SF2200 • 2026

A bill for an act relating to school email security by requiring school districts, charter schools, and area education agencies to implement certain email security standards.

Education
Passed Legislature

This bill passed both chambers and reached final enrollment, even if later executive action is not shown here.

Sponsor: GREEN
Last action: 2026-02-12
Official status: Subcommittee recommends amendment and passage.
Effective date: Not listed

Plain English Breakdown

Using official source text because the generated explanation was unavailable or could not be confirmed against the official bill text.

A bill for an act relating to school email security by requiring school districts, charter schools, and area education agencies to implement certain email security standards.

What This Bill Does

  • A bill for an act relating to school email security by requiring school districts, charter schools, and area education agencies to implement certain email security standards.

Limits and Unknowns

  • This entry is temporarily using official source text because the generated explanation could not be confirmed against the official bill text during the last sync.

Bill History

  1. 2026-02-12 Iowa Legislature

    Subcommittee recommends amendment and passage.

  2. 2026-02-11 Iowa Legislature

    Subcommittee Meeting: 02/12/2026 11:00AM Senate Lounge.

  3. 2026-02-10 Iowa Legislature

    Subcommittee: Green, Rozenboom, and Winckler. S.J. 244.

  4. 2026-02-04 Iowa Legislature

    Introduced, referred to Education. S.J. 198.

Official Summary Text

A bill for an act relating to school email security by requiring school districts, charter schools, and area education agencies to implement certain email security standards.

Current Bill Text

Senate File 2200 - Introduced

SENATE FILE 2200
BY GREEN

A BILL FOR

An Act relating to school email security by requiring school districts, charter schools, and area education agencies to implement certain email security standards.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6720XS (2) 91
mb/jh

S.F. 2200

Section 1. Section 256E.7, subsection 2, Code 2026, is amended by adding the following new paragraph:

NEW PARAGRAPH. 0n. Be subject to and comply with the requirements of section 279.89 relating to student email security standards in the same manner as a school district.

Sec. 2. Section 256F.4, subsection 2, Code 2026, is amended by adding the following new paragraph:

NEW PARAGRAPH. v. Be subject to and comply with the requirements of section 279.89 relating to student email security standards in the same manner as a school district.

Sec. 3. Section 273.3, Code 2026, is amended by adding the following new subsection:

NEW SUBSECTION. 27. Be subject to and comply with the requirements of section 279.89 relating to student email security standards.

Sec. 4. NEW SECTION. 279.89 Student email security standards.

1. As used in this section, unless the context requires otherwise:

a. “Advanced threat detection” means the use of machine learning, behavioral analysis, and sandboxing to prevent delivery of malicious attachments, embedded links, and zero-day threats.

b. “Data loss prevention” means the automatic inspection of email content and attachments to prevent unauthorized transmission of personally identifiable information, protected health information, student education records, or confidential internal communications.

c. “Email security solution” means any cloud-based, on-premises, or hybrid system that provides protective filtering, threat detection, policy enforcement, logging, and user-level controls for inbound and outbound email traffic.

d. “Encryption enforcement” means the capability to automatically apply encryption policies to outbound messages containing sensitive data.

e. “Impersonation protection” means the ability to detect and block spoofed senders, lookalike domains, and unauthorized attempts to pose as internal users or third-party vendors.

2. By January 1, 2027, the board of directors of each school district shall implement an email security solution that meets all of the following requirements:

a. Inbound and outbound filtering of email traffic for spam, malware, phishing, ransomware, and advanced persistent threats.

b. Artificial intelligence-driven threat detection, including behavioral analysis, sandbox execution, and real-time analysis of embedded uniform resource locators and attachments.

c. Full-spectrum impersonation protection, including domain and display name spoofing defense, user impersonation alerts, and forged sender blocking.

d. Data loss prevention policies capable of scanning subject lines, body content, and attachments for personally identifiable information, protected health information, and student records, and triggering block, quarantine, or encryption workflows as appropriate.

e. Policy-based encryption of outbound email traffic containing protected or confidential content.

f. Quarantine and end-user self-service portals, enabling safe engagement and reducing administrative burden.

g. Directory service integration to enable role-based policy application and user-level visibility.

h. Comprehensive logging, alerting, and forensic analysis, including the ability to correlate threats across users and time, and generate detailed reporting for compliance purposes.

i. Support for integration with productivity platforms without dependence on their native filtering features.

3. A school district shall be considered noncompliant if the email security platform or vendor used by the district or agency does not meet the requirements of this section in full.

Sec. 5. STATE MANDATE FUNDING SPECIFIED. In accordance with section 25B.2, subsection 3, the state cost of requiring compliance with any state mandate included in this Act shall be paid by a school district from state school foundation aid received by the school district under section 257.16 and by an area education agency from state school foundation aid received by the area education agency under section 257.35. This specification of the payment of the state cost shall be deemed to meet all of the state funding-related requirements of section 25B.2, subsection 3, and no additional state funding shall be necessary for the full implementation of this Act by and enforcement of this Act against all affected school districts and area education agencies.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to student email security, including requiring school districts, charter schools, and area education agencies to implement certain email security standards.

The bill requires school districts, charter schools, and area education agencies to implement student email security solutions by January 1, 2027. The solutions must include inbound and outbound email filtering for spam, malware, phishing, ransomware, and advanced threats; artificial intelligence-driven threat detection; full-spectrum impersonation protection; data loss prevention scanning for personally identifiable information, protected health information, and student records; policy-based encryption of sensitive outbound emails; quarantine and end-user self-service portals; directory service integration; comprehensive logging and reporting; and support for integration with productivity platforms. A school district, charter school, or area education agency is noncompliant if its email security solution does not meet the requirements of the bill.

The bill may include a state mandate as defined in Code section 25B.3. The bill requires that the state cost of any state mandate included in the bill be paid by a school district from state school foundation aid received by the school district under Code section 257.16 and by an area education agency from state school foundation aid received by the area education agency under Code section 257.35. The specification is deemed to constitute state compliance with any state mandate funding-related requirements of Code section 25B.2. The inclusion of this specification is intended to reinstate the requirement of school districts and area education agencies to comply with any state mandates included in the bill.