Ransomware hits the educator sector: lessons learned for schools and risk professionals

A cybersecurity incident involving a key vendor to primary schools is a reminder of the growing cyber risks schools and other organizations can face as they outsource key technology and data practices to third parties. Here’s what schools should know about the incident, how they can respond to it, and how they can prepare for the next potential cyber event.

What happened at PowerSchool

Recently, PowerSchool — a software and cloud services provider to thousands of schools, primarily serving K-12 students in more than 90 countries — reported that it had become aware on December 28, 2024, of a “cybersecurity incident involving unauthorized exportation of personal information” of students and educators.

Media reports suggest that personally identifiable information (PII) for millions of students and teachers was exposed, and have described the incident as a ransomware attack. PowerSchool has not used that language in public messages about the incident, but has acknowledged that PII — potentially including names, contact information, dates of birth, Social Security numbers, and “limited medical alert information” — was exfiltrated.

Since discovering the incident, PowerSchool has notified potentially affected schools and offered identity protection services to students and educators whose information was exposed.

Growing points of entry

Ransomware attacks, data breaches, technology outages, and other cybersecurity events are becoming more commonplace and costly to resolve.

According to cybersecurity consultant Arete, the median payment demanded in ransomware attacks in the third quarter of 2024 was $660,000, up 36% from $485,000 in the second quarter; the median ransomware payment was $300,000 in the third quarter, more than double the $125,000 median value for the second quarter. In 2024, meanwhile, the average total cost of a data breach increased to $4.88 million, up from $4.45 million in 2023, according to research from IBM and the Ponemon Institute.

At the same time, the reach of cyberattacks and other events is growing as technology chains become more complex and opaque. Imagine an organization as a castle and its cybersecurity posture as a moat. In the past, when technology systems were less complex, there was a single entry point into the castle — just one vulnerable point to protect against attackers.

Over time, however, organizations have come to rely on increasing numbers of technology vendors, which rely on their own providers, which similarly rely on other providers. Instead of just one point of entry, attackers can now exploit a web of potential weak spots that are, collectively, more difficult to monitor, manage, and protect.

As a result, schools and other organizations can now face technology interruptions or exposure of critical data — including PII and protected health information (PHI) — because of events involving both direct and indirect technology service providers. Consider just a few of the other events that made headlines in 2024:

  • In February, hackers stole PHI and PII belonging to nearly 200 million people from Change Healthcare, a medical payment clearinghouse owned by UnitedHealth.

  • In June, a ransomware attack against software provider CDK Global shut down the systems of roughly 15,000 car dealerships across the U.S. and Canada for more than a week.

  • In July, a software update defect involving cybersecurity provider CrowdStrike’s Falcon threat monitoring platform affected an estimated 8.5 million Windows devices, leading to the cancellation of commercial flights and elective surgeries and preventing retail banking customers from accessing their accounts.

The PowerSchool event also mirrors a 2020 data breach in which bank information and other PII was stolen from Blackbaud, a financial software vendor serving colleges and universities, healthcare entities, and nonprofit organizations. The Federal Trade Commission ultimately took action against Blackbaud, alleging that it had failed to protect its network and the personal data it collected.

In addition to regulatory action, events such as these can lead to high costs related to notifying affected parties, remediating the effects on organizations and individuals, restoring normal operations, disclosure to investors, litigation by shareholders and customers, and more.

Liability at issue

Organizations that work with cloud services providers and other technology vendors sometimes assume that by contracting with such providers they are also transferring liability in the event of an incident involving data those providers process on their behalf. Generally, that is not the case: Organizations are still liable for their data, even if a technology provider processes or has access to it.

Where schools are involved, however, the question of liability can become more complicated. That’s because public schools chartered and run by state governments likely have sovereign immunity. Although statutes and case law in individual states can vary, sovereign immunity essentially shields public schools from certain forms of civil litigation and criminal prosecution.

In many cases, notification and breach monitoring obligations are ambiguous. Schools that may be able to assert sovereign immunity should obtain the opinion and support of retained counsel when determining their obligations regarding breach response and mitigation.

PowerSchool, as a private business, does not have the benefit of sovereign immunity. Its liability from this event could thus be magnified as government-backed schools whose data was compromised invoke immunity to limit their exposure.

It is important to note, however, that privately run schools — including charter, religious, and faith-based schools — whose data was exposed in this incident also do not have the benefit of sovereign immunity and thus could face significant liability. Moreover, while sovereign immunity provides a defense for public schools, it does not prevent them from being targeted in litigation by school employees, students, and parents, who are likely to view them as responsible for failing to safeguard their data.

Mitigating potential impacts

Schools that have received notification from PowerSchool about the exposure of sensitive data should first seek to catalog the scope of data that was shared with PowerSchool. Ideally, this and other immediate actions will be outlined in incident response plans developed before the event.

As part of their incident response, schools should work with their insurance broker to determine their defensive posture. Among other matters, brokers can advise on whether to file a notice of circumstance with a cyber insurer or to give direct notice of a claim. Some cyber insurers offer hotlines through which policyholders can get immediate advice regarding an incident; it’s important to note that calling a hotline typically does not satisfy reporting obligations under a cyber insurance policy.

At the same time, schools should consider engaging legal counsel, which can help them prepare for potential litigation. Counsel can also advise on steps to prepare for and respond to regulatory actions, including possible investigation by federal and state regulators.

How cyber insurance can help

For schools facing potential liability from the PowerSchool breach and similar incidents in the future, cyber insurance can help offset many potentially sizable costs. A well-crafted cyber insurance policy can include both:

  • First-party coverage, which can reimburse organizations for the costs of investigating a cyber event and restoring normal operations. These include costs related to incident response, defense, forensics, data correction, business interruption, and more.

  • Third-party coverage for liabilities to others. This includes damages owed to third parties, regulatory penalties, and additional costs and expenses, including legal defense costs. In some cases, policies will provide access to specific “panel” counsel to defend policyholders from liability claims, along with vendors that can assist in incident response.

(Because public entity schools are likely to incur legal defense costs — even with sovereign immunity providing a shield from litigation — they can also benefit from cyber insurance.)

Not every cyber insurance policy, however, is identical. Affected organizations should work with their insurance brokers to understand what is and is not covered under their policies. If any gaps in existing coverage are identified, schools should work with their brokers to seek to fill those gaps during upcoming cyber insurance policy renewal discussions.

Schools should be prepared, however, for potentially greater scrutiny at renewal; even before the PowerSchool incident, cyber insurers were already more closely examining insurance buyers’ relationships with and management of technology vendors. Insurers, for example, are now regularly requesting that insureds identify their 10 largest IT vendors during the underwriting process.

Preparing for future events

It’s impossible for any organization to completely eliminate the risk of a cyber event occurring. Strong cyber hygiene and planning and preparation, however, can help to reduce the frequency and severity of such events.

Enacting strong cybersecurity controls is essential to preventing cyber losses and minimizing their scope. Oftentimes, cyber insurers will also require such controls or look more favorably upon insureds with them in place. Commonly required or preferred controls include:

  • Multifactor authentication.

  • Endpoint detection and response.

  • Offsite data backups.

  • Comprehensive employee training.

  • Regular software patching.

  • Email filtering software.

  • Password management.

  • Privileged access management.

Resilient organizations also invest in incident response plans, which can be developed with the help of outside specialists but are most valuable when key internal stakeholders are involved. An effective incident response plan should document how an organization detects, analyzes, and responds to various cyber events. Because no organization has the time, money, and resources to treat every event the same, plans should document the criteria for distinguishing between events that require a routine response and those that may threaten the survival of the business, given its operations, finances, obligations to third parties, and more. Incident response plans should identify the key steps businesses must take to contain, respond to, and continue operations in the event of an incident, and should be regularly tested and updated.

Vendor management and oversight

Finally, schools should closely examine their vendor relationships. It’s vital that schools catalog their most critical vendors, understanding what specific services they provide and what data they hold on their behalf. Schools should also:

  • Take steps to avoid having vendors retain sensitive data unnecessarily — for example, after they have completed any work for which it is needed.

  • Review key vendor contracts, with support from outside counsel and insurance brokers, who can advise on language related to indemnification and insurance requirements.

  • Insist upon, secure, and manage certificates of insurance as evidence of vendors’ insurance coverage.

  • Regularly audit the cybersecurity practices of their key vendors to ensure they are properly managing data, are enacting robust controls, and have incident response plans in place.
