Research Director/Principal Researcher

In re PowerSchool holdings, inc. and PowerSchool group, LLC customer security breach litigation | ongoing | labaton keller sucharow. Source originally from "in re PowerSchool holdings, inc. and PowerSchool group, LLC customer security breach litigation | ongoing | labaton keller sucharow" by labaton - view original. Private equity cost-cutting and third-party vendor governance: The PowerSchool litigation as structural warning. Why this matters at board and regulatory level. The PowerSchool breach litigation - now consolidated in federal court with 60+ million exposed K-12 records - exposes a governance architecture failure that extends far beyond a single vendor incident. The case demonstrates how cost optimization decisions made operationally (outsourcing cybersecurity to lower-cost contractors) create exponential liability exposure at board, regulatory, and contractual levels. Critically, the litigation names not only PowerSchool but also Bain Capital as a defendant, establishing precedent that private equity ownership bears direct accountability for vendor risk governance decisions. For organizations subject to NIS2, DORA, FERPA, and state data protection regimes, this case signals that vendor delegation without contractual safeguards, audit rights, and explicit liability allocation is no longer a procurement efficiency - it is a governance failure. The two-tier vendor relationship and supply chain opacity. The breach mechanism reveals a structural governance gap that most organizations overlook: PowerSchool outsourced critical cybersecurity and engineering functions to Movate, a third-party contractor described in the litigation as lacking "even basic security protocols." Schools contracted with PowerSchool for secure data management; PowerSchool contracted with Movate for security delivery; but schools had no contractual visibility into Movate's controls, no audit rights, and no direct liability allocation with the actual vendor. When ShinyHunters exploited compromised Movate employee credentials in December 2024, the breach propagated through a supply chain that schools could neither monitor nor contractually govern. This opacity - a vendor's vendor operating without transparent security standards - is precisely what NIS2 Article 17 (third-party risk management) and DORA Article 15 (critical third-party dependencies) now mandate organizations identify and contractually address. The PowerSchool case suggests that many organizations still treat vendor contracts as procurement documents rather than risk allocation instruments. Bain Capital's liability and the board-level governance implication. The litigation's inclusion of Bain Capital as a defendant - with the court sustaining claims for negligence, negligence per se, unfair competition, agency liability, direct liability, and aiding and abetting - establishes that ownership and board-level decisions about cost structure carry direct legal accountability. Plaintiffs allege that Bain, following its June 2024 acquisition of PowerSchool, "directed PowerSchool to offshore cybersecurity, engineering, and IT functions to third-party contractors with insufficient cybersecurity protocols." The court's March 2026 decision to allow these claims to proceed signals that boards cannot insulate themselves from vendor governance failures by claiming operational delegation. This is a material shift in liability allocation: cost-cutting decisions that result in inadequate vendor vetting or insufficient contractual safeguards are no longer treated as business judgment - they are treated as negligence. For boards overseeing organizations with third-party data processors or security vendors, this establishes that due diligence documentation, vendor audit protocols, and contractual security baselines are not optional governance enhancements; they are mandatory liability mitigation. Contractual safeguards as liability mitigation, not procurement efficiency. The PowerSchool case underscores a critical distinction that many organizations fail to operationalize: vendor contracts are risk allocation instruments, not procurement documents. Cost-cutting justifications for outsourcing security functions must pair with explicit contractual mechanisms: security baselines and frameworks (ISO 27001, SOC 2 Type II), audit rights (annual third-party assessments, breach notification timelines), incident response protocols (detection and disclosure obligations), liability caps and indemnification clauses, and cyber liability insurance requirements. The litigation suggests these safeguards were either absent or unenforceable in PowerSchool's relationship with Movate. Schools that contracted with PowerSchool had no contractual mechanism to enforce security standards on Movate, no audit rights to verify controls, and no clear liability allocation when the breach occurred. For NIS2 and DORA-regulated entities, this contractual gap is now a direct compliance violation. Regulators will examine whether organizations have contractual requirements for vendors handling sensitive data, whether audit rights are explicit and exercisable, and whether liability allocation is clear and enforceable. Regulatory exposure and FERPA responsibility transfer myth. PowerSchool, as an educational records processor under FERPA (Family Educational Rights and Privacy Act), bears direct responsibility for the security of student data. The litigation makes clear that outsourcing security functions to inadequately vetted vendors does not transfer that responsibility - it compounds it. Regulators examining this breach will assess: (1) whether PowerSchool conducted adequate due diligence on Movate's security posture before delegation; (2) whether contractual requirements for security standards were established and monitored; (3) whether audit rights were exercised; (4) whether incident detection and response protocols were adequate; and (5) whether notification obligations were met. The same analysis applies to any organization that delegates data processing or security functions to third parties. FERPA, state data protection laws, and now NIS2 and DORA all establish that responsibility for third-party risk management cannot be contracted away. This litigation will likely establish sector-wide precedent on what constitutes adequate due diligence, contractual governance, and audit oversight for educational technology vendors - with implications for healthcare, financial services, and critical infrastructure sectors that rely on similar outsourcing models. Cybersol's governance perspective: the overlooked risk layer. The PowerSchool case reveals a systemic weakness in how organizations approach vendor governance: they treat third-party risk as an operational or procurement function rather than a governance and liability function. Most organizations have vendor management processes, but few have contractual mechanisms that explicitly allocate liability, establish security baselines, grant audit rights, and require incident notification. The result is that when a breach occurs - particularly one involving a vendor's vendor - liability fragments, notification obligations become unclear, and regulatory exposure multiplies. Organizations often overlook the distinction between vendor management (operational oversight) and vendor governance (contractual risk allocation and board-level accountability). The PowerSchool litigation establishes that this distinction is now material to liability exposure. Boards cannot claim due diligence without documented evidence of vendor vetting, contractual security requirements, audit protocols, and incident response procedures. For organizations subject to NIS2, DORA, FERPA, HIPAA, or state data protection laws, vendor governance is no longer a procurement efficiency - it is a regulatory and liability imperative. Closing reflection. The PowerSchool litigation is not an isolated vendor breach case - it is a governance precedent. The court's decision to sustain claims against both PowerSchool and Bain Capital establishes that cost-cutting decisions affecting vendor security governance carry direct board-level liability. Organizations with third-party relationships involving data processing, security functions, or critical infrastructure should review this case for contractual gaps, audit protocol weaknesses, and liability allocation failures. The original complaint and court filings provide detailed analysis of what regulators and courts now consider adequate due diligence, and what they consider negligent delegation. For governance teams, this case is essential reading.

The Overwatch Foundation helps schools thwart hackers, protect student data. A hacker infiltrating the local high school doesn't sound like much of a threat in today's threat-filled world, but Alyssa Rosenzweig begs to differ. She knows what the bad guys are after: students' data. "It's not an immediate threat but, in 10 years, when they go to apply for their first loan, then it will show up," she said. "Criminals are very patient." Stealing students' information to impersonate them online isn't a theoretical concern. Case in point: A massive breach of security at PowerSchool, an education software provider, exposed data belonging to some 9,000 people in New Hampshire - students, teachers and staff - as well as hundreds of thousands nationwide last December. That personal information is now available for the taking. Bad actors can use it for things such as taking out credit cards, overriding social media accounts or filing fake insurance claims, which can ruin credit histories and cause years of turmoil to the victim. "We've already seen it. People who were 17 when that breach happens, they turn 18 and their data's out there. Suddenly it's being sold, monetized, all that," Rosenzweig said. Rosenzweig is familiar with this in her role as deputy director of The Overwatch Foundation, an unusual four-year-old nonprofit that helps local governments in New Hampshire plan against and deal with online threats. Last year, the foundation focused on water and wastewater treatment plants, an often-overlooked vulnerability, and this year it launched what they call the K-12 Cybersecurity in a Box program, which makes a portfolio of cybersecurity services available to public schools. The program faces two big obstacles: money and attention. "We have two people on staff that used to be school I.T. staff. They say the school was always willing to spend more money on a physical security thing instead of the digital. They would lose battles constantly - 'I want this money' or we could add to the baseball field. [...] Towns too; they'd rather buy another plow than invest in basic cybersecurity," she said. "It's hard to get people to vote yes on a warrant article [...] about tech support." The Overwatch Foundation's funding comes from FEMA and is slated to last through 2030. They don't provide 24/7 tech help - the foundation, based in Concord, has just 10 full-time employees - but give expertise and advice on ways to educate people to avoid phishing or other routes for network breaches. They also help in getting grants to buy technical packages like one offered by Texas firm CrowdStrike. "We encourage understaffed schools to go the managed route," Rosenzweig said of hiring a company. "That's the only way you can do it." Rosenzweig said the foundation has so far been involved with CrowdStrike licenses for "high value targets" that protect around 75,000 students. The foundation is working to build a statewide database of knowledge that all schools can use to boost their protection. But perhaps its biggest job is to getting the word out, said Rosenzweig, because cybersecurity is like herd immunity: the more people have protection the better everybody is. They try to move cybersecurity from the bottom of most operational priority lists and make it higher, responding to concern about hacking from other governments or criminal groups. "Around 50% of municipalities in New Hampshire are working with us [...] a lot haven't received their first touch yet," she said. "We've only been around two years. When you're new, you need some of that network effect."