NYS school data incidents rose 72% in 2025, with 44 reported on Long Island
Third-Party Contractor Breaches Now Drive One-Third of School Data Incidents: A Vendor Governance Crisis
Why This Matters at Board and Regulatory Level
New York State school districts reported 662 data incidents in 2025—a 72% surge from 384 in 2024. Of these, approximately 230 incidents (one-third) involved unauthorized access or disclosure by third-party contractors. Yet schools remain the liable entity for breach notification, regulatory reporting, and remediation costs, while possessing minimal contractual leverage to enforce vendor accountability or recover damages. This structural imbalance represents a vendor risk governance failure that extends far beyond education and signals systemic weakness in how regulated institutions manage critical service providers.
The Vendor Accountability Gap
The data tells a stark story: schools are outsourcing data handling to vendors without building the governance structures that should accompany that delegation. Long Island alone reported 44 incidents in 2025, and a cluster of the year's breaches statewide traced back to PowerSchool, a single vendor platform whose compromise touched at least nine districts and an educational agency. The district technology leaders quoted in the reporting describe vendor oversight that is largely contractual theater: annual contract signatures without meaningful audit rights, no verification that the contractor actually meets the security baseline it signed up to, and no enforceable incident response timelines.
James Richroath, executive director of technology for Patchogue-Medford school district, articulated the governance problem directly: "Even though we do all the ed law paperwork, are they following that and are they reporting it to us in a timely fashion?" This question exposes the critical weakness. Schools have delegated custody of student personally identifiable information to third parties but lack mechanisms to verify compliance, enforce remediation, or terminate relationships when security failures occur. The paperwork exists; the verification does not. Many vendor agreements predate current data protection frameworks and contain no provisions for cost-sharing, cyber liability insurance verification, or automatic notification escalation.
Contractual Notification Complexity and Liability Cascade
The late-2024 PowerSchool breach, which affected millions of students nationally, and the 2022 Illuminate Education compromise (1.7 million New York students exposed) demonstrate that a single vendor failure cascades across many institutions simultaneously. Yet schools have not translated their own regulatory notification obligations into vendor accountability mechanisms. New York's Education Law 2-d regulations (8 NYCRR Part 121) already require a third-party contractor to notify the educational agency of a breach within seven calendar days of discovery, but seven days is long enough for a district to miss its own downstream deadlines, and the regulation attaches no cost-sharing to the contractor. A properly structured vendor agreement should therefore tighten and extend the statutory floor: mandatory breach notification within 24–48 hours, automatic cost-sharing for notification and credit monitoring, cyber liability insurance requirements with the school named as additional insured, unannounced audit rights, and termination provisions triggered by material security incidents.
Without these contractual foundations, schools absorb the full operational and financial exposure. The Hempstead charter school case, in which roughly $3.5 million was lost to wire transfer fraud carried out through email compromise (spoofed messages purporting to come from a law firm, plus compromised internal mailboxes), shows that the exposure is not confined to vendors who hold student records: any counterparty whose identity a school trusts over email is part of its attack surface. One caveat belongs here. Unlike a platform breach at a vendor, business email compromise of this kind is preventable by the school itself: verifying any change to payment instructions by calling a number on file rather than one in the email, requiring dual approval for large transfers, and enforcing DMARC on the school's own domain are the controls that stop it. The governance point still holds. The loss originated outside the school's perimeter, and the school bore it alone.
Budget Constraints as Governance Choice, Not Inevitability
Industry experts cited in the reporting emphasize that schools "do not necessarily have the funding to prioritize cybersecurity" and face "budgetary constraints" preventing dedicated security staff and modern safeguards. This framing obscures a governance reality: budget allocation is a choice. Schools that have invested in vendor risk management—such as Nassau BOCES, which operates a managed security operations center serving approximately two dozen districts—demonstrate that structured vendor oversight is operationally feasible and cost-effective when prioritized.
The absence of vendor governance is not a resource problem; it is a risk prioritization problem. Schools have chosen to defer prevention investment until breach response becomes mandatory. This approach converts prevention costs into remediation costs, which are almost always higher and fall on the institution rather than the vendor.
Supply Chain Concentration and Systemic Risk
The concentration of incidents on Long Island (44 of 662 statewide) and the clustering of 2025 breaches around PowerSchool suggest vendor ecosystem concentration that is rarely mapped in school governance frameworks. When a single vendor platform serves dozens of districts, a single security failure becomes a supply chain incident affecting multiple regulated entities simultaneously. Yet most school boards lack visibility into vendor concentration risk, have not conducted supply chain mapping, and have not established contractual provisions for coordinated incident response or collective liability recovery.
This supply chain concentration is material to board-level decision-making. A vendor breach affecting 10 districts simultaneously creates regulatory exposure, notification costs, and reputational damage that scales across institutions. Schools should establish vendor risk committees, conduct annual vendor concentration assessments, and require vendors to disclose their customer base and any material security incidents affecting other clients.
Cybersol's Editorial Perspective
The education sector exemplifies a broader pattern in which regulated entities delegate critical data handling to vendors without establishing governance structures to manage that delegation. Schools are not unique in this failure; healthcare systems, financial institutions, and government agencies exhibit the same pattern. Yet education is particularly vulnerable because budget constraints are real, vendor options are limited, and the notification burden lands on the school. FERPA itself contains no breach notification requirement; in New York the obligation comes from Education Law 2-d, which does impose duties on contractors (a data privacy and security plan, seven-day breach notification to the district), but those duties are only as good as a district's ability to verify and enforce them, which is exactly the gap Richroath describes.
Schools must immediately audit third-party agreements for: explicit security baselines aligned with NIST or CIS frameworks (Part 121 already designates the NIST Cybersecurity Framework as the standard for New York educational agencies, so the baseline has a ready anchor), mandatory incident notification timelines with financial penalties for non-compliance, cyber liability insurance requirements with the school named as additional insured, unannounced audit rights, and termination provisions triggered by material security incidents or failure to remediate within defined timelines. Contracts should include automatic cost-sharing for breach notification, credit monitoring, and regulatory response. Without these contractual foundations, schools remain exposed to vendor-driven liability they cannot control.
The 72% increase in incidents is not a cybersecurity problem; it is a vendor governance problem. Schools have outsourced risk without outsourcing accountability. Until that structural imbalance is corrected through explicit contractual mechanisms, incident rates will continue to rise and schools will continue to absorb costs that should be borne by vendors.
Original Source
Author: Newsday (Lorena Mongelli)
Publication: Newsday
URL: https://www.newsday.com/long-island/education/school-data-incidents-nys-long-island-trw4ysk4
Date: Updated April 6, 2026
Readers should review the full Newsday article for detailed incident breakdowns, expert commentary from the Center for Internet Security and K12 Security Information eXchange, and specific case studies including the PowerSchool and Illuminate Education breaches.