(105 ILCS 85/15)
    Sec. 15. Operator duties. An operator shall do the following:
        (1) Implement and maintain reasonable security procedures and practices that otherwise meet or exceed industry standards designed to protect covered information from unauthorized access, destruction, use, modification, or disclosure.
        (2) Delete, within a reasonable time period, a student's covered information if the school or school district requests deletion of covered information under the control of the school or school district, unless a student or his or her parent consents to the maintenance of the covered information.
        (3) Publicly disclose material information about its collection, use, and disclosure of covered information, including, but not limited to, publishing a terms of service agreement, privacy policy, or similar document.
        (4) Except for a nonpublic school, for any operator who seeks to receive from a school, school district, or the State Board in any manner any covered information, enter into a written agreement with the school, school district, or State Board before the covered information may be transferred. The written agreement may be created in electronic form and signed with an electronic or digital signature or may be a click wrap agreement that is used with software licenses, downloaded or online applications and transactions for educational technologies, or other technologies in which a user must agree to terms and conditions before using the product or service. Any written agreement entered into, amended, or renewed must contain all of the following:
            (A) A listing of the categories or types of covered information to be provided to the operator.
            (B) A statement of the product or service being provided to the school by the operator.
            (C) A statement that, pursuant to the federal Family Educational Rights and Privacy Act of 1974, the operator is acting as a school official with a legitimate educational interest, is performing an institutional service or function for which the school would otherwise use employees, under the direct control of the school, with respect to the use and maintenance of covered information, and is using the covered information only for an authorized purpose and may not re-disclose it to third parties or affiliates, unless otherwise permitted under this Act, without permission from the school or pursuant to court order.
            (D) A description of how, if a breach is attributed to the operator, any costs and expenses incurred by the school in investigating and remediating the breach will be allocated between the operator and the school. The costs and expenses may include, but are not limited to:
                (i) providing notification to the parents of those students whose covered information was compromised and to regulatory agencies or other entities as required by law or contract;
                (ii) providing credit monitoring to those students whose covered information was exposed in a manner during the breach that a reasonable person would believe that it could impact his or her credit or financial security;
                (iii) legal fees, audit costs, fines, and any other fees or damages imposed against the school as a result of the security breach; and
                (iv) providing any other notifications or fulfilling any other requirements adopted by the State Board or of any other State or federal laws.
            (E) A statement that the operator must delete or transfer to the school all covered information if the information is no longer needed for the purposes of the written agreement and to specify the time period in which the information must be deleted or transferred once the operator is made aware that the information is no longer needed for the purposes of the written agreement.
            (F) If the school maintains a website, a statement that the school must publish the written agreement on the school's website. If the school does not maintain a website, a statement that the school must make the written agreement available for inspection by the general public at its administrative office. If mutually agreed upon by the school and the operator, provisions of the written agreement, other than those under subparagraphs (A), (B), and (C), may be redacted in the copy of the written agreement published on the school's website or made available at its administrative office.
        (5) In case of any breach, within the most expedient time possible and without unreasonable delay, but no later than 30 calendar days after the determination that a breach has occurred, notify the school of any breach of the students' covered information.
        (6) Except for a nonpublic school, provide to the school a list of any third parties or affiliates to whom the operator is currently disclosing covered information or has disclosed covered information. This list must, at a minimum, be updated and provided to the school by the beginning of each State fiscal year and at the beginning of each calendar year.
(Source: P.A. 100-315, eff. 8-24-17; 101-516, eff. 7-1-21.)