
Monday, May 4, 2026

Statement on the NYS Comptroller’s audit of NYC’s Privacy and Security of Student Data

For immediate release: May 4, 2025

For more information: Leonie Haimson, leonie@classsizematters.org; 917-435-9329 

The audit from the State Comptroller’s office released today confirms what many NYC advocates have long known: the privacy policies and practices of the NYC Dept. of Education are sloppy, irresponsible and show a lack of concern for keeping students’ personal information safe from breach and misuse. This makes DOE’s insistent push to rapidly expand the use of Artificial Intelligence tools in our schools unwarranted, given that these tools represent an even greater risk to student privacy and safety.

Even more troubling is the DOE’s contemptuous response to the auditors’ findings and recommendations to improve its processes, dismissing nearly every one as unfounded. Altogether, the audit’s findings reinforce the lack of trust felt by many in DOE’s competence and caring when it comes to protecting student privacy.

The audit’s findings put in question the AI guidance’s assurances on DOE’s ability to keep student data safe

In the recent DOE AI guidance, they repeat over and over that student privacy is rigorously protected through a vetting process called ERMA (Enterprise Request Management Application). Yet the findings in this audit show that DOE’s privacy processes are inherently defective. The DOE’s lack of responsiveness and unwillingness to improve its privacy policies provide yet more evidence that its rush to expand the use of AI in our schools is reckless. AI products represent a special risk to student privacy, as many data-mine personal data to improve their products, which violates Ed Law 2D, the NY State student privacy law passed by the legislature in 2014.

The audit’s findings, as well as repeated data breaches of NYC student data and its illegal use for commercial purposes, reveal the inadequacy of the DOE’s privacy vetting process. As a member of the Chancellor’s AI Working Group, I, along with other members, proposed additional safeguards. These included independent privacy impact assessments, data security audits, and tests for algorithmic bias that should be required for any educational product using AI. DOE rejected all these recommendations. Additional problems with the recently released AI guidance, including DOE’s refusal to rigorously comply with the state privacy law, are described in our critique here.

The findings confirm DOE’s failure to properly control and safeguard personal student information

The auditors discovered that DOE maintains  no central records as to which vendors and other third parties have access to student personal information, and that they maintain no written policies covering data classification, risk assessment, or backup and recovery, as required by the NIST data security framework specified by Ed Law 2D.  

In their response, DOE officials claim  that this conclusion is false, and that they are “able to determine which SIS or other applications that consume student data are in use by a given school or office.”  Yet just last week, on April 28, 2026, the DOE privacy office confirmed in an email to a parent that “at this time, there is no Central list of every educational technology tool used by each school.”  

Moreover, according to Ed Law 2D, it is every parent’s right to know which vendors have access to their children’s data, and to receive a copy of the data held by those vendors  within 45 days of their request. Yet this right is chronically  violated by DOE officials, and when parents do receive data files from their vendors, the files can be empty of information. 

There are more than 700 companies and other third parties that have access to personal student data according to the DOE website, though the number of ed tech programs used is likely greater, as some vendors provide schools with more than one product. The number of products collecting and processing student data has steadily increased each year, and is now growing even more rapidly, as DOE adds new products with AI functionality to be used in classrooms throughout the city.

Delays in recognizing and reporting breaches 

Because DOE officials do not know which schools use which products, they are unable to ensure that when data breaches occur, they are able to inform affected families within the legally required timeline or identify which data elements may have been exposed.

The auditors reported that there were at least 141 breaches of NYC personal student data between January 5, 2023 and February 27, 2025, and in 48% of cases, the DOE reported them to NYSED past the legal deadline of 10 days. In at least one case, it took over 460 days. DOE also missed the 60-day deadline to inform parents that their children’s data had been breached in at least 11% of cases. [Note: 60 days is in itself too long; NY law requires breach notification by private businesses and state agencies within 30 days.]

The Illuminate breach and problems with their privacy agreement

Some privacy vendor agreements are never even posted online in violation of the law - like that of Illuminate, which exposed the data of more than a million NYC current and former students in 2022, and yet whose privacy agreement was posted online only after the breach occurred.  Even then,  the agreement hinted that the data was not always encrypted, contrary to the requirements of the law, which turned out to be the case.  

The Illuminate example also shows that  DOE does not independently investigate breaches but instead relies on the unreliable reporting of vendors concerning the number and identity of students affected. After the data of more than 800,000 current and former NYC students was breached by Illuminate between late December 2021 and early January 2022, their families were not notified by DOE until March 25, 2022.  

Even worse, in May 2024, more than two years after the breach, a second round of notifications to families revealed that about 380,000 more students and former students also had their information exposed. This was also seven months after Illuminate had informed DOE of the additional students involved, far exceeding the 60-day deadline in the law, according to the information on the DOE website, which states that they started looking into this matter only after being told by Illuminate in October 2023 that more students were affected. This put additional students and former students at risk of identity theft and more, and left them unable to promptly acquire the insurance and credit monitoring offered by the vendor for free.

The PowerSchool breach and problems with their privacy agreement

After the massive nationwide breach of the PowerSchool student information system occurred in late December 2024,  parents throughout the country and elsewhere in the state were informed of the breach in early January 2025.  Yet at that time, DOE told a reporter they were still looking into whether any NYC schools or students were affected. 

In fact, DOE refused to confirm which schools were involved even after Daily News reported on their names  on February 6, 2025, from information relayed by the State Education Department.  Only after the Daily News reported on this did parents whose children attended these schools receive emails saying DOE was still looking into this matter.  It was not until April  2025  that DOE confirmed to parents that their children’s data had been breached, long past  the 60-day deadline in the law. 

To this day, the DOE has refused to post the names of the NYC schools affected by the PowerSchool breach on the webpage that reports on data security incidents, despite guidance from the NYSED that they should do so promptly, to alert the thousands of former students whose data was also exposed and put at risk of identity theft and worse. 

As the former NYSED Chief Privacy Officer Louise de Candia wrote on Feb. 3, 2025, “There is no doubt in my mind that PowerSchool violated Education Law Section 2-d and Part 121 of the regulations which require compliance with NIST CSF as well as reasonable administrative, technical and physical safeguards to protect the security, confidentiality and integrity of PII.”

And yet  DOE continues to allow NYC schools to use as many as 16 other privacy-invasive PowerSchool products, including Naviance, which is employed in many if not most New York high schools for college guidance purposes. This is despite the fact that in 2022, it was reported that Naviance  targeted ads for colleges on its student-facing platform disguised as objective recommendations and was shown to allow colleges to discriminate by race by targeting ads only to white students.

More recently, it was announced that PowerSchool had agreed to settle a class action lawsuit  alleging that the Naviance  platform contained ad tracking technology that transmitted a wide range of student data to Google, Microsoft and a company called Heap, including their names, ID numbers, graduation years,  demographic information, photographs and survey responses, as well as  their private communications with teachers.  This would violate not only state privacy laws but also the federal wiretapping statute.   Even now, the DOE has refused to tell parents or students about the Naviance agreement or  inform them they can apply for a portion of the $17.25 million settlement. 

The fact that the Illuminate and PowerSchool breaches exposed the data of many thousands of NYC students who had long since graduated or otherwise left the system also shows that the data minimization and deletion by vendors required by Ed Law 2D is not enforced by DOE. More background here.

To make things worse, the PowerSchool privacy agreement still posted on the DOE website is clearly non-compliant with the law, as it says that the company will only conform to the privacy requirements in federal and state law or in their contract with DOE when it is “commercially reasonable.”

Other problems highlighted in the audit and the DOE’s official response

The Comptroller’s office also found significant weaknesses in DOE’s technical data security controls that should be corrected, including “issues with system monitoring, unsupported systems, and firewalls.” Understandably, the auditors only communicated the details of these security weaknesses to DOE in a separate confidential report.  In their response, DOE makes no commitment to address these technical problems, but instead says that they would address them separately, within the confidential report.

In its response, DOE claims to have made “several improvements to its privacy practices and policies,” including updating the Chancellor’s Regulation A-820 to “restrict the use of ‘directory information.’”

In fact, the recent amendment to the Chancellor’s Regulation weakened the protections for student data, by redefining  a wide and essentially unlimited range of personal student information, including but not limited to their names, addresses, telephone numbers, email addresses, photographs, grade level, participation in activities and sports, and more, as directory data that can be shared with third parties, even when they are not providing services to schools.  Only an unreliable parent opt out  process was provided to prevent these disclosures from occurring.

Finally, the auditors also revealed that DOE officials took an inordinate time to respond to their requests; and that documentation requests took over five months to fulfill, while requests for meetings took two months  to schedule.  

Leonie Haimson is the co-chair of the Parent Coalition for Student Privacy, a member of the NYSED Data Privacy Advisory Committee, the Chancellor’s Data Privacy Working Group and the Chancellor’s AI Working Group.

###

 

Thursday, April 2, 2026

PowerSchool/Naviance court settlement: your child may be eligible for a payment

Update: More on the settlement here.

 April 2, 2026

It was recently announced that as part of a class action court settlement, the ed tech company PowerSchool and the Chicago Public Schools agreed to pay a total of $17.25 million to students whose privacy was violated by Naviance, a college advising company acquired  by PowerSchool in 2021. In turn, PowerSchool was bought by Bain Capital for $5.6 billion in 2024.

The lawsuit alleged that the Naviance platform contained ad tracking technology that transmitted a wide range of personal data to Google, Microsoft and a company called Heap, including student names, ID numbers, graduation years,  demographic information, photographs and survey responses, as well as  their private communications with teachers.

These practices, the attorneys argued, amounted to  “unlawful wiretapping” and “eavesdropping,” in violation of several federal and state privacy laws.

Naviance is widely used in schools throughout the country for college application and advising purposes, including in many NYC high schools.  Any student who logged into this platform at least once at school or at home between August 18, 2021 through January 23, 2026 is eligible for payment through the court settlement. A preliminary estimate by the attorney is that each student may receive about  $50, depending on how many apply.

You (or your child, if they are over 18) are supposed to have already been sent a notice by snail mail or email on how to file a claim as part of the court settlement, along with a Class Member ID number. But if you haven’t received this notice, you can still submit a claim here.

We have long been concerned about the privacy and safety of PowerSchool programs in general and Naviance in particular, and we have communicated our concerns with DOE’s Chief Privacy Officer, to no avail.

Several years ago, we had shared reports in the publication The Markup, showing how Naviance had been found to allow colleges to send targeted ads to students through its platform, in some cases ads that discriminated by their race.  These ads were purportedly disguised as objective college recommendations.  Using personal data to send targeted ads violates the provisions of the NY Student Privacy Law.

Then, as you may recall, in December 2024,  a massive breach of the PowerSchool student information system exposed the personal data of millions of students nationwide, including  thousands of current and former NYC students.  As a result of this breach, the company has been sued by  many states and districts for failing to implement the most basic data security and privacy protections.   After this occurred, I again urged DOE to cancel its contracts with PowerSchool, which offers many different, highly invasive programs to NYC schools, but received no response.

If your child uses Naviance, beware of any recommendations or other communications that they may receive through this platform.

I’d appreciate it if any parents whose child currently uses the platform might help us investigate the way Naviance works in more detail, to assess whether the company may still be continuing to violate our privacy laws and basic ethical standards, including through their new AI-powered chatbot called “PowerBuddy”.  If you and your child are willing, please email us at info@studentprivacymatters.org.  Please also let us know if you or your child has not received notice of this settlement, so we can inform the plaintiff’s attorneys.

Finally, whether or not you receive a settlement payout, it would be great if you would consider donating to Class Size Matters, earmarked to help fund the Parent Coalition for Student Privacy. Our amazing PCSP co-chair, Cassie Creswell, executive director of Illinois Families for Public Schools, worked with the attorneys on the class action lawsuit and helped identify the original plaintiff. We could really use your support.

Friday, May 16, 2025

New revelations showing DOE’s continuing lack of concern for the privacy and safety of NYC students - please sign our letter to the Chancellor today!


Update: 7/22/25:  The DOE did not further improve their regulations which will allow schools and DOE central to disclose a large amount of personal student data to third parties without parental consent.  We will work to make as many parents as possible aware in the fall to opt out, and hope for a far more clear and functional opt out process to be provided by DOE.

Also, we recently received more information about the number of students and staff affected by the PowerSchool breach, through a FOIL I submitted.  The info is below.  Meanwhile, parents, teachers and SLTs should try to convince their schools not to use ANY PowerSchool products since they have proven to be unreliable and irresponsible in their privacy and security practices; and urge their schools to require the company to delete the data they have already collected for current and former students as soon as possible. 

 

Data breached by PowerSchool in Dec. 2024, according to DOE FOIL response of 7.22.25

1. Please read and sign our letter, already signed by several members of the Chancellor’s Data Privacy Working Group as well as several education advocacy organizations and NYC Council Members, in opposition to the weakening of DOE’s student privacy protections in their proposed amendments to Chancellor’s Regulation A-820. If you would like to sign on, please fill out this form.

These revisions would allow DOE to  disclose a vast array of highly sensitive student data to any individual or business they please, including students’ and parents’  names, email addresses, cell phones, home addresses, photos, and more, as long as they believe it would benefit the DOE or the students involved, with only a highly unreliable parent opt out method to prevent this.  The weakening of this regulation is up for a vote at the May 28 Panel for Educational Policy meeting, after the initial vote on this measure was delayed in October because of parent and advocate concerns and over 3,000 emails sent to the Chancellor and PEP members. 

2. Evidence of the  irresponsible practices of the DOE when it comes to protecting student privacy is further revealed by recent developments in the PowerSchool breach.

According to a May 7 announcement on the PowerSchool website and numerous news accounts, extortionists have now contacted schools and districts affected by the original PowerSchool Student Information System breach that occurred in December,  threatening the further exposure of  student data unless they are paid a ransom.

The original breach exposed the personal information of an estimated 60 million children, parents, and school staff across the US and in Canada, including an indeterminate number of current and former NYC students and teachers at four NYC high schools: Fordham HS for the Arts, Westchester Square Academy, Long Island City High School, and Lower East Side Prep. 

It is unknown at this time whether any of these NYC schools have been directly contacted by the cyber criminals, as has occurred in the case of schools elsewhere, and DOE has still not posted anything about this new threat on its webpage entitled “Data Security Incidents”, where it is supposed to provide this sort of information.

Still to this day,  DOE officials refuse to publicize the names of the four schools that had their student data stolen back in December, or to reveal publicly that former students at these schools likely had their information breached as well.

The DOE was also months late in informing parents at these schools that their children’s data had been breached, and even now refuses to provide any guidance to the many NYC schools that they should stop using the 16 other invasive PowerSchool programs that collect a wide range of personal student and teacher data, even though it’s been shown that the company did not employ even the most basic security measures to prevent hacking. PowerSchool is now being sued by more than 20 different states, districts, and class action lawsuits as a result.

The DOE’s lackadaisical attitude towards protecting student data is especially relevant right now because, as mentioned above, proposals to weaken Chancellor’s Regulation A-820 are on the agenda to be voted on by the PEP at the end of the month.

The only significant concession DOE has made in the latest round of revisions to this regulation is to require a written agreement with the third parties with whom they want to share all this sensitive student data, but as we have seen in the PowerSchool breach, as well as many others, including the Illuminate breach that exposed the data of more than a million NYC current and former students, their written agreements have done little to stop the illegal disclosures and commercial exploitation of student data because of insufficient oversight and enforcement.

More details on the earlier PowerSchool breach and the recent ransomware attacks are below.

Background

The original hack of the PowerSchool Student Information System (SIS) began on December 19 and ended on December 28. On January 6, PowerSchool informed hundreds of districts and school systems nationwide and in Canada that personal data stored in their student information systems had been accessed; later they admitted that they paid a ransom to the criminals in exchange for their promise to destroy the data.

Most districts throughout New York state and elsewhere alerted parents to the threat, in early to mid-January, and shortly thereafter advised them how to sign up for free identity theft insurance and credit monitoring offered by PowerSchool.  It is well known that student data is very valuable for purposes of identity theft, as most children do not already have a credit rating.  

Yet DOE said nothing to parents about this at the four affected schools, and in fact, when reporters asked in January if any NYC schools were affected, DOE told them no.

It was not until February 3 that I learned in an email from the NY State Education Department Chief Privacy Officer Louise de Candia that four NYC schools did indeed have their student data hacked, and she gave me the schools’ names.  I forwarded this information to the Daily News reporter, Cayla Bamberger, who wrote an article about the breach on February 6 (free link here).  I also posted more details about the breach on my blog. 

But amazingly, even then the DOE refused to confirm the names of the affected schools to reporters, or to post their names on their website, even though the State Education Department specifically advised districts to do so, in order to alert former students to the risk to their privacy and safety. They wrote:

Like the Illuminate Education data breach that occurred in late 2021/early 2022, former students may be affected by this breach.  Therefore, we recommend that educational agencies put a notification on their web page to capture as wide an audience as possible. 

Further delay and inadequate notification of affected families and students

Only following the Daily News article did principals send a message to parents at these four schools, saying that they were still looking into whether their children’s data had been breached. 

Not until March 7, more than two months after the initial reports, did DOE apparently confirm internally that NYC students, former students, and staff had their data stolen by hackers, even though back in January there were simple instructions on Reddit, and elsewhere on how schools and districts should check their SIS log files to confirm which students and teachers were affected, and what data had been stolen.  

It was not until three weeks after that, the week of April 1, that the DOE mailed notification letters to affected students and staff, and not until April 3 was the following message posted on the DOE website:

“Approximately 3,437 students and 317 staff were affected by the PowerSchool SIS data security incident. … All students who were affected by this incident had the following information disclosed: name, student ID number, date of birth, grade level, expected graduation year, enrollment information, and home address. Some students also had race/ethnicity, gender, classroom assignment, parent name, parent email, home phone number, emergency contact name and phone, and medical contact information disclosed.  All staff who were affected by this incident had their file number/employee ID disclosed.”  

Still, this statement was far from complete, as the DOE continued to refuse to disclose the names of the affected schools on the website, or that former students also had their data breached. This was confirmed to me by the DOE chief privacy officer Dennis Doyle after I asked him about it. Though he said he didn’t know how many former students were affected, “it’s possible the impacted data goes as far back as the 2021-22 school year.” Looking at the demographic snapshot just for Long Island City HS, that means another 1,321 students who were enrolled that year but have since graduated or dropped out may also have had their data hacked.

The NY student privacy law Ed Law 2D regulations require that parents be informed as soon as possible about a breach of personal student data and in no case, more than 60 calendar days after its discovery:

“Educational agencies shall notify affected parents, eligible students, teachers and/or principals in the most expedient way possible and without unreasonable delay, but no more than 60 calendar days after the discovery of a breach.”

Of course, 60 days is too long in any case; State Ed originally proposed 45 days in their regulations, but some districts apparently complained this was too short a time frame. NY state has now amended its general business law to require all businesses to notify affected individuals of breaches within 30 days, though it’s not clear whether this applies to schools and districts.

In any case, given that districts were informed of the PowerSchool breach on January 7, that would make the deadline in state law for notification March 8, 2025 – and yet parents in NYC were not sent letters confirming their kids’ data was breached until three weeks later. 

Unfortunately, the DOE has said nothing publicly about these recent ransomware attacks, though there is an update on their website dated May 8, the day after PowerSchool and numerous media accounts, including NBC news, reported on these new threats to student privacy. Instead, the DOE only informed parents on that date that the deadline to sign up for PowerSchool’s offer of free identity theft insurance had been extended to July 31; and then added “There is no evidence of continued unauthorized access”, even as parents throughout the country were being warned otherwise.

For example, schools in North Carolina received extortion emails on May 7, according to the state Department of Education’s public bulletin, posted the same day, alerting the public that these criminals appeared to have students' and staffers’ names, contact information, birthdays, medical information, parental information, and in some cases even their Social Security numbers. 

The North Carolina State Superintendent produced a sample template that districts were asked to send to parents, warning them not to respond if contacted by these threat actors, not to open any suspicious links or emails related to this incident, and not to engage with anyone claiming to have this data.

About the more recent ransomware threats, there are three possible scenarios according to this article: that the original hackers did not delete the data back in January as they promised PowerSchool after receiving payment; or they had already sold or released the data to another group before deleting it.  There is a third possibility: that these latest demands are empty threats, but as PowerSchool reported, the samples of personal data sent to schools as warnings in May match the data previously stolen in December.

DOE’s continued lack of oversight, transparency and enforcement when it comes to   student privacy

All this sadly might have been prevented if DOE had taken the necessary precautions.  The privacy addendum that PowerSchool provided to DOE several years ago, and still posted on the DOE website should have provided sufficient warning.  It said that the company will:

“Review data security and privacy policy and practices to ensure they are in conformance with all applicable federal, state, and local laws & the terms of this DSPP [Data Security Privacy Plan].… In the event Processor’s policy and practices are not in conformance, Processor will implement commercially reasonable efforts to ensure such compliance.”

In other words, PowerSchool proclaimed that they would comply with federal and state privacy laws -- and their own contract with DOE -- only if they felt it was “commercially reasonable” and would not unduly affect their bottom line.

I also pointed out that DOE allows schools to use 17 privacy-invasive PowerSchool programs that collect a huge amount of sensitive teacher and student data, and asked for a meeting to discuss the many other ways in which the DOE consistently fails to properly vet their privacy agreements or to follow up with their vendors to ensure they are  adhering to these agreements.  Here is a copy of one of the slides I sent him.



Similar problems with lack of careful vetting and oversight occurred earlier with the Illuminate breach, as I wrote at the time, whose posted privacy addendum hinted that the data was not properly encrypted.  And while the DOE contract with Illuminate said they were entitled to security audits, it is unclear if they ever asked for one.

In any case,  I never got the meeting with Dennis I had requested nor did I receive any response to my warnings about PowerSchool.   

Even earlier, according to a January 2022 exposé in The Markup, Naviance was found to have allowed colleges to place ads within its platform, disguised as objective recommendations, including ads that targeted only white students, a practice that is clearly illegal under NY State law.

In May 2024, a multi-state parent class action lawsuit was filed in California alleging that PowerSchool disclosed personal student data, including highly sensitive health and disciplinary records to its third-party "partners" for commercial purposes,  illegal  in California, New York and many other states.  Among other data points, the lawsuit pointed out that Naviance collects student citizenship status, which is especially sensitive data these days given the threat of immigrant deportation. More about this lawsuit here. Yet this news did not deter Bain Capital from acquiring PowerSchool in October 2024  for $5.6 billion.

Following the December 2024 breach, many states and districts have now sued PowerSchool for failing to implement the most basic security measures to protect against breaches, including multi-factor authentication. These lawsuits are demanding damages, and asking the court to require the company to strengthen its overall security systems, undertake a third-party security audit, and appoint an independent party to monitor progress. Some of these lawsuits, including one filed in the Eastern District of New York, have now been consolidated into a single court case in California. Many parents have joined separate class action lawsuits, organized by private law firms, as well.

Two weeks ago, I wrote Dennis Doyle once again, and asked him the following question:

“What oversight does DOE maintain to ensure that PowerSchool and vendors in general hold to the security protections in their contracts, especially given the weak language in its privacy addendum? This breach revealed that PowerSchool failed to use the most basic security measures, like multi-factor authentication, leading to at least 23 lawsuits, including many in states with far less protective privacy laws than NY. Clearly, they did not employ data minimization or deletion, as the law requires, given that the data of former students was breached.”

This was his brief response: “Our vendors undergo a security review conducted by DIIT and, for those storing data in the cloud, a cloud review conducted by OTI.”

No acknowledgement was made of the obvious fact that these security reviews failed to identify the profound weaknesses in PowerSchool’s cybersecurity practices, or any of the other breaches that showed the lack of required measures to secure student data.

I also asked Dennis if he intends “to ask PowerSchool to revise their privacy addendum to fully comply with Ed Law 2D, and/or to take any other actions to discourage schools from using the other 16 PowerSchool products posted on your website that DOE has made available to schools, many of them with access to extremely sensitive teacher and student data?”

He responded this way: “As I stated earlier, our data-processing agreement with PowerSchool requires them to fully comply with Ed Law 2-d, notwithstanding any response to the contrary in the supplemental questionnaire.” Our full exchange is posted here.

This is irresponsible in my view. DOE should have advised schools following the breach to cease using any of the 17 products supplied to schools by PowerSchool that collect highly sensitive teacher and student data, and should have immediately notified parents at the affected schools of the threat to their families’ privacy, as other districts in the state and nation did. DOE should also have posted on their website more information about this breach, including the names of the affected schools, and warned former students at these schools that their data may have been accessed as well.

In any case, DOE should do this now, given the renewed ransomware threats, and put out a press release to ensure that all parents, students, and former students at these schools sign up for the identity theft insurance and credit monitoring services offered by PowerSchool, as well as alerting them not to respond to cybercriminals if approached.

Whether the DOE itself could be in legal jeopardy for failing to inform parents in a timely manner of the breach and waiting months to alert them to the steps they should take to prevent further disclosures, and/or for the manner in which they ignored red flags in their PowerSchool privacy agreement, are questions that only an experienced attorney could answer.

In any case, please read our letter in opposition to the further weakening of the DOE privacy policies, and consider signing it.

Thursday, February 6, 2025

Alert: PowerSchool data breach at (at least) four NYC schools

As reported in tonight's Daily News (free link here), contrary to previous DOE assurances, four NYC public schools were likely affected by the massive PowerSchool breach:

Fordham HS for the Arts

Long Island City High School

Lower East Side Prep

Westchester Square Academy

About 3,000 students are currently enrolled in these schools, but former students may also have been affected if the school used the Student Information System in years past. 

Please let parents, students and former students at these schools know to ask questions at their schools as soon as possible.  They should then check for ID theft and sign up for free credit monitoring and ID theft insurance, offered by PowerSchool.  More info here.

What's unacceptable is how DOE still refuses to confirm to reporters the names of affected schools, or announce this publicly, as hundreds of other districts have done.  The information came instead from the NYSED Privacy office. 

NYSED has also put out guidance to districts, suggesting that PowerSchool may not be telling the whole story and that the data breach may affect not only former students, but also schools that no longer use the School Information System but once did.  [Update:  NYSED took down this alert at some point later, but you can find it archived here.]

Yet I can find no mention anywhere on these schools' websites nor on the DOE website where they alert parents to data breaches - or, as the DOE euphemistically likes to call them, "Data Security Incidents."

Also very problematic is how the PowerSchool contract with DOE for seventeen data-hungry products implies the company will only comply with state and federal privacy laws when they consider them "commercially reasonable." I shared my concerns with DOE over a year ago about this and got no response.

Though up to now only the PowerSchool SIS has been reported as breached, such lax privacy language applies to all these products and is unacceptable. As has not been widely reported, PowerSchool failed to take the simplest security protections, such as two-factor authentication for user access; instead, the hacker just obtained the password of a single employee.

By the way, according to many reports, teacher personal data was also exposed. Have teachers at the affected schools been informed?