The scenario
A misconfigured SharePoint, an over-broad email forward, or a vendor breach has exposed IEP documents. These are not generic student records — they include diagnoses, medications, behavior plans, and parent contact data.
First 60 minutes
- Quantify exactly which students' IEPs are in scope before any notification.
- Loop in the special-education director and district counsel in the first call.
- Notify affected families individually — not via a district-wide bulletin.
- Document the disclosure for FERPA recordkeeping.
- If a vendor was involved, demand a written remediation statement before the next IEP team meeting.
Decisions to make
Disclosure scope
- — Internal-only exposure (staff who shouldn't have access): retraining + access revocation.
- — External exposure: full state notification + individual family notice + offer of an in-person meeting.
Who to call
- FERPA recordkeeping
- IDEA — state special-education office
- State breach-notification regulator
- Office for Civil Rights if discrimination claim emerges
Mandatory reporting note: If the exposure includes evidence of abuse, neglect, or a credible threat to a student, mandatory-reporting obligations apply in parallel with the breach response.
FAQ