Pittsfield Joins PowerSchool Data Breach LawsuitBy Brittany Polito, iBerkshires Staff 11:53AM / Sunday, May 04, 2025 | |
PITTSFIELD, Mass.— The school district could receive compensation for a PowerSchool breach in December that accessed students and teachers' personal information.
On Wednesday, the School Committee unanimously voted to join a mass action litigation against PowerSchool for the cybersecurity incident that affected thousands of school districts across the United States, including the Pittsfield Public Schools. Mount Greylock Regional School District and Northern Berkshire School Union also reported that some data was accessed.
The software company notified Pittsfield of the Dec. 19 breach in the first week of January and notified the district of remedial efforts, which included free Experian accounts to monitor people's credit, on Jan. 17.
"There are a couple of reasons I see to sign on. One is financial. We could potentially get money back for 25 years of PowerSchool. Not the whole cost, but the cost they should have incurred to protect our data. So it won't be the full cost, but it would be something, and 25 years of that cost could add up to a substantial sum. And again, I don't know what that sum is, yet," Information Technology Director Richard White said.
"The other reason I think we should sign up for this litigation is that PowerSchool, in our agreement, has a clause that says they're not liable for pretty much anything. That's kind of standard vernacular in an agreement with almost any company. This litigation will have it in the settlement, if we win, that we are not liable for this data breach or any actions thereof in the future."
The breach included all fields pertaining to students and teachers. White explained that it affected most of the staff members and students, but also anyone historically in the system over the last 25 years.
PowerSchool hired CrowdStrike Services to investigate the scope and extent of the third-party activity, with an investigation beginning on Dec. 29 and concluding on Feb. 17.
"We're going to have to do some investigation and try to see what harm has been done. If what PowerSchool says is true, and we're not sure it is, the data was destroyed, but if the data was not destroyed and was leaked, then potentially someone's identity could be stolen," he said.
"So if that identity was stolen, we can then prove harm."
The Education Cooperative, a student data privacy alliance, hired Frantz Law Group of California to see if it was possible to pursue any litigation against PowerSchool.
"Apparently it is. They've taken on the case and they're looking for school districts to sign up," White reported.
He explained that if a student notices 20 years from now that a false identity has been created in their name with loans and credit cards taken out, they could come back and sue Pittsfield. "However, it really should go back on the company who was supposed to be protecting our data on PowerSchool."
This suit differs from a class action, where all of the litigants have the same lawsuit. It is a mass action suit because the districts have individual contracts and agreements.
The cooperative will put the litigation forward at the end of May, "And if PowerSchool decides to settle right away and we're not signed on by that date, then we will not be part of it, not getting anything," White said.
The attorneys are asking for 30 percent of the final total, but are asking for their fees to be paid in the lawsuit, so the district may end up having to pay nothing and won't be charged if the case loses.
When asked if there was any reason not to join the suit, White said there is a highly unlikely chance that the software company, which is regarded as one of the best student information systems, could drop the district as a client.
Chair William Cameron said the most attractive aspect of the litigation is absolving the district from future litigation due to the data breach.
"The real harm from this, it seems to me, could come from the use of the stolen data subsequently, as using somebody else's identity, and so the idea of indemnification strikes me as a strong reason to give this serious consideration," he said.
Committee member William Garrity highlighted PowerSchool's "negligence" in not having proper cybersecurity controls in place from the get-go, adding that it is harder to get into his account to do schoolwork than it was for a support member to access personal information.
|