Data breach agreement holds PowerSchool accountable, says former privacy commissioner
The Office of the Privacy Commissioner (OPC) of Canada has reached an agreement with PowerSchool, a leading educational technology company, to improve its privacy and security protections following a massive data breach that affected millions of children, teachers, and parents.
Under the terms of the agreement, PowerSchool has committed to significant security improvements, with clear deadlines for demonstrating them and for showing ongoing compliance. The company will provide additional information about the breach by the end of July 2025, continue supporting affected clients, and maintain its regular breach reporting and notification obligations under applicable Canadian federal and provincial privacy laws.
By July 31, 2025, PowerSchool must confirm whether it plans to implement additional authentication measures for its PowerSource platform and provide copies of any new forensic investigations or recommendations beyond the earlier reports. The company has also committed to strengthening its monitoring and detection tools so that they can identify irregular activity patterns, and to conducting a thorough review and readjustment of system access privileges, including the access controls for customer support agents, so that they align with security best practices and operational requirements.
By December 31, 2025, PowerSchool must provide the OPC with evidence that it has strengthened its monitoring and detection tools and completed the review of system access privileges.
By March 2026, PowerSchool must obtain recertification under the global information security standard ISO/IEC 27001 and submit to the OPC an independent, third-party security assessment and report detailing its updated safeguards for personal information, breach prevention, response capabilities, and other cybersecurity measures. If the assessment produces recommendations, PowerSchool must tell the OPC whether it accepts each one and provide an implementation plan with timelines, or detailed reasons for non-acceptance, for the commissioner's review and approval.
Chantal Bernier, former assistant federal privacy commissioner, expressed satisfaction with the agreement, stating it aligns with the OPC's commitment in the latest annual report. A spokesperson for PowerSchool stated they are grateful for the OPC's collaboration in helping them strengthen their safeguards further.
However, Bernier emphasized the need for financial consequences for the misuse of personal data, given how profitable that data is. She stated that if companies make a lot of money using personal data, they should be subject to paying a lot of money for misusing it. Bernier also noted that PowerSchool is not off the hook regarding the data breach and pointed to the OPC's stated commitment to ensuring that companies comply with privacy regulations in a more strategic way.
An ongoing investigation by the Information and Privacy Commissioner of Ontario is looking into the role, if any, of provincially mandated school boards in the protection of the leaked data. Efforts to amend the Personal Information Protection and Electronic Documents Act to give the OPC the power to impose such financial penalties died in the House of Commons in 2020 and 2022. The OPC's annual report focuses on making its investigations more relevant and efficient for the situation at hand.
The OPC's agreement with PowerSchool sets a precedent for holding companies accountable for their cybersecurity practices and highlights the importance of protecting personal data in the digital age.
- Despite the agreement with PowerSchool, Chantal Bernier, former assistant federal privacy commissioner, advocated financial consequences for the misuse of personal data, arguing that companies that make a lot of money using personal data should pay a lot of money for misusing it.
- The agreement between the OPC and PowerSchool underscores the central role of cybersecurity in safeguarding personal data, with PowerSchool committing to specific, deadline-bound security improvements and to demonstrating ongoing compliance to the regulator.