Why Districts Are Creating Their Own Data Breach Risks
The PowerSchool breach exposed a deeper K-12 problem: districts are retaining decades of student data they no longer need, and in doing so expanding their regulatory, financial, and cybersecurity risk.
The new privacy commissioner’s report on the PowerSchool breach exposed a deeper K-12 governance problem: districts are retaining student data far longer than necessary. Records dating back to 1985 at Toronto District School Board and similar failures at Illuminate Education show how outdated retention policies, vendor sprawl, and weak deletion practices are turning student records into long-term financial and regulatory liabilities.
This week’s Deep Dive covers:
How Did a Vendor Breach Become a 30-Year Student Data Exposure Event?
Why Has Deleting Student Data Become Operationally So Difficult?
What Happens When Regulators, Insurers, and Plaintiffs Start Pricing This Risk In?
I. How Did a Vendor Breach Become a 30-Year Student Data Exposure Event?
The PowerSchool breach exposed more than weak vendor security. It revealed how districts and education agencies routinely retain student records far beyond legal and operational necessity. More than 62.4 million students and 9.5 million educators were affected across North America, with some exposed records dating back to 1985. The implication is straightforward: many districts are dramatically expanding breach damage through preventable retention failures.
When news of the PowerSchool breach broke, the immediate narrative was predictable: another education cybersecurity failure, another vendor caught flat-footed, another reminder that schools remain soft targets.
That framing misses the more consequential story.
