Jackson Lewis LLP

01/11/2025 | News release | Distributed by Public on 01/11/2025 13:50

FAQs for Schools and Persons Affected By the PowerSchool Data Breach

A massive data breach hit one of the country's largest education software providers. According to EducationWeek, PowerSchool provides school software products to more than 16,000 customers, largely K-12 schools, that serve 50 million students in the United States. According to reports, PowerSchool informed customers that, on December 28, 2024, PowerSchool became aware of a cybersecurity incident involving unauthorized access to certain information through one of its community-focused customer support portals, PowerSource. The unauthorized access affected PowerSchool's Student Information System ("SIS").

According to one of its communications to customers, PowerSchool stated:

While we are unaware of and do not expect any actual or attempted misuse of personal information or any financial harm to impacted individuals as a result of this incident, PowerSchool will be providing credit monitoring to affected adults and identity protection services to affected minors in accordance with regulatory and contractual obligations. The particular information compromised will vary by impacted customer. We anticipate that only a subset of impacted customers will have notification obligations.

Needless to say, PowerSchool customers likely have lots of questions and concerns about next steps. The Q&A below is intended to help school communities and other affected entities strategize about next steps.

Is this just a PowerSchool problem?

There certainly are steps PowerSchool should be taking. As a service provider that processes the personal information of its customers, conducting a prompt investigation and informing data owners of critical information relating to the breach top the list. Additionally, each customer's service agreement with PowerSchool may include broader obligations for the vendor. Providing ongoing support and mitigating potential harm also can reasonably be expected. But, schools and other PowerSchool customers may have obligations of their own.

What should potentially affected PowerSchool customers be doing?

There are several items to consider:

Look at your incident response plan. If you have an incident response plan, it may provide steps to help keep your team organized and focused. If you do not have one, consider developing one in the future.

Gather information. As noted above, PowerSchool has already put out information concerning the breach, and more is likely to come. But there may be other helpful information for you online from trusted sources. For example, a BleepingComputer article provides (i) information on determining whether your school district was affected, and (ii) a link to a "detailed guide written by Romy Backus, SIS Specialist at the American School of Dubai, [that] explains how to check the PowerSchool SIS logs to determine if data was stolen."

Be ready to communicate with your school community. Teachers, parents, students, former students, and others will have a lot of questions about the incident. According to a report by Infosecurity Magazine,

A message to parents by the Howard-Suamico School District in Wisconsin, US, seen by news outlet NBC 26, read: "PowerSchool confirmed that this was not a ransomware attack but it did pay a ransom to prevent the data from being released."

If a ransom was paid to a threat actor, there is no way to confirm that the data has not or will not be released or used for an impermissible purpose. For this and other reasons, it will be critical to have a plan for delivering prompt, consistent, and accurate messaging about the breach as soon as possible. Having a limited number of persons responsible for responding to questions can help to avoid misinformation and maintain consistent messaging.

As the investigation proceeds, PowerSchool likely will be providing more information about notifications, ID theft and credit monitoring services, and other information concerning the continued response to the incident. Affected schools and other PowerSchool customers will need to be ready to receive that information and decide how best to convey it to their community. In the event decisions need to be made by a school's Board, start thinking ahead to taking all the necessary steps to arrange for those meetings so decisions can be made appropriately, thoughtfully, and in a timely manner. Feel free to contact our incident response attorneys, as we have helped many schools and school districts navigate challenging communications in similar incidents.

Get a handle on your legal and contractual rights and obligations. State breach notification laws generally place the obligation to notify affected persons and others on the owner of the personal information compromised in the breach, not the service provider that had the breach. In many cases, however, a vendor causing a data breach may take on the obligation to provide such notifications, but the owner of the data still will be on the hook if that process is not performed in a compliant manner.

Of course, state notification laws vary state to state. Examples of these variations include the definition of personal information, exceptions to the notification requirement, timeframes for notification, and requirements for ID theft and credit monitoring services. Reports noted above indicate that PowerSchool may be supporting the notification process. However, because the breach is affecting customers differently (e.g., different personal information affected, different state laws), PowerSchool may rely on instructions from customers about whether and how to comply with certain aspects of the notification requirements.

Note also that some states may have issued specific regulatory requirements for school districts and their vendors. For example, in New York, regulations issued by the New York State Department of Education and adopted by its Board of Regents in 2020 require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information ("PII") relating to students, teachers and principals. Among other things, the NY regulations require vendors that suffer a breach to notify the affected schools within seven (7) calendar days. The schools must in turn notify SED within ten (10) calendar days of receipt of notification of a breach from the vendor; and the schools must notify the affected individuals of the breach without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.

Just as the law varies, the services agreement a school negotiated with PowerSchool may vary from PowerSchool's standard form. Affected PowerSchool customers should be reviewing those agreements to assess their rights and obligations in areas such as information security, data breach response, and indemnity.

Evaluate insurance protections. Some organizations may have purchased "cyber" or "breach response" insurance which could cover some of the costs related to responding to the breach or defending litigation that may follow. Affected PowerSchool customers should review their policy(ies) with their brokers to understand the potential coverage and what steps, if any, they need to take to confirm coverage.

What can individuals potentially affected by the PowerSchool breach do now?

It may take some time before notifications are sent to individuals affected by the breach. However, there are some resources that individuals could examine to consider their options now. Databreaches.net pulled together some helpful resources for potentially affected individuals, such as teachers, parents, and former students. Access that here.

When the dust clears from the PowerSchool incident, what should schools do going forward?

This is not the first vendor incident that has affected schools, and it will not be the last. There are many steps schools and any organizations should consider taking following a vendor's breach affecting the organization's data. However, for the moment, affected schools and customers should focus on the incident at hand. When the time comes, they should consult with experienced legal counsel and information security experts to be sure they have adopted, at a minimum, reasonable safeguards to protect their data, and that they have assessed whether their vendors are doing the same.

* * *

For organizations large and small, incidents like this can be a significant disruption. To minimize that disruption, organizations may want and need to communicate with their applicable communities, and should do so confidently, but carefully. More information can be very helpful, but too much information and information that is repetitive can be confusing and frustrating. Organizations should involve key persons internally and possibly seek outside expertise and counsel to reach an appropriate balance in their response strategy and communications.