(105 ILCS 85/15)
    Sec. 15. Operator duties. An operator shall do the following:
        (1) Implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure.
        (2) Delete, within a reasonable time period, a student's covered information if the school or school district requests deletion of covered information under the control of the school or school district, unless a student or his or her parent consents to the maintenance of the covered information.
        (3) Publicly disclose material information about its collection, use, and disclosure of covered information, including, but not limited to, publishing a terms of service agreement, privacy policy, or similar document.
        (4) Except for a nonpublic school, for any operator who seeks to receive from a school, school district, or the State Board in any manner any covered information, enter into a written agreement with the school, school district, or State Board before the covered information may be transferred. The written agreement may be created in electronic form and signed with an electronic or digital signature or may be a click wrap agreement that is used with software licenses, downloaded or online applications and transactions for educational technologies, or other technologies in which a user must agree to terms and conditions before using the product or service. Any written agreement entered into, amended, or renewed must contain all of the following:
            (A) A listing of the categories or types of covered information to be provided to the operator.
            (B) A statement of the product or service being provided to the school by the operator.
            (C) A statement that, pursuant to the federal Family Educational Rights and Privacy Act of 1974, the operator is acting as a school official with a legitimate educational interest, is performing an institutional service or function for which the school would otherwise use employees, under the direct control of the school, with respect to the use and maintenance of covered information, and is using the covered information only for an authorized purpose and may not re-disclose it to third parties or affiliates, unless otherwise permitted under this Act, without permission from the school or pursuant to court order.
            (D) A description of how, if a breach is attributed to the operator, any costs and expenses incurred by the school in investigating and remediating the breach will be allocated between the operator and the school. The costs and expenses may include, but are not limited to:
                (i) providing notification to the parents of those students whose covered information was compromised and to regulatory agencies or other entities as required by law or contract;
                (ii) providing credit monitoring to those students whose covered information was exposed in a manner during the breach that a reasonable person would believe that it could impact his or her credit or financial security;
                (iii) legal fees, audit costs, fines, and any other fees or damages imposed against the school as a result of the security breach; and
                (iv) providing any other notifications or fulfilling any other requirements adopted by the State Board or of any other State or federal laws.
            (E) A statement that the operator must delete or transfer to the school all covered information if the information is no longer needed for the purposes of the written agreement and to specify the time period in which the information must be deleted or transferred once the operator is made aware that the information is no longer needed for the purposes of the written agreement.
            (F) If the school maintains a website, a statement that the school must publish the written agreement on the school's website. If the school does not maintain a website, a statement that the school must make the written agreement available for inspection by the general public at its administrative office. If mutually agreed upon by the school and the operator, provisions of the written agreement, other than those under subparagraphs (A), (B), and (C), may be redacted in the copy of the written agreement published on the school's website or made available at its administrative office.
        (5) In case of any breach, within the most expedient time possible and without unreasonable delay, but no later than 30 calendar days after the determination that a breach has occurred, notify the school of any breach of the students' covered information.
        (6) Except for a nonpublic school, provide to the school a list of any third parties or affiliates to whom the operator is currently disclosing covered information or has disclosed covered information. This list must, at a minimum, be updated and provided to the school by the beginning of each State fiscal year and at the beginning of each calendar year.
(Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)