Desk, books, and computerDesk, books, and computer

Cyber Risk and FERPA: Why Student Data Is One of the Most Targeted- And Least Protected Assets in Education

A data breach at a school district creates three separate jobs at once. The IT lead has to find out what happened and stop it. The superintendent has to explain it to parents, staff, and the press before all the facts are in. The school board has to decide, usually months later, whether the budget for cybersecurity and insurance should have been bigger. Those are three different roles with three different points of failure, and in most districts only one of them gets consulted before something goes wrong.

What FERPA Actually Requires

The Family Educational Rights and Privacy Act (FERPA), enacted in 1974, gives parents and eligible students the right to access, review, and control the disclosure of education records. Any institution that receives federal funding must comply, which covers every public school district in the country.

FERPA requires that education records stay confidential and that districts maintain policies governing who can access and release them. It does not require any specific technical control. It does not mandate encryption, multifactor authentication, endpoint detection, network segmentation, or a documented incident response plan. FERPA defines what has to be protected. It says nothing about how.

A district can be fully FERPA-compliant on the morning of a breach. FERPA does not ask whether the servers were patched, whether administrator accounts required multifactor authentication, or whether the third-party vendor holding student records had been security-reviewed in the last two years. Those are separate questions, and they are the ones that actually determine whether an attack succeeds.

When a Vendor Breach Becomes the District's Problem

On January 7, 2025, PowerSchool, the student information system used by thousands of U.S. school districts, disclosed a cyberattack. The company paid the attacker, a 19-year-old college student later convicted and sentenced to four years in federal prison, to guarantee deletion of the stolen data. He went on to contact individual districts and attempt to extort them anyway.

Sixteen months later, on April 29, 2026, it happened again. A hacking group calling itself ShinyHunters breached Instructure, the company behind the Canvas learning management system used across K-12 and higher education. The group claimed to have accessed data from 9,000 schools worldwide and threatened to leak it. Instructure took Canvas offline in the middle of final exams. Districts from Orange County Public Schools in Florida to Arlington Public Schools in Virginia received breach notifications naming students' names, email addresses, in-platform messages, and student ID numbers as likely exposed. “It's a substantial cyberattack that has echoes of the 2024 PowerSchool breach,” said Doug Levin, director of K12 Security Information Exchange (K12 SIX), the nonprofit that tracks K-12 cyber incidents.

Neither breach started inside a district's own network. Both happened at a vendor no district could audit in real time, and both became the district's problem the moment a parent recognized their child's name in a notification letter. That is the shape of exposure most districts are least prepared for, because it is not a failure their own IT lead could have patched.

K12 Security Information Exchange, which the U.S. Government Accountability Office has called the most complete source tracking this issue, had cataloged more than 1,600 publicly disclosed cyber incidents at U.S. K-12 districts between 2016 and 2022 alone, and researchers who study underreporting believe the true number runs 10 to 20 times higher. Older incidents still carry real numbers worth knowing: Judson Independent School District in Texas paid more than $547,000 in ransom in 2021 after concluding it had no better option, before legal, regulatory, and notification costs were even added. PowerSchool and Canvas did not reverse this trend. They confirmed it, at a scale most districts had not budgeted for.

Budget is a documented part of the problem, not a guess. In the Consortium for School Networking's 2026 State of EdTech survey, 65 percent of K-12 technology leaders named insufficient staffing and the lack of a dedicated budget, not attacker sophistication, as the top barrier to addressing cybersecurity. The same year, federal grant support for K-12 cybersecurity was reduced, and many states and districts are managing their own budget shortfalls. That funding question does not get answered in Washington. It gets answered, or it doesn't, at the school board table.

Three Roles, Three Decisions

A cyber incident in a school district is not one job. It is three, and each one belongs to a different person.

  • IT lead. Owns the technical controls: multifactor authentication on remote access and administrator accounts, encryption of data at rest and in transit, offline backups, endpoint detection, and security review of every education technology vendor with access to student records. None of this is required by FERPA. All of it is what commercial cyber underwriters now check before they will bind a policy, and it is what actually slows down or stops an attack in progress.
  • Superintendent. Owns the response: notifying families, staff, and the press on a timeline that is rarely fully within the district's control, coordinating legal counsel, and absorbing public scrutiny for a technical failure that may have occurred several layers below their own desk.
  • School board. Owns the budget and the risk-financing decision: how much to spend on security and insurance before an incident, and what to say to the community after one about why that number was what it was. That is a fiduciary decision, made almost entirely in advance, not during a crisis.

The gap in most districts is not that any one of these people is doing their job poorly. It is that the three jobs are rarely coordinated, and the budget conversation the board needs to have gets treated as a line item instead of a governance decision.

Where Commercial Cyber Coverage Comes Up Short

Even a well-run district with a real commercial cyber policy usually has three gaps built into that coverage.

  • Ransomware sublimits. A district carrying $5 million in cyber coverage may find ransomware losses capped at a $500,000 sublimit buried in the policy. Documented ransomware demands against school districts have exceeded that figure on their own, before recovery and forensic costs are added.
  • Narrow business interruption triggers. Coverage for lost operations typically requires a defined network security failure as the trigger. Many policy forms now exclude social engineering attacks, misconfigured cloud storage, and third-party vendor breaches from that definition. The Canvas outage is the case in point: Instructure took the platform offline, instruction was disrupted in districts nationwide, and a district's own cyber policy is written around its own network, not its vendor's. A breach at PowerSchool or Instructure may not trigger the district's own policy at all, even when the data exposed belongs to the district's students.
  • Sublimited regulatory and notification costs. A breach involving student data brings FERPA notification obligations, potential Department of Education inquiry, and in many states additional student privacy law requirements. Commercial policies frequently sublimit or exclude the legal defense and family notification costs that these obligations create.

Property and casualty (P&C) insurers denied 50 percent of claims across all lines in 2023. There is no reason to expect the education sector's claim experience runs better than that average, and every reason, given the policy language above, to expect it runs worse.

What a Captive Changes

An education-sector captive insurance company is written by the district, or a group of districts, rather than by a commercial carrier managing its own broader portfolio risk. That distinction changes what the policy actually covers.

  • Ransomware at full policy limits. Written without a sublimit that caps recovery at a fraction of the actual loss.
  • FERPA regulatory defense and notification costs. Department of Education inquiry costs and state-mandated notification expenses built into the policy directly, instead of carved out.
  • Business interruption without a narrow trigger. Coverage can respond to any network outage, ransomware event, or vendor breach that halts district operations, rather than the narrower trigger language commercial carriers have been adding for years.
  • Vendor breach liability. The kind that hit PowerSchool in 2025 and Instructure's Canvas platform in 2026, covered even when the district's own network was never touched.

The district writes the terms because the district owns the insurer.

One honest caveat: the tax treatment available under Internal Revenue Code Section 831(b), where premiums are deductible and underwriting income accumulates tax-deferred, is built for taxable entities. A public school district, as a governmental unit, generally does not pay federal income tax and will not benefit from that provision directly. Where it does matter is for the taxable affiliates some districts operate, such as certain foundations or auxiliary organizations, and for private school networks structured as taxable entities. For a public district itself, the case for a captive rests on coverage design and control, not the tax benefit, and that case stands on its own.

Who Qualifies

Districts spending $300,000 or more combined on cyber, property, general liability, and workers' compensation coverage are typically in the range where a captive feasibility study shows real economic value. That is a guideline, not a hard rule. Districts with significant student data exposure or documented gaps in current cyber coverage may see a case for it at lower premium levels.

Larger districts and multi-school networks are frequently well above that threshold once every coverage line is added together.

Contact 3F Captive Services for a no-cost policy analysis. We identify the gaps in your district's current cyber and liability program and model what a captive structure could cover for your specific institution.

⚠ This post is for informational purposes only and does not constitute insurance, legal, or tax advice. Coverage terms, policy forms, and regulatory requirements vary by carrier, jurisdiction, and institution type. Consult qualified insurance, legal, and tax advisors regarding your specific situation.

Sources

[1] Levin, Douglas A. “PowerSchool Cyber Incident FAQ.” K12 Security Information Exchange (K12 SIX), January 12, 2025. k12six.org/news/powerschool-cyber-incident-faq.

[2] Langreo, Lauraine & Prothero, Arianna. “A Cyberattack on Canvas Could Cause Lasting Aftershocks for Schools.” Education Week, May 8, 2026.

[3] Consortium for School Networking. “U.S. State of EdTech 2026,” as cited in Education Week, May 8, 2026.

[4] Levin, Douglas A. “The State of K-12 Cybersecurity: Year in Review – 2021.” K12 Security Information Exchange (K12 SIX), 2022. (Judson ISD ransom figure.)

[5] K12 Security Information Exchange. “K-12 Cyber Incident Map,” cataloging 1,619 publicly disclosed incidents, 2016–2022. k12six.org/map.

[6] Shearer, Brian. “Regulating Insurance as a Public Utility.” Forthcoming, Columbia Business Law Review (April 2026). P&C claim denial rate: Section II.B, pp. 49–50. NAIC 2024 Market Share Reports.

[7] Internal Revenue Code Section 831(b). Captive insurance company tax treatment for qualifying small insurance companies.

[8] Family Educational Rights and Privacy Act (FERPA), 20 U.S.C. § 1232g; 34 CFR Part 99.

Discover Tailored Insurance Solutions

Unlock the potential of customized captive insurance designed specifically for your unique business needs.