The School Board of Miami-Dade County
Bylaws & Policies
Unless a specific policy has been amended and the date the policy was revised is noted at the bottom of that policy, the Bylaws and Policies of the Miami-Dade County Public Schools were adopted on May 11, 2011 and were in effect beginning July 1, 2011.
 

8351 - ELECTRONIC DATA SECURITY BREACH NOTICE REQUIREMENTS

The School Board shall take reasonable measures to protect and secure data containing personal information in electronic form and shall provide notice of a security breach pursuant to law.

Definitions

"Breach of security" or "breach" means unauthorized access of data in electronic form containing personal information belonging to Board members, employees, parents and students. Good faith access of personal information by an employee or agent does not constitute a breach of security, provided that the information is used for a proper, District-related purpose and is not subject to further unauthorized use.

"Data in electronic form" means any data stored electronically or digitally on any District or third-party agent computer system or other database and includes mass storage devices.

"Personal information" means:

 A. an individual's first name or first initial and last name in combination with any one or more of the following data elements for that individual:

  1. a social security number;

  2. driver's license or identification card number, passport number, military identification number or other similar number issued on a government document used to verify identity;

  3. a financial account number or credit or debit card number, in combination with any required security code, access code, or password that is necessary to access an individuals' financial account;

  4. information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional; or

  5. an individual's health insurance policy number or subscriber identification number and any unique identifier used by a health insurer to identify the individual.

 B. A user name or e-mail address, in combination with a password or security question and answer that would permit access to an online account.

The term does not include information about an individual that has been made publicly available by a Federal, State, or local governmental entity. The term also does not include information that is encrypted, secured, or modified by any other method or technology that removes elements that personally identify an individual or that otherwise renders the information unusable.

"Superintendent" means the Superintendent or designated individual or department.

"Third-party agent" means an entity that has been contracted to maintain, store, or process personal information on behalf of the Board.

Notice of Security Breach

Individuals

 A. The Board directs the Superintendent to provide notice to each individual whose personal information was, or the Superintendent reasonably believes to have been, accessed as a result of a breach. Notice shall be made as expeditiously as practicable and without unreasonable delay, taking into account the time necessary to allow the Superintendent to determine the scope of the breach, to identify the individuals affected by the breach, and to restore the reasonable integrity of the data system that was breached, but no later than thirty (30) days after the determination of a breach or reason to believe a breach occurred.

 B. If a Federal, State, or local law enforcement agency, including the school police, determines that notice to individuals would interfere with a criminal investigation, the notice shall be delayed upon the written request of the law enforcement agency for a specified period that the law enforcement agency determines is reasonably necessary. The law enforcement agency may, by a subsequent written request, revoke the delay as of a specified date or extend the period set forth in the original request.

 C. Notice to the affected individuals is not required, if, after an appropriate investigation and consultation with relevant law enforcement agencies, the Superintendent reasonably determines that the breach has not and will not likely result in identity theft or other financial harm to the individuals whose personal information has been accessed. Such a determination must be documented in writing and maintained for at least five (5) years.

 D. The notice to an affected individual shall be made by written notice to the affected individual's mailing address, or by e-mail sent to the e-mail address of the affected individual.

 E. The notice shall include, at a minimum:

  1. the date, estimated date, or estimated date range of the breach;

  2. a description of the personal information that was accessed or reasonably believed to have been accessed;

  3. a contact person and method that the individual can use to inquire about the breach and the personal information maintained about the individual; and

  4. information about the rights of parents or guardians of students who are under sixteen (16) years of age, incapacitated, or disabled, to request that the student's credit be frozen pursuant to F.S. 501.001.

 F. The Superintendent may provide substitute notice in lieu of direct notice if such direct notice is not feasible because the cost of providing notice would exceed $25,000, the number of affected individuals exceeds $500,000, or the Board does not have an e-mail or mailing address for the affected individuals. The substitute notice must include a conspicuous notice on the Board website and notice in print and to broadcast media including major media in urban and rural areas where the affected individuals reside.

 G. Upon receiving notice of a breach of security of a system maintained by a third-party agent, the Superintendent shall notify all affected individuals according to the procedures in this section.

State and Credit Agencies

In addition to providing notice to the affected individuals according to the procedures above:

 A. For any breach of security affecting 500 or more individuals in the State, the Superintendent must provide written notice of the breach to the Florida Department of Legal Affairs in accordance with the requirements in F.S. 501.171.

 B. For any breach of security affecting 1,000 or more individuals at a single time, the Superintendent must notify, without reasonable delay, all consumer reporting agencies that compile and maintain files on consumers on a nationwide basis, as defined in the Fair Credit Reporting Act, 15 U.S.C. 1681a(p), of the timing, distribution and content of the notices.

Security Freeze on Student Credit

Pursuant to F.S. 501.0051, parents or guardians of students who are under sixteen (16), incapacitated, or disabled, may have a security freeze placed on the student's credit in the event of a breach of security of personal information. The parent or guardian must submit a request to the consumer reporting agency with proof of authority and identification and pay a fee not to exceed $10 to secure and/or remove the freeze. However, no fee is required if the parent or guardian has documentation showing that the individual has been the victim of identity theft.

Upon request of a parent or guardian of a student under sixteen (16) years of age, incapacitated or disabled, who has been the victim of identity theft, the Superintendent shall provide documentation that is within the care, custody, or control of the Board sufficient to invoke the fee waiver under the law. This documentation may be a copy of a valid investigative report, an incident report, or a complaint with a law enforcement agency about the unlawful use of the protected consumer's identifying information by another person.

In addition, the Superintendent shall annually provide parents and guardians of students younger than sixteen (16) years of age, disabled, or incapacitated information regarding their rights under this law.

Enforcement

Violations of this policy could result in substantial civil penalties and subject employees to disciplinary action for failure to comply.

The provision of notice and information pursuant to this policy is not an admission that the information breach was caused by the Board either directly or indirectly. This policy does not create a private cause of action against violators.

F.S. 501.171, 501.0051

Adopted 1/14/15

© Miami-Dade 2015