  shall
have  become  a  law,  provided,  however, the commissioner of education
shall within one hundred twenty days after it  shall  have  become  law,
develop a parents bill of rights for student data privacy and security.

Comments

Open Legislation comments facilitate discussion of New York State legislation. All comments are subject to moderation. Comments deemed off-topic, commercial, campaign-related, self-promotional; or that contain profanity or hate speech; or that link to sites outside of the nysenate.gov domain are not permitted, and will not be published. Comment moderation is generally performed Monday through Friday.

By contributing or voting you agree to the Terms of Participation and verify you are over 13.