
Joseph Lazzarotti of the Jackson Lewis law firm has some helpful advice for schools affected by the PowerSchool breach. Here are a few snippets:
State breach notification laws generally place the obligation to notify affected persons and others on the owner of the personal information compromised in the breach, not the service provider that had the breach. In many cases, however, a vendor causing a data breach may take on the obligation to provide such notifications, but the owner of the data still will be on the hook if that process if not performed in a compliant manner.
Lazzarotti advises affected PowerSchool customers to review their agreements with PowerSchool to assess their rights and obligations in areas such as information security, data breach response, and indemnity. He also reminds people that state laws vary in terms of notification requirements to students and parents. New York State has some of the strongest laws. As Lazzarotti explains:
… regulations issued by the New York State Department of Education and adopted by its Board of Regents in 2020 require school districts and state-supported schools to develop and implement robust data security and privacy programs to protect any personally identifiable information (“PII”) relating to students, teachers and principals. Among other things, the NY regulations require vendors that suffer a breach to notify the affected schools within seven (7) calendar days. The schools must in turn notify SED within ten (10) calendar days of receipt of notification of a breach from the vendor; and the schools must notify the affected individuals of the breach without unreasonable delay but in no case later than sixty (60) days of discovery or receipt of breach notification from the vendor.
His article is a good one for school districts to read. Read more at Workplace Privacy, Data Management & Security Report. In the meantime, he also suggests a resource for affected individuals:
It may take some time before notifications are sent to individuals affected by the breach. However, there are some resources that individuals could examine to consider their options now. Databreaches.net pulled together some helpful resources for potentially affected individuals, such as teachers, parents, and former students. Access that here.