DataBreaches is trying to keep up with updates from PowerSchool, but from the outset, DataBreaches has recommended districts, parents, and teachers assume the worst — i.e., assume that all of the data really weren’t deleted permanently. On the premise of better safe than sorry, and reminding people that PowerSchool’s attorney is not YOUR attorney, here are some protective steps or actions to consider taking, below. I would not wait for any advice from PowerSchool at this point, as none of the suggestions below involve any fees to you and you can immediately begin to take steps to protect yourself. The following advice is just advice based on what I would do if I was in your situation.
Update: On January 13, PowerSchool uploaded a web page for updates.
For Teachers
Place a security freeze on your credit report now. A security freeze on your credit report stops criminals from opening accounts in your name if a credit report would be required to open a new account. You will be placing a security freeze on your credit reports at three major credit report firms: Experian, TransUnion, and Equifax. You can usually complete the process quickly online. Experian offers easy-to-understand directions on their website. So do TransUnion and Equifax.
Note:
- You will need to provide them with your identity information including SSN and they may require you submit proof.
- The freeze will remain in place until you remove it. If you ever need to allow a firm to check your credit (like for a mortgage application or credit card application), you can usually call these companies to “unfreeze” the report for a short period of time and have it resume after that time.
- Placing a security freeze on your credit report is free.
- A security freeze on your credit report will not stop criminals from opening up accounts that do not require a credit report check. You will need to remain vigilant for that.
For Parents of Minor Children
If your child’s Social Security Number (SSN) is involved or may be involved, parents can be advised to check to see if their minor child has a credit report (if under 18, there generally shouldn’t be any credit report). The Consumer Financial Protection Bureau has helpful information as to how to do that and how to challenge any report that is fraudulent. Frustratingly, the credit reporting bureaus seem to require parents to mail in inquiries or mail in requests to remove a child’s credit report. Experian also has information on how to check if the child has a credit report and how to request removal of the report if they do have one.
Parents may also wish to consider placing a fraud alert on their child’s name.
As with the procedures for teachers, expect to have to provide identity information including SSN to make requests or change records.
For Teachers, Parents, and Former Students Who Have Been Affected
Consider filing a police report to report that your information was stolen. Then if it is ever misused as a result of this incident, there is a record that you notified law enforcement proactively.
Consider contacting your bank and credit card issuers to alert them that your information was stolen and to request that they put a flag or alert on your account in case the information is misused at some point.
If you have ever re-used password or login credentials for important accounts, change your passwords – and don’t just add “2025” or an exclamation point at the end. Criminals are very good at guessing changes in passwords. (Thanks to Doug Levin for suggesting I add this one).
Other
Attorney Joe Lazzarotti has some helpful suggestions for school districts and schools now and going forward.
K12 SIX has a helpful PowerSchool Cyber Incident FAQ. Need answers that you can’t find? You can contact them.
I have no idea what PowerSchool will offer people in the way of complimentary or mitigation services. They may try to only offer free credit monitoring and identity theft restoration services to those whose SSN was involved. And they may claim that they cannot offer certain services to very young children because services may not be available for children younger than a certain age or in certain states.
PowerSchool and individual school districts who self-host are bound by state laws. If teachers want to check their state’s breach notification laws, you can find them linked from here. Sadly, that national council table does not include state statutes requiring notification of breaches of student data, and FERPA, the federal law protecting the privacy of student education records, does not require individual notification of breaches involving student data. For state-regulated obligations applicable to student data, you will have to find your state’s laws specific to student data. So far, I haven’t found any updated compilation I can point you to, but I’m still looking.
I hope the above is some help to those who are affected and want to take steps to protect themselves.
Updated January 12 to include links to Joe Lazzarotti’s article and K12 SIX’s FAQ.