The new privacy commissioner’s report on the PowerSchool breach exposed a deeper K-12 governance problem: districts are retaining student data far longer than necessary. Records dating back to 1985 at Toronto District School Board and similar failures at Illuminate Education show how outdated retention policies, vendor sprawl, and weak deletion practices are turning student records into long-term financial and regulatory liabilities.
This week’s Deep Dive covers:
How Did a Vendor Breach Become a 30-Year Student Data Exposure Event?
Why Has Deleting Student Data Become Operationally So Difficult?
What Happens When Regulators, Insurers, and Plaintiffs Start Pricing This Risk In?
I. How Did a Vendor Breach Become a 30-Year Student Data Exposure Event?
The PowerSchool breach exposed more than weak vendor security. It revealed how districts and education agencies routinely retain student records far beyond legal and operational necessity. More than 62.4 million students and 9.5 million educators were affected across North America, with some exposed records dating back to 1985. The implication is straightforward: many districts are dramatically expanding breach damage through preventable retention failures.
When news of the PowerSchool breach broke, the immediate narrative was predictable: another education cybersecurity failure, another vendor caught flat-footed, another reminder that schools remain soft targets.
That framing misses the more consequential story.
The breach did not become one of the largest education data incidents in recent memory because hackers uncovered a previously unknown vulnerability or because districts lacked enterprise-grade cyber budgets. It became systemic because an extraordinary amount of old student data was still sitting inside systems long after its operational value had expired.
In Newfoundland and Labrador alone, the privacy commissioner found that breached student records dated back to 1995, while teacher records stretched back to 2010. Roughly 75% of impacted students were no longer in the K-12 system. The breach affected approximately 285,000 individuals in the province, many of whom had not attended a public school in years.
The findings became more difficult to defend from there.
The province had collected 244,917 student Medical Care Plan numbers, including 190,651 belonging to inactive students, despite already having separate student identifiers. Regulators concluded those records were being retained without legal justification and ordered the province to stop collecting the data and purge existing records. More troublingly, investigators found there was no formal retention policy governing student or teacher data inside PowerSchool.
This was not an isolated Canadian governance failure.
Toronto District School Board disclosed that records exposed in the breach dated back to 1985, including historical health card numbers, home addresses, and special education records. St. Louis Park Public Schools acknowledged that records dating back to the 1990s were exposed. In Washington County Schools, more than 30,000 active and inactive student files were compromised.
The pattern extends well beyond PowerSchool.
When Illuminate Education suffered its own breach, hackers accessed data from districts that were no longer even using the platform. One New York district had records exposed despite ending its relationship with the company nearly a decade earlier. Federal regulators later found that Illuminate had retained “terabytes of unmanaged and unstructured data” and lacked formal retention policies until after the breach. The result: a $5.1 million multistate settlement, a separate FTC consent order, and mandatory deletion reforms.
District leaders often justify retention through compliance anxiety.
What if a transcript is needed later? What if a parent files a dispute? What if state auditors request records?
Those concerns are legitimate but are also frequently overstated.
The Family Educational Rights and Privacy Act (FERPA) does not require districts to retain broad categories of student information indefinitely. Most retention schedules distinguish between permanent records, such as transcripts, and temporary records, such as disciplinary logs, medical data, and operational files, which often have explicit destruction timelines. California allows certain records to be destroyed six months after their usefulness ends. Alberta requires many records to be retained for seven years. Other jurisdictions follow similar models.
Yet districts increasingly behave as though all student data is permanent.
That assumption made sense in a paper-record environment where destroying files was cumbersome and digital risk was limited.
It makes far less sense when a single compromised credential can expose decades of behavioral reports, health records, disability accommodations, and personal identifiers belonging to adults who have not entered a classroom in years.
That is the real lesson from PowerSchool.
The breach was the attack.
The real failure happened much earlier: when districts turned temporary student records into permanent digital liabilities.
And that problem gets significantly harder once student data stops living in one system.
II. Why Has Deleting Student Data Become Operationally So Difficult?
Most districts no longer manage a single student database. They manage a fragmented data ecosystem where student records are continuously copied across thousands of vendors, internal systems, exports, and backups. The average district now accesses 2,982 edtech tools annually, while the average student touches 48 applications per year. The implication: deletion has become a systems architecture problem.
District leaders often respond to retention criticism with a reasonable question:
If deleting old data is so important, why hasn’t the system already solved this?
Because the modern student information system is no longer a repository. It is a distribution engine.
Platforms like PowerSchool, Infinite Campus, and Skyward increasingly serve as central identity layers that continuously push student data into a broader network of third-party vendors.
That includes:
Instructure and other LMS providers
assessment vendors
transportation platforms
special education software providers
family communication platforms
analytics tools
tutoring platforms
attendance tools
classroom applications procured at the school level
Every integration improves workflow efficiency and creates another place where student data can persist.
LearnPlatform’s latest market data illustrates how extreme this fragmentation has become. The average district now accesses 2,982 distinct edtech tools annually, up nearly 9% year over year. Students interact with 1,165 tools monthly across districts, while the average individual student uses 48 unique applications annually. Educators use roughly 50.
That number should concern district leadership for a simple reason: Most districts cannot confidently tell you where all student data currently resides. And in many cases, neither can vendors.
When a family updates an address in the SIS, that information may automatically flow to transportation routing platforms. Rostering data moves into learning management systems. Assessment vendors pull enrollment data. Special education platforms ingest student histories. Parent communication tools absorb contact records.
The modern district data architecture was built to move information quickly.
It was not built to eliminate it cleanly.
That creates a second problem: data replication without clear ownership.
A district may delete records inside PowerSchool and still leave copies sitting inside archived backups, vendor warehouses, CSV exports, and so on.
That is precisely what regulators uncovered at Illuminate Education.
The company retained data from districts that had already left the platform. In some cases, student information remained exposed years after contractual relationships ended. Regulators found that former customers were still sitting in Illuminate’s environment because deletion had never been operationalized as a formal discipline.
District procurement structures often make this worse.
Central IT rarely controls every purchasing decision. Schools, departments, curriculum teams, and individual educators frequently adopt tools independently. Some are approved. Some are not. Many collect student data.
This is why organizations like CoSN and International Society for Technology in Education now warn districts about “shadow IT” and maintain lists of high-risk applications that fail basic privacy standards.
The operational challenge becomes harder when no single executive owns the full lifecycle of student data.
IT manages infrastructure, legal manages compliance, and curriculum teams select tools. Registrars maintain records, and procurement negotiates contracts. Superintendents often see privacy only when something breaks.
That operating model worked when districts managed a few core vendors.cIt breaks when nearly 3,000 applications are touching student data every year.
The result is predictable: districts continue treating retention as a back-office records issue while their underlying architecture quietly turns temporary records into permanent ones.
And regulators are beginning to treat that operational failure as something far more expensive.
III. What Happens When Regulators, Insurers, and Plaintiffs Start Pricing This Risk In?
Data retention failures are moving from operational nuisance to financial liability. Regulators have already forced Illuminate Education to delete unnecessary student data after exposing 10.1 million student records, while multistate attorneys general secured a $5.1 million settlement. Cyber insurers are becoming more aggressive on credential controls and data governance. The implication: districts that treat retention casually may soon pay for it.
For years, district leaders could treat data retention as an administrative issue buried somewhere between records management, compliance, and IT.
That era is ending.
Regulators are becoming far more explicit about where accountability sits when unnecessary student data is exposed.
After the Illuminate Education breach exposed the personal information of more than 10 million students, federal regulators did not limit their criticism to weak cybersecurity controls. The Federal Trade Commission focused directly on the company’s inability to delete data it no longer needed. Investigators found that Illuminate retained student records from districts that had already left the platform and continued storing massive amounts of unmanaged data without formal retention policies. The eventual outcome was unusually severe: a federal consent order requiring deletion reforms and a separate $5.1 million multistate settlement led by attorneys general in California, New York, and Connecticut.
That case matters because it signals where enforcement is heading.
Regulators are no longer asking whether institutions suffered breaches. They are asking why organizations were still holding sensitive data in the first place.
The same pattern is emerging in the fallout from PowerSchool.
The Newfoundland privacy commissioner did not simply criticize the breach response. The report explicitly ordered the government to stop collecting student Medical Care Plan numbers and permanently purge them from legacy systems after determining the information lacked sufficient legal justification.
That should concern district leaders because regulatory scrutiny rarely remains isolated to vendors.
Districts sign the contracts. Districts approve software purchases. Districts often determine what information vendors receive. And districts are increasingly expected to demonstrate oversight over third-party platforms storing student records long after contracts expire.
The legal exposure compounds quickly.
Every additional year of unnecessary retention increases the number of former students who may need to be notified after a breach. It expands legal discovery requirements. It increases remediation costs. It creates reputational damage with families who reasonably assume their child’s records disappeared years ago.
And then there is insurance. This issue receives far less attention than it should.
Cyber insurers are becoming significantly more rigorous in education because K-12 remains a frequent target and a relatively under-defended one. Underwriters increasingly examine credential controls, access management, third-party exposure, and governance practices before issuing coverage. The exact failures seen in both PowerSchool and Illuminate Education, over-retention, weak credential controls, and poor visibility into historical data, are becoming underwriting concerns.
This is where many district leaders misread the problem. They assume better cybersecurity tooling is the answer.
More software will not solve a governance issue created by storing too much data across too many places for too long.
The districts that emerge from this cycle in stronger positions will likely do three things differently.
They will distinguish permanent records from operational records. They will demand contractually enforceable deletion terms from vendors. And they will treat data minimization as a core component of enterprise risk management rather than a compliance afterthought.
That work is operationally painful. It requires revisiting procurement habits, legacy systems, and internal ownership structures that have been ignored for years.
It is also significantly cheaper than explaining to parents why records from 1997 were still sitting in a vendor database when the breach occurred in 2026.
Bottom line: The uncomfortable lesson from PowerSchool is that most districts are not facing a cybersecurity crisis. Rather, they are facing a discipline crisis. And the systems that fix it first will not be the ones spending the most on security tools. They will be the ones finally learning how to let go of data they were never meant to keep forever.
K-12 Leadership Intelligence is for superintendents, district executives, and education leaders navigating board relations, state mandates, labor constraints, and political pressure.
This is one of our six education and learning-related publications spanning K-12, Higher Education, and Workforce. Our education newsletters reach tens of thousands of senior decision-makers across the U.S. and key international markets.
Ping us if you’d like to learn more, explore Enterprise Subscriptions, or would like to partner in other ways.
The Intelligence Council is a next-gen B2B media and business intelligence platform built for people who make strategy, allocate capital, and carry operating risk.