Skip to main content
All playbooks

Playbook

IEP / 504 / special-education data exposure

Extra-sensitive PII, extra-sensitive notification obligations. FERPA + IDEA + state-law overlay.

The scenario

A misconfigured SharePoint, an over-broad email forward, or a vendor breach has exposed IEP documents. These are not generic student records — they include diagnoses, medications, behavior plans, and parent contact data.

First 60 minutes

  1. Quantify exactly which students' IEPs are in scope before any notification.
  2. Loop in the special-education director and district counsel in the first call.
  3. Notify affected families individually — not via a district-wide bulletin.
  4. Document the disclosure for FERPA recordkeeping.
  5. If a vendor was involved, demand a written remediation statement before the next IEP team meeting.

Decisions to make

Disclosure scope

  • Internal-only exposure (staff who shouldn't have access): retraining + access revocation.
  • External exposure: full state notification + individual family notice + offer of an in-person meeting.

Who to call

  • FERPA recordkeeping
  • IDEA — state special-education office
  • State breach-notification regulator
  • Office for Civil Rights if discrimination claim emerges

Mandatory reporting note: If the exposure includes evidence of abuse, neglect, or a credible threat to a student, mandatory-reporting obligations apply in parallel with the breach response.

FAQ