Texas Data Breach Litigation: Paxton v. PowerSchool
Last month, Texas Attorney General Ken Paxton filed a lawsuit against PowerSchool, a major provider of education software, after a disastrous data breach in December 2024 exposed the personal and health records of over 880,000 Texas students and teachers.
This incident, and the resulting litigation, is an evolving case study in the importance of maintaining proper data privacy, cybersecurity, and AI governance in the education sector, and whenever sensitive personal data is at risk.
If you’re here for the tips, skip to the bottom!
The Suit
In December 2024, PowerSchool experienced a breach of its student-information system and related support portal. A hacker used credentials obtained through a subcontractor to gain administrative access to PowerSchool’s systems, and exfiltrated large volumes of unencrypted and highly sensitive data to a foreign server. Transferred information is reported to have included Social Security numbers, medical histories, disability records and, perhaps most alarmingly, school bus stop locations.
At the core of the litigation is not so much the fact that a data breach occurred, but PowerSchool’s marketing tactics in light of its shocking lack of any form of cybersecurity protection at all.
The Attorney General’s complaint is a scathing critique of the extensive misrepresentations PowerSchool made about its data security systems. Per the Complaint, PowerSchool marketed its K-12 education platform as a “mission-critical data backbone” with “state-of-the-art protections.” PowerSchool CEO Hardeep Gulati even used a White House cybersecurity talk to plug PowerSchool’s purported “relentless investment and focus on every element of security.” For years, PowerSchool posted tips and best practices for maintaining student record security, including a September 10, 2024 blog post that recommended its customers “improve security by limiting the amount of administrative access privileges they grant and utilizing single sign-on (SSO) and Multi-Factor Authentication (MFA).” Yet, upon further investigation into the December breach, the Attorney General’s office determined that PowerSchool itself had failed to implement MFA, among other cybersecurity fundamentals such as encryption of data at rest and in transit, and segmentation of support systems and third-party contractor access. Adding to the line of serious infractions, PowerSchool stored personally identifiable information, sensitive personal information, and protected health information in unencrypted databases, to which third-party support vendors were given access without sufficient monitoring and controls.
The Claims
PowerSchool is accused of violating the Texas Deceptive Trade Practices Act (DTPA) and the Texas Identity Theft Enforcement and Protection Act (ITEPA), both for misrepresenting the strength of its security and for its actual omissions in providing adequate security for the data entrusted to it. The suit seeks injunctive relief and monetary penalties, asserting that PowerSchool profited from its contracts with Texas without upholding the representations it made regarding data protections.
The Litigation in Context
This case is a stark reminder of a growing trend: regulators are increasingly leveraging existing consumer protection and privacy laws to tackle technology vendors’ failures in cybersecurity and AI governance. Therefore, even in the absence of specific data privacy/security or AI governance regulations, businesses may find themselves in hot water for making false representations about how data is collected, stored, processed, secured, managed, retained and deleted. As Texas did here, the FTC and DOJ are both bringing deceptive trade practices suits against companies that make false claims about the capabilities and security of their AI and data systems.
Reminders for Businesses That Store Sensitive Data
PowerSchool is an extreme illustration of what can go wrong for companies in a breach context. But breaking apart each misstep reveals good reminders to keep businesses out of hot water and minimize data exposure risk:
Data Mapping & Vendor Audits: The PowerSchool breach occurred because a subcontractor’s credentials were compromised. It’s important to scrutinize vendor chains with external data processors, model-hosting vendors, and third-party training data suppliers. All data flows should be mapped, and security controls for each point of transfer should be assured in a vendor contract (e.g., using multi-factor authentication, encryption, logging). Vendors should periodically be audited to ensure continued compliance. Vendor accounts should be segmented to provide each with only the level of access necessary to achieve their function (following the principle of least privilege).
Data Minimization & Retention: The PowerSchool breach was so catastrophic, in part, because of the number of records compromised. Businesses that collect, store, or process data should ask: Do we need this data? For how long? And are we storing it securely? Minimizing the types of data collected, deleting data that is no longer mission critical, and ensuring secure storage will limit collateral damage in the event of a malicious attack. Businesses should catalogue the types of data collected so that, if needs change, unnecessary data can be offloaded, and if a malicious attack occurs, attention can be properly allocated to preserving the most sensitive data. Retention periods should be clearly defined and should state when data is to be deleted or securely archived once it is no longer needed.
Transparency and Honesty: The PowerSchool case emphasizes that false advertising about data security not only erodes client and community trust, but can also create liabilities under additional legal frameworks. Businesses should be honest about the security features of their products and services. Separately, best practice is to maintain a privacy policy (which is also a good thing to publish to build community trust), incident-response plans, and vendor-management policies.
Regulatory Compliance & Testing: Substantiate any claims made about the efficacy of security with well-documented, expert-reviewed testing. Stay current with local and federal regulations that govern data privacy and security, or retain an attorney who can review your data flow and guide you through the updates that may be relevant to you. Even small businesses may be subject to state laws and sectoral regulations (FERPA for ed-tech, HIPAA for health care). Smaller companies are well-positioned to build compliance-by-design rather than reacting to malicious incidents and building compliance architecture after the fact.
Sensitive Data Gets Scrutinized: It is important to properly store and protect all data. However, sensitive data is subject to more regulations, and data breaches involving sensitive data are more likely to lead to public disfavor, investigations, and high fines for failures in compliance. Any business that processes data of minors, vulnerable populations, or from regulated sectors (education, healthcare, finance) must operate with extra care.
Incident Response Preparedness: Businesses should plan and prepare for breaches by creating clear protocols compliant with local and federal requirements. Businesses should create playbooks outlining: roles (who will quarterback the incident response, and liaise with regulatory bodies and the public), containment of risk, forensic investigation (businesses would be wise to pre-negotiate a contract for a forensic advisor so if a data incident arises, this eliminates one uncertainty), communication (how and when will notifications be made to affected individuals and stakeholders), and remediation (e.g., credit monitoring). Tabletop simulations should be carried out regularly to check the efficacy of the incident response plan.
Implement Core Cybersecurity Hygiene: Don’t neglect cybersecurity 101. Implement multi-factor authentication requirements, encryption policies, strict access controls following the principle of least privilege, segmentation of systems, and monitoring and logging of access (particularly for geographic anomalies, admin account use, and exfiltration behaviors). Maintain up-to-date anti-malware, and ensure all platform patches and updates are pushed regularly (if not automatically) to neutralize system vulnerabilities.
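The vendor-access and monitoring reminders above (least privilege for vendor accounts, MFA on administrative access, and watching for geographic anomalies, admin account use and exfiltration behaviors) can be turned into concrete review rules over an access log. The following is an added illustration written for this post; it is not PowerSchool’s code or logs. The event format, the allowed-country set, the export threshold and the sample events are all constructed assumptions.

```python
"""Toy access-log review for the hygiene controls listed above.

Constructed example: each event is one login or data-export record from a
hypothetical support portal. The review flags
  - admin logins completed without MFA,
  - admin logins from outside the expected countries (geographic anomaly),
  - vendor accounts that hold an admin role (least-privilege violation),
  - per-account export volume above a threshold (exfiltration behavior).
"""
from collections import defaultdict
from dataclasses import dataclass

# Assumptions for this example: where staff and vendors normally log in from,
# and the daily export volume above which a bulk pull deserves a look.
ALLOWED_COUNTRIES = {"US"}
EXPORT_LIMIT_ROWS = 50_000


@dataclass(frozen=True)
class Event:
    ts: str            # ISO-8601 timestamp (constructed)
    account: str       # login name
    account_type: str  # "staff" or "vendor"
    role: str          # "admin" or "support"
    action: str        # "login" or "export"
    country: str       # GeoIP country of the source address
    mfa: bool          # whether MFA was completed for the session
    rows: int = 0      # rows returned, for export actions only


# Constructed sample events for illustration only; "XX" is a placeholder
# country code standing in for any location outside the allowed set.
SAMPLE_EVENTS = [
    Event("2024-12-19T02:11:00Z", "vendor-svc-17", "vendor", "admin", "login", "XX", False),
    Event("2024-12-19T02:14:00Z", "vendor-svc-17", "vendor", "admin", "export", "XX", False, 120_000),
    Event("2024-12-19T09:05:00Z", "jdoe", "staff", "admin", "login", "US", True),
    Event("2024-12-19T09:20:00Z", "jdoe", "staff", "admin", "export", "US", True, 3_000),
    Event("2024-12-19T10:00:00Z", "vendor-svc-02", "vendor", "support", "login", "US", True),
]


def find_findings(events):
    """Return a sorted list of unique (account, description) findings."""
    findings = set()
    export_totals = defaultdict(int)

    for e in events:
        # Admin sessions get the strictest checks: MFA and expected geography.
        if e.action == "login" and e.role == "admin":
            if not e.mfa:
                findings.add((e.account, "admin login without MFA"))
            if e.country not in ALLOWED_COUNTRIES:
                findings.add((e.account, f"admin login from unexpected country {e.country}"))
        # Least privilege: a third-party support account should not be an admin.
        if e.account_type == "vendor" and e.role == "admin":
            findings.add((e.account, "vendor account holds admin role"))
        # Accumulate export volume per account to spot bulk pulls.
        if e.action == "export":
            export_totals[e.account] += e.rows

    for account, total in export_totals.items():
        if total > EXPORT_LIMIT_ROWS:
            findings.add((account, f"bulk export of {total} rows exceeds limit"))

    return sorted(findings)


if __name__ == "__main__":
    for account, description in find_findings(SAMPLE_EVENTS):
        print(f"{account}: {description}")
```

Run as a script, the sample data yields four findings, all against the vendor account that logged in without MFA from an unexpected country, held an admin role, and pulled 120,000 rows; the staff admin using MFA from an allowed country with a small export, and the vendor support account with no admin role, produce none. In a real deployment the events would come from the identity provider and database audit logs, and the thresholds would be tuned to the organization’s normal activity.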
Conclusion
Industry leaders and startups alike can find themselves in hot water if their cybersecurity and governance practices don’t keep pace with legal and ethical expectations. To avoid claims of deceptive trade practices, businesses must ensure that their marketing matches their capabilities. This practice will not only keep businesses out of litigation, but will also safeguard their reputation.