Creating a new standard: The aftermath of the PowerSchool data breach

K-12 leaders are building better safeguards and holding vendors accountable in the wake of the most significant edtech cybersecurity incident ever.



In the months following the PowerSchool data breach that I wrote about earlier this year, school districts across the country haven't just been dealing with damage control – they've been taking unprecedented action to hold vendors accountable and fundamentally rethink how student data is protected. As the dust begins to settle on what has been called one of the most significant cybersecurity incidents in K-12 education history, a two-pronged response has emerged: legal action to establish accountability, and systemic reforms to prevent similar breaches in the future.

Legal Battlegrounds: Districts Take Unprecedented Action

The scale of the legal response has been remarkable. What began as a handful of lawsuits has swelled into what some are calling a "national campaign" against PowerSchool, with both families and school districts themselves taking the company to court.

School districts, traditionally hesitant to pursue litigation against their vendors, have broken new ground with their response. The St. Croix Falls School District in Wisconsin was among the first to file a federal lawsuit against PowerSchool, claiming breach of contract, unjust enrichment, and false advertising. Their complaint centered on what they called a "cornerstone" of their agreement with PowerSchool – the promise to protect student data, which they allege was broken by the company's failure to implement basic security measures like multi-factor authentication.

This district-led lawsuit has apparently sparked a movement. According to attorneys involved in the case, hundreds of districts have expressed interest in joining similar legal efforts, with plans to "file thousands" of complaints nationwide. The goal, as articulated by these attorneys, is not just compensation for public funds spent on inadequate services, but establishing stronger protections for the future.

In parallel, families affected by the breach have filed dozens of class-action lawsuits. These cases generally allege negligence in safeguarding the personal information of millions of students and teachers. The legal theory underlying many of these cases is that PowerSchool failed in its duty to implement reasonable security measures, particularly given the sensitivity of the data involved.

State officials have also begun to weigh in. North Carolina's Attorney General launched an investigation into the breach, noting that up to 4 million North Carolinians' data could be affected. School boards in several states have publicly urged their attorneys general to consider legal action against PowerSchool, emphasizing the "paramount importance" of protecting student and staff data.

Beyond Litigation: Systemic Changes in Data Protection

While the courts will ultimately determine liability, school systems aren't waiting for legal outcomes to make substantive changes to how they manage student data.

According to guidance from Jackson Lewis P.C., "Just as the law varies, so do contracts between vendors and schools vary in terms of requirements relating to data security, notifications of data breach, data breach response, and indemnity." The firm recommends that schools review their contracts with PowerSchool to determine what specific obligations the vendor had regarding security protocols, notification timelines, and remediation responsibilities.

This contract review process is particularly important because notification requirements vary significantly by state. For example, many state laws and contracts with schools require breach notification within specific timeframes - sometimes as tight as 7 days. Schools are being advised to check whether PowerSchool met these contractual obligations, as this will inform potential remedies available to them.

Beyond contract scrutiny, the breach has catalyzed a fundamental shift in how schools approach data governance. Many districts are implementing stronger data minimization policies, questioning whether they should be collecting or storing sensitive personal information that isn't absolutely necessary. Privacy experts emphasize that if organizations practiced better data minimization, breaches would be far less harmful. This principle is now driving districts to reevaluate what student data they upload to any cloud system.

Creating a New Standard for EdTech Security

The PowerSchool breach seems to have created a watershed moment for how schools approach data security. The incident has made cybersecurity much more than an IT department concern – it's now a fundamental requirement that involves superintendents, school boards, and even parents.

Industry watchdogs have responded as well. The Future of Privacy Forum removed PowerSchool as a signatory to its Student Privacy Pledge in February – a rare rebuke that signals to schools that a trusted safeguard was breached. This industry censure adds weight to legal efforts, as districts can point to an objective standard that PowerSchool failed to meet.

In response to mounting pressure, PowerSchool has implemented tighter security measures, including adding multi-factor authentication for employee and contractor access to customer data. The company has publicly committed to setting a "higher standard in cybersecurity for the entire industry."

Building a More Secure Future

The enduring lesson from this incident appears to be that paper agreements on data security are only as good as their enforcement. Schools are now actively enforcing these agreements and demanding better. The conversations in board meetings nationwide have shifted to when and how they will upgrade their systems' security, whether with existing vendors under stricter scrutiny or with new solutions entirely.

For school leaders, the path forward seems clear: adopt data minimization policies, implement robust authentication requirements for any service with access to student data, establish clearer protocols for incident response, and hold vendors to higher standards through contractual enforcement and vigilant oversight.

While the breach remains a cautionary tale about the vulnerabilities inherent in our increasingly interconnected education system, the response from school districts demonstrates a commitment to restoring and maintaining trust. As I noted in my original article, having robust cybersecurity in education is not optional – it's essential. The actions taken in response to this breach may finally be giving that principle the priority it deserves.

Jason McKenna is V.P. of Global Educational Strategy for VEX Robotics and author of "What STEM Can Do for Your Classroom: Improving Student Problem Solving, Collaboration, and Engagement, Grade K-6." His work specializes in curriculum development, global educational strategy, and engaging with educators and policymakers worldwide. For more of his insights, subscribe to his newsletter.
