Regulatory grid
Who you call. In what order. Without the legalese.
Federal frameworks every US district and Canadian school board lives under, plus state and provincial overlays for the jurisdictions we cover most often.
US federal frameworks
FERPA (20 U.S.C. § 1232g)
Family Educational Rights and Privacy Act. Governs disclosure of education records. Doesn't have its own breach-notification clock, but unauthorized disclosure is investigated by the US Department of Education's Student Privacy Policy Office.
COPPA (15 U.S.C. §§ 6501-6506)
Children's Online Privacy Protection Act. School-authorized educational use of under-13 services often runs under district consent. Verify each edtech vendor's school-consent posture in writing.
CIPA
Children's Internet Protection Act. E-rate prerequisite. Filtering and acceptable-use posture matter in incidents that involve student-generated content.
K-12 MS-ISAC
Multi-State Information Sharing & Analysis Center, K-12 chapter. Free incident-response support, threat intel, and DDoS mitigation for member districts. Call them in the first hour.
Canadian federal frameworks
PIPEDA (federal, private-sector vendors)
Personal Information Protection and Electronic Documents Act. Applies to commercial vendors handling student or staff data. Mandatory breach reporting to the OPC and affected individuals where there is a 'real risk of significant harm.'
Office of the Privacy Commissioner of Canada (OPC)
Federal regulator for PIPEDA. Use the OPC breach reporting form (priv.gc.ca) and keep a 24-month breach record even when notification isn't triggered.
Canadian Centre for Cyber Security (CCCS)
Part of CSE. Free incident response, threat intelligence, and ransomware advisory for Canadian public-sector organizations, including school boards and Quebec centres de services scolaires (CSS). Call contact@cyber.gc.ca in the first hour — they coordinate with the RCMP National Cybercrime Coordination Unit (NC3) when criminal investigation is appropriate.
RCMP NC3 / provincial police cybercrime units
Criminal reporting channel for ransomware and extortion. CCCS will usually broker the handoff. Quebec, Ontario, and BC also have provincial cybercrime units worth knowing locally.
State & provincial overlays
The K-12 jurisdictions with the heaviest privacy regimes.
New York
NY Education Law 2-d + Part 121
Notification: Notify NYSED and affected families 'as expeditiously as possible' and no later than 60 calendar days from discovery.
California
SOPIPA + AB 1584 + CCPA carve-outs
Notification: California Civil Code 1798.29 requires notice 'in the most expedient time possible and without unreasonable delay.'
Texas
Texas Education Code 32.151 + HB 18 (Securing Children Online through Parental Empowerment Act)
Notification: Texas Business & Commerce Code 521.053: notify affected persons within 60 days; notify TX AG if 250+ residents.
Illinois
Student Online Personal Protection Act (SOPPA)
Notification: 30 calendar days from confirmation of a breach involving covered information.
Florida
Florida Student Data Privacy (FS 1002.222) + FIPA
Notification: FIPA requires notification within 30 days of determination of a breach; AG notice if 500+ FL residents affected.
Ontario
MFIPPA + Education Act + PHIPA (where applicable)
Notification: MFIPPA requires notice to the Information and Privacy Commissioner of Ontario (IPC) and affected individuals at the first reasonable opportunity where there is a real risk of significant harm.
British Columbia
FIPPA (BC) + School Act
Notification: FIPPA s.36.3 requires notification to the Office of the Information and Privacy Commissioner (OIPC) and affected individuals without unreasonable delay when there is a real risk of significant harm.
Alberta
FOIP (Alberta) + Education Act
Notification: FOIP s.34.1 requires notice to the Office of the Information and Privacy Commissioner (OIPC) where a reasonable person would consider there is a real risk of significant harm. Affected individuals must be notified as soon as practicable.
Québec
Loi 25 (Law 25, formerly Bill 64) + Education Act
Notification: Loi 25 requires notification to the Commission d'accès à l'information (CAI) and affected individuals 'with diligence' (sans délai) when a confidentiality incident presents a risk of serious injury.
Nova Scotia
FOIPOP + Education Act + Regional Centres for Education governance
Notification: FOIPOP does not set a fixed clock, but the Office of the Information and Privacy Commissioner (OIPC NS) expects notification 'as soon as reasonably practicable' where a real risk of significant harm exists.