Navigating the PowerSchool Breach - Key Questions to Consider

  • Michelle Gordon
  • 28 minutes ago
  • 2 min read

Last week, Ontario and Alberta’s information and privacy commissioners released the findings of their investigations into the PowerSchool breach incident, which has become the latest breach widely discussed in the privacy community and beyond. This discussion has focused mainly on its implications for third-party vendor management, which were especially pronounced in this instance given the wide reach of the breach to millions of Canadians, including students, parents and educators.


In December 2024, a cyberattack compromised PowerSchool’s systems when attackers used compromised credentials to access PowerSchool’s student information system (SIS) and support portal, exposing sensitive personal information - including names, contact details, dates of birth, education records, medical information and Social Insurance Numbers - in schools across Canada and the US. The cyberattacker then attempted to extort school boards using this data. The cyberattacker was eventually caught and sentenced to four years in a US prison.


In its investigation report (the key findings of which may be found here), the IPC has sent a clear, though not novel, message to schools, public sector organizations, and all organizations that outsource third-party services: accountability and due diligence are essential in both the contracting and the oversight of IT vendors. While outsourcing these services has become the norm given its cost savings and increased security, the potential risks must be properly managed in order to implement this model successfully.


In her recent blog post reflecting on her office’s report, Patricia Kosseim, Ontario’s Privacy Commissioner, calls on governments, parents, educators, regulators, and school administrators to work together in addressing the findings of the report and in negotiating new or revised agreements with edtech vendors. This approach would enable efficiency for both school boards and vendors, and ensure that the right privacy and security-related provisions are included in contracts from the start.


In executing this approach, these are some of the key questions that all parties should be asking to manage third-party risk:


  1. How is the risk associated with third-party vendor management being managed by the school/board? Who is the owner of the risk, and who is ultimately accountable and responsible for overseeing and addressing the risk?

  2. Do third-party vendor contracts clearly and accurately lay out roles, responsibilities, privacy and security practices, safeguards, compliance monitoring, and audit rights?

  3. Does the incident response plan between the vendor and the school/board specify clear breach notification processes, including notification involving third-party vendors?

  4. Are parents aware of which third parties are being used by the school and are managing children’s personal information? Are schools/boards effectively communicating a list of vendors to the community?

  5. When sharing students’ personal information with third-party vendors, is only the minimum amount of data required being shared? Are vendors requesting to collect only the least amount of personal information necessary to achieve the purpose?


While these are not new questions that organizations should be asking about their privacy and security practices, this widespread breach serves as a reminder that regulators are watching, and it provides an opportunity to re-ask these questions with a more critical lens towards demonstrating accountability.

