When ShinyHunters claimed responsibility for pulling 275 million records and 3.65 terabytes of data out of Canvas LMS in May 2026, they didn’t just trigger an incident-response cycle. They triggered a litigation cycle. Within days of Instructure’s disclosure, at least seven federal class-action complaints had been filed. Active investigations and filings now span 11 states. This article is a companion to the Canvas breach analysis, written specifically for readers who need to understand what the litigation dimensions of that event actually mean for their institution.
If you’re a legal officer, risk committee member, or general counsel trying to work out your exposure, here’s what this piece answers:
- What has been filed, by whom, and on what legal theories?
- What does the PowerSchool Naviance precedent ($17.25M) suggest about settlement ranges?
- What eDiscovery obligations has the breach created for institutions already managing active litigation?
Let’s get into it.
What Class-Action Lawsuits Have Been Filed Over the Canvas Breach?
Six of the seven initial complaints landed in the US District Court for the District of Utah — that’s the presumptive venue because Instructure is headquartered in Salt Lake City. The seventh was filed in the Southern District of New York and it’s the one worth watching: it names KKR & Co. alongside Instructure as a co-defendant. KKR and Dragoneer acquired Instructure in November 2024 for approximately $4.8 billion. The SDNY complaint argues that KKR’s ownership and governance decisions affected Instructure’s security investment posture. If that theory survives a motion to dismiss, it significantly deepens the financial exposure on the defence side.
On 7 May 2026, ClassAction.org confirmed an active Instructure investigation. Chimicles Schwartz Kriner & Donaldson-Smith opened a parallel inquiry the same day. Based on historical breach-litigation patterns, expect filings to compound over the next 30 to 60 days as institutions get publicly tied to the breach dataset and state attorneys general open independent inquiries.
ShinyHunters claimed the breach impacted 275 million students, teachers, and staff across nearly 9,000 institutions. That sector-wide reach is what makes this different from prior single-institution incidents: a single vendor holds data for close to a majority of education institutions in the country.
How Are Plaintiffs Building Their Cases? The Two Standing Theories
Two primary theories are being advanced for attaching liability to institutional defendants, not just Instructure. Each is also how plaintiffs satisfy the traceability element of standing against a school that was not itself breached.
💡 “Standing” is the threshold legal requirement that a plaintiff show a concrete, particularised injury that is fairly traceable to the defendant’s conduct and likely to be redressed by a favourable ruling. Without it, a case is dismissed before the merits are examined. For a school that was not itself breached, the traceability element is where Theories 1 and 2 below do their work.
Theory 1: Inadequate Vendor Due Diligence
The argument here is that a school that signed an agreement with Instructure without requiring a breach notification SLA, minimum security standards, or adequate DPA terms created a foreseeable mechanism of harm through its own contracting. Instructure’s breach is the proximate cause; the school’s contractual gaps are the enabling condition. As Fisher Phillips put it directly: “It is likely that schools will also be named in suits under the theory that they could, and should, have done more to protect student information.”
Theory 2: Failure to Maintain Alternate Systems
Canvas serves approximately 41% of North American higher-education institutions by institution count and roughly half of total enrolment. Given that concentration, plaintiffs argue that deciding not to maintain any tested contingency LMS is a foreseeable risk-mitigation failure. The 8,809 institutions named in the affected dataset illustrate why this theory has traction: at near-majority market penetration, failure to plan for Canvas’s unavailability is not niche risk management. Note the mismatch institutional defendants will press: Theory 2 speaks to availability, while the harm pleaded in the current complaints is exposure of records, and a contingency LMS would not have prevented the exfiltration. Expect it to be attacked on causation.
The two theories can compound. An institution with a DPA lacking a breach notification SLA and no LMS contingency plan faces stacked exposure, not stacked defences.
What Does “Inadequate Vendor Due Diligence” Mean in Practice?
Theory 1 is grounded in contract law and regulatory compliance. To understand it, you need to understand what a well-drafted DPA should have contained.
Four DPA gap categories plaintiffs are examining:
- No breach notification SLA: FERPA contains no fixed notification timeline. State statutes do. A DPA that didn’t import those timelines creates a standing-relevant gap.
- No minimum security standard requirement: A DPA that didn’t require SOC 2 Type II, ISO 27001, or equivalent leaves the school unable to demonstrate reasonable due diligence on the vendor’s security posture.
- Liability caps that insulate Instructure: Standard vendor agreements routinely include caps on liability. Accepted without negotiation, they leave the school bearing the downstream cost of the vendor’s failure.
- No incident response documentation requirement: Without a contractual obligation for Instructure to maintain and share incident response documentation, schools can’t demonstrate ongoing oversight — and that’s a gap plaintiffs use to argue the school had no real control.
The FERPA School-Official Exception as plaintiff ammunition
FERPA has no private right of action. But FERPA non-compliance establishes a legally cognisable duty and serves as the predicate violation for state-law claims. New York Education Law 2-d and California’s SOPIPA are the strongest plaintiff instruments: 2-d fixes a vendor-to-school breach notification deadline (seven calendar days under its implementing regulations, 8 NYCRR Part 121) and authorises civil penalties against contractors, and SOPIPA imposes a reasonable-security obligation on operators; FERPA alone provides neither. Note that neither statute contains an express private right of action on its face; plaintiffs reach them as the standard of care behind negligence-per-se and state consumer-protection claims. Approximately 130 state student-privacy statutes add layers of obligation across other jurisdictions.
The full statutory framework is developed in FERPA Wasn’t Built for This. Here, the relevant point is that FERPA functions as a plaintiff litigation tool, not just a compliance obligation.
Once you understand the DPA gaps, the next question is what they might actually cost — and for that, there’s a financial precedent to work from.
What Does the PowerSchool Settlement Tell Us About Canvas Exposure?
The PowerSchool Naviance settlement is the primary financial precedent — but it needs to be used carefully, because there are two separate PowerSchool matters and they are not the same thing.
The PowerSchool Naviance settlement ($17.25M, filed August 2023, resolved March 2026) resolved a consent-based claim: that Naviance intercepted confidential student communications without consent. That’s the relevant financial precedent. The PowerSchool 2025 breach MDL is a separate proceeding from a different incident disclosed in January 2025. It’s still in progress and has produced no settlement figure. Don’t conflate them.
Settlement range methodology — transparent, not predictive:
- Records in scope: PowerSchool Naviance ~62 million; Canvas breach ~275 million (claimed)
- Record-count ratio: Canvas is 4.4× larger by raw record count
- State-law amplifiers: Naviance had limited state-law exposure; Canvas faces claims pleaded under NY Education Law 2-d and CA SOPIPA
- PE co-defendant: Naviance had none; Canvas has KKR
- Step 1: Anchor at the Naviance settlement: $17.25M.
- Step 2: Apply the record-count multiplier (275M ÷ 62M ≈ 4.4×): $17.25M × 4.4 ≈ $75.9M.
- Step 3: Adjust upward for data-type severity. Canvas data includes educational records, private messages, and potentially financial aid data, which carry higher per-record sensitivity than a communication-interception claim.
- Step 4: Adjust upward for state-law amplifiers. Claims pleaded under NY Education Law 2-d and CA SOPIPA drive per-class-member recovery above FERPA-only baselines.
- Step 5: Adjust for defendant depth. KKR’s co-defendant status adds settlement capacity the Naviance matter simply didn’t have.
Only Step 2 carries a number; Steps 3 to 5 are directional judgements, which is why the upper bound below is wide. Illustrative result: $75M–$150M is a plausible sector-wide range. That’s not a prediction. Actual settlement depends on class certification, discovery scope, and defendant strategy, and per-record recoveries in large classes tend to fall as class size grows, which cuts against a straight multiplier.
If Theory 2 — failure to maintain alternate systems — survives a motion to dismiss, settlement pressure increases further. It creates a category of institutional defendants whose liability is architectural, not just contractual.
How Does FERPA Non-Compliance Strengthen the Plaintiff’s Hand?
FERPA non-compliance strengthens plaintiff standing through two mechanisms, neither of which requires a private right of action under FERPA itself.
Mechanism 1: Duty establishment. Instructure’s school-official status under 34 C.F.R. § 99.31(a)(1)(i)(B) has three conditions: the vendor must (a) perform an institutional service or function the school would otherwise use its own employees for, (b) be under the school’s direct control with respect to the use and maintenance of education records, and (c) use and redisclose records only for authorised purposes. Plaintiffs argue the breach voided conditions (b) and (c): condition (c) because data was accessed for unauthorised purposes, and condition (b) because the breach demonstrates the school lacked real control over Instructure’s security posture. That voided status supports negligence and negligence-per-se claims, independent of FERPA’s enforcement mechanism.
Mechanism 2: State-law predicate. States that have incorporated FERPA standards into state law, primarily New York and California, let plaintiffs use FERPA non-compliance as the predicate violation for negligence-per-se and consumer-protection claims, and supply the civil penalties and fixed notification deadlines that federal law alone does not. Neither Education Law 2-d nor SOPIPA states an express private right of action, so expect this mechanism to be fought at the motion-to-dismiss stage.
The critical question for institutional defence is whether the school can demonstrate it actually exercised oversight over Instructure’s security practices. Institutions that accepted Instructure’s standard DPA without negotiation, without security questionnaires, and without periodic review cannot document that oversight. As one legal commentator put it: “If a school did its homework, signed a strong data processing addendum, and asked the right questions about Instructure’s controls, the school is on much firmer ground than one that did not.”
What Is the eDiscovery Problem Institutions Are Not Thinking About?
This angle is missing from most coverage — but it directly affects institutions already in active litigation where Canvas was a custodial evidence source.
💡 “Chain of custody” in eDiscovery refers to the documented record of who has had access to electronically stored information from its creation through its production in litigation. An unbroken, documented chain is required to certify the integrity of produced evidence.
ShinyHunters’ exfiltration created an adversary copy of Canvas data. For any institution managing active Title IX proceedings, academic integrity matters, employment disputes, or faculty-conduct cases where Canvas coursework, private messages, or conduct records were custodial evidence — that evidence is now in both the institution’s custody and an adversary’s hands.
The Federal Rules of Civil Procedure (Rule 26 on scope, Rule 34 on production) and the authentication rules (Federal Rule of Evidence 901, and the 902(13) and 902(14) certifications for electronic records) require the producing party to be able to show that electronically stored information is what it purports to be. An adversary holding a copy does not by itself break the institution’s chain of custody over its own records: copying is a confidentiality failure, not an integrity failure. What creates the problem is the possibility of write access. Unless the institution can show that the intrusion was read-only, opposing counsel can challenge the authenticity of Canvas-sourced evidence and the integrity of material already produced, and any data lost or altered during incident response becomes spoliation exposure.
The good news: spoliation arguments are unlikely to land where the institution acted reasonably. The work is in showing the court and case file how the institution acted. Four actions are required:
- Issue an updated litigation hold naming Canvas LMS content — coursework, messaging, and conduct records — as a preserved category.
- Notify opposing counsel that an adversary copy of Canvas data now exists; document the notification in the matter file.
- Request from Instructure or institutional IT a written preservation status confirmation, a list of exfiltrated record types relevant to active matters, and a statement of whether the attackers’ access was read-only or could have modified records.
- Consult with outside eDiscovery counsel on whether previously produced Canvas evidence requires a supplemental certification or explanatory disclosure.
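The documented chain described above is easiest to defend going forward if the institution fixes the integrity of its own preserved copy now. The following is an added example, not code from the article, from Instructure, or from any eDiscovery vendor: it builds a SHA-256 manifest over an exported Canvas evidence directory, records custodian and time, and verifies the export against that manifest later, reporting modified, missing, and added files. The directory layout, file names, custodian, and matter identifier are constructed for the example.

```python
"""Preservation manifest for an exported evidence directory.

Added example, not from the original article. Assumes the institution has
exported the relevant Canvas content (course files, message exports,
conduct records) to a directory on a preservation host. The custodian,
matter identifier and sample files below are hypothetical.
"""
import datetime
import hashlib
import json
import tempfile
from pathlib import Path


def sha256_file(path: Path) -> str:
    """Stream a file through SHA-256 so large exports do not need to fit in memory."""
    h = hashlib.sha256()
    with path.open("rb") as f:
        for chunk in iter(lambda: f.read(1 << 20), b""):
            h.update(chunk)
    return h.hexdigest()


def build_manifest(export_dir: Path, custodian: str, matter_id: str) -> dict:
    """Hash every file under export_dir and wrap the result in a dated, attributed record."""
    root = Path(export_dir)
    files = {}
    for p in sorted(root.rglob("*")):
        if p.is_file():
            files[p.relative_to(root).as_posix()] = {
                "sha256": sha256_file(p),
                "size": p.stat().st_size,
            }
    # A hash over the canonical JSON of the file table lets the manifest itself
    # be referenced by a single value in the matter file.
    table_hash = hashlib.sha256(
        json.dumps(files, sort_keys=True).encode("utf-8")
    ).hexdigest()
    return {
        "matter_id": matter_id,
        "custodian": custodian,
        "preserved_at": datetime.datetime.now(datetime.timezone.utc).isoformat(),
        "files": files,
        "manifest_sha256": table_hash,
    }


def verify_manifest(export_dir: Path, manifest: dict) -> list[str]:
    """Return discrepancies between the directory now and the manifest (empty list means intact)."""
    root = Path(export_dir)
    current = {
        p.relative_to(root).as_posix(): sha256_file(p)
        for p in sorted(root.rglob("*"))
        if p.is_file()
    }
    problems = []
    for rel, meta in manifest["files"].items():
        if rel not in current:
            problems.append(f"missing: {rel}")
        elif current[rel] != meta["sha256"]:
            problems.append(f"modified: {rel}")
    for rel in current:
        if rel not in manifest["files"]:
            problems.append(f"added: {rel}")
    return problems


def demo() -> tuple[list[str], list[str]]:
    """Constructed sample: three small files, a clean verification, then a tampered one."""
    with tempfile.TemporaryDirectory() as d:
        root = Path(d)
        (root / "course_101").mkdir()
        (root / "course_101" / "submission_42.txt").write_text("constructed sample submission\n")
        (root / "messages_export.csv").write_text("from,to,body\nalice,bob,constructed sample message\n")
        (root / "conduct_record_7.json").write_text('{"case": 7, "note": "constructed"}\n')

        manifest = build_manifest(root, "hypothetical custodian", "MATTER-000")
        clean = verify_manifest(root, manifest)

        # Simulate what a later integrity challenge would have to detect.
        (root / "messages_export.csv").write_text("from,to,body\nalice,bob,altered\n")
        (root / "conduct_record_7.json").unlink()
        tampered = verify_manifest(root, manifest)
    return clean, tampered


if __name__ == "__main__":
    clean, tampered = demo()
    print("clean run:", clean)
    print("tampered run:", tampered)
```

A manifest created after the breach cannot prove the records were unaltered before it; what it does is pin the preserved copy from this point on, so a later challenge to any produced item can be answered with a hash match against the manifest in the matter file. Store the manifest outside the export directory, in the matter file or a write-once store, and record who ran it and on which host.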
Ignore this and you’re looking at adverse inference instructions, discovery sanctions, or exclusion of evidence in active matters.
What Should Legal and Risk Offices Do Right Now?
Within 30 Days
DPA gap review. Pull the institution’s current Instructure contract and data processing addendum. Check whether it contains a breach notification SLA, minimum security standards, liability allocation for vendor-side breach, and incident response documentation obligations. Document what you find — the absence of each element is an exposure datapoint.
Litigation hold update. Issue or update litigation hold notices to name Canvas LMS as a preserved evidence category. Distribute to all custodians managing academic integrity, Title IX, employment, and faculty-conduct matters.
Opposing counsel notifications. In all active litigation where Canvas data is a custodial source, notify opposing counsel that an adversary copy now exists. Document the notification.
Board briefing. Prepare a one-page risk summary: litigation scope (11 states, 7+ federal complaints), standing theories (Theory 1 and Theory 2), illustrative settlement range ($75M–$150M sector-wide), and the institution’s DPA status.
Insurance review. Notify cyber-liability and education-sector liability insurers. Confirm class-action defence coverage and co-operation obligations.
Within 30–90 Days
Retain outside counsel with education data breach litigation experience for a formal DPA gap analysis and contract amendment advice. Extend that DPA review to all mission-critical SaaS providers — not just Instructure. Begin a formal vendor risk assessment programme if one doesn’t exist; its absence is a Theory 1 standing amplifier for any future vendor breach. The financial exposure from vendor concentration is developed in detail in Vendor Risk in Mission-Critical SaaS: Lessons from the Canvas Breach.
Frequently Asked Questions
Who can sue over the Canvas breach — students, schools, or both?
Students and parents whose records were exposed are potential class members if they can demonstrate concrete harm. Schools may also have a cause of action against Instructure if negligence or unaddressed vulnerabilities contributed to the breach, subject to whatever liability cap the school accepted in its contract (see the DPA gaps above). At the same time, schools face being named as defendants by students under Theory 1. That creates a dual-exposure position where an institution may be both plaintiff and defendant in different proceedings arising from the same event.
Can a school be sued even though it wasn’t the one that was hacked?
Yes. Theory 1 — inadequate vendor due diligence — doesn’t require the institution to have been hacked directly. The school’s contracting decisions create a causal chain from the school’s own conduct to the student’s harm. Instructure’s breach is the proximate cause; the school’s DPA gaps are the enabling condition that plaintiffs argue made harm foreseeable.
How does Canvas compare to PowerSchool as a litigation precedent, and what might settlements cost?
The PowerSchool Naviance settlement ($17.25M) resolved claims involving approximately 62 million student records. Canvas involves a claimed 275 million — 4.4 times larger by record count. Scaled to that multiple, with upward adjustments for data-type severity, state-law amplifiers (NY Education Law 2-d, CA SOPIPA), and KKR’s deep-pockets co-defendant status, a sector-wide illustrative range of $75M–$150M is plausible. This is an illustration, not a prediction.
What is the eDiscovery implication for institutions already in Title IX or academic integrity litigation?
ShinyHunters now holds an adversary copy of Canvas data. For institutions managing active matters where Canvas was a custodial source, the authenticity of that evidence is open to challenge unless the institution can show the intrusion did not alter its own records. Issue an updated litigation hold naming Canvas content as a preserved category, notify opposing counsel, obtain a written statement on whether the attackers’ access was read-only, and consult with eDiscovery counsel on whether previously produced evidence requires supplemental certification.
What is a Data Processing Agreement and why does it matter for litigation exposure?
A DPA is a contractual addendum governing how a vendor processes, stores, and secures student data. The absence of key DPA terms — breach notification SLAs, security standards, liability allocation — is the mechanism through which plaintiffs attach the inadequate vendor due diligence theory to institutional defendants. Institutions that accepted Instructure’s standard terms without negotiation are substantially more exposed than those that required documented security obligations.
Which states give plaintiffs the strongest tools in a Canvas class action?
New York (Education Law 2-d) and California (SOPIPA) provide fixed vendor obligations, civil penalties, and a statutory standard of care, which makes them the strongest plaintiff tools in the current filing landscape; neither states an express private right of action, so plaintiffs plead them through negligence-per-se and consumer-protection claims. Federal FERPA has no private right of action; it functions as a duty-establishing mechanism. States without their own student-data statutes rely on general breach notification laws, which typically carry lower per-record exposure.
For a complete overview of all dimensions of the Canvas incident — technical, regulatory, operational, and strategic — see the Canvas breach hub page.