Fixing FERPA: Adding Cybersecurity Requirements

July 3, 2025

Jessica Arciniega, Morgan Sexton, and Amelia Vance

CC BY-NC 4.0

The Family Educational Rights and Privacy Act (FERPA) governs how schools handle everything from report cards to sensitive psychological evaluations. Yet this cornerstone of student privacy law was written in 1974—nearly three decades before most Americans had ever heard of the internet, and long before anyone imagined that a single cyberattack could expose the intimate details of millions of students' lives. The result? A massive gap between the digital threats students face and the legal protections designed to shield them.

Today, FERPA faces a fundamental mismatch: it regulates a digital world using analog-era thinking. FERPA does not include any explicit security requirements to protect student personally identifiable information (PII). This doesn't mean schools ignore data security—most districts work hard to protect student information and expect their technology vendors to do the same. But the absence of clear legal requirements creates dangerous confusion and may lead to the adoption of insufficient safeguards for student data.

To address today's digital reality, FERPA needs explicit cybersecurity requirements that reflect how schools actually operate in 2025. These requirements should reflect the evolving digital landscape, offering schools the flexibility they need to implement effective protections.

Why This Matters: The Stakes Keep Getting Higher

Understanding why FERPA reform is urgent requires grasping how student data collection and use has transformed since 1974. Four fundamental changes have revolutionized the role of student data in education—and what happens when it's compromised.

Collecting Massive Amounts of Student Data

Modern schools collect extensive amounts of student data, including:

Data Collected                   Why
-------------------------------  ------------------------------------------------------------------------------------------------
Home Addresses                   To plan bus routes.
Emergency Contact Information    To ensure student safety.
Academic Performance Data        To identify students who need extra help and to track whether interventions are working.
Special Education Documentation  To meet legal requirements for ensuring students with disabilities receive appropriate services.
Health Information               To prevent dangerous allergic reactions and ensure students get needed medications.
Family Income Data               To determine eligibility for free meals that many students rely on.

The sheer amount of student data collected today would have been unimaginable in the paper filing cabinets of 1974. But the alternative—schools operating without this information—would mean many students going without essential services and supports. 

But when this information is compromised, the consequences can extend far beyond administrative inconvenience. For example, the Los Angeles Daily News reported that cybercriminals gained access to student psychological evaluations, details about medications and diagnoses, reports of sexual abuse, and deeply personal family information in the 2022 LAUSD attack. These aren't just data points—they're intimate details that can affect students' lives for years to come.

The Vendor Ecosystem: A New Layer of Risk

Schools now depend on an average of 2,591 different educational technology (edtech) tools during a single school year (Learn Platform). Each tool represents a potential entry point for cybercriminals and a new data sharing relationship that must be secured. This vendor ecosystem didn't exist when FERPA was written, yet it now forms the backbone of American education.

The challenge isn't just the number of vendors—it's that many vendors handle the most sensitive student information. Student information systems (SIS) store comprehensive academic and personal records; learning management platforms track every click and assignment; communication tools contain private conversations between teachers, students, and families; mental health apps collect detailed psychological information. Each vendor relationship multiplies both the potential educational benefits and the risks to sensitive student data.

Increased Frequency of Cyberattacks

Cybercriminals increasingly target schools because student data is valuable and often inadequately protected. Since 2005, schools and colleges in the United States have experienced 3,713 data breaches, exposing at least 37.6 million individual records, according to a 2024 analysis from Comparitech.

Long-Term Privacy Risks

Some risks–like identity theft, financial fraud, and emotional distress–may be immediately apparent following a student data breach. But student data is particularly valuable to criminals because it often includes comprehensive personal information that can be exploited for years, sometimes not surfacing until children become adults and discover their identities have been compromised. Secondary targeting represents an often-overlooked consequence; as seen with the PowerSchool breach, criminals may use stolen data to launch new attacks on the same victims. Students whose information was compromised in one breach can become prime targets for future scams and identity theft attempts.


FERPA’s Vague Security Standards—And Why They’re Not Enough

Reading Security Requirements Into 1974 Language

As noted above, FERPA was enacted long before the internet was as ubiquitous in education and our everyday lives as it is today. As a result, FERPA doesn't include explicit cybersecurity requirements anywhere in its text.

Instead, USED has pointed to specific language in FERPA to infer security obligations within the existing legal framework, focusing on two key provisions requiring reasonable methods:

  1. Schools must "use reasonable methods to identify and authenticate the identity of parents, students, school officials, and any other parties to whom the agency or institution discloses personally identifiable information from education records." (34 CFR § 99.31(c)).

  2. Under the school official exception, schools must "use reasonable methods to ensure that school officials obtain access to only those education records in which they have legitimate educational interests." (34 CFR § 99.31(a)(1)(ii)).

USED has used this interpretation to provide beneficial guidance to assist schools in implementing robust security measures to protect student data. However, these efforts face inherent limitations because of the lack of explicit statutory and regulatory language.

A Concrete Example of the Problem

For example, USED has said that "data security is also an essential part of complying with FERPA as violations of the law can occur due to weak or nonexistent data security protocols." But note that poor security practices are not themselves FERPA violations; they only become FERPA violations if they actually result in unauthorized disclosure of student data.

Consider the following scenario. A school fails to implement basic security best practices, such as by not limiting who can access sensitive student records—a policy change that would require no technology investment but dramatically reduces exposure if a breach occurs—when using the school's SIS. Technically, this security gap isn't a FERPA violation…yet. However, if a bad actor exploits this security vulnerability to gain unauthorized access to student PII in the SIS, a FERPA violation has now occurred because the school disclosed student data to the bad actor without obtaining consent.

Why This Indirect Approach Creates Dangerous Gaps

You can think of FERPA's current security protections like a law that says "drive safely" without providing road signs, speed limits, or traffic rules, and then decides whether or not you "drove safely" enough solely on whether you were later involved in a car accident. Schools know they must protect student data, but they lack clear guidance on what security measures they—and, in particular, their vendors—are actually required to implement to prevent unauthorized access. This lack of standards makes it ambiguous when violations occur, whereas mandated security standards in law would provide USED with clear authority to proactively enforce protections and hold vendors accountable before students are harmed.

The Real-World Consequences

No Clear Baseline for "Reasonable" Security

Without explicit requirements, schools—especially smaller, under-resourced districts—often don't know what level of security is expected or necessary. The interpretation of "reasonable" varies dramatically and struggles to keep pace with technological change. While four-digit numerical passwords might have seemed reasonable twenty years ago, today they're widely understood to be easily compromised by modern attack methods.

This isn't to say that the legal concept of "reasonableness" has no place in law; there are extensive legal theories and case law built around the idea of the hypothetical "reasonable person." But it's crucial to ensure there's a commonly understood definition or set of factors defining what "reasonable" includes when it comes to cybersecurity protections, particularly as technology rapidly evolves.

Critical Gaps in Security Coverage

The current regulatory language only requires "reasonable methods" in two specific scenarios: authenticating identities of individuals receiving student records, and limiting school officials’ access to only the records they have a legitimate educational interest in. While identity verification and access control are important cybersecurity concepts, these two elements alone cannot sustain a comprehensive security program.

Limiting FERPA's security requirements to only these two scenarios may unfortunately be interpreted to exclude other critical security elements like firewalls, intrusion detection systems, vulnerability scanning, and incident response procedures—all essential components identified in USED's Data Security Checklist guidance.

The Human Error Problem

Even robust technical defenses can be undermined by human mistakes, which represent a leading cause of data breaches. In New York State alone, 200 of the 384 student data incidents reported in 2024 were caused by human error (NYSED). But despite human error being such a significant vulnerability, current FERPA provisions don't include any training requirements for those handling student data.

The Vendor Problem: Where the Biggest Risks Hide

Today's schools depend heavily on third-party edtech vendors for essential services, and many educational data breaches stem from these vendors’ systems. This reality creates vulnerabilities that FERPA wasn't designed to address. Major vendor breaches like the 2022 Illuminate Education incident (affecting over 3 million current and former students) and the 2024 PowerSchool breach (affecting 62 million students) demonstrate how vendor vulnerabilities can expose massive amounts of student data.

Public Commitments Aren't Enough

PowerSchool positioned itself as a national leader in K-12 education data security, making high-profile commitments to cybersecurity that included the company’s CEO speaking at a White House cybersecurity summit in 2023. PowerSchool made strong representations about their cybersecurity protections, writing in an article that: 

“PowerSchool’s significant investment in advanced security technologies, including static and dynamic code scanning, best-of-breed Web Application Firewalls, and more than 30 annual penetration tests, reinforces its unwavering commitment to providing unparalleled protection and trust to districts and schools. As a signatory of the Student Privacy Pledge 2020, PowerSchool adheres to all applicable state, province, and federal regulations and goes beyond those by independently verifying its security management system annually to third-party audited, internationally recognized standards for security management systems, achieving the ISO:27001 certification and SOC2 Type 2 – the gold standard data security certification for business service providers. PowerSchool is also partnered with the Consortium for School Networking (COSN) on their recently rolled-out K-12 Community Vendor Assessment Tool (K-12CVAT) and is an active partner of 1EdTech, focusing on industry standards, interoperability, and data privacy and security best practices. PowerSchool products have been vetted and certified as TrustEd Apps by 1Edtech, based on the organization’s rigorous data and privacy rubric.”

Schools often trust public commitments, certifications, and representations like these. However, the 2024 breach revealed several security failures that undermined PowerSchool’s promises. As The 74 reported, the incident occurred when a PowerSchool subcontractor's credentials were compromised, allowing hackers to access the sensitive data of over 62.4 million students and 9.5 million educators. PowerSchool allowed the subcontractor—who most likely did not need access to data of that many students from that many schools—to access and export full student and teacher data tables containing decades of sensitive information, including records from districts that were no longer PowerSchool customers. The company's customer support portal lacked multi-factor authentication, a fundamental security measure. Perhaps most troubling, PowerSchool failed to detect suspicious activity for months, missing obvious red flags that should have triggered immediate security alerts.

Contractual Limitations

Most vendors are bound by contractual security obligations. For example, the Student Data Privacy Consortium's National Data Privacy Agreement (NDPA), a standardized contract used by districts across the country, requires vendors to "utilize administrative, physical, and technical safeguards" and implement a specific Cybersecurity Framework to protect student data. But if districts don't use standardized agreements created by privacy and security experts, their lack of technical expertise and negotiating leverage to demand strong security protections from vendors may lead to inconsistent and often inadequate safeguards for student data. 

Without legally mandated vendor standards under FERPA, there's no baseline to ensure these third-party systems adequately protect student data.

A Path Forward: Modernizing FERPA for the Digital Age

FERPA should be updated to include clear, enforceable cybersecurity requirements that address today's threat landscape while maintaining necessary flexibility for schools of different sizes and resource levels. The most urgent priority is mandatory vendor security standards, given the scale and scope of vendor breaches that represent immediate danger to student data. However, schools themselves also need updated standards, starting with comprehensive training requirements for employees with access to student data to address the leading cause of data incidents–human error.

Mandatory Vendor Security Standards: The First Priority

Third-party vendors handle vast amounts of student data but aren't directly regulated by FERPA, creating a massive gap in student data protection. The scale of vendor breaches—like the 2024 PowerSchool breach which affected 62 million students—demonstrates why this must be the first focus of FERPA reform.

Solution 1: Mandatory Contractual Provisions

While FERPA doesn't directly govern companies, requiring that written contracts between schools and edtech companies include cybersecurity language could provide much-needed leverage to schools. FERPA should require schools to enter into written contracts with all edtech vendors collecting, accessing, or using student data; and those contracts should be required to include specific cybersecurity provisions. Schools, as the primary entities governed by FERPA, would be unable to disclose student PII to vendors under FERPA’s school official exception unless contracts included the specific security requirements. This approach would retain FERPA’s current model of indirectly regulating vendors by requiring protections to be included in contracts.  

Building cybersecurity requirements for vendors into FERPA would align with other data privacy frameworks, including the California Consumer Protection Act (CCPA), the EU's General Data Protection Regulation (GDPR), and various laws mandating security measures in contracts with service providers. For example, Virginia's student privacy law requires vendors to "maintain a comprehensive information security program that is reasonably designed to protect the security, privacy, confidentiality, and integrity of student personal information and makes use of appropriate administrative, technological, and physical safeguards."

Solution 2: Aligning with Established "Reasonable Security" Standards

Rather than creating entirely new standards, FERPA could reference a set of cybersecurity standards established by a formal authority. We particularly like the idea of incorporating the Federal Trade Commission's (FTC) existing framework and guidance establishing necessary security protections that most edtech vendors are already required to follow.

The FTC is a federal agency that generally oversees industry data security practices under its authority to regulate unfair and deceptive practices under Section 5 of the FTC Act. The FTC has repeatedly made clear for over a decade that a company's failure to secure data constitutes an "unfair" practice. FTC settlements have shown time and again that it does not matter if a “companies’ practices were not purposefully deceptive or unfair; rather the violations stem from mere failure to invest the time and security resources needed to protect data.” (Davis Wright Tremaine).

There would be several benefits of incorporating the FTC’s cybersecurity framework into FERPA:

  • Identifying specific factors while retaining flexibility: The FTC's approach requires security measures to be reasonable given the type and sensitivity of data involved, the company's size and resources, and current technological capabilities. This standard evolves with technology and has been tested through enforcement actions, creating clear precedents for adequate protection.
  • Proven application to protect student data: The FTC regularly updates its guidance on reasonable and unreasonable security practices—guidance that courts have upheld. The FTC has even used this reasonable security standard to enforce protections for student data, such as in a settlement with edtech vendor Chegg that alleged the company failed to employ reasonable security measures, including storing data in plain text and using outdated encryption for passwords.
  • Not reinventing the wheel: A FERPA regulatory or statutory update could simply require that vendors adhere to security standards outlined in FTC guides like "Start with Security: A Guide for Business," which details minimum security practices businesses should implement based on FTC settlements. 
  • Consistent requirements for vendors: Aligning FERPA security requirements with existing reasonable security standards already required by the FTC would promote consistency, reduce compliance burdens on vendors, improve security across the board, and create an environment capable of addressing emerging threats effectively.

Alternatively, a FERPA amendment could designate USED or another federal agency like the Cybersecurity and Infrastructure Security Agency (CISA)—which is tasked with reducing threats to U.S. critical infrastructure, including schools—to set and update security standards. 

Security Standards for Schools: Building Internal Capacity

Mandatory Training

As noted above, the vast majority of cybersecurity incidents in schools stem from human error. To help mitigate the risk of data breaches resulting from human mistakes, FERPA should require schools to implement annual, role-specific cybersecurity training for all staff and educators with access to student PII. Additional guidance from USED can then elaborate on what topics such trainings should cover to prepare individuals for cyber scenarios they are likely to encounter. For example, USED may issue guidance stating that training for educators may cover topics like identifying phishing attempts and their schools’ procedures for reporting suspected data incidents. 

Flexible Security Requirements Accommodating Different School Contexts

All schools must protect the student data entrusted to them. That being said, schools vary dramatically in size, resources, and technical expertise, making overly rigid requirements potentially burdensome for smaller or rural districts that may lack dedicated IT staff. Rather than burdening institutions with overly prescriptive measures, FERPA can offer a collaborative approach that acknowledges their challenges while raising the security bar. 

While explicit cybersecurity requirements for schools must be added to FERPA, such requirements should retain flexibility for schools to develop appropriate security measures tailored to their unique circumstances. USED could preserve flexibility while clarifying what constitutes "reasonable methods" by formalizing a set of reasonableness factors. The Department has previously stated: 

“Although FERPA does not dictate requirements for safeguarding education records, the Department encourages the holders of personally identifiable information to consider actions that mitigate the risk and are reasonably calculated to protect such information. Of course, an educational agency or institution may use any method, combination of methods, or technologies it determines to be reasonable, taking into consideration the size, complexity, and resources available to the institution; the context of the information; the type of information to be protected (such as social security numbers or directory information); and methods used by other institutions in similar circumstances. The greater the harm that would result from unauthorized access or disclosure and the greater the likelihood that unauthorized access or disclosure will be attempted, the more protections an agency or institution should consider using to ensure that its methods are reasonable.” (2008 Federal Register, page 74844, emphasis added)

Codifying a flexible standard like this one would encourage vital data governance measures while still allowing schools to adapt security measures to their specific circumstances. 

Multiple state student privacy laws already impose security requirements on schools. For example, New York requires all education agencies to have a data security and privacy policy aligned with the State Department of Education's standard—currently NIST CSF 1.1—and post that policy on the school website. Texas requires districts to adopt a cybersecurity policy that secures infrastructure against attacks, determines risk, and implements mitigation planning.

While requiring alignment with cybersecurity frameworks would be ideal, we recognize that such measures aren't always feasible for all schools or states. However, even schools with limited resources can benefit from parts of New York's approach—prioritizing transparency by requiring security policies to be publicly accessible. A flexible framework accommodates disparities while empowering schools to craft solutions that align with their unique capacities and needs. 

A flexible standard framework (based on previous USED guidance):

  • Schools should implement security measures that are reasonable considering:
      – The institution's size, complexity, and available resources;
      – The type and sensitivity of information being protected;
      – The potential harm from unauthorized access or disclosure;
      – The likelihood that unauthorized access will be attempted; and
      – Methods used by similar institutions in comparable circumstances.

Mandatory Transparency and Data Breach Reporting

Schools should be transparent with their communities when cybersecurity incidents occur. But research from The 74's 2024-2025 investigation into over 300 K-12 cyberattacks revealed a "pervasive pattern of obfuscation" where school districts routinely provide "incomplete, misleading or downright inaccurate information" about breaches. In Los Angeles, district officials initially denied that student psychological evaluations were exposed in a 2022 ransomware attack, calling such reports "absolutely incorrect"—only to acknowledge later that approximately 2,000 such evaluations had indeed been published online (The 74). In Minneapolis, officials told families they had "found no evidence that personal information was compromised," not "acknowledg[ing] for nearly two weeks after the attack that sensitive records may have been compromised — and wait[ing] months to notify breach victims directly by letter" (The 74). This lack of transparency isn't just poor communication—it undercuts trust between schools and the community and can prevent families from taking protective action like monitoring their credit or watching for identity theft attempts.

Some states have addressed this transparency gap through legislation. For example, following breaches involving unencrypted personal information, Pennsylvania requires school districts to notify the District Attorney within three days and affected individuals within seven business days. New York requires educational agencies to report every discovery or report of a breach or unauthorized release of student, teacher, or principal data to the Chief Privacy Officer within 10 days, and notify impacted stakeholders. These reports become part of the Chief Privacy Officer's annual reports, enhancing transparency throughout the state and providing state-level visibility into what vulnerabilities districts are facing and what support they may need. This framework creates accountability through transparency while helping the state understand systemic cybersecurity challenges across its education system.

FERPA should require schools to notify affected individuals within a specific timeframe (such as the 60-day standard used by many states) and to provide clear, accurate information about what data was compromised.* Schools should also be required to report incidents to the state education agency or other state entity, creating the transparency needed for policymakers and other schools to understand the scope of the threat and learn from each other's experiences.

*Note: To enable schools to provide such transparency, schools should include provisions in their contracts with edtech vendors requiring that vendors promptly report any and all suspected data incidents to the school and cooperate with/help facilitate the school’s required data breach notifications. 

Providing Necessary Resources and Support

Any new security requirements for schools must be accompanied by resources to help schools implement them effectively. State education agencies may face significant challenges implementing comprehensive cybersecurity measures due to limited resources, funding constraints, and lack of in-house expertise–and schools are likely even less equipped. With federal cybersecurity support programs facing reduced staffing and funding, states are increasingly taking the lead in providing these critical resources.

Several states have developed successful models for supporting school cybersecurity. For example, Connecticut provides cybersecurity services at no cost to all school districts through its Connecticut Education Network, offering both broadband access and comprehensive security protections. North Carolina has built a Joint Cybersecurity Task Force that includes the FBI, National Guard, state education agency, and school districts, creating a coordinated statewide approach to cyber threats. These state-level initiatives demonstrate how collaborative approaches can provide smaller districts with cybersecurity expertise they couldn't afford individually.

Additional targeted funding specifically for K-12 cybersecurity technical assistance would help bridge remaining gaps. Specifically, we recommend designating security as part of the technical assistance support that the Privacy Technical Assistance Center (PTAC) at USED may provide for districts, and providing funding for PTAC to hire additional cybersecurity experts.
