A massive data breach hit one of the country’s largest education software providers. According to EducationWeek, PowerSchool provides school software products to more than 16,000 customers, largely K-12 schools, that serve 50 million students in the United States. According to reports, PowerSchool informed customers that, on December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized access to certain information through one of its community-focused customer support portals, PowerSource. The unauthorized access affected PowerSchool’s Student Information System (“SIS”).

According to one of its communications to customers, PowerSchool stated:

While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.

Needless to say, PowerSchool customers likely have many questions and concerns about next steps. The questions and answers below are intended to help school communities and other affected entities plan those next steps.

Is this just a PowerSchool problem?

There certainly are steps PowerSchool should be taking. As a service provider that processes the personal information of its customers, conducting a prompt investigation and informing data owners of critical information relating to the breach top the list. Additionally, each customer’s service agreement with PowerSchool may include broader obligations for the vendor. Providing ongoing support and mitigating potential harm also can reasonably be expected. But, schools and other PowerSchool customers may have obligations of their own.  

What should potentially affected PowerSchool customers be doing?

There are several items to consider:

Look at your incident response plan. If you have an incident response plan, it may provide steps to help keep your team organized and focused. If you do not have one, consider developing one in the future.

Gather information. As noted above, PowerSchool has already put out information concerning the breach, and more is likely to come. But there may be other helpful information for you online from trusted sources. For example, a BleepingComputer article provides information on (i) determining whether your school district was affected, and (ii) a link to a “detailed guide written by Romy Backus, SIS Specialist at the American School of Dubai, [that] explains how to check the PowerSchool SIS logs to determine if data was stolen.”

Be ready to communicate with your school community. Teachers, parents, students, former students, and others will have a lot of questions about the incident. According to a report by Infosecurity Magazine,

A message to parents by the Howard-Suamico School District in Wisconsin, US, seen by news outlet NBC 26, read: “PowerSchool confirmed that this was not a ransomware attack but it did pay a ransom to prevent the data from being released.”

If a ransom was paid to a threat actor, there is no way to confirm that the data has not or will not be released or used for an impermissible purpose. For this and other reasons, it will be critical to have a plan for delivering prompt, consistent, and accurate messaging about the breach as soon as possible. Having a limited number of persons responsible for responding to questions can help to avoid misinformation and maintain consistent messaging.

As the investigation proceeds, PowerSchool likely will be providing more information about notifications, ID theft and credit monitoring services, and other information concerning the continued response to the incident. Affected schools and other PowerSchool customers will need to be ready to receive that information and decide how best to convey that information to their community. In the event decisions need to be made by a school’s Board, start thinking ahead to taking all the necessary steps to arrange for those meetings so decisions can be made appropriately, thoughtfully, and timely. Feel free to contact our incident response attorneys as we have helped many schools and school districts navigate challenging communications in similar incidents.

Get a handle on your legal and contractual rights and obligations. State breach notification laws generally place the obligation to notify affected persons and others on the owner of the personal information compromised in the breach, not on the service provider that suffered the breach. In many cases, however, a vendor causing a data breach may take on the obligation to provide such notifications, but the owner of the data will still be on the hook if that process is not performed in a compliant manner.

Of course, state notification laws vary state to state. Examples of these variations include the definition of personal information, exceptions to the notification requirement, timeframes for notification, and requirements for ID theft and credit monitoring services. Reports noted above indicate that PowerSchool may be supporting the notification process. However, because the breach is affecting customers differently (e.g., different personal information affected, different state laws), PowerSchool may rely on instructions from customers about whether and how to comply with certain aspects of the notification requirements.

Note also that some states may have issued specific regulatory requirements for school districts and their vendors. For example, in New York, regulations issued by the New York State Department of Education and adopted by its Board of Regents in 2020 require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals. Among other things, the NY regulations require vendors that suffer a breach to notify the affected schools within seven (7) calendar days. The schools must in turn notify SED within ten (10) calendar days of receipt of notification of a breach from the vendor; and the schools must notify the affected individuals of the breach without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.

Just as the law varies, the services agreement a school negotiated with PowerSchool may vary from PowerSchool’s standard form. Affected PowerSchool customers should be reviewing those agreements to assess their rights and obligations in areas such as information security, data breach response, and indemnity.

Evaluate insurance protections. Some organizations may have purchased “cyber” or “breach response” insurance which could cover some of the costs related to responding to the breach or defending litigation that may follow. Those organizations should review their policy(ies) with their brokers to understand the potential coverage and what steps, if any, they need to take to confirm coverage.

What can individuals potentially affected by the PowerSchool breach do now?

It may take some time before notifications are sent to individuals affected by the breach. However, there are some resources that individuals could examine to consider their options now. Databreaches.net pulled together some helpful resources for potentially affected individuals, such as teachers, parents, and former students. Access that here.

When the dust clears from the PowerSchool incident, what should schools do going forward?

This is not the first vendor incident that has affected schools and it will not be the last. There are many steps schools and any organizations should consider taking following a vendor’s breach affecting the organization’s data. However, for the moment, affected schools and customers should focus on the incident at hand. When the time comes, they should consult with experienced legal counsel and information security experts to be sure they have adopted reasonable safeguards at a minimum to protect their data, and that they have assessed whether their vendors are doing the same.

* * *

For organizations large and small, incidents like this can be a significant disruption. To minimize that disruption, organizations may want and need to communicate with their applicable communities, and should do so confidently, but carefully. More information can be very helpful, but too much information and information that is repetitive can be confusing and frustrating. Organizations should involve key persons internally and possibly seek outside expertise and counsel to reach an appropriate balance in their response strategy and communications.

Joseph J. Lazzarotti

Joseph J. Lazzarotti is a principal in the Berkeley Heights, New Jersey, office of Jackson Lewis P.C. He founded and currently co-leads the firm’s Privacy, Data and Cybersecurity practice group, edits the firm’s Privacy Blog, and is a Certified Information Privacy Professional (CIPP) with the International Association of Privacy Professionals. Trained as an employee benefits lawyer, focused on compliance, Joe also is a member of the firm’s Employee Benefits practice group.

In short, his practice focuses on the matrix of laws governing the privacy, security, and management of data, as well as the impact and regulation of social media. He also counsels companies on compliance, fiduciary, taxation, and administrative matters with respect to employee benefit plans.

Privacy and cybersecurity experience – Joe counsels multinational, national and regional companies in all industries on the broad array of laws, regulations, best practices, and preventive safeguards. The following are examples of areas of focus in his practice:

  • Advising health care providers, business associates, and group health plan sponsors concerning HIPAA/HITECH compliance, including risk assessments, policies and procedures, incident response plan development, vendor assessment and management programs, and training.
  • Coaching hundreds of companies through the investigation, remediation, notification, and overall response to data breaches of all kinds – PHI, PII, payment card, etc.
  • Helping organizations address questions about the application, implementation, and overall compliance with the European Union’s General Data Protection Regulation (GDPR) and, in particular, its implications in the U.S., together with preparing for the California Consumer Privacy Act.
  • Working with organizations to develop and implement video, audio, and data-driven monitoring and surveillance programs. For instance, in the transportation and related industries, Joe has worked with numerous clients on fleet management programs involving the use of telematics, dash-cams, event data recorders (EDR), and related technologies. He also has advised many clients in the use of biometrics, including with regard to consent, data security, and retention issues under BIPA and other laws.
  • Assisting clients with growing state data security mandates to safeguard personal information, including steering clients through detailed risk assessments and converting those assessments into practical “best practice” risk management solutions, including written information security programs (WISPs). Related work includes compliance advice concerning the FTC Act, Regulation S-P, GLBA, and New York Reg. 500.
  • Advising clients about best practices for electronic communications, including in social media, as well as when communicating under a “bring your own device” (BYOD) or “company owned personally enabled device” (COPE) environment.
  • Conducting various levels of privacy and data security training for executives and employees.
  • Supporting organizations through mergers, acquisitions, and reorganizations with regard to the handling of employee and customer data, and the safeguarding of that data during the transaction.
  • Representing organizations in matters involving inquiries into privacy and data security compliance before federal and state agencies, including the HHS Office for Civil Rights, the Federal Trade Commission, and various state Attorneys General.

Benefits counseling experience – Joe’s work in the benefits counseling area covers many areas of employee benefits law. Below are some examples of that work:

  • As part of the Firm’s Health Care Reform Team, advising employers and plan sponsors regarding the establishment, administration and operation of fully insured and self-funded health and welfare plans to comply with ERISA, IRC, ACA/PPACA, HIPAA, COBRA, ADA, GINA, and other related laws.
  • Guiding clients through the selection of plan service providers, along with negotiating service agreements with vendors to address plan compliance and operations, while leveraging data security experience to ensure plan data is safeguarded.
  • Counseling plan sponsors on day-to-day compliance and administrative issues affecting plans.
  • Assisting in the design and drafting of benefit plan documents, including severance and fringe benefit plans.
  • Advising plan sponsors concerning employee benefit plan operation, administration and correcting errors in operation.

Joe speaks and writes regularly on current employee benefits and data privacy and cybersecurity topics, and his work has been published in leading business and legal journals and media outlets, such as The Washington Post, Inside Counsel, Bloomberg, The National Law Journal, Financial Times, Business Insurance, HR Magazine and NPR, as well as the ABA Journal, The American Lawyer, Law360, Bender’s Labor and Employment Bulletin, the Australian Privacy Law Bulletin and the Privacy and Data Security Law Journal.

Joe served as a judicial law clerk for the Honorable Laura Denvir Stith on the Missouri Court of Appeals.