PowerSchool Remains Accountable for Data Breach, Says Former Privacy Commissioner

PowerSchool Data Breach: Accountability and Future Safeguards

A significant shift has emerged in the aftermath of a major data breach impacting PowerSchool, affecting millions of children, educators, and parents. Despite the conclusion of an investigation into the company’s cybersecurity protocols, a former federal privacy commissioner emphasizes that PowerSchool is still under scrutiny. Chantal Bernier, who previously served as Canada’s assistant privacy commissioner, noted that the company is “not off the hook.” Her assessment comes at a time when PowerSchool has committed to enhancing its cybersecurity measures in response to the breach.

In an interview with Global News, Bernier outlined that the agreement reached recently represents an effective strategy for the Office of the Privacy Commissioner (OPC) to ensure accountability. The agreement imposes specific deadlines on PowerSchool to bolster its cybersecurity infrastructure and demonstrate capabilities to mitigate future cyber threats. “This keeps the door open for the OPC to initiate further complaint investigations should PowerSchool fail to comply,” Bernier stated.

The OPC, led by privacy commissioner Philippe Dufresne, announced the termination of its investigation after PowerSchool implemented actions to contain the breach and notify affected parties. The company has also willingly agreed to additional measures to elevate its security standards. A commitment letter from PowerSchool specifies that it has until the end of July to submit any further information about the breach and must provide evidence of enhanced security features by year’s end.

By March 2026, PowerSchool is expected to achieve recertification under globally recognized information security standards. This includes conducting an independent, third-party assessment to validate its updated security measures. Dufresne will review PowerSchool’s strategies, ensuring that recommendations from the assessment are properly addressed and implemented.

The breach, dated December 2024, compromised a wealth of sensitive data—including medical records and social security numbers—belonging to millions of students and thousands of staff members across Canada who utilize PowerSchool’s platform. Nearly 90 school boards reported that they were directly affected, with certain institutions encountering ransom demands shortly thereafter.

U.S. prosecutors have indicated that a 19-year-old Massachusetts college student named Matthew Lane has agreed to plead guilty to charges related to the breach, including cyber extortion. The case shows that such incidents carry legal consequences as well as data security implications.

Bernier remarked that PowerSchool has so far been transparent in communicating with stakeholders during the investigation, which has contributed positively to the resolution of the case. She cited the OPC’s commitment to enforcing compliance with privacy regulations more strategically, as detailed in the agency’s latest annual report.

However, Bernier advocates for strengthening the OPC’s enforcement capabilities, particularly through the introduction of penalties for privacy violations. Past efforts to amend the Personal Information Protection and Electronic Documents Act to enhance the OPC’s authority have failed in the House of Commons in recent years.

In a rapidly evolving technological landscape, where the exploitation of personal data is increasingly lucrative, Bernier stressed the need for significant financial consequences tied to misuse. “If organizations profit from utilizing personal data, they must also be held accountable financially for any missteps,” she asserted.

As the landscape for privacy compliance continues to shift, PowerSchool’s case serves as a critical reminder for organizations to prioritize cybersecurity in their operational frameworks. With regulators adopting stringent measures, companies must remain vigilant and transparent to safeguard the trust of their customers and stakeholders amidst the growing threat of cyber incidents.
