(a)(1) Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of student information, excluding any directory information contained in such student information, a contractor shall notify, without unreasonable delay, but not more than thirty days after such discovery, the local or regional board of education of such breach of security. During such thirty-day period, the contractor may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose student information is involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the contractor’s data system.

(2) Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of directory information, student records or student-generated content, a contractor shall notify, without unreasonable delay, but not more than sixty days after such discovery, the local or regional board of education of such breach of security. During such sixty-day period, the contractor may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose directory information, student records or student-generated content is involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the contractor’s data system.

(3) Upon receipt of notice of a breach of security under subdivision (1) or (2) of this subsection, a local or regional board of education shall electronically notify, not later than two business days after receipt of such notice, the student and the parents or guardians of the student whose student information, student records or student-generated content is involved in such breach of security. The local or regional board of education shall post such notice on the board’s Internet web site.

(b) Upon the discovery of a breach of security that results in the unauthorized release, disclosure or acquisition of student information, student records or student-generated content, an operator that is in possession of or maintains student information, student records or student-generated content as a result of a student’s use of such operator’s Internet web site, online service or mobile application, shall (1) notify, without unreasonable delay, but not more than thirty days after such discovery, the student or the parents or guardians of such student of any breach of security that results in the unauthorized release, disclosure or acquisition of student information, excluding any directory information contained in such student information, of such student, and (2) notify, without unreasonable delay, but not more than sixty days after such discovery, the student or the parents or guardians of such student of any breach of security that results in the unauthorized release, disclosure or acquisition of directory information, student records or student-generated content of such student. During such thirty-day or sixty-day period, the operator may (A) conduct an investigation to determine the nature and scope of such unauthorized release, disclosure or acquisition, and the identity of the students whose student information, student records or student-generated content are involved in such unauthorized release, disclosure or acquisition, or (B) restore the reasonable integrity of the operator’s data system.