The PowerSchool breach hit right before winter break 2024, exposing personal records for 62.4 million students. Social Security numbers. Medical records. Disability information. Even bus stop locations. The company paid hackers $2.85 million in ransom. The breach happened because a customer support account didn’t have multi-factor authentication turned on.
I’ve been following EdTech data breaches for years, but something about this one felt different. Maybe it was the scale, or the timing, or the sheer preventability of it. A CrowdStrike investigation revealed PowerSchool had actually been breached twice before in August and September 2024 without detecting those intrusions. The lack of multi-factor authentication on a customer support portal isn’t a sophisticated attack vector. It’s basic security hygiene.
What interested me more than the breach itself was how districts started responding. I spent the past few weeks looking into what “data sovereignty” actually means in the K-12 context, and what I found doesn’t match the conversation happening on EdTech conference panels. When people talk about districts “taking back control” of student data, there’s often an assumption that this means building in-house systems or migrating to open-source alternatives. The reality is more complicated and, in some ways, more interesting.
Mapping the problem
Education is now the most attacked sector globally, facing an average of 4,388 cyberattacks per school every week. Ransomware attacks against K-12 institutions jumped 827% between 2022 and 2023. A student record sells for between $250 and $350 on the black market. Those numbers create a certain kind of risk profile that school IT departments, which are chronically underfunded and understaffed, struggle to defend against.
The Illuminate Education breach in 2021-2022 exposed 10.1 million students, including 820,000 in New York City alone. The FTC investigation found the company stored student data in plain text and failed to decommission inactive accounts. The hacker used credentials from an employee who had left three and a half years earlier. Illuminate had received warnings about vulnerabilities from a 2020 security audit. The company waited nearly two years to notify some affected districts.
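An account-hygiene check for the two failures described above (a support account without multi-factor authentication at PowerSchool, a departed employee's still-valid credentials at Illuminate), added here as an illustration and not taken from either company or from any vendor tool. The CSV layouts, role names and the 90-day dormancy threshold are assumptions, and the sample data is constructed.

```python
import csv
import io
from datetime import date

# Constructed sample data (not from any real system): an identity-provider
# export and an HR roster. Column names are assumptions for this example.
ACCOUNTS_CSV = """username,role,enabled,mfa_enrolled,last_login
jrivera,teacher,true,true,2025-01-10
support-portal,support,true,false,2025-01-14
mchen,admin,true,true,2024-03-02
old.contractor,admin,true,false,2021-06-30
tnguyen,teacher,false,false,2023-05-01
"""
HR_CSV = """username,separation_date
jrivera,
mchen,
old.contractor,2021-07-15
tnguyen,2023-06-01
"""

PRIVILEGED_ROLES = {"admin", "support"}  # roles that must always have MFA


def audit_accounts(accounts_csv, hr_csv, today, dormant_days=90):
    """Return sorted (username, finding) tuples for accounts that can still log in."""
    # username -> separation date string ("" means still employed)
    hr = {r["username"]: r["separation_date"]
          for r in csv.DictReader(io.StringIO(hr_csv))}
    findings = []
    for acct in csv.DictReader(io.StringIO(accounts_csv)):
        if acct["enabled"] != "true":
            continue  # disabled accounts cannot authenticate
        user = acct["username"]
        if user not in hr:
            # Shared or service accounts with no accountable owner
            findings.append((user, "no HR owner on record"))
        elif hr[user]:
            days = (today - date.fromisoformat(hr[user])).days
            findings.append((user, f"owner separated {days} days ago"))
        if acct["role"] in PRIVILEGED_ROLES and acct["mfa_enrolled"] != "true":
            findings.append((user, "privileged account without MFA"))
        idle = (today - date.fromisoformat(acct["last_login"])).days
        if idle > dormant_days:
            findings.append((user, f"no login for {idle} days"))
    return sorted(findings)


if __name__ == "__main__":
    for user, finding in audit_accounts(ACCOUNTS_CSV, HR_CSV, date(2025, 1, 15)):
        print(f"{user}: {finding}")
```

Run on a schedule against the real identity-provider export, the separated-owner finding is the one that should never survive an offboarding process.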
But focusing only on breaches misses a broader pattern. Even when systems work as designed, research from Internet Safety Labs found that 96% of educational apps share student data with third parties, including advertising entities. The College Board, which had signed the Student Privacy Pledge promising not to engage in behavioral advertising, was caught tracking and sharing student information with Facebook, Google, Microsoft, Snapchat, and advertising networks.
The regulatory framework hasn’t evolved with the technology. FERPA was written in 1974, before Google existed, before artificial intelligence, before most of what we now call “EdTech” was imaginable. Its “school official” exception was intended for teachers and internal staff. That same exception now applies to the average 2,591 EdTech tools schools deploy each year. FERPA creates no direct liability for vendors who misuse data. Only schools can be penalized, and in 50 years of enforcement, no institution has ever lost federal funding for FERPA violations. Whether that represents a toothless law or appropriate regulatory restraint depends partly on who you ask and partly on what you think federal oversight of education should look like.
What “data sovereignty” means in practice
When I started researching district responses, I expected to find examples of districts building their own student information systems, hosting their own LMS servers, developing custom applications. That infrastructure work is happening, but it’s rare. The technical requirements, staffing expertise, and ongoing maintenance burden for building and operating custom educational technology systems exceed what most districts can sustain.
What’s more common is something that might be better described as collective bargaining around data practices. The Student Data Privacy Consortium has 28 state alliances and over 275,000 standardized Data Privacy Agreements executed since 2016. These agreements don’t replace commercial products with district-built alternatives. They create contractual requirements that vendors must meet as a condition of doing business with participating districts.
The Texas Student Privacy Alliance requires vendors to sign standardized agreements before districts will implement their technology. California’s Palmdale School District requires vendors to carry $1 million in liability insurance and maintains a public list of approved applications. The Education Cooperative (TEC) Student Data Privacy Alliance in Massachusetts serves over 1,000 districts across 10 states with 1,800+ signed vendor agreements, charging $1.00 per student annually, capped at $4,999 per district.
As one technology director from Westwood Public Schools described it: “Working independently, our district simply does not have the capacity to achieve such results.” That capacity gap raises interesting questions about what individual district autonomy means in a technology landscape where the vendors districts depend on operate at scale. If a district can’t effectively negotiate privacy terms with Google or Instructure on its own, what does it mean to maintain local control over technology decisions? The consortium model suggests one answer: aggregate small districts into a negotiating entity large enough to matter to vendors.
The rural district calculation
These capacity questions become more acute in rural districts. Technology leaders in small districts often manage networks while also teaching classes or driving buses. Small tax bases mean major purchases consume larger portions of budgets. CoSN’s 2024 report found 56% of K-12 schools are understaffed in classroom technology support, and that percentage skews higher in rural areas where private sector competition for IT talent makes hiring difficult.
The infrastructure costs for self-hosting illustrate the challenge. An open-source LMS requires servers with 8-32GB RAM, redundant storage with backup systems, SSL certificates, and system administration expertise in Linux and databases. Staffing represents the largest ongoing expense. Districts need at least part-time system administrators for Moodle, while Canvas’s Ruby on Rails architecture requires experienced developers. One study found even a “free” educational program cost $400 per teacher in stipends plus $250 in travel costs for required training. Security Operations Center and Security Information and Event Management solutions become prohibitively expensive at the scale most school districts operate, yet without them, districts assume full liability for data protection.
This creates a particular bind. The districts with the fewest resources and the most limited technical capacity also tend to serve the students most dependent on school-issued devices. New America’s 2025 research found under-resourced districts deploy more pervasive student monitoring software precisely because students rely more heavily on district technology. The result is greater surveillance exposure for the most vulnerable student populations, implemented by districts with the least capacity to evaluate privacy implications or negotiate alternative terms with vendors.
Regional Educational Service Agencies represent one response to this capacity problem. Michigan’s Wayne County RESA contributes $5 million annually to reduce computer service costs for 33 school districts and 97 public school academies, providing shared infrastructure for payroll, finance, student records, and state reporting. Utah’s Regional Service Centers support 26 rural school districts with shared server infrastructure, technical support, and E-Rate compliance assistance. California’s EdTech Joint Powers Authority negotiates master agreements through the state procurement process.
These arrangements provide infrastructure that individual small districts can’t build alone. Whether they provide sufficient bargaining power to actually shift vendor behavior is a different question. A consortium of 33 school districts might have more leverage than a single district, but PowerSchool serves 6,500 schools globally. Google Classroom is used by over 150 million students worldwide. The scale asymmetry between even large regional cooperatives and major EdTech vendors remains substantial.
The open source question
Moodle remains the most common open-source choice for districts seeking technical independence from commercial vendors. Dearborn Public Schools in Michigan has self-hosted Moodle since the early 2000s. Their technology director described the decision this way: “We’ve chosen to invest in ourselves with Moodle. We now have a rich environment that focuses on student and teacher learning.”
But Moodle’s K-12 market share tells a different story about what most districts are choosing. The platform led K-12 LMS implementations from 2005-2012. Now it trails Canvas (28%), Google Classroom (24%), and Schoology (22%) for new implementations. That shift happened as commercial vendors invested in user experience design, mobile apps, and feature development at a pace that community-driven open source projects struggle to match.
Which raises an interesting question about the role of open-source alternatives in district data sovereignty efforts. If a state consortium negotiates strong privacy protections with Canvas or Google, does the open-source alternative still matter? One argument is that it does, because the mere existence of a viable alternative creates bargaining leverage. If districts can credibly threaten to migrate away from a commercial platform, vendors have more incentive to negotiate in good faith on privacy terms. Another argument is that it doesn’t, because the switching costs and feature gaps make the threat largely empty.
Interoperability standards offer a middle path that works regardless of hosting decisions. The Ed-Fi Data Standard has been implemented by major vendors including PowerSchool, Infinite Campus, and Skyward, and is used at the state level in South Carolina, Michigan, Texas, and elsewhere. Learning Tools Interoperability (LTI) enables any LTI-compliant tool to work with any LTI-compliant LMS. OneRoster standardizes roster and gradebook data exchange.
These standards reduce vendor lock-in without requiring districts to operate their own infrastructure. A district using Canvas with Ed-Fi integration could theoretically switch to a different LMS without rebuilding its entire data ecosystem. Whether districts actually exercise that option is a different question. The existence of a standard doesn’t eliminate switching costs or the disruption of changing systems. But it changes the calculation enough that districts might negotiate more aggressively on privacy terms, knowing they’re not entirely trapped.
The evolving regulatory landscape
The regulatory environment has changed substantially since 2020. The FTC finalized COPPA amendments in January 2025, explicitly including biometric identifiers in the definition of personal information and requiring separate parental consent before disclosing children’s data to third parties for targeted advertising. Violations can now result in penalties up to $51,744 per incident.
FTC enforcement actions have become more frequent and more public. The December 2025 action against Illuminate Education required implementation of a comprehensive information security program, deletion of unnecessary personal information, and notification of any future data breaches. The settlement totaled $5.1 million. More than 100 school districts have filed lawsuits against PowerSchool. The Texas Attorney General has initiated a state enforcement action.
Whether this represents a fundamental shift in enforcement or a temporary uptick in attention following high-profile breaches remains to be seen. Federal agencies have limited resources and thousands of EdTech companies to monitor. State attorneys general have even less capacity for sustained oversight of an industry operating across state lines.
The Student Privacy Pledge was retired in April 2025. Launched in 2014 as a voluntary commitment by EdTech companies, the pledge was meant to demonstrate industry self-regulation. Its custodians acknowledged that state laws have superseded voluntary commitments. That admission is worth considering: if industry self-regulation worked, why would the industry abandon it? But if state laws are sufficient, why did breaches accelerate even as more states passed student privacy legislation?
Student privacy advocacy organizations have built infrastructure for supporting districts, though their effectiveness varies. Common Sense Media’s Privacy Direct tool provides free access to 150-point privacy evaluations of over 600 products. The Electronic Frontier Foundation’s “Spying on Students” campaign documented practices across 152 EdTech privacy policies and filed an FTC complaint against Google’s education data practices. The Parent Coalition for Student Privacy successfully campaigned to stop the inBloom national student database in 2014.
These organizations operate primarily through documentation and awareness-raising. They can’t force vendors to change practices or penalize violations. Their value lies in reducing information asymmetry between districts and vendors, helping technology coordinators understand what they’re actually agreeing to when they click “accept” on a terms of service agreement.
Different paths districts are considering
Districts responding to data sovereignty concerns face several distinct directions, each with different resource requirements and trade-offs.
Some are joining privacy consortiums like their state’s Student Data Privacy Alliance or regional educational service agencies. These collective frameworks cost relatively little ($1 per student in many cases) and provide standardized agreements negotiated by people with expertise in both privacy law and educational technology. The bet here is that aggregated bargaining power can force vendor compliance where individual districts cannot. Whether vendors actually comply with those agreements, or whether districts have the capacity to monitor and enforce compliance, remains an open question. Contracts are only as strong as the ability to verify adherence and consequences for violations.
Others are focusing on interoperability standards as a way to reduce dependency. When evaluating new systems, these districts prioritize Ed-Fi compatibility, LTI support, and OneRoster compliance. The theory is that systems designed to export data in standard formats can’t trap districts as effectively. The counterargument is that interoperability standards don’t address privacy practices, just data portability. A district can move from one vendor to another without rebuilding infrastructure, but both vendors might share data with third parties or have weak security practices.
A smaller number are implementing tiered approval processes that distinguish between district-wide systems requiring board approval and rigorous vetting versus classroom tools individual teachers might pilot. This approach tries to balance teacher autonomy with institutional control. The challenge is enforcement. Teachers often adopt tools informally because the official approval process is too slow or cumbersome. IT departments discover applications already in use when they see the network traffic. At that point, pulling the tool means disrupting instruction, which creates pressure to retroactively approve rather than enforce the process.
Some districts are documenting what they’re using through public lists of approved applications with links to signed privacy agreements. Palmdale School District does this. The transparency makes it harder for vendors to backslide on commitments and easier for parents to understand what data their children’s schools collect. It also creates potential legal liability if breaches occur, since documentation of approved tools makes negligence easier to demonstrate.
A few better-resourced districts are budgeting explicitly for privacy capacity, whether through consortium membership fees or contracted privacy review services. Utah employs a Chief Privacy Officer and four full-time privacy staff. That level of capacity remains out of reach for most districts. The question is whether there’s a meaningful middle ground between four full-time staff and treating privacy review as “one more thing” an overwhelmed technology coordinator handles between other responsibilities.
What this might mean
The retirement of the Student Privacy Pledge marks an endpoint to voluntary industry commitments. The 275,000+ standardized data privacy agreements negotiated through the Student Data Privacy Consortium represent a different model, one based on collective bargaining rather than vendor self-regulation.
Whether consortiums can actually shift vendor behavior at scale remains uncertain. A state alliance representing 200 districts has more leverage than a single district, but Google Classroom serves 150 million students globally. The asymmetry in scale and resources between even large regional cooperatives and major EdTech vendors is substantial. Vendors might comply with consortium agreements in states where they must to maintain market access, while maintaining different practices elsewhere.
The PowerSchool breach could accelerate movement toward these collective frameworks, or it could simply become another data point in a long series of breaches that generate temporary outrage before districts return to purchasing decisions driven by features and convenience. Federal enforcement actions might signal sustained oversight of EdTech privacy practices, or they might represent a momentary spike following high-profile incidents.
For under-resourced and rural districts, the infrastructure provided by regional educational service agencies and consortium membership offers capabilities individual districts can’t develop independently. Whether that infrastructure translates into meaningful data protection depends partly on vendor compliance and partly on districts’ capacity to monitor and enforce agreements they’ve signed.
The open questions are less about technology choices than about power and capacity. Can districts generate sufficient collective leverage to change how commercial EdTech companies handle student data? Can they build or buy the technical expertise needed to evaluate vendor claims and detect violations? Do interoperability standards provide real alternatives or just the illusion of choice?
These questions don’t have clear answers yet. What’s becoming visible is that the current model, where individual districts negotiate separately with global technology companies while lacking resources to evaluate security practices or privacy policies, creates systematic vulnerabilities that breaches will continue to expose. Whether the alternatives being developed provide meaningful improvements depends on implementation details that are still emerging.
Resources for further exploration:
- Student Data Privacy Consortium: https://sdpc.a4l.org/
- CoSN Student Data Privacy Toolkit: https://www.cosn.org/edtech-topics/student-data-privacy/
- Common Sense Privacy Evaluations: https://www.commonsense.org/education/privacy
I’m interested in hearing how districts across the Great Plains are thinking about these trade-offs. Email me at licht.education@gmail.com if you’re working through these questions.
