FERPA Liability and the PowerSchool Breach: What Maryland Private Schools Need to Know

A school administrator called us last month after the PowerSchool breach. Her first question wasn't "are we affected?" It was "are we liable?"

That question is exactly the right one — and the answer depends on something most private schools in Maryland have never thought through.

The Part Most Schools Miss

The PowerSchool breach exposed 62 million student records. Names, addresses, grades, medical information, disciplinary histories — all of it. The Department of Education is currently reviewing FERPA compliance across every scho>

But here's what matters for your school, whether you used PowerSchool or not: FERPA liability doesn't end with your software vendor.

Under FERPA, when your school shares student records with a third-party platform — a student information system, a learning management platform, an email provider, a tutoring app — you are responsible for making sure that vendo>

If a vendor you trusted gets breached and they didn't have proper safeguards in place, the question regulators will ask is: did your school verify those safeguards before handing over student data? For most small private school>

The Three Gaps We Find Most Often

When we do IT security assessments for private schools and tutoring centers in Southern Maryland, the same gaps show up repeatedly. These aren't obscure technical failures — they're documentation and process gaps that any schoo>

1. No Written Data Security Policy

FERPA requires schools to use "reasonable methods" to protect student records. In practice, that means a written policy — who has access to student data, how it's stored, what happens if something goes wrong, and how staff are >

Not a binder in a drawer that nobody reads. An actual documented plan your staff follows.

If an auditor or a Department of Education reviewer walked into your school today and asked to see your FERPA compliance documentation, what would you hand them? For most small private schools in Maryland, the answer is not muc>

2. No Role-Based Access Controls

Not every teacher needs access to every student record. Not every staff member needs a login to your student information system. Not every administrator needs to see medical or disciplinary files.

Role-based access controls mean staff can only see the data they need to do their specific job. It's one of the most common gaps we find in small schools, and one of the most straightforward to address. It's also one of the fir>
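To make the control concrete, here is an added illustration of field-level role-based access over a student record. It is not code from the original post or from any student information system; the roles, the grouping of fields into categories, the sample record and the sample account list are all assumptions made for the example. The two points it shows are deny-by-default (a role that is not in the policy sees nothing) and a periodic access review that lists exactly which accounts can reach medical or disciplinary data.

```python
"""Field-level role-based access to student records (illustrative, not from the post)."""

# Assumed grouping of record fields into categories for this example.
CATEGORIES = {
    "directory": {"name", "grade_level", "homeroom"},
    "academic": {"grades", "attendance"},
    "medical": {"allergies", "medications"},
    "disciplinary": {"incidents"},
}

# Assumed role policy: which categories each role may read.
# Any role not listed here gets nothing (deny by default).
ROLE_POLICY = {
    "teacher": {"directory", "academic"},
    "nurse": {"directory", "medical"},
    "dean": {"directory", "academic", "disciplinary"},
    "registrar": {"directory", "academic"},
    "front_desk": {"directory"},
}


def allowed_fields(role):
    """Return the set of record fields a role may read; unknown roles get an empty set."""
    categories = ROLE_POLICY.get(role, set())
    return set().union(*(CATEGORIES[c] for c in categories))


def view_record(role, record):
    """Return a copy of `record` containing only the fields `role` is permitted to see."""
    permitted = allowed_fields(role)
    return {k: v for k, v in record.items() if k in permitted}


def accounts_with_access(accounts, category):
    """Access-review helper: usernames whose role can read `category`, sorted."""
    return sorted(
        user for user, role in accounts.items()
        if category in ROLE_POLICY.get(role, set())
    )


def overprivileged(accounts, category, expected_roles):
    """Accounts that can read `category` but hold a role outside `expected_roles`.

    Use this in a periodic review: e.g. only the nurse role should reach medical
    data, so anyone else who can is flagged for role correction.
    """
    return sorted(
        user for user, role in accounts.items()
        if category in ROLE_POLICY.get(role, set()) and role not in expected_roles
    )


# Constructed sample record (fictional values).
SAMPLE_RECORD = {
    "name": "A. Student",
    "grade_level": 7,
    "homeroom": "204",
    "grades": {"math": "B+", "english": "A-"},
    "attendance": {"absent": 2, "tardy": 1},
    "allergies": ["peanuts"],
    "medications": ["inhaler"],
    "incidents": ["2024-10-03: late to class"],
}

# Constructed sample account list (username -> role). "volunteer" is deliberately
# absent from ROLE_POLICY to show the deny-by-default path.
SAMPLE_ACCOUNTS = {
    "msmith": "teacher",
    "jdoe": "nurse",
    "rlee": "dean",
    "kpatel": "registrar",
    "bjones": "front_desk",
    "tvol": "volunteer",
}


if __name__ == "__main__":
    for role in ("teacher", "nurse", "volunteer"):
        print(role, "sees:", sorted(view_record(role, SAMPLE_RECORD)))
    print("medical access:", accounts_with_access(SAMPLE_ACCOUNTS, "medical"))
    print("disciplinary access:", accounts_with_access(SAMPLE_ACCOUNTS, "disciplinary"))
    print("overprivileged for medical:", overprivileged(SAMPLE_ACCOUNTS, "medical", {"nurse"}))
```

The review functions are the part worth keeping in practice: running them against an export of your SIS accounts on a schedule, and recording the result, is the kind of documented process the checklist later in this post asks about.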

3. No Signed Vendor Data Processing Agreements

Every vendor that touches student data — your student information system, your email provider, your learning management platform, your school communication app — should have a signed data processing agreement with your school. >

The PowerSchool situation is a direct example of what happens when schools assume the vendor handled this. Tens of thousands of schools trusted a widely-used platform. Many of them will have no documentation proving they verifi>

What FERPA Actually Requires

FERPA doesn't prescribe a specific security standard the way GLBA or HIPAA do. It requires "reasonable methods" — which sounds vague until you're explaining to a regulator why your school had no written security policy and no v>

The Department of Education interprets "reasonable methods" in light of what's available and common practice. In 2026, having no written policy, no access controls, and no vendor agreements is not reasonable. Those aren't enter>

FERPA also operates through your school's continued eligibility for federal funding. For private schools that receive federal Title I or Title IV funding, a FERPA violation isn't just a fine — it's a threat to that funding stre>

What to Do Right Now

If you're a private school administrator in Maryland reading this and you're not sure where your school stands on any of these three areas, here's a practical starting point:

Ask yourself these questions:

  • Do we have a written data security policy covering student records? When was it last updated?
  • Do we have a list of every vendor that accesses student data? Do we have signed agreements with each of them?
  • Do we have a process for reviewing and limiting who has access to student information systems?

If you can't answer yes to all three, that's where the work is.

What Lewis IT Does for Maryland Private Schools

Lewis IT LLC works with private schools, small charter schools, and tutoring centers across Southern Maryland — St. Mary's County, Calvert County, and Charles County. We're not a generalist IT firm that handles schools occasionally. We understand FERPA, we understand what school administrators are actually managing, and we know how to build compliance documentation and access controls that fit a school's budget and operations.

Our IT security assessments for schools cover:

  • Review of existing data security documentation (or help creating it from scratch)
  • Audit of vendor agreements and identification of unsigned gaps
  • Review of access controls in your student information system and other platforms
  • Network and device security review
  • A clear written summary of findings and prioritized next steps

The assessment is free. It takes about 30 minutes to start. And it will tell you exactly where you stand before a breach or a regulatory review forces the conversation.

The Bottom Line

The PowerSchool breach is a wake-up call, but the FERPA compliance gaps it's exposing have been there for years at most small private schools. The good news is that the three most common gaps — a written security policy, role-b>

If you're not sure where your school stands, that's exactly what a security assessment is for.

Schedule a free school IT security assessment --> www.lewisit.io/contact-us
