When ShinyHunters claimed 275 million records from Instructure’s Canvas platform in early May 2026, compliance officers across 8,809 institutions faced the same problem at the same moment. The Canvas breach triggered simultaneous obligations under FERPA, COPPA, GDPR, and at least 130 state student privacy statutes. No incident response plan was written for that.
The breach exposed a regulatory architecture that was never designed for platform-scale incidents. FERPA has no fixed breach notification timeline and gives no private right of action to affected students or parents. K-12 districts trigger COPPA. Forty-four Dutch institutions trigger GDPR’s 72-hour clock. Eleven states have class-action suits routing through state law — not federal statute — because FERPA simply lacks the enforcement mechanisms to support them.
Here’s what that means for institutions on the breach list, and what you need to do about it.
What Was FERPA Designed to Do — and What Lies Outside Its Scope?
FERPA — the Family Educational Rights and Privacy Act, codified at 20 U.S.C. § 1232g — was enacted in 1974. It gives parents and students the right to access and correct educational records, restricts disclosure without consent, and places those obligations on institutions receiving federal funding. The DoE’s Student Privacy Policy Office investigates complaints, and FERPA’s ultimate sanction is loss of federal funding — a remedy so extreme it has never actually been applied in 50-plus years.
Two structural gaps define FERPA’s limits when you’re managing a breach.
No fixed notification timeline. FERPA specifies no deadline for notifying students or parents after a breach. There is simply no such provision in the statute.
No private right of action. Students and parents cannot sue under FERPA. Their only recourse is a complaint to the Student Privacy Policy Office.
Neither gap was a design flaw in 1974 — the statute predates the internet, cloud computing, and multi-tenant SaaS platforms. FERPA’s framers were thinking about paper files in locked cabinets at individual schools, not a platform holding records for 8,809 institutions simultaneously. If your compliance planning begins and ends with FERPA, you are underprotected.
Does the School-Official Exception Under 34 C.F.R. § 99.31 Protect Instructure After a Breach?
Instructure’s lawful access to 275 million student records rests on one provision: the School-Official Exception under 34 C.F.R. § 99.31(a)(1). It permits schools to share student records with vendors without individual consent, provided three conditions are met: (a) the vendor functions as a school official, (b) it has a legitimate educational interest in the records, and (c) it uses data only for authorised purposes under the institution’s direct control. Pre-breach, Instructure qualifies on all three. The post-breach question is trickier.
These conditions have to be continuously maintained. Once ShinyHunters exfiltrated student data, it was no longer being used “only for authorised purposes.” Condition (c) requires use “under the institution’s direct control.” At the moment of exfiltration, that control was gone.
Whether a breach violates the exception or merely coexists with it is an unresolved legal question, and the argument that it does is one plaintiff attorneys may deploy in class-action litigation. The exception establishes the lawful basis for pre-breach data access — it is not a shield against the consequences of a security failure.
This is why the Data Processing Addendum matters: it’s where the exception’s conditions get contractual force and where breach consequences are specified.
What Are FERPA’s Critical Gaps for Schools Responding to This Breach?
Three structural gaps in FERPA hit hardest when you are managing a breach response right now.
Gap 1: No fixed notification timeline.
FERPA imposes no deadline for notifying students or parents after a breach. Compare that to frameworks that do: New York Education Law Section 2-d requires vendors to notify affected institutions within seven calendar days of breach awareness. GDPR Article 33 requires supervisory authority notification within 72 hours of awareness that a breach “likely occurred.” California’s SOPIPA requires “expedient” notification without waiver.
The institutions facing the tightest clocks are in New York, California, and EU jurisdictions — not because of federal law, but despite it.
Gap 2: No private right of action.
This is why class-action litigation triggered by the Canvas breach proceeds under state student privacy laws and common law negligence, not FERPA. The statute provides no civil enforcement hook. In over 50 years of FERPA enforcement, the sanction of lost federal funding has never been applied. It is not a deterrent, and it is not a remedy for an affected student.
Gap 3: Vendor obligations are indirect.
FERPA applies to schools, not vendors. Instructure’s obligations flow through the School-Official Exception conditions and the contractual DPA — not the statute. Schools with inadequate DPAs have no contractual leverage to demand timely notification, documentation, or remediation from Instructure.
This DPA gap is the primary compliance risk for independent schools. FERPA’s gap creates a contractual gap, which creates a compliance gap. That chain is simple, and it is the chain you need to break.
What Did COPPA’s April 2026 Update Change — and Why Does It Matter for K-12 Schools?
COPPA — the Children’s Online Privacy Protection Act — applies to operators collecting personal information from children under 13. That means virtually every K-12 district using Canvas.
The FTC’s April 22, 2026 rule amendments — effective just weeks before the Canvas breach was publicly disclosed — added four material changes:
- Written information security programme requirements. Operators must now maintain a documented security programme covering risk assessments, safeguard controls, and annual evaluation. K-12 districts need to ask whether that programme existed and whether their DPA required Instructure to maintain an equivalent one.
- Data minimisation mandates. Operators may only collect what is necessary for the educational purpose. The rule prohibits indefinite data retention and requires a public written retention policy.
- Standardised deletion obligations. Children’s data must be deleted once no longer necessary. Assess whether your Canvas relationship retained child data beyond any defensible educational purpose.
- Heightened parental consent mechanics. Separate consent is now required for third-party data sharing. DPAs that permitted Instructure to share data with sub-processors without separate parental consent may face compliance exposure.
The financial stakes are real. Civil penalties reach up to $51,744 per affected child per violation — even a small K-12 district faces potential six-figure exposure if COPPA compliance was deficient. Verify the specifics against the Federal Register before finalising your breach response documentation.
Does the GDPR Apply to the Canvas Breach — and What Is the 72-Hour Notification Deadline?
Yes — for EU-campus data. Instructure is a US company, but GDPR’s extraterritorial scope under Article 3 applies the moment it processes personal data of EU residents. Where the processor is based is irrelevant.
The Canvas breach list names institutions across multiple EU jurisdictions. Forty-four Dutch institutions are explicitly listed, triggering Autoriteit Persoonsgegevens notification obligations. The University of Oxford is named, triggering obligations under UK GDPR governed by the ICO. Spanish institutions also appear. Most English-language compliance guidance on the breach has been US-centric — institutions in the Netherlands, UK, and Spain are on a faster-moving track.
GDPR Article 33: the 72-hour clock. Article 33 requires supervisory authority notification within 72 hours of becoming aware that a breach “likely occurred” — not from confirmation, not from vendor notification. From awareness. Public disclosure of the Canvas breach began May 1–3, 2026. Institutions with EU-campus users that had not filed supervisory authority notifications by May 5–6 are potentially in breach of Article 33. Article 34 creates a parallel obligation to notify affected individuals directly where high risk is established — for student names, email addresses, IDs, and private messages, that threshold is almost certainly met.
Australian institutions face obligations under the Australian Privacy Act 1988 and the Notifiable Data Breaches scheme — separate obligations assessed under Australian privacy law, not GDPR.
How Do State Student Privacy Laws Fill the Gaps FERPA Leaves?
Approximately 130 state student privacy statutes supplement — and in key respects go further than — FERPA. Two are directly relevant to the Canvas breach.
New York Education Law Section 2-d. NY Ed Law 2-d applies to educational agencies and their third-party contractors in New York. Instructure must notify affected institutions within seven calendar days of discovering a breach. The law creates a private right of action — students and parents can sue directly. It also mandates specific DPA language: contracts with ed-tech vendors must include defined security obligations and breach notification mechanics. Seven calendar days is the sharpest contrast to FERPA’s no-fixed-timeline framework.
California SOPIPA. SOPIPA prohibits operators — including Instructure — from using student data for targeted advertising, building student profiles beyond educational purposes, or selling student data. It applies regardless of where the operator is headquartered, and it creates a private right of action.
Why this matters for litigation routing. Class-action suits in 11 states after the Canvas breach are not based on FERPA. They route through state statutes and common law negligence because those provide the civil enforcement hooks federal law does not.
FERPA compliance is necessary but not sufficient. Map your state-law obligations — especially if you have campuses or enrolments in New York or California — and assess whether your DPA with Instructure satisfies those requirements.
What Must a Data Processing Addendum Include to Protect Institutions After a Vendor Breach?
The DPA is the contractual mechanism through which vendor obligations flow — under the School-Official Exception, under GDPR Article 28, under COPPA, under NY Ed Law 2-d. Without an adequate DPA, you have no enforceable tool to demand timely notification, remediation, or documentation from Instructure. Here is what an adequate DPA must contain:
- Breach notification timeline. A defined period — 72 hours of awareness is the GDPR-aligned standard — within which the vendor must notify you.
- Scope of data processing. Precise specification of what data the vendor may access, for what purposes, and in what systems. This gives contractual force to the “authorised purposes under institutional control” condition in 34 C.F.R. § 99.31.
- Sub-processor controls. A list of authorised sub-processors, and advance notification requirements before new ones are added. Required under GDPR Article 28 and COPPA’s updated third-party oversight obligations.
- Data subject rights support. Vendor obligations to assist the institution in fulfilling student and parent access, correction, and deletion requests.
- Data deletion and return. Specific timelines and methods for returning or destroying your data at contract termination, aligned with COPPA’s deletion mandate.
- Minimum security standards. Encryption standards, access controls, penetration testing cadence, and incident response plan requirements. The COPPA April 2026 amendments require a written security programme — your DPA should confirm Instructure’s meets that bar.
- Contractual remedies. Audit rights, termination rights, and indemnification provisions that allocate breach-related losses between your institution and the vendor.
The pressure test is simple: would your current DPA have required Instructure to notify you within 72 hours of the April 25 initial compromise? If the answer is no — or if you can’t even find the DPA to check — the contract is inadequate.
What Should Institutions Do Right Now?
Here is the clearest post-breach action sequence for institutions not yet formally notified by Instructure:
- Wait for and document Instructure’s formal notification. Don’t treat media reporting as the trigger for formal compliance obligations.
- Engage cybersecurity counsel immediately. Before issuing any external communications or initiating internal investigations, get counsel involved. Incident response conducted under attorney-client privilege is materially more defensible.
- Notify your cyber insurance carrier. Most policies require timely notice of a cybersecurity event as a condition of coverage. Late notice is a common basis for denial.
- Document your pre-breach vendor due diligence. Pull the Instructure contract, the DPA, and any security questionnaires. This matters for both regulatory response and litigation defence.
- Map the data in scope. Identify what student records Canvas held for your institution — minor records (COPPA trigger), special education records, counselling communications, records for students in New York or California.
- Review state student privacy law obligations. If you have students or campuses in New York or California, assess whether your DPA satisfies those requirements — not just the FERPA baseline.
If you process data for EU-campus users: The Article 33 clock may already be running from public disclosure on May 1–3, 2026. Seek immediate legal counsel. The Autoriteit Persoonsgegevens handles Dutch institutions; the ICO handles UK institutions including Oxford.
If you have students under 13 enrolled: Assess COPPA April 2026 compliance — your written security programme, data minimisation practices, and DPA terms. Civil penalties of up to $51,744 per affected child per violation apply.
Frequently Asked Questions
Does FERPA require Instructure to notify schools within a set timeframe?
No. FERPA imposes no fixed notification timeline on either schools or vendors. The obligation on Instructure flows from the Data Processing Addendum. NY Ed Law 2-d requires seven-calendar-day vendor notification; GDPR Article 33 requires 72-hour supervisory authority notification for EU-campus users. No DPA notification clause means no contractual remedy for delay.
Can students or parents sue Instructure directly under FERPA?
No. FERPA confers no private right of action. Enforcement is limited to a DoE complaint — a remedy that has never resulted in actual funding loss. Class-action suits are proceeding under state student privacy laws and common law negligence, not FERPA.
What is the FERPA School-Official Exception, and does it protect Instructure after the breach?
34 C.F.R. § 99.31(a)(1) permits schools to share student records with vendors functioning as school officials with a legitimate educational interest, provided data is used only for authorised purposes under institutional control. Whether the breach violates the exception — specifically the “under institutional control” condition — remains an unresolved legal question and a potential plaintiff theory.
Does the GDPR apply to the Canvas breach?
Yes, for EU-campus data. GDPR applies regardless of where the processor is located. The 44 named Dutch institutions, the University of Oxford (UK GDPR), and Spanish institutions are all within scope. Article 33 requires supervisory authority notification within 72 hours of awareness; Article 34 may require direct data subject notification for high-risk breaches.
What changed in COPPA’s April 22, 2026 rule update?
The FTC’s April 2026 amendments added: written security programme requirements, data minimisation mandates (prohibiting indefinite retention), standardised deletion obligations with public retention policies, and heightened parental consent mechanics including separate consent for third-party sharing. Civil penalties of up to $51,744 per affected child per violation apply.
What is the difference between FERPA’s breach notification obligation and a state law’s?
FERPA: no fixed timeline, no private right of action, DoE-only enforcement never applied in full. NY Ed Law 2-d: seven-calendar-day vendor notification, private right of action, mandatory DPA language. CA SOPIPA: private right of action, strict restrictions on vendor data use. GDPR Article 33: 72-hour supervisory authority notification from awareness, with Article 34 data subject notification for high-risk breaches.
What should an adequate Data Processing Addendum include?
A defined breach notification timeline (72 hours of awareness); precise specification of data the vendor may access and for what purposes; sub-processor controls and advance notification requirements; data subject rights support; data deletion and return timelines; minimum security standards; and contractual remedies including audit rights, termination rights, and indemnification provisions.
What is the DoE Student Privacy Policy Office, and what can it actually do?
The sole FERPA enforcement body. Individuals cannot file civil suits — only complaints with the SPPO. Its main tool is withholding federal funding, a remedy never applied in over 50 years. Enforcement resolves through corrective action agreements — which is exactly why class-action litigation routes through state law instead.
What does “no private right of action” mean for a student whose records were breached?
It means a student cannot sue under FERPA — not the school, not the vendor. Their only federal option is a DoE complaint that pays nothing. State laws — NY Ed Law 2-d, SOPIPA — and common law negligence are how affected students pursue financial relief. That is why plaintiff firms are running class actions.
How does COPPA apply differently to K-12 versus higher education?
COPPA applies to operators collecting personal information from children under 13. Most higher education students are over 13, so COPPA’s direct scope largely doesn’t reach them. K-12 districts face COPPA obligations because their student populations routinely include children under 13. Higher education institutions should focus on FERPA, state law, and GDPR where applicable.
The Regulatory Architecture Has a Gap — and It Is the Gap That Matters
The Canvas breach will likely sit alongside the PowerSchool breach (62 million records, 11 states, $17.25 million settlement) as a defining precedent for the sector. At 275 million records and 8,809 institutions, it is roughly 4.4 times the scale — with larger regulatory exposure, more jurisdictions, and a more complex international dimension.
What the breach has confirmed is straightforward: FERPA’s framework, designed for school-level incidents before cloud-hosted learning platforms existed, is not adequate for what has actually occurred. The notification obligations with teeth are in state law and GDPR. The private rights of action are in state law. The contractual mechanisms through which vendor obligations become enforceable are in the DPA — not the statute.
Institutions whose compliance planning begins and ends with FERPA are underprotected. The frameworks that matter most right now are the ones FERPA never addressed. For a complete overview of the breach’s regulatory, operational, and strategic dimensions, see the Canvas breach analysis.