(a)(1) Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of student information, excluding any directory information contained in such student information, a contractor shall notify, without unreasonable delay, but not more than thirty days after such discovery, the local or regional board of education of such breach of security. During such thirty-day period, the contractor may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose student information is involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the contractor’s data system.
(2) Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of directory information, student records or student-generated content, a contractor shall notify, without unreasonable delay, but not more than sixty days after such discovery, the local or regional board of education of such breach of security. During such sixty-day period, the contractor may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose directory information, student records or student-generated content is involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the contractor’s data system.
(3) Upon receipt of notice of a breach of security under subdivision (1) or (2) of this subsection, a local or regional board of education shall electronically notify, not later than two business days after receipt of such notice, the student and the parents or guardians of the student whose student information, student records or student-generated content is involved in such breach of security. The local or regional board of education shall post such notice on the board’s Internet web site.
(b) Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of student information, student records or student-generated content, an operator that is in possession of or maintains student information, student records or student-generated content as a result of a student’s use of such operator’s Internet web site, online service or mobile application, shall (1) notify, without unreasonable delay, but not more than thirty days after such discovery, the student or the parents or guardians of such student of any breach of security that results in the unauthorized release, disclosure or acquisition of student information, excluding any directory information contained in such student information, of such student, and (2) notify, without unreasonable delay, but not more than sixty days after such discovery, the student or the parents or guardians of such student of any breach of security that results in the unauthorized release, disclosure or acquisition of directory information, student records or student-generated content of such student. During such thirty-day or sixty-day period, the operator may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose student information, student records or student-generated content are involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the operator’s data system.
(P.A. 16-189, S. 4; P.A. 17-13, S. 1; 17-200, S. 2.)
History: P.A. 17-13 made a technical change in Subsec. (a)(3), effective July 1, 2017; P.A. 17-200 amended Subsec. (a)(3) by replacing “forty-eight hours” with “two business days” and making a technical change, effective July 1, 2017.
Copyright ©2024 LegalFix. All rights reserved. LegalFix is not a law firm, is not licensed to practice law, and does not provide legal advice, services, or representation. The information on this website is an overview of the legal plans you can purchase—or that may be provided by your employer as an employee benefit or by your credit union or other membership group as a membership benefit.
LegalFix provides its members with easy access to affordable legal services through a network of independent law firms. LegalFix, its corporate entity, and its officers, directors, employees, agents, and contractors do not provide legal advice, services, or representation—directly or indirectly.
The articles and information on the site are not legal advice and should not be relied upon—they are for information purposes only. You should become a LegalFix member to get legal services from one of our network law firms.
You should not disclose confidential or potentially incriminating information to LegalFix—you should only communicate such information to your network law firm.
The benefits and legal services described in the LegalFix legal plans are not always available in all states or with all plans. See the legal plan Benefit Overview and the more comprehensive legal plan contract during checkout for coverage details in your state.
Use of this website, the purchase of legal plans, and access to the LegalFix networks of law firms are subject to the LegalFix Terms of Service and Privacy Policy.