Your team just uncovered a data breach.
And during those frightful first moments, when you should be focused on your incident response plan, you look at your Fitbit because you must document the time of breach discovery.
And start your stopwatch.
"I've got 23 hours and 59 minutes until I have to notify on this. How much can we learn by then?"
The Mississippi Department of Education (MDE) is proposing an unusually strict 24-hour notification for school districts that have a cybersecurity or privacy incident.
Attorneys from law firm Adams and Reese blogged about the proposal and the notification issue:
"The time for notification of an incident is very short, and far shorter than the time contained in most laws and regulations (including Mississippi's own data breach notification law).
It is often unclear whether or to what extent an incident has actually occurred, and therefore, districts will need to be prepared to give notification even before all facts are gathered.
Also, the proposed rule would require notification of many types of incidents, not just ransomware attacks or data breaches."
It's hard to imagine how this notification burden would work for school districts. For many, cybersecurity is the responsibility of IT teams that are stretched thin.
The notification timeline is only a small part of a significant and sweeping cybersecurity proposal for Mississippi school districts. The state's Department of Education is proposing the following 22 requirements for what each district must have:
Does your organization have all of these plans and policies in place?
Attorneys writing about the proposal noted another interesting twist:
"The rule also requires each district to allow MDE to investigate any incident. It is not clear to what extent MDE's investigation would be in the nature of an enforcement action versus assisting the district."
And when will that investigation happen? Will it be during the district's incident response phase or afterward? These are valid questions about the proposed policy.
While this proposal only applies to school districts within a single state, we know that keeping up with state-by-state privacy and cyberlaw changes is like a game of whack-a-mole.
At SecureWorld New York, we interviewed Jordan Fischer of XPAN Law Group about cybersecurity and privacy law strategy. The interview is available on any podcast platform.