K-12 Cyber Laws Grew in 2022; More Needed


State policymakers significantly accelerated their efforts to help K-12 institutions across the U.S. shore up their cybersecurity defenses last year, a new report by the Consortium for School Networking (CoSN) found.

“This year, legislators in 36 states introduced 232 cybersecurity bills with direct or indirect focus on the education sector,” the nonprofit said in its Federal Education Cybersecurity Policy Developments report.

Of the legislation introduced across the country, 37 cybersecurity bills directed towards the education sector were adopted in 18 different states. This compares to 49 new cybersecurity laws across the K-12 education sector in 2021, and just 10 in 2020.

Florida and California had the highest count of cybersecurity education laws enacted this past year, accounting for a combined total of 10 out of the 37 bills.

“The 2022 laws largely focus on policy changes targeted across state and local government, not just on education entities,” the 41-page report said.

CoSN continued, “They address a range of cybersecurity policy areas and strategies including governance improvements, mandatory incident reporting, required prevention and contingency planning, expanding the available cyber workforce, and security investments targeting state agencies, local agencies, and higher education institutions.”

Cyberattacks are among the leading operational and privacy threats facing the nation’s schools, the report highlighted. Cyberattacks can compromise confidential student and employee information and disrupt classroom instruction and administrative functions.

The problem plagues the entire education sector. Among all hacks, ransomware attacks in particular are on the rise, targeting K-12 institutions’ confidential data and demanding large sums of money in exchange.

However, CoSN’s report also emphasized that more needs to be done in the new year to protect these increasingly vulnerable school systems from cyberattacks.

CoSN encouraged state leaders tasked with making cybersecurity policy improvements in 2023 to consider three ideas:

  • Cybersecurity workforce: consider a more strategic approach to recruitment, training, and retention as well as greater funding to ensure schools can compete with the private sector;
  • Prevention and planning: government must provide funding for technology to identify and repel attacks, but investments must also focus on educating students, staff, families, and the public about how to recognize and avoid attacks; and
  • Incident reporting, contingency planning, and coordination: policies should encourage greater participation in the collaborative groups that already exist in this space by providing funding and strategic direction, and policymakers should find ways to remove stigmas associated with reporting attacks.