(a) Third-party contractors shall promptly notify each educational agency with which it has a contract of any breach or unauthorized release of personally identifiable information in the most expedient way possible and without unreasonable delay but no more than seven calendar days after the discovery of such breach.

(b) Each educational agency shall in turn notify the chief privacy officer of the breach or unauthorized release no more than 10 calendar days after it receives the third-party contractor’s notification using a form or format prescribed by the department.

(c) Third-party contractors must cooperate with educational agencies and law enforcement to protect the integrity of investigations into the breach or unauthorized release of personally identifiable information.

(d) Educational agencies shall report every discovery or report of a breach or unauthorized release of student, teacher or principal data to the chief privacy officer without unreasonable delay, but no more than 10 calendar days after such discovery.

(e) Educational agencies shall notify affected parents, eligible students, teachers and/or principals in the most expedient way possible and without unreasonable delay, but no more than 60 calendar days after the discovery of a breach or unauthorized release by an educational agency or the receipt of a notification of a breach or unauthorized release from a third-party contractor unless that notification would interfere with an ongoing investigation by law enforcement or cause further disclosure of personally identifiable information by disclosing an unfixed security vulnerability. Where notification is delayed under these circumstances, the educational agency shall notify parents, eligible students, teachers and/or principals within seven calendar days after the security vulnerability has been remedied or the risk of interference with the law enforcement investigation ends.

(f) Where a breach or unauthorized release is attributed to a third-party contractor, the third-party contractor shall pay for or promptly reimburse the educational agency for the full cost of such notification.

(g) Notifications required by this section shall be clear, concise, use language that is plain and easy to understand, and to the extent available, include: a brief description of the breach or unauthorized release, the dates of the incident and the date of discovery, if known; a description of the types of personally identifiable information affected; an estimate of the number of records affected; a brief description of the educational agency’s investigation or plan to investigate; and contact information for representatives who can assist parents or eligible students that have additional questions.

(h) Notification must be directly provided to the affected parent, eligible student, teacher or principal by first-class mail to their last known address; by email; or by telephone.

(i) Upon the belief that a breach or unauthorized release constitutes criminal conduct, the chief privacy officer shall report such breach and unauthorized release to law enforcement in the most expedient way possible and without unreasonable delay.