Oliver Page

Case study

November 13, 2025

All About HB 103: Cybersecurity Reporting Requirements for North Carolina Schools

Understanding North Carolina's School Cybersecurity Mandate

HB 103's cybersecurity reporting requirements for North Carolina schools might sound like a straightforward topic, but many K-12 IT leaders are finding them more nuanced than expected. Here's what you need to know right away:

Quick Answer: What is HB 103?

Here's the challenge: While HB 103 allocates significant funding for school safety and explicitly mentions cybersecurity preparedness, the bill itself doesn't spell out detailed cybersecurity reporting requirements in the way its title might suggest. Instead, it creates a framework through the Center for Safer Schools to collect data on safety systems broadly.

North Carolina schools are facing mounting cyber threats. The 2022 Appropriations Act represents the state's legislative response to growing concerns about school safety—including digital safety. The bill directs substantial resources toward protecting students and staff, while establishing mechanisms for statewide data collection and analysis.

For K-12 IT Directors, this means understanding both what HB 103 does require (reporting school safety data to the Center for Safer Schools) and what it enables (access to grant funding and a stronger statewide focus on cybersecurity preparedness). The bill works alongside other North Carolina legislation like the Student Data Privacy Act to create a more comprehensive protection framework.

The reality? Even without explicit line-by-line cybersecurity reporting mandates, schools that experience data breaches, ransomware attacks, or phishing incidents should assume these fall under the safety systems and policies that the Center for Safer Schools is mandated to track. Proactive compliance means better protection for your students and staff.

Infographic showing HB 103 key components: $27.9B total budget flowing to $16.5B K-12 education, then splitting into $32M school safety grants, $5M cybersecurity funding for HBCUs, and Center for Safer Schools data collection mandate, with final arrow pointing to General Assembly reporting and recommendations.

What is North Carolina's HB 103? A Legislative Overview

To understand HB 103's cybersecurity reporting requirements for North Carolina schools, you must see the bigger picture. HB 103 is not just a cybersecurity bill; it's the state's comprehensive 2022 Appropriations Act, a massive budget bill that prioritized K-12 education.

Signed by Governor Cooper in July 2022, the total state budget reached $27.9 billion for the 2022-23 fiscal year. A staggering $16.5 billion of that went to K-12 education—59% of the entire state budget, making it the top priority. This funding included crucial allocations for school safety, both physical and digital. The message was clear: protecting students means protecting them from all threats, whether they walk through the door or come through an internet connection.

Key Funding Provisions for School Safety and Cybersecurity

With a strong financial position, including a projected $4.75 billion Rainy Day Fund, the state could invest seriously in long-term priorities.

School safety received a major boost. HB 103 added $32 million for School Safety Grants, bringing the total to $41.7 million. The state also invested at least $41 million more into School Resource Officers (SROs), with an additional $15 million for the SRO Grant program in elementary and middle schools. Low-wealth counties received an increased state match, ensuring protection isn't dependent on a zip code's tax base.

For those focused on digital threats, HB 103 allocated $5 million specifically for cybersecurity and bomb threat preparedness at North Carolina's six Historically Black Colleges and Universities. While not directly targeting K-12, this signaled that legislators were recognizing that modern threats aren't just physical.

The cybersecurity landscape in education is constantly evolving. You can learn more in K-12 Cybersecurity: Protecting Schools from Evolving Threats. North Carolina schools can often layer these state funds with federal resources like the BJA STOP School Violence Program to build stronger defenses.

The Role of the Center for Safer Schools

HB 103 gave the Center for Safer Schools a crucial mandate: gather data on school safety systems, policies, and procedures across the state, then report findings and recommendations to the General Assembly.

The Center acts as North Carolina's central intelligence hub for school safety, creating a bird's-eye view of what's happening in schools. This centralized data collection allows legislators to make informed decisions based on real needs, not guesswork.

The reporting framework is intentionally broad. While it doesn't mandate reporting every phishing email, it requires schools to share information about their safety systems. In 2024, school safety systems absolutely include cybersecurity. A ransomware attack is as much a safety incident as a broken door lock. This centralized oversight creates accountability and helps identify patterns, allowing the state to respond with targeted resources. The data collected will shape future funding, inform best practices, and ultimately help protect students and staff across North Carolina.

All About HB 103: Cybersecurity Reporting Requirements for North Carolina Schools

HB 103's cybersecurity reporting for North Carolina schools isn't about a prescriptive checklist of cyber incidents to report to a state hotline. Instead, HB 103 creates a more powerful framework for proactive compliance and data-driven security improvements.

The Center for Safer Schools is tasked with gathering data on "school safety systems, policies, and procedures." This broad mandate encompasses cybersecurity, as digital threats are inseparable from overall school safety. Just as schools report on fire drills, cyber incidents that compromise safety systems fall under this umbrella. The process flows from schools to the Center for Safer Schools, which analyzes patterns and makes recommendations to the General Assembly. This feedback loop allows real-world data to shape future policy.

Flowchart of cybersecurity incident reporting process.

The principle is that schools need robust internal processes for identifying, responding to, and learning from cybersecurity incidents. Even without filing weekly reports, you should document these events internally to provide data when the Center for Safer Schools calls.

What Cybersecurity Incidents Must Be Reported?

HB 103 doesn't provide a specific list of reportable cyber incidents. However, the Center's mandate implies that any cybersecurity event impacting school safety, policies, or procedures is relevant. Schools should be prepared to report on incidents that compromise operations or student safety.

Data breaches are at the top of this list. Any unauthorized access to sensitive student or staff information, such as Social Security numbers, grades, or medical records, must be documented. These breaches can have serious legal and financial consequences.

Ransomware attacks are a nightmare scenario for school districts. When malicious software locks up your network and demands payment, it directly impacts your safety systems. These attacks can shut down everything from attendance tracking to lunch programs.

Phishing campaigns that succeed in stealing credentials or installing malware should also be tracked. A single blocked phishing email isn't reportable, but a coordinated attack that compromises accounts is a different story. A solid Incident Response Planning in K12 strategy helps you identify when an incident crosses the line from nuisance to genuine threat.

Unauthorized access to school networks or applications is a clear security failure. Whether it's a student hacking the grade system or an external actor probing defenses, these incidents reveal vulnerabilities. Similarly, widespread malware infections that compromise multiple devices can cripple operations.

The key question is: Did this incident affect our ability to keep students safe, maintain operations, or protect sensitive data? If yes, you should track it internally. This documentation is invaluable for understanding patterns and demonstrating due diligence.

Reporting Timelines and Compliance Implications

HB 103 became effective in July 2022 for the 2022-2023 fiscal year. While there are no hard deadlines for individual schools to report specific incidents under HB 103 itself, being unprepared has consequences. The Center for Safer Schools will gather data on its own timeline, and schools that can't provide comprehensive information will be at a disadvantage.

Poorly handled breaches lead to serious reputational risk. When parents' trust is broken by a preventable cyber incident, the damage can last for years.

There's also the matter of grant eligibility. The $32 million in School Safety Grants are more accessible to schools that can demonstrate robust cybersecurity policies. Unprepared schools may face increased scrutiny when applying for state or federal grants.

Most importantly, this is about student safety. Every successful cyberattack potentially exposes children to identity theft or privacy violations. Proactive reporting and tracking are about protecting the kids in your care.

Conducting regular Cybersecurity Audits: Strengthening K-12 Schools Against Cyber Threats helps identify vulnerabilities before attackers do. Think of it as a fire drill for your digital infrastructure. The bottom line is that HB 103 is about building a culture of proactive defense. By documenting incidents and continuously improving, you'll be ready for data requests and, more importantly, you'll be protecting your students and staff.

How HB 103 Strengthens K-12 Cybersecurity and Data Privacy

The value of HB 103 lies not just in its mandates, but in what it makes possible. The legislation creates a framework for understanding and responding to cybersecurity threats across the state's schools. By empowering the Center for Safer Schools to collect and analyze data, the state is building a comprehensive picture of where schools are vulnerable.

With centralized threat analysis, North Carolina can identify patterns—such as regional ransomware spikes or effective phishing campaigns. This intelligence allows the state to develop targeted responses, allocate resources effectively, and share best practices across districts. The funding provisions, including $32 million for School Safety Grants and $5 million for HBCU cybersecurity, show the state is putting real money behind protecting students and staff. Combining funding with data-driven decisions creates a foundation for an improved statewide security posture.

HB 103 fosters a proactive security culture where cybersecurity is part of the conversation at every level. When everyone understands that cybersecurity is a fundamental component of school safety, just like fire drills, we are all better protected.

Aligning with the NC Student Data Privacy Act and Other Regulations

HB 103 doesn't exist in a vacuum. It fits into North Carolina's comprehensive framework to protect student data, which includes other key legislation.

The NC Student Data Privacy Act, detailed in our NC Student Data Privacy Act Guide, sets strict rules on who can access student data and how it must be protected. The NC Identity Theft Protection Act, which we cover in What to know about the NC Identity Theft Protection Act for K12, requires schools to notify individuals when their personal information is breached.

HB 103 complements these laws by creating the infrastructure to understand how well these protections are working statewide. The Center for Safer Schools' data collection naturally includes the mechanisms schools use to comply with these other acts. Schools can also tap into federal resources like Federal Formula Grants to supplement state funding. This multi-layered approach creates a "defense in depth," forming a comprehensive shield for student data and school operations.

The Importance of Proactive Cybersecurity Training for All About HB 103: Cybersecurity Reporting Requirements for North Carolina Schools

Technology and policies alone are not enough. If a staff member clicks on a malicious link, it can all come crashing down. Your people are the most critical "system" in your cybersecurity defense.

Prevention is far smarter than reacting to a breach after the damage is done. It starts with recognizing that your staff is your first line of defense. If they can spot a phishing email or a suspicious request, they can stop an attack in its tracks. Cybercriminals know school staff are busy and exploit that vulnerability. Phishing awareness is therefore essential.

Ransomware attacks on schools have skyrocketed, and the most common entry point is a staff member falling for a phishing attempt. The good news is that staff training works. As we explore in Cybersecurity Training: Urgent for Educational Safety, regular, engaging training transforms your staff from potential vulnerabilities into your strongest defense.

Effective training uses gamification, real-world scenarios, and bite-sized lessons that fit into busy schedules. For schools navigating HB 103, investing in staff training is about building a culture where everyone understands their role in protecting student data. This means fewer incidents to report, better data to share with the Center for Safer Schools, and safer learning environments.

Want to know where your school stands right now? Consider getting a complimentary phishing audit to understand your specific vulnerabilities. That knowledge is the first step toward building a truly resilient cybersecurity culture.

Frequently Asked Questions about HB 103

We know navigating new legislation can be overwhelming. Here are answers to common questions about HB 103 and cybersecurity reporting requirements for North Carolina schools.

Who is responsible for managing cybersecurity reports under HB 103?

HB 103 does not require schools to file individual incident reports with a state agency. Instead, the Center for Safer Schools is tasked with gathering data on school safety systems and policies, which includes cybersecurity. The Center analyzes this data and reports its findings and recommendations to the North Carolina General Assembly to inform future policy and funding.

Individual schools are responsible for their own internal incident response and documentation. The Center then aggregates data from schools for its statewide analysis.

Does HB 103 provide funding for schools to improve cybersecurity?

Yes. The 2022 Appropriations Act (HB 103) allocated $32 million for School Safety Grants, bringing the total available to $41.7 million. These grants can be used for security improvements, including cybersecurity infrastructure.

The bill also included a specific $5 million fund for cybersecurity and bomb threat preparedness at North Carolina's six Historically Black Colleges and Universities (HBCUs). While targeted at higher education, this signals the state's growing recognition of cybersecurity as a necessary investment.

K-12 schools can use the broader School Safety Grants to strengthen their digital defenses, such as firewalls, software, or staff training programs. To understand where to best focus resources, we encourage schools to start with a complimentary phishing audit to identify specific vulnerabilities.

When did the HB 103 requirements take effect?

Governor Cooper signed HB 103 into law in July 2022, and its provisions became effective for the 2022-2023 fiscal year. All provisions, including data collection mandates and funding allocations, kicked in at that time. If your school is still working to align its practices, the important thing is to start now to build robust safety and cybersecurity procedures.

Conclusion: Preparing Your School for North Carolina's New Cybersecurity Landscape

So, where does all this leave us? HB 103 isn't about a rigid checklist of reports you must file every time something goes wrong. Instead, it's foundational legislation that signals a turning point in how North Carolina approaches school safety in the digital age.

The 2022 Appropriations Act (HB 103) represents a clear commitment. Through substantial funding allocations and the establishment of the Center for Safer Schools as a central data collection hub, the state is building a framework for better-informed policy decisions. This isn't just bureaucracy for bureaucracy's sake. It's about creating a statewide picture of the threats our schools face, so we can collectively build stronger defenses.

Here's the practical takeaway: your school needs robust cybersecurity systems and procedures in place, not just to potentially satisfy future data requests, but to protect your students, staff, and operations today. The expectation is clear, even if the exact reporting mechanisms are still taking shape. Proactive defense isn't something you can put off until there's a crisis at your doorstep.

We've seen time and again that the strongest cybersecurity defense starts with people, not just technology. Your staff members are on the front lines every day, facing phishing emails, suspicious links, and evolving threats. When they're trained and aware, they become your school's best protection. When they're not, they're the easiest entry point for cybercriminals.

At CyberNut, we understand the unique challenges facing North Carolina K-12 schools. We specialize in providing custom cybersecurity training that doesn't feel like another burden on your already stretched resources. Our automated, gamified micro-trainings focus on the threats that matter most, like phishing, in a way that's actually engaging for your staff. We designed our approach specifically for educational institutions because we know you need solutions that work in the real world, not just in theory.

Want to know where your school stands right now? Start with a complimentary phishing audit. It's a straightforward way to identify your specific vulnerabilities and understand where your team needs the most support. There's no obligation, just honest insight into your current security posture.

Building a resilient cybersecurity culture takes time, but you don't have to figure it all out alone. Explore more expert insights and practical resources on our resources page to help guide your school through North Carolina's evolving cybersecurity landscape. Together, we can create safer schools where students can learn and grow without the shadow of cyber threats hanging overhead. Let's make it happen, one well-trained staff member at a time.
