Skip to main content
All playbooks

Playbook

Vendor / EdTech supply-chain compromise

PowerSchool's 2024-2025 incidents are the archetype. Generalizes to any SIS / LMS / payment / transportation vendor.

The scenario

A vendor you depend on has disclosed a security event. You have 24 hours of media-driven family questions ahead of any vendor-supplied data scope.

First 60 minutes

  1. Get the vendor's disclosure in writing — date, scope, data classes.
  2. Demand a list of affected districts and a roadmap for individual-district scope reports.
  3. Acknowledge to families before the vendor's official notice if local press is already covering it.
  4. Audit the vendor's data-sharing agreement — was the breached data within the contracted scope?
  5. Open a K-12 MS-ISAC ticket and check whether other districts in your state are coordinating.

Decisions to make

Family communication timing

  • Vendor has issued formal notice: cite it and add district-specific scope.
  • Vendor has not yet issued notice but breach is in the press: acknowledge, commit to follow-up, do not speculate on scope.

Who to call

  • K-12 MS-ISAC
  • State department of education (for state-reporting platform vendors)
  • State breach-notification regulator
  • Other affected districts (coordinate where possible)

FAQ

Are we liable for a vendor's breach?

Under most state student-data-privacy laws (NY Ed Law 2-d, Illinois SOPPA, Texas HB 18), the district is the notification-responsible party even when the vendor caused the breach. The vendor contract should require breach-response cooperation; the district owes the families.