Louisiana recently enacted new requirements that govern the collection, disclosure and use of personally identifiable information of students. The new laws include increased contract requirements between schools or districts and anyone entrusted with such personally identifiable information. The items listed below are specific requirements necessary for any contract that governs the release of student information.
Sensitive information must be protected at a level that can ensure that only those who are authorized to view the information are allowed access (secure passwords, encryption, etc.). The vendor's network must maintain a high level of electronic protection to ensure the integrity of sensitive information and to prevent unauthorized access in these systems. Regular review of the protection methods used and system auditing are also critical to maintain protection of these systems. Vendor agrees to protect and maintain the security of data with protection security measures that include maintaining secure environments that are patched and up to date with all appropriate security updates as designated by a relevant authority.
In order to ensure that only appropriate individuals and entities have access to personally identifiable student data, organizations must implement various forms of authentication to establish the identity of the data. Each organization must individually determine the appropriate level of assurance that would provide, in its specific environment, reasonable means of protecting the privacy of student data it maintains. No individual or entity should be allowed unauthenticated access to confidential personally identifiable student records at any time.
The individual, vendor or entity shall implement appropriate measures designed to ensure the confidentiality and security of personally identifiable information, protect against any anticipated access or disclosure of information, and prevent any other action that could result in substantial harm to New Beginnings Schools Foundation or any individual identified with the data or information in vendor's custody.
Vendor agrees that any and all New Beginnings Schools Foundation personally identifiable student data will be stored, processed and maintained solely on designated servers and that no New Beginnings Schools Foundation data at any time will be processed on or transferred to any portable or laptop computing device or any portable storage medium, unless that storage medium is in use as part of the vendor's designated backup and recovery processes. All servers, storage, backups and network paths utilized in the delivery of the service shall be contained within the states, districts, and territories of the United States unless specifically agreed to in writing by a New Beginnings Schools Foundation employee with signature authority.
Vendor agrees that any and all data exchanged shall be used expressly and solely for the purposes enumerated in the Original Agreement of Contract. Data shall not be distributed, repurposed or shared across other applications, environments, or business units of vendor. As required by Federal and State law, vendor further agrees that no data of any kind shall be revealed, transmitted, exchanged or otherwise passed to other vendors or interested parties.
Vendor agrees that as required by applicable state and federal law, auditors from state, federal, New Beginnings Schools Foundation or other agencies so designated by the School System, shall have the option to audit the outsourced service. Records pertaining to the service shall be made available to auditors and New Beginnings Schools Foundation during normal working hours for this purpose.
Vendor agrees to comply with the Louisiana Database Breach Notification Law (Act 499) and all applicable laws that require the notification of individuals in the event of unauthorized release of personally identifiable information or other event requiring notification. In the event of a breach of any of the vendor's security obligations or other event requiring notification under applicable law, vendor agrees to notify New Beginnings Schools Foundation immediately and assume responsibility for all such individuals in accordance with applicable law and to indemnify, hold harmless and defend New Beginnings Schools Foundation and its employees from and against any claims, damages, or other harm related to Notification Event.
The vendor agrees that upon termination of this Agreement it shall return all data to New Beginnings Schools Foundation in a useable electronic form, and erase, destroy, and render unreadable all New Beginnings Schools Foundation data in its entirety in a manner that prevents physical reconstruction through the use of commonly available file restoration utilities, and certify in writing that these actions have been completed within 30 days of the termination or within 7 days of the request of an agent of New Beginnings Schools Foundation, whichever shall come first.
Vendor and New Beginnings Schools Foundation acknowledge that unauthorized disclosure or use of the protected information may irreparably damage New Beginnings Schools Foundation in such a way that adequate compensation could not be obtained from damages in an action at law. Accordingly, the actual or threatened unauthorized disclosure or use of any protected information shall give New Beginnings Schools Foundation the right to seek injunctive relief restraining such unauthorized disclosure or use, in addition to any other remedy otherwise available (including reasonable attorney fees). Vendor hereby waives the posting of a bond with respect to any action for injunctive relief. Vendor further grants New Beginnings Schools Foundation the right, but not the obligation, to enforce these provisions in vendor's name against any of vendor's employees, officers, board members, owners, representatives, agents, contractors, and subcontractors violating the above provisions.
Vendor must have established and implemented a clear data breach response plan outlining organizational policies and procedures for addressing a potential breach, which is an essential step in protecting student data. Prompt response is essential for minimizing the risk of any further data loss and, therefore, plays an important role in mitigating any negative consequences of the breach, including potential harm to affected individuals. A data breach is any instance in which there is an unauthorized release or access of personally identifiable information or other information not suitable for public release. This definition applies regardless of whether an organization stores and manages the data directly or through a contractor, such as a cloud service provider.
NEW BEGINNINGS SCHOOLS FOUNDATION CONTRACT ADDENDUM
A vendor's audit strategy will require the following actions to protect and retain audit logs. The storing of audit logs and records on a server separate from the system that generates the audit trail. Access to audit logs must be restricted to prevent tampering or altering of audit data. Retention of audit trails must be based on a schedule determined collaboratively with operational, technical, risk management, and legal staff.
Vendor is permitted to disclose Confidential information to its employees, authorized subcontractors, agents, consultants and auditors on a need-to-know basis only, provided that all such subcontractors, agents, consultants and auditors have written confidentiality obligations to vendor and New Beginnings Schools Foundation.
The confidentiality obligations shall survive termination of any agreement with vendor for a period of fifteen (15) years or for so long as the information remains confidential, whichever is longer, and will inure to the benefit of the New Beginnings Schools Foundation.