NYS school data incidents surged in 2025 - Newsday

By Cybersol · April 9, 2026
Source: originally from "NYS school data incidents surged in 2025 - Newsday" by Newsday.
{
  "text": "# Third-Party Contractor Breaches Now Drive One-Third of NYS School Data Incidents — A Governance and Contractual Liability Crisis\n\n## Why This Matters at Board and Regulatory Level\n\nNew York State school districts reported a 72% surge in data incidents in 2025—from 384 to 662 cases—with one-third (230 incidents) attributed to unauthorized access or disclosure by third-party contractors. This is not a technology problem masquerading as a governance issue. It is a structural failure in vendor risk management, contractual enforcement, and liability allocation that leaves school boards, administrators, and their insurers with cascading regulatory and civil exposure. Schools have become a case study in how budget constraints, fragmented vendor ecosystems, and weak contractual controls create supply chain vulnerability at scale.\n\nThe governance implication is stark: organizations managing sensitive data—student records, health information, financial details—are outsourcing security responsibility to vendors they have minimal contractual leverage over, limited visibility into, and weak mechanisms to hold accountable. When a vendor is breached, the school district bears the regulatory penalty, notification costs, credit monitoring liability, and reputational damage. The vendor, by contrast, often faces no contractual consequence. This liability inversion is not accidental. It reflects the absence of vendor-specific security requirements, incident notification timelines, audit rights, and financial penalties in most school procurement agreements.\n\n## The Vendor Risk Governance Gap\n\nAccording to the New York State Education Department's chief privacy officer report, 221 of 662 incidents in 2025 involved external breaches or hacking—but the most revealing statistic is the 230 incidents (35%) caused by \"unauthorized access or disclosure by a third-party contractor.\" This category captures a different risk vector than external hacking: it reflects vendors with legitimate system access who either failed to secure that access, inadvertently exposed data, or—in worst cases—were themselves compromised and became a vector for attacker entry.\n\nThe PowerSchool breach, which impacted at least nine Long Island districts and continued affecting schools into 2025, exemplifies this pattern. A single vendor vulnerability cascaded across multiple school systems simultaneously. The 2022 Illuminate Education breach, which exposed personal data on 1.7 million New York students and resulted in a $5.1 million settlement with the New York Attorney General, further demonstrates that vendor breaches in education are not isolated incidents—they are systemic exposures affecting entire cohorts of students and families.\n\nYet most school districts lack the contractual architecture to manage this risk. As James Richroath, executive director of technology for Patchogue-Medford school district, stated: \"Even though we do all the ed law paperwork, are they following that and are they reporting it to us in a timely fashion?\" This reflects a critical governance blind spot. Schools sign annual vendor contracts that include data security and privacy requirements, but they have no systematic way to verify compliance, no contractual obligation for vendors to report breaches within defined windows, and no financial penalties for non-compliance or delayed disclosure.\n\n## Contractual Language as a Governance Control\n\nThe absence of vendor-specific security requirements in school procurement agreements is not a cost-saving measure—it is a liability multiplier. Well-structured vendor risk programs require contractors to maintain encryption at rest and in transit, implement access logging and multi-factor authentication, maintain incident response procedures, and report security incidents within 24–48 hours of discovery. These are not optional enhancements. They are baseline controls that should be embedded in every contract managing sensitive data.\n\nMoreover, contractual language should explicitly designate vendors as agents of the school for breach notification purposes. This means vendors are obligated to notify the school immediately upon discovery of a breach, not weeks later through regulatory channels or media reports. Contracts should specify financial penalties for late notification, require vendors to maintain cyber liability insurance, and grant schools audit rights to verify ongoing compliance. The absence of these provisions is particularly acute in education, where budget constraints often prevent districts from hiring dedicated cybersecurity staff or conducting vendor security assessments.\n\nThe state report noted that 341 incidents in 2025 involved human error—accidental disclosure of confidential information. While training and process controls matter, contractual language should also require vendors to implement technical controls that reduce the likelihood of accidental exposure: data loss prevention (DLP) tools, restricted file sharing permissions, and audit trails for sensitive data access. These are not novel requirements. They are standard practice in healthcare, financial services, and government sectors managing comparable data.\n\n## The Visibility and Accountability Crisis\n\nSchool districts typically do not maintain vendor risk registers, do not track vendor-related incidents separately from internally caused breaches, and do not conduct periodic security reviews of their vendor ecosystem. When incidents surge 72% and one-third involve third-party contractors, the governance response must include a comprehensive vendor ecosystem audit, security-specific contract renegotiation, and ongoing vendor risk monitoring.\n\nSandeep Dhillon, director of district technology services at Nassau BOCES, noted that \"what is missing is having visibility into platforms, applications and have a strong vetting process which requires the additional staff and budget.\" This is the core governance problem: schools lack the contractual mechanisms and internal capacity to maintain visibility into vendor security posture. The solution is not to eliminate vendor relationships—schools cannot operate without technology partners. The solution is to establish contractual frameworks that create accountability, enforce transparency, and allocate liability appropriately.\n\nTJ Sayers, senior director of threat intelligence at the Center for Internet Security, observed that schools are \"low-hanging fruit\" for attackers and that \"the landscape over the last five years has increased in terms of the cyberthreat activity that K through 12 schools are facing.\" This threat landscape is not static. AI-assisted phishing, ransomware, and malware are becoming more sophisticated and more accessible to threat actors with minimal technical skill. Schools cannot defend against this threat environment with constrained budgets and trust-based vendor relationships. They require contractual controls that enforce security standards, enable rapid incident detection and response, and create financial consequences for vendor non-compliance.\n\n## Systemic Weakness: Regulatory Exposure Without Contractual Leverage\n\nCybersol's analysis identifies a critical systemic weakness in how public sector organizations manage vendor risk: they face regulatory obligations to protect sensitive data but lack contractual mechanisms to enforce those obligations on vendors. New York State requires schools to include data security and privacy plans, parents' bill of rights, and minimum technical safeguards in vendor agreements. Yet the state does not require schools to include specific incident notification timelines, audit rights, or financial penalties for non-compliance.\n\nThis creates a governance asymmetry. Schools are liable under state breach notification law (General Business Law § 668) for unauthorized disclosure of personal information, regardless of whether the breach originated internally or through a vendor. Schools face potential liability under FERPA (Family Educational Rights and Privacy Act) for inadequate safeguards of student records. Yet schools have no contractual right to audit vendor security controls, no contractual obligation for vendors to report breaches within specific timeframes, and no financial recourse if vendors fail to implement required safeguards.\n\nAs emerging frameworks like NIS2 (in the EU) and state-level critical infrastructure protections expand, this liability inversion will become more acute. Organizations managing sensitive data will face regulatory penalties for vendor breaches even when they lack contractual visibility or enforcement mechanisms. The governance response requires schools and other public sector organizations to treat vendor risk as a core governance function, not a procurement afterthought. This means establishing vendor risk committees, conducting periodic vendor security assessments, maintaining vendor risk registers, and renegotiating contracts to include specific security requirements, incident notification timelines, and audit rights.\n\n## Closing Reflection\n\nThe 72% surge in data incidents across New York State schools, with one-third involving third-party contractors, is not a cybersecurity problem alone. It is a governance failure rooted in weak contractual controls, inadequate vendor visibility, and misaligned liability allocation. Schools—and by extension, other public sector and regulated organizations—must move beyond trust-based vendor relationships and procurement agreements that lack security-specific language. The original Newsday reporting provides detailed context on specific incidents, vendor failures, and district-level responses. Readers should review the full article and conduct comprehensive vendor risk audits, prioritizing contractual security language, incident notification requirements, and audit rights as core governance controls. The cost of renegotiating vendor agreements is negligible compared to the liability exposure created by a single major vendor breach.\n\n**Original source:** Newsday, reporting by Lorena Mongelli. Published April 6, 2026.\n\n**Full article:** https://www.newsday.com/long-island/education/school-data-incidents-nys-long-island-trw4ysk4",
  "hashtags": [
    "#VendorRisk",