Dissecting the Canvas edtech cyberattack: Compliance obligations and next steps for Pennsylvania schools
June 5, 2026
Publications
In early May, thousands of K-12 schools, colleges, and universities were disrupted when Canvas, a leading edtech software program, went offline during one of the busiest times of the academic year.
The digital blackout was the result of a cyberattack. Instructure, Canvas’s parent company, soon after paid an undisclosed (but presumably substantial) amount to a known hacker group to remove the compromised data from the dark web. In all, over 275 million users across more than 8,000 public and private K-12 and higher education institutions worldwide were affected by the blackout, requiring schools to reschedule exams and leaving many school administrators equally in the dark.
The Canvas attack highlights the readiness obligations your institution must meet to address, mitigate, and remediate security threats at a moment’s notice. The key takeaways of these responsibilities include:
- Understanding your obligations under Pennsylvania’s data breach notification law and applicable federal breach notification regulations.
- Determining when these obligations are triggered and the deadline for notification and reporting.
- Updating your school’s readiness plan.
- Creating a uniform communication strategy to address concerned parents, students, and school officials.
- Performing accurate record-keeping activities under federal student data laws.
Does this breach trigger BPINA notification obligations?
Pennsylvania’s Breach of Personal Information Notification Act (BPINA) requires an entity to notify affected individuals if their personally identifiable information (PII) has been compromised by unauthorized access. If over 500 individuals have been affected, the business must also notify the Commonwealth’s Office of the Attorney General.
PII is narrowly defined as an individual’s first name or first initial and last name, in combination with a Social Security number, driver’s license number, financial account number, medical information, or health insurance information, as well as a username or email address in combination with a password.
In its communications to its K-12 and higher education customers, Instructure stated that usernames, email addresses, course names, enrollment information, and messages were compromised in the incident. However, its ongoing investigation should identify the specific individuals affected and the categories of data compromised. On its webpage dedicated to the attack, Instructure assured that it will notify impacted schools and districts if its investigation finds that their student data was compromised.
Because it is unclear what categories of information were compromised, schools cannot determine whether their notification obligations have been triggered at this time. Nonetheless, Pennsylvania K-12 schools and higher education institutions should be prepared to act swiftly if it is ultimately determined that the compromised information is PII under BPINA.
BPINA notification timelines for public schools
Public schools face shorter timelines than private entities under BPINA. Public schools must notify affected individuals of a security incident within seven business days after determining that a breach occurred. Public schools have an even shorter deadline to report the security incident to their local district attorney: the report must be made within three business days of determining that a breach occurred.
These deadlines are triggered upon the determination that the school’s system was breached. Under BPINA, a “determination” occurs once an entity has conducted a reasonable forensic investigation to determine the extent and nature of the incident.
Under these circumstances, Pennsylvania public schools likely need further information from Instructure to determine which individuals were affected and what data was compromised before this determination can be made.
Upon notification, Pennsylvania schools must prioritize getting the determination correct, expediting notifications to the affected individuals and local district attorneys, and documenting their determination dates and compliance efforts.
Who bears the notification obligation: Schools or vendors?
Until otherwise advised, your institution must assume responsibility for notifying the appropriate individuals and government officials. While Instructure was the party that suffered the security incident, BPINA does not allow businesses to delegate their notification obligations to their third-party vendors without the vendors’ assurance that they will notify the appropriate parties.
Department of Education’s Office of Federal Student Aid notification requirements
Higher education institutions that receive Title IV funding must also incorporate FSA’s strict notification requirements into their incident response plans. Covered institutions must notify FSA of a breach involving PII within 24 hours of the breach becoming known or identified. Institutions must submit their notice through the FSA Cybersecurity Intake Page.
Institutions with more than 500 customers affected by a security breach must also notify the Federal Trade Commission through the FTC’s Safeguards Rule online reporting form. This notification must be provided within 30 days of discovering that the security breach occurred.
FERPA compliance considerations
Pennsylvania schools that receive federal funding must also comply with the Family Educational Rights and Privacy Act (FERPA). While FERPA does not require schools, or their third-party service providers, to make direct data breach notifications, you should determine whether the compromised data was designated “directory information” or “personally identifiable information” under the law’s regulations. This determination will inform you of your institution’s record-keeping obligations under the rule.
Next steps
During this interim period, you should review your institution’s incident response plans and third-party vendor risk guidelines.
If Instructure notifies your school or school district that your students’ data was compromised in the attack, you should:
- Immediately request a list of the types of data and individuals that were impacted.
- Determine whether PII was accessed and document this date.
- Activate your incident response plan.
- Notify the appropriate government officials and individuals within the mandatory timelines under BPINA, FSA’s requirements, and/or the FTC’s Safeguards Rule.
- Develop a communications strategy and designate school representatives to address the questions and concerns of parents, students, and regulators.
- Determine whether the compromised data was designated student directory information or personally identifiable information under FERPA.
- Fulfill the appropriate record-keeping obligations for the affected individuals’ records.
How McNees’ privacy and data security attorneys can help
As cyberattacks become more prevalent, educational institutions must remain vigilant about their data security and notification responsibilities under state and federal laws. While these obligations are complex and often require urgent attention, McNees’ Privacy & Data Security Group can assist your school at every step to help protect your students’ data and safety.