The scenario
A vendor you depend on has disclosed a security event. You have 24 hours of media-driven family questions ahead of any vendor-supplied data scope.
First 60 minutes
- Get the vendor's disclosure in writing — date, scope, data classes.
- Demand a list of affected districts and a roadmap for individual-district scope reports.
- Acknowledge to families before the vendor's official notice if local press is already covering it.
- Audit the vendor's data-sharing agreement — was the breached data within the contracted scope?
- Open a K-12 MS-ISAC ticket and check whether other districts in your state are coordinating.
Decisions to make
Family communication timing
- — Vendor has issued formal notice: cite it and add district-specific scope.
- — Vendor has not yet issued notice but breach is in the press: acknowledge, commit to follow-up, do not speculate on scope.
Who to call
- K-12 MS-ISAC
- State department of education (for state-reporting platform vendors)
- State breach-notification regulator
- Other affected districts (coordinate where possible)
FAQ
Are we liable for a vendor's breach?
Under most state student-data-privacy laws (NY Ed Law 2-d, Illinois SOPPA, Texas HB 18), the district is the notification-responsible party even when the vendor caused the breach. The vendor contract should require breach-response cooperation; the district owes the families.