California schools unite behind Assembly Bill 1023 to deter cyberattacks and protect student privacy

Elk Grove, Calif. (June 26, 2023) — Cybercrime is on the rise across the country and, increasingly, public schools are the target of sophisticated attacks that capture sensitive data, violate privacy, dismantle operations and extort funds from school districts and county offices of education. Assemblymember Diane Papan (D-San Mateo) told a crowd at Elk Grove Unified School District’s Florence Markofer Elementary that she authored CSBA-sponsored Assembly Bill 1023 to provide local educational agencies with resources to defend against cyberattacks and protect sensitive data for students, staff and families.

“As technology plays a greater role in schools and in society, we must develop safeguards to protect critical data and safeguard the privacy of students, families and staff — particularly from nefarious actors willing to disrupt public education and put our communities at risk,” said Papan. “Current law fails to offer the support school districts and county offices of education need to defend against cyberthreats and mitigate any successful attacks.”

Gov. Gavin Newsom has proposed funding in this year’s budget to enhance the California Cybersecurity Integration Center (Cal-CSIC), but this support is not specific to TK-12 and the statutory language could be used to exclude schools from cybersecurity funding. CSBA-sponsored AB 1023 would ensure that state agencies are required to provide direct cybersecurity assistance to TK-12 schools, allowing them to prepare for and respond to cyberattacks more effectively.

“AB 1023 would bring needed attention and resources to cybersecurity, an overlooked aspect of school safety,” said California School Boards Association President Susan Markarian. “Schools have access to more sensitive information and fulfill a more essential purpose than virtually any other local government agency and deserve robust, focused support to prepare for ransomware attacks. This support is important for all school districts, but is especially critical for small districts that often lack the resources and candidate pool to hire experienced cybersecurity personnel.”

Ransomware attacks have grown in recent years and schools have increasingly been identified as soft targets lacking the capacity to ward off hackers. In addition, greater reliance on information technology to deliver instruction and services since the COVID-19 pandemic has left schools increasingly vulnerable to cyberattacks. In 2022, cyberattacks against the education sector increased by 36 percent from the previous year. For local educational agencies, it is not a matter of if — but when — their school information systems will be subject to a cybersecurity attack, which can render the entire school district or county office of education unable to conduct the day-to-day business of educating students.

In California, local educational agencies as large as Los Angeles USD and as small as the Glenn County Office of Education have been victimized by cybercrime, with the Glenn County attack prompting a multiple-day closure of school districts that were supported by the county office of education, which ultimately paid a ransom to recover sensitive data.

“While we are doing our best to combat these threats, we can’t do it alone, as most education technology departments are understaffed with limited resources. AB 1023 is an important step that will provide cybersecurity guidance and coordination to school districts, county offices of education and charter schools from the California Cybersecurity Integration Center,” said Jerry Jones, executive director, Sacramento County Office of Education Technology Services. “This change will ensure that the state agency tasked with protecting California’s critical infrastructure and computer networks will provide greater focus, assistance and support to K-12 agencies.”