LB638 LB638
2023 2023
LEGISLATURE OF NEBRASKA
ONE HUNDRED EIGHTH LEGISLATURE
FIRST SESSION
LEGISLATIVE BILL 638
Introduced by Albrecht, 17.
Read first time January 18, 2023
Committee: Education
1 A BILL FOR AN ACT relating to education; to adopt the Nebraska K-12
2 Cybersecurity and Data Protection Act; and to declare an emergency.
3 Be it enacted by the people of the State of Nebraska,
-1-
LB638 LB638
2023 2023
1 Section 1. This act shall be known and may be cited as the Nebraska
2 K-12 Cybersecurity and Data Protection Act.
3 Sec. 2. The purpose of the Nebraska K-12 Cybersecurity and Data
4 Protection Act is to promote and institute protective cybersecurity
5 measures in alignment with best practices which address prevention,
6 mitigation, response, recovery, and establish systematized response
7 relating to cybersecurity and data protection within the Nebraska school
8 system.
9 Sec. 3. For purposes of the Nebraska K-12 Cybersecurity and Data
10 Protection Act:
11 (1) Computer database means a representation of information,
12 knowledge, facts, concepts, or instructions that is intended for use in a
13 computer, computer system, or computer network that is being prepared or
14 has been prepared in a formalized manner, or is being produced or has
15 been produced by a computer, computer system, or computer network;
16 (2) Cybersecurity means the art of protecting networks, devices, and
17 data from unauthorized access or criminal use and the practice of
18 ensuring confidentiality, integrity, and availability of information;
19 (3) Cybersecurity event means an event resulting in unauthorized
20 access to, or the disruption or misuse of, an information system or of
21 nonpublic information stored on an information system or network;
22 (4) Cybersecurity team includes, but is not limited to, identified
23 individuals with the knowledge and expertise to understand encryption
24 technology, and who electronically monitor Internet connectivity for a
25 school or educational service unit to prevent electronic attacks or
26 cybersecurity events, create plans that successfully deflect potential
27 attacks, provide preventive, ongoing, state-of-the-art training to
28 appropriate school and educational service unit staff members, and
29 expeditiously respond to adverse cybersecurity events by successfully
30 restoring data after a breach and return such system to a protected
31 status;
-2-
LB638 LB638
2023 2023
1 (5) Encrypted means the transformation of data into a form that
2 results in a low probability of assigning meaning to the data without the
3 use of a protective process or key;
4 (6) Information security means the administrative, technical, and
5 physical safeguards that are used to access, collect, distribute,
6 process, protect, store, use, transmit, dispose of, or otherwise handle
7 nonpublic information;
8 (7) Information system means a discrete set of electronic
9 information resources organized for the collection, processing,
10 maintenance, use, sharing, dissemination, or disposition of electronic
11 nonpublic information such as a student management system;
12 (8) Mitigation means identifying data and networks and developing
13 plans to protect such data and networks through periodic updates to
14 software, controlling account access, and leveraging hardware security
15 measures;
16 (9) Multi-factor authentication means authentication through
17 verification of at least two of the following types of authentication
18 factors:
19 (a) A knowledge factor, such as a password;
20 (b) A possession factor, such as a token or text message on a mobile
21 phone; or
22 (c) An inherent factor, such as a biometric characteristic.
23 (10) Prevention means creating a cybersecurity strategy that
24 includes, but is not limited to, developing cybersecurity policies,
25 conducting regular, ongoing risk vulnerability assessments, providing
26 awareness training to employees, including training on phishing
27 campaigns, and installing and updating spam filters and anti-malware
28 software;
29 (11) Ransomware means a computer or data contaminant, encryption, or
30 lock that is placed or introduced without authorization into a computer,
31 computer network, or computer system that restricts access by an
-3-
LB638 LB638
2023 2023
1 authorized person to a computer, computer data, computer system, or
2 computer network in a manner that results in the person responsible for
3 the placement or introduction of the contaminant, encryption, or lock
4 making a demand for payment of money or other consideration to remove the
5 contaminant, encryption, or lock;
6 (12) Recovery means that a status has been achieved to ensure day-
7 to-day business operations continue following an adverse cybersecurity
8 event and that data is once again protected from future loss; and
9 (13) Response means a process that is followed after an adverse
10 cybersecurity event that includes, but is not limited to:
11 (a) A comprehensive systemic audit including:
12 (i) How the adverse cybersecurity event was discovered;
13 (ii) A description of how nonpublic information was exposed, lost,
14 stolen, or breached;
15 (iii) A description of the specific types of nonpublic information
16 lost, stolen, or breached;
17 (iv) A list of any lost, stolen, or breached nonpublic information
18 that was recovered and how the recovery occurred; and
19 (v) The source of the cybersecurity event, if available; and
20 (b) In the event of a cybersecurity attack involving the potential
21 or actual breach of nonpublic information, response shall include
22 complying with all applicable notification requirements pursuant to
23 federal or state law.
24 Sec. 4. (1) The Educational Service Unit Coordinating Council shall
25 establish a cybersecurity team to conduct a statewide needs analysis to
26 determine appropriate cybersecurity measures and work to implement such
27 cybersecurity measures with individual educational service units and
28 schools in a manner that is respectful of each educational service unit's
29 regional relationship with its member schools.
30 (2) The cybersecurity team shall establish a response plan designed
31 to promptly respond to and recover from, a cybersecurity event in a
-4-
LB638 LB638
2023 2023
1 public school providing instruction in elementary or high school grades
2 that compromises the confidentiality, integrity, or availability of
3 nonpublic information in the school's possession. Such response plan
4 measures may include, but need not be limited to, the following:
5 (a) Placing access controls on information systems, including
6 controls to authenticate and permit access only to authorized individuals
7 to protect against the unauthorized acquisition of nonpublic information;
8 (b) Identifying and managing the data, personnel, devices, systems,
9 and facilities that enable the school to achieve its purposes in
10 accordance with the relative importance of such data, personnel, devices,
11 systems, and facilities to the school's objectives and risk strategy;
12 (c) Restricting access of nonpublic information stored in or at
13 physical locations to authorized individuals only;
14 (d) Protecting, by encryption or other appropriate means, all
15 nonpublic information while the nonpublic information is transmitted over
16 an external network, and all nonpublic information that is stored on a
17 laptop computer, a portable computing or storage device, or portable
18 computing or storage media;
19 (e) Adopting secure development practices for in-house developed
20 applications utilized by the school, and procedures for evaluating,
21 assessing, and testing the security of externally developed applications
22 utilized by the licensee;
23 (f) Modifying information systems in accordance with the information
24 security program;
25 (g) Utilizing effective controls, which may include multi-factor
26 authentication procedures for authorized individuals accessing nonpublic
27 information;
28 (h) Regularly testing and monitoring systems and procedures to
29 detect actual and attempted attacks on, or intrusions into, information
30 systems;
31 (i) Developing assigned roles, responsibilities, and levels of
-5-
LB638 LB638
2023 2023
1 decision-making authority for each level of the cybersecurity plan,
2 including prevention, mitigation, response, and recovery;
3 (j) Assessing and identifying weaknesses found within information
4 systems and associated quality controls, identifying nonpublic
5 information that may have been compromised by the cybersecurity event,
6 and overseeing reasonable measures to restore the security of compromised
7 information systems in order to prevent further unauthorized acquisition,
8 release, or use of nonpublic information that is in the district's
9 possession, custody, or control;
10 (k) Documenting and reporting cybersecurity events and related
11 incident response activities;
12 (l) Evaluating and revising the incident response plan, as
13 appropriate, following a cybersecurity event; and
14 (m) Overseeing the provision of public school district personnel
15 with cybersecurity awareness training that is updated as necessary based
16 on emergent threats and industry recommendations.
17 (3) The Educational Service Unit Coordinating Council shall annually
18 submit a written report electronically to the Education Committee of the
19 Legislature providing updates on progress in implementing the provisions
20 of the Nebraska K-12 Cybersecurity and Data Protection Act. Such report
21 shall include updates on the level of adoption of identified
22 cybersecurity practices in public school districts based on aggregated
23 data from educational service units, and shall include recommendations
24 for additional provisions to address and mitigate emerging, cybersecurity
25 threats to schools.
26 (4) The State Board of Education may adopt and promulgate rules and
27 regulations to carry out the Nebraska K-12 Cybersecurity and Data
28 Protection Act. The Commissioner may take any enforcement action under
29 the Commissioner's authority to enforce compliance with the Nebraska K-12
30 Cybersecurity and Data Protection Act.
31 Sec. 5. Since an emergency exists, this act takes effect when
-6-
LB638 LB638
2023 2023
1 passed and approved according to law.
-7-