California Mandates K-12 Cyber Attack Notices


On the heels of a high-profile ransomware attack on the Los Angeles Unified School District (LAUSD), California Gov. Gavin Newsom signed into law a bill that requires schools to report to state authorities cyber attacks that impact more than 500 students or school personnel.

The bill signed by Gov. Newsom on Sept. 23 was introduced in the California Assembly in February by state Rep. Rudy Salas – several months before news of the LAUSD ransomware attack broke.

The new law requires any state school district, county office of education, or charter school to report attacks affecting more than 500 students or school personnel to the California Cybersecurity Integration Center (CCIC). The CCIC’s primary mission is to reduce the likelihood and severity of cyber incidents that could damage California’s economy, its critical infrastructure, or public and private sector computer networks in the state.

The law also requires CCIC to create a database that tracks cyber attacks on schools, and provide an annual report to the governor and policy committees of the state legislature with information on the attacks and any associated data breaches.

The new statute is set to expire in 2027.

Meanwhile, LAUSD – the second largest school district in the United States – is still recovering from the ransomware attack.

LAUSD Superintendent Alberto Carvalho said on October 2 that the attack group has publicly leaked data stolen from the school district, which stands firmly behind its decision not to pay a ransom to the attackers.

“Los Angeles Unified remains firm that dollars must be used to fund students and education,” the district said in a statement.

“Paying ransom never guarantees the full recovery of data, and Los Angeles Unified believes public dollars are better spent on our students rather than capitulating to a nefarious and illicit crime syndicate,” it said.