Creating a new standard: The aftermath of the PowerSchool data breach

K-12 leaders are building better safeguards and holding vendors accountable in the wake of the most significant edtech cybersecurity incident ever.


Jason McKenna

In the months following the PowerSchool data breach that I wrote about earlier this year, school districts across the country haven't just been dealing with damage control – they've been taking unprecedented action to hold vendors accountable and fundamentally rethink how student data is protected. As the dust begins to settle on what has been called one of the most significant cybersecurity incidents in K-12 education history, a two-pronged response has emerged: legal action to establish accountability, and systemic reforms to prevent similar breaches in the future.

Legal Battlegrounds: Districts Take Unprecedented Action

The scale of the legal response has been remarkable. What began as a handful of lawsuits has swelled into what some are calling a "national campaign" against PowerSchool, with both families and school districts themselves taking the company to court.

School districts, traditionally hesitant to pursue litigation against their vendors, have broken new ground with their response. The St. Croix Falls School District in Wisconsin was among the first to file a federal lawsuit against PowerSchool, claiming breach of contract, unjust enrichment, and false advertising. Their complaint centered on what they called a "cornerstone" of their agreement with PowerSchool – the promise to protect student data, which they allege was broken by the company's failure to implement basic security measures like multi-factor authentication.

This district-led lawsuit has apparently sparked a movement. According to attorneys involved in the case, hundreds of districts have expressed interest in joining similar legal efforts, with plans to "file thousands" of complaints nationwide. The goal, as articulated by these attorneys, is not just compensation for public funds spent on inadequate services, but establishing stronger protections for the future.

In parallel, families affected by the breach have filed dozens of class-action lawsuits. These cases generally allege negligence in safeguarding the personal information of millions of students and teachers. The legal theory underlying many of these cases is that PowerSchool failed in its duty to implement reasonable security measures, particularly given the sensitivity of the data involved.

State officials have also begun to weigh in. North Carolina's Attorney General launched an investigation into the breach, noting that up to 4 million North Carolinians' data could be affected. School boards in several states have publicly urged their attorneys general to consider legal action against PowerSchool, emphasizing the "paramount importance" of protecting student and staff data.

Beyond Litigation: Systemic Changes in Data Protection

While the courts will ultimately determine liability, school systems aren't waiting for legal outcomes to make substantive changes to how they manage student data.

According to guidance from Jackson Lewis P.C., "Just as the law varies, so do contracts between vendors and schools vary in terms of requirements relating to data security, notifications of data breach, data breach response, and indemnity." The firm recommends that schools review their contracts with PowerSchool to determine what specific obligations the vendor had regarding security protocols, notification timelines, and remediation responsibilities.

This contract review process is particularly important because notification requirements vary significantly by state. For example, many state laws and contracts with schools require breach notification within specific timeframes - sometimes as tight as 7 days. Schools are being advised to check whether PowerSchool met these contractual obligations, as this will inform potential remedies available to them.

Beyond contract scrutiny, the breach has catalyzed a fundamental shift in how schools approach data governance. Many districts are implementing stronger data minimization policies, questioning whether they should be collecting or storing sensitive personal information that isn't absolutely necessary. Privacy experts emphasize that if organizations practiced better data minimization, breaches would be far less harmful. This principle is now driving districts to reevaluate what student data they upload to any cloud system.

Creating a New Standard for EdTech Security

The PowerSchool breach seems to have created a watershed moment for how schools approach data security. The incident has made cybersecurity much more than an IT department concern – it's now a fundamental requirement that involves superintendents, school boards, and even parents.

Industry watchdogs have responded as well. The Future of Privacy Forum removed PowerSchool as a signatory to its Student Privacy Pledge in February – a rare rebuke that signals to schools that a trusted safeguard was breached. This industry censure adds weight to legal efforts, as districts can point to an objective standard that PowerSchool failed to meet.

In response to mounting pressure, PowerSchool has implemented tighter security measures, including adding multi-factor authentication for employee and contractor access to customer data. The company has publicly committed to setting a "higher standard in cybersecurity for the entire industry."

Building a More Secure Future

The enduring lesson from this incident appears to be that paper agreements on data security are only as good as their enforcement. Schools are now actively enforcing these agreements and demanding better. The conversations in board meetings nationwide have shifted to when and how they will upgrade their systems' security, whether with existing vendors under stricter scrutiny or with new solutions entirely.

For school leaders, the path forward seems clear: adopt data minimization policies, implement robust authentication requirements for any service with access to student data, establish clearer protocols for incident response, and hold vendors to higher standards through contractual enforcement and vigilant oversight.

While the breach remains a cautionary tale about the vulnerabilities inherent in our increasingly interconnected education system, the response from school districts demonstrates a commitment to restoring and maintaining trust. As I noted in my original article, having robust cybersecurity in education is not optional—it's essential. The actions taken in response to this breach may finally be giving that principle the priority it deserves.

Jason McKenna is V.P. of Global Educational Strategy for VEX Robotics and author of What STEM Can Do for Your Classroom: Improving Student Problem Solving, Collaboration, and Engagement, Grade K-6. His work specializes in curriculum development, global educational strategy, and engaging with educators and policymakers worldwide. For more of his insights, subscribe to his newsletter.
