Senate File 2200 - Introduced

SENATE FILE 2200
BY GREEN

A BILL FOR

An Act relating to school email security by requiring school districts, charter schools, and area education agencies to implement certain email security standards.

BE IT ENACTED BY THE GENERAL ASSEMBLY OF THE STATE OF IOWA:

TLSB 6720XS (2) 91
mb/jh

Section 1. Section 256E.7, subsection 2, Code 2026, is amended by adding the following new paragraph:

NEW PARAGRAPH. 0n. Be subject to and comply with the requirements of section 279.89 relating to student email security standards in the same manner as a school district.

Sec. 2. Section 256F.4, subsection 2, Code 2026, is amended by adding the following new paragraph:

NEW PARAGRAPH. v. Be subject to and comply with the requirements of section 279.89 relating to student email security standards in the same manner as a school district.

Sec. 3. Section 273.3, Code 2026, is amended by adding the following new subsection:

NEW SUBSECTION. 27. Be subject to and comply with the requirements of section 279.89 relating to student email security standards.

Sec. 4. NEW SECTION. 279.89 Student email security standards.

1. As used in this section, unless the context requires otherwise:

a. “Advanced threat detection” means the use of machine learning, behavioral analysis, and sandboxing to prevent delivery of malicious attachments, embedded links, and zero-day threats.
b. “Data loss prevention” means the automatic inspection of email content and attachments to prevent unauthorized transmission of personally identifiable information, protected health information, student education records, or confidential internal communications.
c. “Email security solution” means any cloud-based, on-premises, or hybrid system that provides protective filtering, threat detection, policy enforcement, logging, and user-level controls for inbound and outbound email traffic.
d. “Encryption enforcement” means the capability to automatically apply encryption policies to outbound messages containing sensitive data.
e. “Impersonation protection” means the ability to detect and block spoofed senders, lookalike domains, and unauthorized attempts to pose as internal users or third-party vendors.

2. By January 1, 2027, the board of directors of each school district shall implement an email security solution that meets all of the following requirements:

a. Inbound and outbound filtering of email traffic for spam, malware, phishing, ransomware, and advanced persistent threats.
b. Artificial intelligence-driven threat detection, including behavioral analysis, sandbox execution, and real-time analysis of embedded uniform resource locators and attachments.
c. Full-spectrum impersonation protection, including domain and display name spoofing defense, user impersonation alerts, and forged sender blocking.
d. Data loss prevention policies capable of scanning subject lines, body content, and attachments for personally identifiable information, protected health information, and student records, and triggering block, quarantine, or encryption workflows as appropriate.
e. Policy-based encryption of outbound email traffic containing protected or confidential content.
f. Quarantine and end-user self-service portals, enabling safe engagement and reducing administrative burden.
g. Directory service integration to enable role-based policy application and user-level visibility.
h. Comprehensive logging, alerting, and forensic analysis, including the ability to correlate threats across users and time, and generate detailed reporting for compliance purposes.
i. Support for integration with productivity platforms without dependence on their native filtering features.

3. A school district shall be considered noncompliant if the email security platform or vendor used by the district or agency does not meet the requirements of this section in full.

Sec. 5. STATE MANDATE FUNDING SPECIFIED. In accordance with section 25B.2, subsection 3, the state cost of requiring compliance with any state mandate included in this Act shall be paid by a school district from state school foundation aid received by the school district under section 257.16 and by an area education agency from state school foundation aid received by the area education agency under section 257.35. This specification of the payment of the state cost shall be deemed to meet all of the state funding-related requirements of section 25B.2, subsection 3, and no additional state funding shall be necessary for the full implementation of this Act by and enforcement of this Act against all affected school districts and area education agencies.

EXPLANATION

The inclusion of this explanation does not constitute agreement with the explanation’s substance by the members of the general assembly.

This bill relates to student email security, including requiring school districts, charter schools, and area education agencies to implement certain email security standards.

The bill requires school districts, charter schools, and area education agencies to implement student email security solutions by January 1, 2027. The solutions must include inbound and outbound email filtering for spam, malware, phishing, ransomware, and advanced threats; artificial intelligence-driven threat detection; full-spectrum impersonation protection; data loss prevention scanning for personally identifiable information, protected health information, and student records; policy-based encryption of sensitive outbound emails; quarantine and end-user self-service portals; directory service integration; comprehensive logging and reporting; and support for integration with productivity platforms. A school district, charter school, or area education agency is noncompliant if its email security solution does not meet the requirements of the bill.

The bill may include a state mandate as defined in Code section 25B.3.
The bill requires that the state cost of any state mandate included in the bill be paid by a school district from state school foundation aid received by the school district under Code section 257.16 and by an area education agency from state school foundation aid received by the area education agency under Code section 257.35. The specification is deemed to constitute state compliance with any state mandate funding-related requirements of Code section 25B.2. The inclusion of this specification is intended to reinstate the requirement of school districts and area education agencies to comply with any state mandates included in the bill.