The PowerSchool Breach: A Wake-Up Call for Vendor Management in Canadian Privacy Programs

If you have recently attended one of our Privacy Workshops, you will have heard me emphasize the importance of vendor management in your privacy program. One example I often use, among many others, is the PowerSchool breach.

The fundamental lesson is clear: vendor management ensures that when you entrust personal information to a third party, you've done everything reasonably possible to protect the individuals whose information you hold. That's not just good risk management, it's the core of privacy accountability.

The recent cybersecurity incident at PowerSchool serves as a stark reminder that in today's interconnected digital ecosystem, your organization's privacy and security posture is only as strong as your weakest vendor. Vendor and supply chain incidents are the second-highest cause of cybersecurity breaches, carry an average cost of USD 4.91M, and also take the longest time to identify and contain. With AI now thrown into the mix, 1 in 6 breaches involve AI-driven attacks, so the need to assess vendors has only been amplified.

Businesses must recognize that vendor management isn't merely a compliance checkbox; it is a fundamental pillar of privacy protection and organizational risk management.

When Your Vendor's Breach Becomes Your Crisis

In December 2024, a cyberattack compromised PowerSchool's systems, exposing the sensitive personal information of millions of Canadians, including students, parents, and educators. The compromised data included names, contact details, dates of birth, education records, and in some cases, medical information and Social Insurance Numbers. The attackers used compromised credentials to access PowerSchool's student information system and support portal, and later attempted to extort school boards.

The PowerSchool breach, which affected millions of children and educators across multiple Canadian jurisdictions, including Ontario and Alberta, demonstrates how quickly a service provider's security failure can cascade into a crisis for every organization in the supply chain. PowerSchool, a widely used student information system, experienced unauthorized access to its systems, exposing sensitive personal information of students, parents, and educators.

What makes this incident particularly instructive is its scope. When a centralized service provider like PowerSchool is compromised, the impact radiates outward to affect countless schools, school boards, and ultimately, the families who trusted these institutions with their children's personal information. The Privacy Commissioners of Ontario and Alberta have both launched investigations, underscoring the regulatory scrutiny that follows when vendor security measures fall short. While the investigation into PowerSchool is complete, the boards remain under investigation.

As part of their investigation, the Regulators found that the school boards:

  • Failed to include certain privacy and security-related provisions in their contracts with PowerSchool, including compliance with the applicable provincial public sector privacy laws;

  • Lacked policies and procedures to effectively monitor and oversee PowerSchool's technical and security safeguards (including user access privileges for remote support personnel and the use of multi-factor authentication);

  • Failed to limit remote access to their student information systems by PowerSchool support personnel to only as long as necessary to address specific technical issues; and

  • Lacked adequate breach response plans or protocols.

For more information about this breach, please visit the IPC website here: https://www.ipc.on.ca/en/media-centre/news-releases/ontario-alberta-powerschool-breach.

The Illusion of Outsourced Accountability

Here is a fundamental truth that every organization that processes information must internalize: outsourcing services does not outsource accountability.

Under Canadian privacy legislation, whether PIPEDA, provincial private sector laws, or public sector privacy laws, organizations remain accountable for the personal information in their custody or control, even when that information is processed by a third party.

When a school board contracts with PowerSchool to manage student information, the school board remains the custodian of that information, and accountability stays with it. The school board must answer to students, parents, and regulators when something goes wrong, even if the failure originated with the vendor, as it did with PowerSchool. This is the essence of accountability in privacy law, and it is why robust vendor management isn't optional.

The Pillars of Effective Vendor Management

Based on decades of practice and reinforced by incidents like PowerSchool, effective vendor management in privacy programs must rest on several foundational elements:

1. Assessment before engagement:

Before signing any contract, organizations must conduct thorough privacy and security assessments of potential vendors. This includes reviewing their security certifications, incident response history, data handling practices, and compliance with relevant privacy frameworks. Simply holding a SOC 2 report or an ISO certification is not enough. The risk assessment must also consider the vendor's privacy procedures and policies. For cloud-based services or those involving cross-border data transfers, particular attention must be paid to where data is stored at rest, who can access it, and what legal frameworks govern that access.

2. Contractual safeguards that have teeth:

Vendor agreements must include robust privacy and security terms that go beyond boilerplate language. These should specify the purposes for which data can be used, prohibit unauthorized disclosure, require prompt breach notification, mandate security controls aligned with industry standards, grant audit rights, and establish clear liability and indemnification provisions. In the public sector context, these agreements must also ensure vendors understand and comply with information access and privacy statutes.

3. Ongoing monitoring and oversight:

Vendor management doesn't end when the contract is signed. Organizations need mechanisms for continuous oversight, including regular security assessments, compliance audits, review of security incident reports, and evaluation of the vendor's evolving risk profile. The technology landscape changes rapidly, and a vendor that was secure three years ago may have fallen behind current threats.

4. Incident response planning that includes vendors:

Every organization should have an incident response plan that explicitly addresses vendor-related breaches. This means knowing how you'll be notified, what information you'll need from the vendor to assess impact, how you'll communicate with affected individuals, and what your regulatory reporting obligations are. The PowerSchool incident highlights how chaotic post-breach response can be when these plans aren't in place.

5. Data minimization in vendor relationships:

One of the most effective ways to reduce vendor risk is to minimize what data vendors have access to in the first place. Before sharing information with any service provider, ask whether every data element is truly necessary. Can you pseudonymize or aggregate the data? Can you limit the scope or duration of access? Every data field you don't share with a vendor cannot be compromised in that vendor's breach. A Privacy Impact Assessment is a great tool for working through these questions and can help mitigate the risk.

Building a Culture of Third-Party Accountability

Beyond processes and contracts, effective vendor management requires a cultural shift in how organizations view their service providers. Vendors should be seen as extensions of your own organization from a privacy and security perspective. This means involving privacy professionals in procurement decisions from the outset, not as an afterthought. It means educating business units about vendor risks, so they understand why these requirements exist. It means having difficult conversations with vendors whose security practices don't meet your standards and being willing to walk away from relationships that pose unacceptable risks.

The PowerSchool breach will undoubtedly lead to lessons learned, improved practices, and possibly regulatory guidance. But we shouldn't need another major incident to take vendor management seriously. Every organization should be developing or reviewing its vendor management framework today, asking hard questions about gaps, and ensuring oversight over third-party relationships.


Moving Forward

As investigations into the incident continue against the school boards, organizations using the platform face difficult questions from parents, students, and communities. Those with robust vendor management programs, including strong contracts, regular oversight, and clear incident response plans, will be better positioned to respond effectively and demonstrate accountability.

This incident should serve as a catalyst. Review your vendor inventory. Assess your high-risk relationships. Strengthen your contracts. Build your monitoring capabilities. Because in privacy, as in so many areas of risk management, it's not a question of whether the next vendor breach will occur, it's a question of when, and whether you'll be prepared.

Lauren Preston

Lauren Preston is a Privacy Solutions Architect at Bamboo Data Consulting who thrives on making privacy practical, approachable, and even enjoyable. With expertise spanning finance, tech, health, and more, she loves creating strategies that help businesses stay secure while building trust. When she’s not tackling privacy challenges, Lauren writes about everything from data compliance tips to building privacy-first cultures while focusing on the legal aspect of privacy. She’s a Certified Information Privacy Professional (CIPP/C) who believes privacy can be as interesting as her next creative challenge - or at least close!
