Texas AG Says PowerSchool Violated State Laws, Profited Off Student Data
Software company PowerSchool’s failure to protect the personal information of almost 900,000 Texas schoolchildren and educators late last year was a violation of the Texas Deceptive Trade Practices Act and the Identity Theft Enforcement and Protection Act, alleged Attorney General Ken Paxton (R) in a lawsuit Wednesday (see 2509030050). Texas joined Tennessee (see 2505120026) and a class-action in California (see 2501220057) in suing the company over the incident.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
Paxton asked the Texas District Court in Collin County to stop the software company from continuing to violate the laws and to pay monetary penalties for each violation. However, the AG didn't allege violations of the state's comprehensive privacy law, the Texas Data Privacy And Security Act. PowerSchool didn't respond to a request for comment.
Cybercriminals infiltrated PowerSchool on Dec. 28 and accessed highly sensitive information going back almost 20 years, including names, social security numbers and addresses of more than 60 million students and educators. Additionally, Paxton alleged that disability information, grades, medical information and bus stops were in the databases accessed in the breach.
Following the breach, North Carolina Attorney General Jeff Jackson (D) and Canada's Privacy Commissioner Philippe Dufresne launched investigations (see 2502060055 and 2502110031). Jackson announced in May that a 19-year-old Massachusetts college student was charged and agreed to plead guilty to hacking into PowerSchool's network and causing the breach (see 2505220037).
“For years, PowerSchool has misrepresented the nature and extent of its data privacy and security protections to Texas schools who entrust PowerSchool with their students’ and teachers’ highly sensitive personal information, including social security numbers and protected health information,” Paxton's complaint said. “In December of 2024, these failures resulted in a catastrophic data breach impacting over 800,000 Texas students and teachers.”
In response to the breach, “PowerSchool falsely, misleadingly, and deceptively represented to Texas schools, their teachers, Texas school-aged children and their parents that their exfiltrated” personally identifiable information (PII), sensitive identifiable information (SPI) and protected health information (PHI) “was deleted when it was not,” the complaint added.
Additionally, Paxton alleged that PowerSchool “benefits financially from commercial uses of school-aged children’s data,” as it “uses school-aged children’s data to develop its products and sell it to third parties.”
“If Big Tech thinks they can profit off managing children’s data while cutting corners on security, they are dead wrong,” said Paxton in a release Wednesday. “Parents should never have to worry that the information they provide to enroll their children in school could be stolen and misused.”