¶ Intro & Update on PowerSchool
Live from the NTP studios, this is the K-12 Tech Talk Podcast. I am Josh, K-12 Tech Director in Missouri. Chris is here. He's another K-12 Tech Director. Hey, Chris.
Hello.
And Mark. You might have seen Mark, before we let Mark talk, you might have seen Mark on a recent episode of CTV News in Canada. Hey. Hey, Mark. How are you?
I said a, not hey.
Oh, no, no, that's not how Canadians say a. How you doing? Hey, hey.
I was on Canadian national news this week talking about it. It was pretty crazy. It was pretty crazy.
Yeah, all my friends in Canada said they saw me. I don't have any friends in Canada.
Well, now you do. Millions. You won't find us on, what's it called, not... oh, I almost said a very bad website. RedNote. You won't find us on RedNote, no. But you can email us, k12techtalk at gmail.com. Share us with your friends. We're on all of the popular streaming podcast services, Spotify, iTunes, you name it. Shoot us an email or send us a message over on X. Not RedNote yet. Any news? Any, yet? No, I won't be joining. We'll see what the cool kids do.
Yeah, it's kind of sad scrolling TikTok these days, 'cause like a lot of them are just like, goodbye, everybody. Goodbye, world.
And I don't have a,
Here's a dance.
Mark, have you mastered any TikTok dances?
No, I should though. I should spend the next three days.
I was going to say is, you're out as your final video to the world. Not a chimp lady. Speaking of chimp lady, one of my son's coworkers knows the chimp lady. Okay. Like, really knows her. It's great. Yeah, I've been following Spencer Pratt. You guys know him?
From The Hills, MTV? Yeah, The Hills. Yeah, he's blowing up on TikTok. He's back.
Yeah he's been a big deal.
Okay, we should probably get into it. We are a week out, roughly a week since the PowerSchool breach hit the news. I won't say we broke the news, but we were pretty early on in reporting on it, and our favorite manifesto writer has an update to his original take on the PowerSchool breach. But before we get to that, Chris, do you want to talk about Lumu, one of our newest sponsors?
I do. Check out Lumu at lumu.io. If you are drowning in cybersecurity alerts within your district, within your space, Lumu can help you cut through that noise. They can automate responses with all that you have going on. So we know that the bad guys, they can bypass your traditional cyber stack of stuff, your EDR, your firewall, your email security. Lumu can get plugged into your district and help you with all of that with their crazy features.
So maybe a new service product to you, but check out Lumu, L-U-M-U dot I-O.
Blumu and Doug. All right, Mark, what updates do you have for us in your take on the PowerSchool breach?
Yeah. So there hasn't been a lot of kind of technical updates in the week and a half or so since the announcement. I did link, we'll link this in the show notes, I wrote a kind of an article about, you know, what's happened in the last week. And one of the first things I did was link to a few resources that you should really look for if you're looking for all the technical details. So there's a Substack article from Indy Lombardo. K12 SIX has published their FAQs.
And then obviously the Google Doc from a tech director, Rami Backus, she works for the American School in Dubai, I believe. That has been used for everybody who's in a school district looking for the technical details on how to find it. That's where you need to go. So what's happened in the last week? I think we all have gone through PowerSchool's webinar with their CEO and their CISO. And I kind of mentioned in my note that I was very impressed with the level of detail that they shared.
It was incredibly, incredibly informative. But in the next few days, there's a lot of questions that came up and they kind of fall into three categories. So should we kind of dive into the three main questions that we still have? The first one being, how did the account compromise lead to this, both with how was it compromised? Why didn't MFA stop it? Was there MFA? It was kind of some unknown questions around the level of MFA.
Could it, you know, was it insufficient or was it just not in place at all? And then how did one account have access to all of the customers? There's a lot of questions around that. PowerSchool did say that they're going to release the CrowdStrike investigation report. I think that's January 17th or so. So it's coming up.
Yeah, it was coming up.
Yeah, that's it. That's a really short time to investigate. But hopefully we'll have some answers to that first question when the CrowdStrike report comes out. Any thoughts on that?
No, no, I think like you said, it's going to be interesting to see the CrowdStrike report and what they're, to see if we can tell if that report has been filtered or distilled down. I'm sure there'll be a private report that goes to PowerSchool directly. It'll be interesting to see how much of that content makes it publicly.
Yeah, and you surely don't want any... If there are any continuing weaknesses in PowerSchool security, you definitely do not want that published. So I'm not going to criticize anybody if there's a private and a public version.
You would expect it.
Yeah. Same thing goes if you're a school district. You should have a private briefing for your board and superintendent.
Yes.
And then your public one. So the second question is how many districts were impacted by this?
¶ What is the impact?
This is one that I'm very, very curious on, because we did start to hear towards the end of last week that there were former customers of PowerSchool that were also notified.
Yep.
Oh no.
Thoughts on this?
That sounds bad.
Yeah. I mean, it's, it's definitely not ideal. You, you would assume that, that when your contract expires and you leave a vendor, that the kind of unsaid rule there is delete my data. But apparently that wasn't happening.
So, okay. Question for you on that one. If you're a random ed tech company, yeah, that should be the expectation. Delete the, you know, achievement metrics and scores and stuff like that in the roster. If you're PowerSchool, you're holding data that is technically required to be held if it's the only record.
That's, but, okay, continue.
So if you are PowerSchool, and let's say, let's put ourselves in the seat of a PowerSchool lawyer, you've got a former customer. You can't get in touch with that former customer because we know that school districts don't always keep up their public directories or people changing ebb and flow. And you've got a customer that has left you guys, and it's about a year later or six months later. The agreement isn't very clear into what you're supposed to do with the data.
Do you delete data knowing that that could actually be the primary data source for former alumni students of that district?
I think you have two scenarios there. I think you have the scenario that you just described where the customer goes silent and is not communicating. But I think there's also a scenario where the customer isn't silent and has informed you that they are migrating to a different product. To me, if it's scenario B and I have informed PowerSchool that I'm moving to another product, PowerSchool should delete that data. It's on the district's responsibility to maintain that data at that point.
But like you said, if it's scenario A where the district just has gone silent and hasn't paid their bill, yeah, that's a little gray. I think you have to do some verification there before PowerSchool deletes that data. The scenario that I know of, the district told them they were leaving.
Both of those have those great questions of, I mean, you're cis, whatever you have. As a tech over the contracts, do I read the sentences that say if I leave this that they promise to delete the data in a year, in six months, whatever?
However, better you want, if you've got a DPA with them, a clause in the DPA is data deletion. When you request, they have X number of days to delete the data. So, and we'll get into deep. That's another topic of discussion later in the show. But yeah, you need to know where your data is.
So maybe PowerSchool is just reading through 18,000 individual data privacy agreements right now.
Maybe. Maybe.
All right. And the last question.
That didn't make me feel good at all, Mark.
Sorry, my bad. The last question is related to this, though, but different is how many students were impacted. And the other thing that started to come out towards the middle to end of last week was that school districts were saying, wait a minute, we didn't just have our active students in there. We have all of our former withdrawn alumni students contained in that student export. It was confirmed that the student export did include all students.
And so now school districts are, they've notified some of their, well, they notify their active families and now they got to go back and notify alumni, withdrawn students.
That's super cool. How exciting.
Yeah, I mean, do the math on that. If you're a similar size district to where I work, and you've got 300 kids a grade level, and you've had PowerSchool for 10 years, that's immediately 3,000 kids of graduates, potentially, plus your kids that withdraw mid-year. So say another three to four hundred kids, plus your current enrollment, which would be roughly thirty-six hundred to four thousand kids. You're reaching close to ten thousand kids real quick.
Simple math, boys.
Plus your staff.
My former district was the first school district in the country. Got to drop that factoid here because we here in Boston love to just say that we're the first for everything. We had five hundred some odd thousand students, archived students in our system. So that's one district.
Not PowerSchool.
No, not PowerSchool. That's one district. Now, you got a class action lawsuit that's dropped like 800,000. There's no way it's anywhere close to 800,000. No. It's got to be millions, if not tens of millions of students, if we're talking about active and former students.
Probably 10 times that. Yeah.
Yep.
Well, South Carolina, the example I gave was South Carolina. They're an entire state that uses PowerSchool, and they have 800,000 students in the state. It's active students.
That's active. That doesn't include graduated.
Correct. So add 16,000 a year for South Carolina, and you're looking at a massive amount. And if you do the back-of-the-envelope math, this is not at all accurate math here. You can use a napkin, too.
Paper towel?
But South Carolina is a small, small, I think it's a half a percent of PowerSchool's overall clientele. So we're looking at an unknown number of students, but a rather significant one at the very least, man.
That's, that number is mind-blowing.
Yeah, so I end the article with a couple silver linings. I did say, and again I don't mean to kind of underscore or diminish this, but we got a little bit lucky that PowerSchool was up and active. And so, you know, I talked a little bit about what would happen if we had data exfiltration on top of a system being out last week when everybody came back to school. We'd be talking about students sitting at home for possibly days. And then this conversation, I think that's the other silver lining of this whole thing, is that the entire industry is talking about this right now, and changes will happen.
It's going to be really interesting to see the conversations that take place because of this, you know, everything from
¶ The Bigger Picture
providers proving that they have ISO certification, you know, that they're meeting an ISO standard or a NIST standard. Well, like you, you can say this because if you look at DPAs that are signed by PowerSchool, they said they were meeting a standard. I believe it was the ISO standard. I would really question those ISO audits at this point. Like, who was doing them? Show me that you were getting that stamp of approval, because there I have some serious questions.
Yeah, PowerSchool is SOC 2 Type 2 certified. They have been for a few years, and so, yeah, there's a lot of questions around, if these are some of the industry standard certifications, how much can we rely on them.
Does that then call into question that certifier's capability and ability to continue to certify?
It's really hard to say. It all depends on the outcome of the CrowdStrike report in terms of what happened and how did it happen. And then the questions are going to come down like, is this line that is covered under SOC 2? Or is there a weakness in how it was analyzed and re-evaluated, how it was reported by PowerSchool, how it was reported maybe by a subcontractor? We just, we don't know.
Yeah. And we're still, we're a week out from notification. We're barely, we're not even a month out from the incident. Again, for all that has transpired, I still think this is, we have good data, good information in a relatively quick manner. You can complain that the notification didn't happen fast enough and likely not within the standard of, if you have an agreement, or your state law. Yeah, I'm not discounting that.
But show me another breach of this magnitude that had a notification go out to clients with as much actionable and real data that was included in those webinars that the CEO and their CISO gave. I still say that's worth a good job, guys, there.
Yeah, I was initially a little bit critical of PowerSchool about the notification timeline until I attended the webinar and saw and heard just how much they shared, which was very incredible. Still, again, lots of unknown questions. And that's what the purpose of my post was, of like this kind of wrap-up of these questions into the main categories. But, you know, I think PowerSchool has set a high bar for communication.
But I do say I hope they keep it up. But at this point, they've been hit with three class action lawsuits. You probably have a lot of lawyers in the room at all hours of the day scrutinizing exactly what to do. So we're out of the fire. And now that the embers are still hot, you've got a lot of other chefs in the kitchen. They're going to influence communication. I hope PowerSchool can continue and improve upon their communication. But we'll see.
I think that fire is just getting started.
We've kind of wanted to say it out loud, I guess. The PowerSchool, like the public-facing website FAQ stuff, it kind of felt like it got a little nicer, prettier.
Yeah.
Again, you kind of wonder. It just, you wonder, are you going to be, did you do like the one big push for transparency and are you going to pull it back for a while? That doesn't help the K-12 techs and the K-12 folks know what to do next.
Or did a fancy pants lawyer come in and say, you're not saying that again?
It's a little, yeah, I think that was my initial response when I saw the FAQ was, it feels very polished, very sanitized in comparison to what we saw in the webinar, but we'll see.
Yep.
All right.
Should we go on to new news?
Before that, let's talk about Vizor, V-I-Z-O-R. Use Vizor for your one-to-one program. They can help you out with your inventory, your barcode check out and check in, and more. If you head over to vizor.cloud slash K12 tech, K12 tech, is that right? vizor.cloud.com. You can do a 30-minute demo with them and get some swag of ours if you'll do that. So check out Vizor.
All right. I don't think we should say new news. Some other very popular podcast has that phrase.
¶ Scholastic Breach Discussion
So on to it. So it's been a rough, what, week and a half for ed tech providers? News of a massive breach from Scholastic this week, data on 8 million people stolen by a, did I read this right, Mark, a furry hacker?
A furry hacker.
Please describe that.
Yeah. Can you tell our listeners, Mark, that might not be in tune to the same realm, maybe you are, what a furry is?
To be clear, I am not a furry myself, if that's what you are insinuating. I don't get why they call it a furry hacker. I mean, I guess it's a hacker that is a furry in their pictures.
Yeah, right. Yeah. Yeah.
A furry is somebody who dresses as an animal in a very like cartoonish style costume. Very elaborate toy.
Yeah.
Yeah. Yeah. And we won't go into the.
It's a whole culture.
It's a culture. A hacker going by the alias Parasocial is apparently a self-proclaimed furry hacker who stole a bunch of Scholastic data for fun. Again, that's his exact words, for fun. No ransom, nothing. Just said, here it is, world. Eight million people, yeah.
That I, what was that, yesterday I guess, had a Have I Been Pwned notification, hey?
So that's, here's my question for you. When I was trying to research this, have you heard anything from Scholastic? No.
No, I can't say that I have.
Okay, because I scoured Scholastic's website and I couldn't find anything. I know they've got a bunch of different websites with all the different, you know, areas here, but I couldn't find anything. Okay, I'm just trying to figure out, is this real? Is this reported? Like, what's going on here?
Can we draw a comparison between Scholastic's non-ownership of this and PowerSchool's ownership of their breach? Yeah, like, yeah, you have two, granted one is way smaller than the other, but still diametrically opposite of each other in the way that they're handling this breach.
Now we should also add, we're recording this on Tuesday the 14th, and so if, in the time between when we record this and when the episode airs, Scholastic has, yeah, come on, say something. Hey, you know, kudos to you for that. But right now, we got nothing.
Yeah. It's interesting. Okay. All right. Another... I'm going to, I'm just going to refrain, because I can't probably make it through this without an inappropriate joke. Mark, why don't you take the next one?
¶ Political Landscape Changes
There's a great organization called Whiteboard Advisors, and they've published a briefing on what they believe Linda McMahon's policy priorities are going to be in her term. I didn't say her one up. Notice I didn't say her first term, in her term. There's a lot of stuff.
Appointment. I don't know that you can call it a term. Can you, can we just, like, it's an appointment. She's serving as the head of DOE.
Yeah. There's not really too much in here that's relevant to ed tech. But one of the things that raised kind of a flag in my mind is that they're saying that they believe.
Leotards versus singlets.
Yeah. Yeah. It was really the outfits that wrestlers will be wearing.
Get out of here.
No, it's, they raise the topic of, you know, that one of the things that has been really pushed around the conservative areas is this idea of parents being able to review curriculum. So should the Department of Education make it required that school districts publish or make available their curriculum to parents to view? How do we actually do that? Because I think our folks are going to have to be involved in something like that. Or will they?
They do mention in here there's about 12 states that do this already. And you guys said before the show, Missouri is one of them. So yeah, tell us how this is done.
I could be totally wrong here, but for the last couple of years, we've had it available to where if a parent wants to inspect curriculum, they're able to come in and meet with building administrators or district administrators and inspect that curriculum, the units of study, yada, yada, yada. You know, kind of the conversation goes along with being a tuned-in parent or being an involved parent, none of that really should be a surprise to you.
Like, you should be informed with regular communication from your student's teacher about what they're doing in the class anyway. I agree that parents should have the ability to do this. And it does nothing but add that layer of transparency for school districts, because school districts often get beat up about, you know, they're teaching the woke agenda. They're teaching things I don't agree with.
Well, one way to combat those types of statements is to make it available to be seen and not hide behind, not hiding that information. So I agree with it. I don't know that it's right to make it required, you know, local control. It's different here in Missouri, but I think it's a fine idea.
So, I don't know if parents have come into your school, if you've been able to put this into practice, but does this mean that at any given time, you've got 180 days worth of curriculum that a parent can come in and read all of that and view it? And yeah, have parents actually exercised that?
I've, I've known of a handful. Wow.
We have ours through our school website. And it's, I mean, a more advanced Google site with a lot of Google folders and a lot of Google Docs and uploads. And our, I mean, our teachers would meet and go over things with curriculum. And like, I just clicked around on it. Like it's broken down by grade level and then by subject area. And there's the pacing guides and the units. And it's, you know, anything that you would want public. Of course, it's not showing assessments.
It's not showing the actual assignments, but it's pretty stinking detailed. And I know I've laughed at the site because it was developed before Google came out with like shared drives. And like super complicated, like on the sharing and keeping up with who's assigned to who and who has access to what folder and who's the editor and who's the owner and all that kind of stuff. And we've started to move over to something better than this, but it's there. It's living. It's breathing.
I have to think that it's not always up to date just because of sheer movement of teachers come and go and curriculum gets updated. It changes. But the idea of it is that, yeah, you can click on our website and you could click on a pacing guide and click on a unit and see what your child should be learning about.
Do the publishers allow you to do this? Because I guess that's the other question, too. You're making proprietary material public in what you've just described.
I don't know that it's the actual content. I think it's a unit of study and how it aligns with Missouri Learning Standards. So we are tackling Missouri Learning Standards A.24, and we're going to use this resource and do this activity, and we're going to measure comprehension by doing this. It's more along those lines. It's not actually sharing, you know, pages 15 through 25 out of a textbook.
It's what you're going to do, what activity you're going to do, how you're going to do it, and then how you're going to measure comprehension of that activity.
See, that makes sense. I just wonder how much of this is driven by political desires, as you mentioned before, you know, to, to attack the woke agenda. Like, how can you do that without actually inspecting the raw materials in the curriculum, which is proprietary. Interesting. Interesting. Perhaps we'll be supporting our districts with setting up different websites and links to syllabi.
Don't do what I just said.
Actually, ours is in a shared Google Drive. Because if the person that owns Chris's folder leaves and you disable that account, everything off in the ether.
¶ Curriculum Transparency
How we are is a lot of work on the tech department.
The problem with shared Google Drives, and we're going down a rabbit hole here, the problem with shared Google Drives is that they can't be published externally. So I think that's probably part of the reason why we ask parents to come in to inspect because we don't publish that outside. I don't know.
Got it.
All right. Well, the last update is, or the last news article is an update on something we talked about a long time ago. Remember the principal who, there was a deepfake audio made of him and it turned out it was the athletic director. Yeah. And the athletic director then obviously got fired for making a fake deepfake of the principal's voice. Well, he's back and he has filed a lawsuit against his school district.
On what grounds?
In this, the plaintiff alleges that the Baltimore County Public Schools' inaction to correct the record on the audio evidence allowed the national destruction of his reputation to go on while he endured public humiliation and violent threats. I mean, I can't deny that that was, you know, that was a very hard area for him. I don't know what the school district did or did not do. The interesting thing is he's also suing for negligence in hiring,
retention and supervision. I mean, the district didn't do enough in that area, which I thought the story was that it was the principal who's supervising the athletic director. And that, you know, that relationship didn't go well. And that's why he, the athletic director, then made this. So is he saying that he didn't do a good job supervising? I don't know. So, yes, we're back here. Now we have a school district in the hot seat once again for a deepfake lawsuit. Interesting.
This has been one of my examples to share with teachers on what is AI and what can it do, because I just think these are things that you can expect to happen more and more. Yeah, yeah, because this is just kind of like the first one that we heard about, but as soon as we give AI to the kitties, it's over.
Yeah. Yeah. In the article, it also mentions that 43% of surveyed teachers had heard about sexually explicit deepfakes in their school. So it's coming. It's here. There's a good number of teachers who are already experiencing this stuff. So.
Which is crazy.
¶ Legal Implications of Deepfakes
Yeah. That's it for the news for this week.
Thanks, Mark.
Thanks, Mark. By the way, check out ClassLink. Like Clever But Better. Go to classlink.com. They can do your SSO, your rostering, and more.
So the main topic for tonight, and it again revolves around this PowerSchool breach, but it doesn't necessarily have to be PowerSchool. It could be the Scholastic breach. It could be any number of third-party breaches where you're holding data. But there's some overwhelming topics that keep coming up, and right now it just happens to be around this PowerSchool breach.
What should districts be doing, or know the requirements for notification, notification to parents? What state agencies do they need to notify, or do they have to notify law enforcement? And where does this land with data privacy agreements? What water do data privacy agreements hold in a scenario like this? So let's start at the beginning. Should districts be worried about notifying their parents in a breach like this?
And I mean, it's the hot topic. Let's use the PowerSchool breach as an example. Mark, if your district, if you're, you know, rewind the calendar a year and you're back at your old big district and let's say they used PowerSchool, they didn't. In this scenario, would you be quick to notify your parents? Yeah, see. Okay.
I mean, I'll take it one step further. I think even if you're not a PowerSchool district, the attention that this has gained, I would be surprised if school districts haven't received questions from parents. I think that even if you're not a PowerSchool customer, you probably should at least send a brief message out, say, you may have heard on the news, but we're not impacted. So yeah, at the very, very least, everybody should be notifying districts or families if you're a customer impacted by a breach.
I'm asking my boss and asking the attorney.
Really? You're not?
They'll tell me something, right? They'll say don't send letter, or do send letter.
To a degree, but I mean, you have anecdotal stories of districts being told by attorneys, don't worry about it right now.
Okay, so Chris is kind of technically right that the notification should be your lawyer and your superintendent, but like, I'll follow what Josh is just saying. Chris, what happens if your lawyer says, nah, don't say anything, let's sweep this one under the rug, then?
I'm asking my boss. I don't know. We'll see what he says.
That would be one of those scenarios where there would be an email.
Yeah.
You know, documenting your objection to that. Like, yeah, just from a, Mark, I think before the show you used the word ethical. From an ethical standpoint, as a public entity, in the data that we house, by God, you have a responsibility to tell parents when something like this has happened. Yeah.
Even if it's not as public as PowerSchool, if it's like a vendor that parents wouldn't know about, you're still... Scholastic.
Substitute PowerSchool for the scholastic breach that happened yesterday.
Yeah.
There could be, man,
I'm going to say this so much later in my life. If I'm told no, my attorney, my boss, I write the email of objection, and possibly an anonymous Facebook post gets made. Oh.
Yeah, don't even joke about that.
You know, you just don't know. By the way, on K12 Tech Pro we do have an anonymous tips line. If your school's been hacked and you want to share with your neighbor but you can't, the attorneys, you can submit that. We'll share it out.
Oh, my God.
Yeah, I don't know. I don't know.
Let's ignore that one.
I'll see you guys in court.
Next category you mentioned, Josh, was state agencies. What are your obligations to report to your state?
This is where you have to know your state law. State laws can vary wildly as far as the clock that you have ticking from when you find out to when you have to notify parents, constituents, or state agencies, everything from Department of Education to state auditor to the attorney general. In Missouri, the notification should be to DESE and the auditor's office, and their state statute says if it is more than 1,000 people, that you have to also notify the attorney general's office.
And there are very prescriptive timeframes that those notifications must take place. The state auditor has a website with a form that you can fill out. DESE has a fillable PDF that you can download and send to them. I didn't find anything for the attorney general's office. Again, that's all for the state of Missouri. Now, like I said, these vary wildly state to state, but I think you're going to see a little bit of commonality among them.
Yeah.
And this is the one I want to bank on. I want my state to tell me what to do. I want there to be a number established. Give me how many days. Give me how many students. Going back to what my boss is saying or what attorney says, this is what you can bank on. They have to go off of this. I'm not going to break the law.
You know, some of the qualifiers for the state of Missouri was student data that included an identifiable number assigned to them, which included Social Security number. That would be the MOSIS number stuff. Other protected information as well. I had, that was the story, the district said their attorney said this. They didn't have to notify because the information taken was just directory information.
I said, no, directory information is only directory information when it's used in the manner which you disclose to the parent at the beginning of the year. Anything outside that disclosure, that data is no longer directory information. So that, to me, and that came straight from PTAC at a FERPA 101 session in October at a conference, to me that was very, very, very bad advice from their attorney.
I hate to say it, but in some states he's exactly right, because I was researching a few different states. I looked at California, Massachusetts, New York, some of the big ones, and then some other smaller states, and they define a breach very, very specifically as containing certain pieces of information. In some states that did not contain the information that would have been in PowerSchool.
No kidding.
So the definition of breach is the first thing you need to know in your state. And then from there, what do you have to do if this is a breach or not, and then what you need to do. And so it's unfortunate that there's no consistent answer from state to state. Right. And then even within every single state, you've got to understand the definition of a breach and be able to apply that to a system.
All the more reason to know your vendors and know what information they have moving forward.
Law enforcement. Are you notifying law enforcement in a breach like this? The PowerSchool one, that's an easy one because apparently law enforcement was already engaged during the investigation. So I don't think you need to re-notify. But I imagine when you start notifying state agencies, especially the attorney general's office, there's probably a referral to law enforcement that takes place there. But, yeah, law enforcement is definitely one of those things you need to keep top of mind. And that's why you need to have good relationships with a local FBI office anyway.
I think it might be something that you reach out on. If you know your local CISA or FBI rep, the first step is to reach out to them and let them know that you're part of a breach like PowerSchool. But I hate to say this. I don't think school districts are necessarily obligated, because the crime wasn't committed against them. It was the vendor themselves. So long story short, that's what law enforcement and your legal attorney are going to be able to say.
But I've had a couple of incidents where I've been involved with law enforcement and they've had to turn me away and say the crime wasn't committed against you. It was committed against somebody else. And therefore, they're the one that needs to submit the police report.
Because your server wasn't technically hacked. It was PowerSchool's server that was technically hacked.
Yeah. Yeah.
Now, again, this is where everybody's in a different position. Every state's different. You know, if you own the PowerSchool server and it was an on-premise server and it's on-site, that could be perceived one way or another. But, I mean, ultimately in the PowerSchool case, we know that they're ultimately responsible for notifying law enforcement. Then you just have a local question as to whether or not you have to do it as well.
And finally, something that's
Come up in quite a bit. Near and dear to your heart.
Yeah, I said before the show, I've got the tattoo. And this has come up in a number of conversations today: where do data privacy agreements stand in this whole debacle? Yeah. It's no secret PowerSchool had signed DPAs in the state of Missouri with, I think, 10 or so districts. Granted, there's no prescriptive damages in the DPA, but it just outlines what the provider should be adhering to and doing at the request of the LEA.
Mark, you had said before the show that it's going to be really interesting to see where we land after this. The value of a DPA.
Yeah, I think ultimately, I don't think school districts are going to have a leg to stand on in terms of a lawsuit. There will be a class. There's already multiple class action lawsuits. So right there, if there's a class action lawsuit that gets settled, the individual districts, it's going to be hard for them to file additional lawsuits against.
No, but those lawyers are going to make out like bandits.
The lawyers across the country are going to just move on from that one.
So, some of the language in this DPA. So, the DPA that PowerSchool agreed to includes a statement that said the total and aggregate liability and indemnity obligations by either party under the DPA is and shall remain subject to the exclusions, limitations, and liability and indemnity provisions set out in the applicable service agreement.
So that statement right there says whatever damages you're going to go after, they have to apply the damages in the service agreement that you have signed with PowerSchool. So you better know your service agreement with PowerSchool forward and backward, and with any vendor. Insert the vendor. We're saying PowerSchool because it's the most recent.
And I would say as a school district that uses PowerSchool, what are the damages?
Right. Right now. Because really, it's a PR thing, right? The district really has suffered PR damage, not a monetary loss at this point.
Yeah, because that guy deleted it for sure, and they watched him stomp it into the mud.
Yeah, he gave a pinky promise that he wasn't going to release it.
So if the data is never used, if it never sees the light of day...
Is that in the parent letter? Our school promises that they watched the man stomping it with his boot.
I think they did say something to that extent. But if our school provides credit monitoring to families, or they don't, right, and there's never any sort of damages, nobody has... and you're going to have to prove damages. Like, it means you're going to have to prove that a bank account was created as a direct result of this data breach.
Or a credit card was taken out. Yeah. Yeah. Yeah.
We're very speechless in terms of like where this can go. But long story short, there's just going to be a whole lot of lawyers that just argue back and forth over the efficacy of data breach agreements and what this means.
¶ Obligations After a Breach
You know, it's funny you bring up credit monitoring service. And okay, let's just say they come out and they say, we're going to pay for everybody to have credit monitoring service for a year. Great. But what happens? The bad guys are going to see that press release. They're just going to wait 13 months to do something, right? If you're included in this breach, you are way better off freezing your credit with all three agencies than relying on any sort of credit monitoring service. You can do it for free. It can be undone in a heartbeat. Just don't forget your passwords.
I think my data has been involved in so many data breaches at this point that I've got credit monitoring for life.
I don't think you can stack them, though, Mark. I don't think you can make it congruent like that. Yeah, I don't know. I don't know what the real value of credit monitoring service is anymore. It makes us feel good. Yeah, okay. I don't know. Whatever.
It's a feeling.
¶ Final Thoughts on Data Privacy
So, okay.
So we just talked about parents, state agencies, law enforcement, and data privacy agreements. If you're a school district in the PowerSchool breach, what are you obligated to do right now? Like, sum it up. What should we be doing, Josh?
I think at a minimum, notifying parents. And I think you're starting to have a hard conversation about notifying withdrawn and graduated students next.
And, you know, we say parents, but if those people, if they're graduated students, are over the age of 18, the kid needs to be notified. I say kid, but they're an adult. Yeah. You probably should be notifying DESE. DESE probably already knows about it. They probably got a list going. That's going to be one of those uncomfortable conversations, because your superintendent probably isn't going to want to notify DESE, because they don't want to get on that radar.
They don't want to get on the radar of the auditor's office.
That's the only obligation, like, that's the only law, like, I have to do this one.
Depending on your state law and you need to know your state's privacy laws. But yes, in Missouri, the big ones are DESE, auditor's office, and if it's over a thousand people affected, attorney general for Missouri. Yeah, those are all not fun conversations to have.
Yeah, because this is like, well, that DPA didn't work out. I don't have to tell the cops. It wasn't actually me. I should tell the parents.
Yeah.
And I got it. Probably my state. I have to tell somebody bigger than me.
But if you have leadership that's taking a stance of, I don't want to be on anybody's radar. This wasn't our fault. It wasn't our hardware. They didn't really attack us. They attacked our vendor. It's the vendor's responsibility to do these notifications, not mine. To me, that's a hard conversation. I'm not sure I would agree with that stance.
I had a neighboring school district that years ago, for sure, had student data hacked, exposed, exported, and they went completely quiet. No letter sent home. Like, it was just, I mean, just literal crickets. Tech department didn't communicate anything out.
It was just rumor for weeks. And then it got quiet on the rumor side as well, and then it just kind of went away. And that can be okay if nothing bad happens down the road with the data, but that's a terrible way, a terrible look, ethics and all those things. What are we doing?
All it takes is one anonymous Facebook post or one anonymous call to the auditor's office
I think Mark said that. I didn't say that. Right.
Right. It was Mark that said that. All it takes is one anonymous phone call to the attorney general's office. And if they're looking to make a name for themselves and they want to string up public ed, what better way to do that than go after a school district that looks like they were trying to hide a breach?
Yeah.
Yeah, not a good look. Chris, you want to talk about managed methods real quick?
Yeah, a great look. You should take a great look at Managed Methods. Go to managedmethods.com. They give you easy, affordable student safety monitoring for your school district. They know that you can be on a tight budget. They can help out with that. They can look at your Google Workspace, at your office, at your Microsoft 365, and see what's going on in there and help you track what's going on. So check out managedmethods.com.
I got a call from Managed Methods today, actually. You know, we're recording this early because a couple of us are busy Thursday night. You know what's going to happen? The report from CrowdStrike is going to come out on Thursday because we're not recording Thursday night.
I welcome it.
I think they had said on Friday this week. I think the day I heard was the 17th.
So four o'clock Friday, just as everyone's leaving the office for the weekend and the holiday weekend. Alright, any other good news to look forward to in the next week, Mark?
I mean, you know my political opinion, so you know how I would answer that question.
Oh, that's right. Yeah, Inauguration's Monday.
Some of us are more excited than the others.
Well, one.
Hey, if you have any Fortinet questions or needs, if you want to look at a Fortinet product, email fortinetpodcast at fortinet.com. But we do have something cool coming up. It's on January 28th. The Secured Schools Learning Technology Center virtual event is happening January 28th. And we have two sessions that we're presenting at that thing. So I'll put a link to this in the podcast description.
Come and hang out with us. I'm sure Mark, right, Josh, Mark's going to make us some really cool presentations.
Yeah, he makes the best slides. We're
Gonna kick butt at this thing. Hang out with us at it.
You know, if you're watching the calendar, it is, what is it, Friday? You can start submitting 471s if your 28-day waiting period is over. So it's officially that season, the good old E-Rate 471 season, Mark.
Are you doing E-Rate anymore? Is this like, no?
I'm, uh, I'm...
Free. My
Current customers were free.
Congratulations.
Yeah.
Mark, do you have any visits?
Do you have a life, Mark?
No. Are you going to be on CTV anytime soon again, Mark?
I don't know. I'll let you know. I mean, there's a lot of news going on in Canada. So maybe they'll reach back out and ask me my thoughts.
Yeah. To fully say it, tell the story. We can post this link too. But pretty cool. We had a quick reach out from Canadian TV. They needed a security expert, a cybersecurity expert, named Mark to go and talk about this PowerSchool breach. It was
Also weird that they asked for someone named, like, their name had to be Mark.
Yeah, ridiculous. Yeah, well.
I did it, guys.
So Mark went on there. You're
Welcome, Canadians. Hey, hey.
And we enjoyed it.
Yeah i i told them everything that the power school breach entailed and what it was all about, and I think it went well.
And that you enjoyed poutine.
I told them how much I enjoy their combination of gravy and french fries.
And cheese curds, right?
And I gave some tips. I gave some tips on bacon. I thought that what Canadians have done with bacon is just ham.
Oh yeah, it's ham.
So, yeah. That was the gist of the interview.
But we'll share a link to the real interview on CTV.
It was a lot shorter than that.
Yeah, it was. It was quite a bit shorter than that.
Yep.
And there was no mention of poutine. All right. Well, that's been a week. We thank you for listening. Share us with your friends. Shoot us an email, k12techtalk at gmail.com. We're over on X as well. We won't be on Red Note. We will see you next week. Thanks for listening.
The views and opinions expressed on the K-12 Tech Talk podcast are the personal opinions of Josh, Chris, and Mark and do not represent the views or opinions of our sponsors or other organizations that we're affiliated with. The material and information presented here is for general information and entertainment purposes only. Thanks for listening, and we'll see you next week.
