It was in physical education class when Laila Gutierrez swapped out self-harm for a new vice. 

The freshman from Phoenix had long struggled with depression and would cut her arms to feel something. Anything. The first drag from a friend’s vape several years ago offered the shy teenager a new way to escape. 

She quit cutting but got hooked on nicotine. Her sadness got harder to carry after her uncle died and she felt she couldn’t turn to her grieving parents for comfort. Bumming fruity vapes at school became part of her routine. 

“I would ask my friends who had them, ‘I’m going through a lot, can I use it?’” Gutierrez, now 18, told ĂÛÌÒÓ°ÊÓ. “Or ‘I failed my test and I feel like smoking would be better than cutting my wrists.’” 

It worked until she got caught. 

Like students across the country, Gutierrez got dragged into a nicotine-fueled war between vape manufacturers — including a company that leveraged online advertisements on the websites of Nickelodeon and Cartoon Network to hook kids on e-cigarettes — and educators, who’ve turned to digital surveillance tools and discipline to crack down on the youngest users. Gutierrez was suspended for a week after she was nabbed vaping in a crowded school bathroom during her lunch hour.

An in-depth investigation by ĂÛÌÒÓ°ÊÓ reveals how nicotine-addicted teens, who often begin vaping under social pressure or, like Gutierrez, to cope with hardship, are routinely kicked out of school instead of receiving meaningful services that could steer them away from tobacco and help them break free of their vape pens. 

Candid interviews with a dozen high schoolers and recent graduates from across the country reveal how vaping has become ubiquitous in schools. The battery-powered nicotine sticks are more than an addiction: They define students’ social status, friend groups and coping strategies years before they’re 21 and legally old enough to buy them. 

“At my school, vaping starts because you want to be part of the popular crowd, you want to get invited to parties, you want to feel like you’re a part of a community,” said Ayaan Moledina, a 16-year-old from Austin, Texas. “And you start doing those things because you’re pressured into doing it.” Moledina says he doesn’t vape and has been excluded socially as a result.

Public records obtained by ĂÛÌÒÓ°ÊÓ from a vape detector pilot program at Minneapolis Public Schools presents a unique window into the severity of the problem and of educators’ efforts to contain it. The main battlefield in the fight is the school bathroom. As they have for generations, teens take cover in the bathroom to socialize and smoke, but because vapes allow them to consume nicotine more discreetly than traditional cigarettes, district leaders are also embracing technological advancements to police them. 

Purchasing records from schools across the country show that districts are spending millions to install sensors in student bathrooms — once considered a privacy no-go for electronic surveillance — to alert them of changes in air quality. ĂÛÌÒÓ°ÊÓ’s analysis of the data from Minneapolis Public Schools reveals that the vape detectors brought a spike in school discipline, but they also produced a near-endless stream of alerts that could overwhelm district administrators. 

For University of Texas master’s student Cameron Samuels, Students Engaged in Advancing Texas when they were a freshman in college, all this means is that schools are spending money on invasive tech — the detectors, often equipped with microphones, are no less intrusive than security cameras, they argued — that could go to mentorship programs “where teachers and educators can support students, meeting us where we’re at.”

“Surveillance is only a diagnosis,” Samuels said of the decision to use sensors to counter student vaping. “It only recognizes symptoms of a failed system without actually solving [them].”

Vaping is ‘everywhere now’

In Minneapolis, the $100,000 pilot program placed sensors in the bathrooms of two high schools and two middle schools with in 2022. The result, ĂÛÌÒÓ°ÊÓ’s investigation reveals, was a marked increase in students being punished for vaping in the months that followed. 

Across the four campuses, a student was disciplined for vaping every 3.1 school days on average in the two years before the devices were activated and inundated administrators with tens of thousands of alerts. In a nine-month period after they were deployed in September 2024, a student was disciplined for the same offense every 1.4 days. 

The increase was particularly pronounced at Anwatin Middle School where, in the 2022-23 school year, there were 15 vape-related disciplinary incidents. During the 2024-25 school year, after the sensors were installed, disciplinary actions for vaping reached 67.

Across the four campuses, at least half of the vape-related disciplinary incidents occurred in school bathrooms. Nearly 81% led to suspensions. Just 7% led to a referral to an alcohol and drug abuse counselor, according to the discipline logs, and after the vape detectors were installed, the rate of treatment referrals declined compared to the average over the two years before.

While the number of alerts were far greater at the two high schools, it was the younger students at the two middle schools who were more likely to be removed from their classrooms.

The escalation in vape-related suspensions in Minneapolis comes as federal Centers for Disease Control and Prevention data show teen nicotine use dropping since a 2019 high that reflected e-cigarettes’ growing hold on the market. In 2024, some 8.1% of middle and high school students reported using tobacco products within the last 30 days, according to the most recent results from the . Nearly reported vaping e-cigarettes.

Stanford Medicine pediatrician Bonnie Halpern-Felsher, who helped create a and curriculum that’s used in schools across the country, has found higher youth vaping rates than the CDC figures. And released in September about student vaping reports the behavior is “everywhere now,” especially at “ground zero”: the bathrooms.

The survey was published by The Truth Initiative, a national nonprofit that is focused on preventing nicotine addiction among youth and young adults and opposes school discipline as a means of combating it. Some students were brazen — vaping openly in school hallways — while others hid e-cigarettes in bathroom fixtures, ceiling tiles and tampon dispensers, the survey found. 

Educators who were polled voiced concern about students’ “distracting preoccupation” with vaping and how constant bathroom breaks interrupted learning, said Jennifer Kreslake, the senior vice president of Truth Initiative’s Schroeder Institute.

“It also takes away from the teacher’s ability to do their jobs,” Kreslake said. “Their primary jobs are not monitoring vapes around campus, and it’s taking them away from what they’re in the school to do.” 

In Lancaster, South Carolina, county health workers spent more than $150,000 on about 70 that are scheduled to go live at local schools next month. Officials said they chose the Triton sensors, in particular, because they go beyond vape detection to identify “aggression,” “keywords associated with vandalism” and “loitering.”

School officials’ previous efforts with vape detection centered on student discipline, said Ashlie Harder, the prevention director at Counseling Services of Lancaster.

“The goal for them was punitive — they wanted to catch the students,” Harder said. “They wanted the students to get whatever the disciplinary action was. That was the plan.” 

Harder, who had already been working with the district to stop schools from sending kids home for vaping, hopes to change that. Her office, which serves as the county’s commission for drug and alcohol abuse, secured the new, high-tech Triton sensors earlier this year with the goal for school officials to “leave it for us” to do in-school tobacco prevention programming based on the Stanford toolkit with young people caught vaping by the devices.

Lancaster County School District officials said they hope the sensors will prevent vaping on campus while also providing a new layer of bathroom security. School-based police officers will have access to the alerts in an effort to prevent fights and to stop students from camping out in the restrooms and skipping class.

Lonnie Plyler, the district’s director of safety and transportation, said nicotine use isn’t the full extent of the problem — students have also been bringing marijuana vapes to school.

“We hope that it will deter these people from actually bringing it into the schools and using it, knowing that we’re actually monitoring it and can see it,” Plyler said. The vape detectors help create a process, he said, where students are “being punished through the school and possibly law enforcement.”

Gutierrez, the student from Phoenix, was suspended in September 2024 after a school security guard caught her vaping in a bathroom stall. It’s also common for schools to station monitors outside bathrooms to sniff out vaping and for some restrooms to be locked altogether as a blanket deterrent.

Getting kicked out of school didn’t make Gutierrez’s  situation any easier. An online quiz she was required to take during those days depicted vaping as ruining her life, she said, offering no help for her depression and making her feel ashamed. 

“When I went back to school, I felt the eyes of the security guards,” she said. “It made me feel like I was in a jail.”

Seven months, 45,000 alerts

It was 2 p.m., in late January when Anwatin Middle School Assistant Principal Nate Lee logged a new disciplinary action against two of his 334 students.

Vaping. 

As part of the pilot program, Anwatin was supplied last year with HALO vape detection sensors. The plastic, ceiling-mounted discs are sold by a subsidiary of the communications giant Motorola and are designed to notify administrators of vapor, smoke and, with certain microphone-equipped models, gunshots. Officials installed the devices in two boys’ and two girls’ bathrooms.

Once all 29 sensors across the two middle schools and two high schools went live in September 2024, administrators began receiving real-time alerts notifying them of suspected vaping, smoking — and evidence of students masking vape plumes with like Axe Body Spray.

At Anwatin, administrators responded to vape sensor alerts with fervor, student disciplinary records show, often resulting in suspensions. In the January incident, a seventh and an eighth grader were suspended after “investigative efforts” found they were in the bathroom “at a time when the vape detector monitoring system alerted staff to illicit activity.”

“Students denied involvement,” disciplinary records note, “but were both found to be in the bathroom.” 

ĂÛÌÒÓ°ÊÓ’s analysis of vape detection alerts suggest the sensors are accurate — or at least go off most when kids are likely to be in the building. Few alerts occurred outside normal school hours, according to the logs. 

Over a seven-month period between September 2024 and April 2025, the HALO sensors went off more than 45,000 times across the four Minneapolis campuses. On any given school day, the data reveal, Minneapolis educators at the four schools received an average of 412 alerts — roughly one every minute. On their most active day, the sensors alerted school officials to vaping 755 times.

The sheer number of alerts raises the question of whether school officials can reasonably respond to them and, if not, whether they’re an effective way to stop students from vaping at school — or curb their habit in general. 

Youth have existed in schools since the 1960s after a linked smoking to deleterious health consequences, including lung cancer and heart disease. Technological advancements in e-cigarettes were sold as healthier alternatives for adult cigarette smokers, but the vapes have been blamed for breeding a new generation of nicotine addicts. By the time the vape detectors emerged on the market, kids were already hooked.

Student interviews reveal the degree to which vaping culture has become fully ingrained in student life, with teens describing the allure of nicotine as so strong that addiction is nearly inevitable. For some teens who are sick of it, vaping has become a reason to avoid school bathrooms altogether. 

“They do it at school, they do it in the bathrooms, they do it with their friends and they think it’s cool but they don’t understand the long-term impacts of it,” said Moledina, the Austin teen and who is the federal policy director for Students Engaged in Advancing Texas. 

Over the summer, he and dozens of other students from across the country convened in a cafeteria at Macalester College in St. Paul, Minnesota, to discuss the of vape detection sensors and other digital surveillance tools increasingly employed in schools. 

Even here, where adults warned teens about vape sensors’ intrusiveness, students offered varying perspectives about the factors that lead to teen vaping — and the best strategies to prevent it. Nathan Wanna, a 14-year-old freshman from St. Paul, said he wished the sensors were installed in the bathrooms at his school. 

“I say it might be an invasion of privacy, but if it’s needed, it should be in there,” Wanna said. “I wouldn’t see my friends tempted by peer pressure or the pain they go through to start doing that.” 

Student-savvy workarounds

The four Minneapolis pilot schools saw a surge in vape alerts just before noon, suggesting students used the lull during lunch break to get their fix. Vaping was by far the most common trigger, the HALO logs show, accounting for 74% of alerts. Smoking cigarettes accounted for another 25%. In just 87 incidents, the sensors were triggered by tetrahydrocannabinol, the mind-shifting compound in cannabis, which can be consumed by vaping or other delivery methods.

The high schools were also overrepresented in the vape logs, even after accounting for their larger student populations, a finding that correlates with a higher percentage of tobacco users among older teens compared to those in middle school. Nearly 93% of vape alerts were registered on the sensors at Camden and Roosevelt high schools while just 7% were logged at Anwatin and Andersen United middle schools. Yet the middle schools accounted for 53% of all disciplinary write-ups for vaping. The disparity in the alert-to-discipline ratio suggests that high school administrators may have gotten buried by the noise. 

ĂÛÌÒÓ°ÊÓ provided Minneapolis Public Schools with a list of key findings from its investigation but officials didn’t agree to an interview or provide a written statement. Plans for vape detection beyond the four-campus pilot program at the district are unclear. But a national network of advocates and researchers that convened the student gathering in St. Paul this summer, has called on the district to give it up. When Minneapolis students are caught by the sensors, “they’re just told to go home,” said local activist Marika Pfefferkorn, a NOTICE Coalition founder. 

“Teachers and administrators have said that with vaping and vape detection, that we’re treating some students as if it’s a mental health issue 
  and then for other students, it’s a behavior issue,” Pfefferkorn said. 

The analysis accounts for a blackout period from early December 2024 through the end of January when the logs provided by Minneapolis Public Schools show zero sensor alerts. The data may have been excluded in error because the student disciplinary records provided to ĂÛÌÒÓ°ÊÓ show some vape-related incidents during that same period, including several that cite the sensors.

While a single vaping session could trigger multiple alerts, records indicate such occurrences are rare. Fewer than 5% of alerts were within 10 seconds of another notification from the same device. Of the pings across the four schools, just over half occurred 60 seconds or more after another alert on the same device, meaning it’s likely the sensors were picking up separate vaping incidents. 

IPVM, a surveillance industry research firm that runs a 12,000-square-foot testing facility in Bethlehem, Pennsylvania, has conducted audits on the HALO sensors, alongside similar devices, for several years and found they’re at their intended purpose: detecting plumes of vapor. 

But the sensors aren’t foolproof — they could be beaten by blowing the vapor into a bottle or a jacket sleeve — and there were other drawbacks, including alerts delayed by more than 20 seconds, the firm found. The detectors’ efficacy is highly dependent on where they’re installed, said Nikita Ermolaev, an IPVM senior research engineer.

In Minneapolis, the number of vape detections decreased over time, though it’s unclear if that’s because the sensors were a deterrent for students or if their placement was fine-tuned. 

“How big is the school bathroom, how high are the ceilings?” Ermolaev said. “How savvy are the students when it comes to workarounds? Are there windows in the bathroom that you can blow vape to?”

After asking ĂÛÌÒÓ°ÊÓ for a list of detailed questions, Motorola did not provide answers in writing or otherwise and did not respond to follow-up requests for comment.

In its marketing efforts to schools, Motorola has highlighted as a resource districts could use to finance the HALO sensors, each of which cost about $1,000. The company has also from lawsuits against e-cigarette maker Juul. In 2022, Juul reportedly agreed to more than 5,000 lawsuits, including by school districts. Many alleged it knowingly and unlawfully advertised tobacco to minors.

School systems identified by Motorola as using Juul settlement money to buy the sensors include those in Stockton, California, and Fairfax, Virginia, from the tobacco company.  

Vape City

These days, Elijah Edminster works at Vape City, a chain with more than 250 locations in multiple states and ambitions to become “the #1 vape shop in the USA.” 

But a few years before he started selling vapes at the shop north of Austin — Edminster said he’s required to ID all his customers and none are underage — he was a high schooler who got sent to an alternative school as punishment for vaping. It all happened after he took a hit his junior year in the school’s main bathroom.

“None of our bathrooms have doors or anything so, you know, it’s all pretty open,” said Edminster, now 21. He said he met up with a classmate in a stall to buy a THC vape pen, “tested out the little thing,” and got caught by school staff on his way out the door. 

The school official “pulls us off to the side and starts questioning us, basically talking about how it was suspicious that we were in there,” said Edminster, who was 18 at the time. “And he was like, ‘Oh, I have this vape detector that goes off, yada yada, and it went off. So what does that mean?’” 

Edminster said he confessed after school officials threatened to call the police. Under a new state law, he was assigned to an alternative program housed in an “inactive, old elementary” school for a month. 

Thirty days is a long time to be away from regular classes, and the impact of schools’ punitive vaping crackdown has been particularly pronounced in Texas. School districts in the state have spent hundreds of thousands of dollars to deploy sensors across hundreds of campuses, district procurement records show.  In 2023, Texas state leaders passed a law requiring that students, like Edminster, be placed in an alternative school if caught vaping on campus. 

The number of kids removed from traditional classrooms after the law was enacted — so high that state lawmakers backtracked this spring and returned vape-related disciplinary decisions to local districts. 

Andrew Hairston, the director of the Education Justice Project at the nonprofit Texas Appleseed, said the state’s two-year, anti-vaping enforcement effort has become “one of the most pressing things that we’re working on.” 

“A lot of parents are reaching out to us — or young people — and telling us that their entry into the school-to-prison pipeline is fueled by vaping,” Hairston said. “It’s just a really unfortunate reality, especially for so many working-class Black and brown families across the state who are disproportionately impacted by punitive vaping policies.”

A year after his first offense, Edminster said school administrators used a detector to bust him again, this time for trying to mask a vape cloud with cologne. He was suspended for three days. 

“I still smoke, I still vape, you know what I mean?” he said. “I’m trying to quit vaping, but ya, [getting suspended] didn’t really do too much. It definitely just made me try and stop at school — but not even that much.” 

Students should not be suspended for vaping but instead made to attend tobacco cessation programs, said Halpern-Felsher, the pediatrics professor behind the widely used tobacco prevention toolkit and director of . And even if kids are sent home — where they’re likely to vape more, she points out — they should still be offered help quitting in school.

Halpern-Felsher’s own data suggests the CDC’s teen vaping numbers are an undercount and, based on her conversations with educators, she’s challenged the narrative that the country is “going in the right direction.” 

She worries the vape detectors in school bathrooms could be tripped up by both false positives and negatives. While something as simple as hairspray could trigger an alarm, she said, delayed alerts could give school administrators bad information that could lead to disciplinary action against the wrong student. 

Minnesota’s own state health department has to stop youth vaping, as have two leading tobacco prevention organizations, and the American Lung Association. Last year, American Lung Association president and CEO Harold Wimmer called out vape detectors in particular. 

“Students need additional education about the health risks and to be provided with resources to help them quit for good,” he said in a statement. “Teens should not be punished for being addicted to a product that was aggressively marketed to them on social media, through celebrities and with kid-friendly flavors.”

‘I stopped, but it wasn’t a good stop’

Garrison Parthemore observed the prevalence of vaping in his Pennsylvania high school and felt the bad habit was changing the lives of his peers for the worse. So he teamed up with his brother and a friend to do something about it. 

 â€œEvery time we’d walk into the school bathroom we were met with a cloud of smoke,” Parthemore told ĂÛÌÒÓ°ÊÓ in an interview. “We knew if there’s a problem at our school, it’s probably a problem everywhere.” 

In 2020, the trio built a vape detector and entered their creation into a state STEM competition. The device came in third place and quickly found success after hitting the market in 2022. After undergoing a few upgrades, vape detectors became the flagship product of his company Triton Sensors, which claims it offers “the most accurate sensor to detect Vape, THC, Loitering, Crowding, Keywords, Aggression, Gunshots and More.” There are thousands of them in campus bathrooms across the country, including in the nation’s two largest school districts, New York City and Los Angeles. 

But don’t call Triton Sensors “vape detectors”: Pathemore said the label is “one of my pet peeves, honestly.” They’re much more than that, he maintains. He called vape detection the company’s “low-hanging fruit,” as it pursues a more ambitious goal of promoting safety in public bathrooms and other private spaces where cameras are prohibited and authorities “have no idea of really what’s going on.” 

He claimed Triton sensors allow school officials to know how many students are in the restrooms at any given time, even without a video feed. With sensors that pick up 20 different environmental factors — from air quality to gunshots —Parthemore said they’re able to capture “about 90% of what a camera can.” 

“I can tell you where they’re at in the room, I can tell you how long they’ve been there, so we can detect things like class cutting or overcrowding,” he said. A keyword detection feature allows the sensors to notify officials of an emergency. “If someone’s in trouble, they can yell ‘help me,’ or ‘stop it,’ or ‘emergency.’” 

Equipping the sensors with cameras, he said, is outside the equation and that the devices don’t collect “any personally identifiable information,” so while they can zero in on how many students might be in a bathroom at any given time, they don’t attempt to pinpoint individual students. 

Yet as manufacturers like Triton and HALO branch out beyond flagging fragrant vape plumes, they raise additional privacy concerns. A massive vulnerability in the latest Motorola-owned HALO sensors, which include the microphones designed to alert school staff to fights, school shootings and “aggression,” . 

At a conference in Las Vegas, hackers revealed how the devices suffered from a flaw that allowed them to hijack the HALO sensors’ microphones. Once that weakness was exploited, the duo were able to eavesdrop remotely and create fake alerts. Motorola responded almost immediately, it was rolling out updates after the sensors suffered “critical vulnerabilities” that allowed hackers to take control of the sensors “through brute-force attacks.” 

It’s this creeping surveillance that gives some students pause, even those who told ĂÛÌÒÓ°ÊÓ they otherwise support vape detectors in bathrooms. The possibility of unknown capabilities with the sensors is “very scary to me” said Moledina, the Austin teen, who worries about a future where bathrooms come with cameras.

“Just knowing that there is vape smoke in the bathroom doesn’t really help you because the administrators already know it’s happening and just by knowing that it’s there isn’t going to help them find out who is doing it,” he said. “So my concern is that, at the end of the day, we’re going to end up having cameras in bathrooms, which is definitely not what we want.” 

Minneapolis educators have used surveillance cameras in conjunction with the sensors to identify students for vaping in the bathrooms, discipline logs show.  

In February, for example, a Roosevelt High School senior was suspended for a day based on accusations they hit a weed vape in the bathroom. Officials reviewed footage from a surveillance camera outside the bathroom and determined the student was “entering and exiting the bathroom during the timeframe that the detector went off.” They were searched and administrators found “a marijuana vape, an empty glass jar with a weed smell and a baggie with weed shake in it.” 

That same month, educators referred a Camden High School student to a drug and alcohol counselor for “vaping in the single stall bathrooms.” 

“After I reviewed the camera it does show [a] student leaving out that same stall bathroom,” campus officials reported. 

Gutierrez, the 18-year-old from Arizona, said she quit vaping after she was suspended and now copes with depression through positive means like painting. What she didn’t do, however, was quit because she received help at school for the mental health challenges that led her to vape in the first place.

She stopped vaping while she was suspended, she said, because she was away from her friends and lacked access. She was frightened into further compliance, Gutierrez recalled, by the online lessons depicting vaping as a gross, gooey purple monster that would poison her relationships. 

“Yes I stopped, but it wasn’t a good stop,” she said. “I didn’t get no support. I didn’t get no counseling. I stopped because I was scared.”

Pinellas County Schools Superintendent Kevin Hendrick was looped in on a Feb. 24 directive from his police chief ordering campus officers to detain and question anybody they encounter with a federal deportation order and to alert U.S. Immigration and Customs Enforcement, obtained through a public records request. Hendrick was also notified by district police Chief Luke Williams of plans to deputize school-based officers under a federal program that grants immigration arrest authority to local law enforcement agencies and that’s experienced since the beginning of Trump’s second term — in large part from new partnerships in Florida.

Immigrant rights groups and privacy advocates have for years warned that school-based police officers could share information about undocumented students and their families with federal immigration officials and that the program to deputize local cops, known as 287(g), could give immigration agents a foothold in schools. 

The revelations in Pinellas County, advocates said, offer clear evidence of collaboration on immigration matters between the law enforcement division of the country’s 28th-largest school district and outside police agencies. The instructions given to school resource officers, they assert, could violate constitutional protections against unreasonable detention and children’s legal right to a free public education regardless of their immigration status. 

“It should alarm and enrage every parent, teacher, and taxpayer in Florida that school police are being pressured to become informants for ICE and unconstitutionally detain members of our school community,” attorney Alana Greer, the director and co-founder of the Miami-based Community Justice Project, told ĂÛÌÒÓ°ÊÓ. 

Greer noted the school district police department’s directive to assist ICE, and , were voluntary decisions that undermine community trust and its mission to promote campus safety. “We don’t need or want armed cops in our schools doing ICE’s bidding. ​​These efforts do nothing to keep our kids safe.”

The Florida Phoenix that the Pinellas County school district had applied to take part in 287(g), the nation’s first K-12 school district to take that step. In response to the resulting public outcry, Hendrick, the superintendent, said the district police chief acted in error and without his or the school board’s approval. The district didn’t respond to questions last week from ĂÛÌÒÓ°ÊÓ about emails Hendrick and other district leaders received from Williams outlining the police chief’s intention to participate. 

Records show the school district’s lawyers had planned to meet to discuss the 287(g) application before it became public and Isabel Mascaranes, the district spokesperson, was listed on the form as the point of contact for ICE “to coordinate any release of information to the media” regarding immigration enforcement actions. Asked by ĂÛÌÒÓ°ÊÓ what knowledge she had of the 287(g) application before it was submitted to ICE, Mascaranes responded, “Can I get back to you on that?”

In a follow-up email, Mascaranes didn’t elaborate on when she first learned of the agreement, simply noting that she routinely handles “all media requests and releases.” She acknowledged the district police chief “maintains ongoing communication” with the sheriff’s office and other local law enforcement agencies and his decision to submit the 287(g) application was “guided by state and federal directives, intending to remain fully compliant with the law.” 

ICE and the Florida governor’s office didn’t respond to requests for comment. The Pinellas County Sheriff’s Office also declined an interview request.

Voicemail records obtained by ĂÛÌÒÓ°ÊÓ show it was ICE — not the district — that withdrew Pinellas school police from 287(g) consideration. 

“ICE will not be entering into an agreement” with the district, Melanie White, an ICE deportation officer, said in a voicemail to Williams, adding that the immigration enforcement agency “will not extend the program in that way” to include K-12 school district police departments “at this time.” 

‘An absolute priority of the Governor’

Perhaps nowhere more than Florida, home to an residents, has Trump’s immigration agenda been so forcefully embraced, with state and local officials looking for ways to bolster ICE enforcement. That includes Pinellas County Sheriff Bob Gualtieri, who was tapped by Gov. Ron DeSantis to lead a new State Immigration Enforcement Council. The council was tasked with carrying out a state law extending immigration enforcement far into the realm of state and local police.

Records obtained by ĂÛÌÒÓ°ÊÓ show Gualtieri threatened Williams and others to get on board or face the governor’s wrath.

While “immigration stuff is confusing,” Gualtieri said in a Feb. 25 email to Williams and the heads of other Pinellas County law enforcement agencies, “it is also at the forefront of Florida politics and an absolute priority of the Governor.”

“The new law puts legal obligations on all of us to ensure we do certain things and the consequences for not doing so include removal from office by the Governor, including his power to remove police chiefs, city managers, mayors and commission/council members,” he continued, adding that he would hold a call to “on how to best comply with the new Florida law.”

DeSantis, who claims he’s created for mass deportations, signed the law in February that establishes prison sentences for undocumented immigrants who cross into Florida after illegally entering the U.S. and requires jails and sheriff’s offices in the state’s 67 counties to participate in the 287(g) program and facilitate arrests. A police agencies to stop enforcing the state law in April, saying it likely violates the Constitution’s Supremacy Clause and “unlawfully encroaches” on the federal government’s authority to enforce federal immigration laws. DeSantis and the Florida state attorney general are  

Florida lawmakers failed to pass a stricter bill this year which would have required all law enforcement agencies with at least 25 officers to form ICE partnerships. That law would have required Pinellas County school district police and other law enforcement agencies outside of sheriff’s and corrections departments to join forces with ICE. Even though that more far-reaching mandate did not pass, dozens of Florida law enforcement agencies voluntarily formed federal immigration enforcement partnerships, including the police departments at .

Pinellas County Schools Police Chief Luke Williams signed the 287(g) agreement with Immigration and Customs Enforcement under pressure from the county sheriff, public records obtained by ĂÛÌÒÓ°ÊÓ show. (Source: Pinellas County Schools)

And even though the Pinellas school police were not legally required by the law that did pass to pursue 287(g) or to act in concert with ICE when coming into contact with someone with a deportation warrant, Williams, the police chief, told the superintendent, the school board’s attorney and other districts leaders that they were.

Gualtieri “gave instructions on how deputies and officers should respond to the new law with respect to immigration and immigration enforcement,” Williams wrote in a March 5 email outlining his decision to submit the 287(g) application. “As you know we are bound to follow the law and during the conversation we were all advised that the expectation is that we do so.”

In that same email, Williams said he related Gualtieri’s directions about filing the 287(g) form to school board attorney David Koperski and “and we both agree we must follow the law.” The chief filed the form on Feb. 26.

Even without 287(g) arrest authorities, Williams told the superintendent that school-based officers would follow procedures outlined by Gualtieri to question and detain for up to an hour anyone they encounter with a federal arrest deportation order but who was not otherwise wanted on a criminal charge. 

Gualtieri’s Feb. 24 order came after ICE added some 700,000 people with federal deportation orders to the massive National Crime Information Center, a centralized database that law enforcement agencies nationwide use to track and act on criminal warrants. Without 287(g) powers, the sheriff wrote, local officials lacked authority to arrest people with deportation orders alone. Instead, local officers should contact the local ICE office “to have someone respond to the scene.” 

More than 1.4 million people nationwide have — a third of whom live in Texas or Florida and include longtime residents, people without criminal records and those with U.S.-born spouses and children. A heightened focus on people with final deportation orders regardless of their criminal histories is part of the Trump administration’s broader immigration crackdown. 

“If an ICE officer cannot arrive at the scene within one hour, then collect as much information from the person as you can and release the person and ICE will have to try to find them through their fugitive operations,” Gualtieri said. After forwarding the message to school-based officers, Williams told the superintendent that “Schools Police will do the same.” 

Schools have for decades been considered a safe haven for undocumented students and their families after the 1982 Plyler v. Doe Supreme Court decision enshrined childrens’ access to public schools regardless of their immigration status — a right Trump-aligned conservatives in several states are now actively trying to undo. 

On the second day of Trump’s second term, the president scrapped that instructed immigration agents to avoid making arrests at schools and other  

Trump border czar Tom Homan defended the policy shift in February, claiming Central and South American gang activity in the nation’s schools required there be “no safe haven for public safety threats and national security threats.”

“People say ‘Well, will you really go into a high school?” Homan said in . “Well, people need to look at the MS-13 members and Tren de Aragua members who enter this country, a majority of them between the ages of 15 and 17. Many are attending our schools and they’re selling drugs in the schools and they’re doing strong-armed robberies of other students.” 

On the same day that the Pinellas schools 287(g) application became public, Chief Williams wrote that he had no desire to ferret out the immigration status of students and families, despite his stated intention to facilitate ICE arrests.

“I do not know the status of any of our students, or parents and do not care to,” Williams said in his March 5 email to Hendrick. “I do not want to place yourself or the School Board under scrutiny because I followed my beliefs but failed to follow the law.”

‘A new chilling dimension’

A week after Trump’s inauguration, dispelling social media posts claiming immigration agents had visited a Pinellas high school and outlined how school principals should respond if they were to show up in the future. 

Certain educational records should not be released to federal officials without a subpoena, the memo noted, but ICE agents were in their authority to “bring a student to the front office for an interview” and make arrests. “We recommend cooperating” with ICE’s requests, the memo advises, and educators “should make an effort to contact the student’s parents before the school makes the student available to the Agent, unless the Agent directs the staff otherwise.”

Other districts have adopted starkly different policies. In April, the Department of Homeland Security said agents to conduct wellness checks on unaccompanied minor children who arrived at the border without their parents. Superintendent Alberto Carvalho told NPR the officials were denied entry onto the campuses and that school principals followed “a fairly rigid set of protocols specific to these types of actions.”

Renata Bozzetto, the deputy director of the nonprofit Florida Immigrant Coalition which filed the lawsuit against the state immigration law, said the communications between the school district police chief and the county sheriff were “absolutely horrible” and could deter children from enrolling. She said she was particularly alarmed to learn that school district law enforcement officials had access to data about people with deportation orders and questioned to what degree “parents are being run through the system.” 

Federal law restricts the types of student information that public school districts can share with third parties. However, records , like logs of campus crimes, . 

School districts have for decades been navigating how much information they should share about students with law enforcement “but adding ICE to the mix is a new chilling dimension to that relationship,” said Cody Venzke, a senior policy counsel at the American Civil Liberties Union focused on surveillance, privacy and technology. 

That Williams acted on the 287(g) application without formal approval from the superintendent or school board, Venzke said, highlights a lack of district control over its police department to ensure a “student’s right to an education is protected.” The directive to detain anyone with an administrative deportation order absent evidence of a crime, he said, “raises significant equity and constitutional concerns.” 

If school-based officers are “roaming school hallways looking for students that have administrative warrants out against them,” Venzke said, “that is not an educational atmosphere in which students can feel safe and can learn.”

Following that heartbreaking tragedy, I saw the outline of an approach that has developed further since my time operating on the frontlines of trauma response and recovery. The steps we take to prevent violence and tragedy in schools matter. These steps matter because prevention makes terrible situations less likely to occur; and when they do happen, the prevention protocols in place minimize physical and psychological harm.

We call this planning “precovery,” which can be defined as strategies and actions to prevent and to limit harm to the school community. It has in the aftermath of disasters and mass violence that students and adults suffer from emotional distress, cognitive impairment, and a range of behavioral changes. In students, the reactions include school absence, emotional withdrawal, depression, and traumatic stress. In some cases, abusive, hostile, and aggressive behaviors develop after students are victim or witness to violence or the threat of violence.

This is no small problem. In 2020, the National Center for Education Statistics found that 77% of all schools in the U.S. grappled with at least one act of violence on the school campus. In addition, the rate of school shootings has risen over the past 20 years. Natural disasters like wildfires have increased in numbers and intensity, destroying homes, hospitals, churches, and schools as well as other vital institutions representing places of safety. As one of those institutions that function ‘in loco parentis’, schools must make precovery a watchword. 

Michelle Kefford, principal of Marjory Stoneman Douglas High School in Parkland Florida, gave this sage advice after commemorating the seventh year after the massacre of students and staff in her high school: “Don’t wait until tragedy takes place. Take precovery seriously. Start now!” 

Recognizing this, the policy and procedures bulletin for the LAUSD Crisis Intervention in Schools has been regularly revised and updated since originally written in 1984. Annual training of the crisis teams is based on the updated policy bulletin.ÌęÌę

inline_story url=”/article/7-school-security-storylines-that-topped-2024-and-will-evolve-in-2025/”]

Any precovery work must have the following essential elements: a clear action plan shared with staff, a process to put policies and procedures in place to prevent harm, a review process to improve established procedures using lessons learned from schools that have suffered from mass violence or destructive natural disasters, and training for educators to prepare them to participate in the recovery process and maximize the return of all students to the classroom. 

A prominent survey in my field once asked educators about their school safety plans. At the administrative level, everything appeared to be in order: School leaders reported that the plans were in place, they were updated, and they were understood. The plan was located in a binder in the front office.

However, as researchers posed the same questions to faculty and other staff, massive gaps in communication became clear. Although staff members knew that there was a plan, somewhere out there, they did not know what it contained or what their role was should a shooting or disaster occur. Many indicated that in a widespread disaster they would be torn between their responsibility to the students in their classrooms and their responsibility to ensure the safety of their own children and families. 

Building and maintaining a strong foundation for precovery requires:

•  Establishing trusting relationships with all school stakeholders – students, educators, parents, and the community.
• Establishing open channels of calm and helpful communication.
•  Building and maintaining crisis response and recovery infrastructure with meaningful policies, roles and responsibility that are spelled out in advance, giving educators the opportunity to plan for both classroom and family safety.
• Expanding capacity to train staff in their individual roles as well as in a variety of prevention and intervention scenarios.
  

For students, open communication and meaningful connections are invitations to seek help when they’re in distress, reducing the feelings of isolation that can lead to harmful behaviors. Simultaneously, these relationships enhance an entire school community’s capacity for early intervention, as teachers and peers are more likely to recognize warning signs of trauma and to reach out to troubled students with help and support.

At a time when roughly are reporting at least one violent incident each school year and natural disasters are intensifying, we need more proactive safety measures in place. Precovery strategies offer schools the means to reduce or nullify potential threats and extreme anxiety, social and emotional pain before they escalate. 

Being able to navigate both personal and community crises with the support of a school system that protects all members of the learning community and plans ahead builds resilience in the face of future adversity. Over the past 40 years, the Los Angeles Unified School District has been exemplary in these efforts.

The most recent example of precovery can be seen in the many steps that the Pasadena Unified School District (PUSD) took in advance of the devastating Eaton Wildfire that destroyed homes, businesses, and schools. In the past three years, district leaders created and maintained effective school and district-level crisis teams. They implemented training for staff in that expanded knowledge about trauma recovery.

They provided training to staff in an evidence-based intervention designed to reduce the distress of students who have experienced a traumatic event and restore their ability to return to school in a safe and supportive environment. All of these actions created a comprehensive precovery action agenda that prepared the district and its educators to welcome 9,000 students who had experienced evacuations and, for some, the loss of their homes and schools.

We may not know how long recovery from this widespread disaster will take, but we do know that putting precovery into action not only prevents trauma from becoming worse, it also helps to heal it.

The latest casualty in President Donald Trump’s war on diversity, equity and inclusion is a $1 billion federal grant program to train school counselors and thwart mass shootings.

The U.S. Department of Education notified grant recipients this week it was ending funds to train and hire K-12 school mental health professionals included in a 2022 law that passed with bipartisan support following the mass shooting in Uvalde, Texas, which led to the deaths of 19 elementary school students and two teachers. 

The grants, which were included in a bipartisan gun control law approved by then-President Joe Biden, don’t align with the Trump administration’s goals, according to sent to grant recipients Tuesday evening and obtained by ĂÛÌÒÓ°ÊÓ. Grantees include local school districts, state education agencies and colleges tasked with training some 14,000 mental health professionals and placing them in K-12 schools in virtually every state. 

“Those receiving these notices reflect the prior Administration’s priorities and policy preferences and conflict with those of the current administration,” Murray Bessette, a senior advisor in the Education Department’s Office of Planning, Evaluation and Policy Development, wrote in the letter. Affected programs, Bessette wrote, “violate the letter or purpose” of federal civil rights laws, run counter to the department’s priority on “excellence in education” and “undermine the well-being of the students these programs are intended to help.”

Proponents of the grant program said they were caught off guard by the move, especially since , have attributed the unprecedented surge in school shootings to a student mental health crisis.

“Ending these mental health investments will hurt students and families and make our schools less safe,” Mary Wall, who was the Education Department’s deputy assistant secretary for P-12 education during the Biden administration, told ĂÛÌÒÓ°ÊÓ. “It’s not an exaggeration to say that mental health supports save lives.”

An Education Department spokesperson confirmed it would not renew $1 billion in grants, a move that appears to impact the entirety of the largest-ever federal effort to train school mental health professionals included in the 2022 Bipartisan Safer Communities Act. The law also created the first significant federal gun control measures in decades, including background checks on firearm purchases for anyone younger than 21 years old. 

Spokesperson Madi Biedermann said in a statement the grants didn’t live up to their goal of improving schools’ mental health support services — and suggested the cuts were part of a broader Trump administration effort to derail programs that support diversity, equity and inclusion in education. 

“Under the deeply flawed priorities of the Biden Administration, grant recipients used the funding to implement race-based actions like recruiting quotas in ways that have nothing to do with mental health and could hurt the very students the grants are supposed to help,” Biedermann said. 

Biedermann’s statement echoed by conservative pundit Christoper Rufo, who turned to X this week to accuse the Biden administration of using the grants “to advance left-wing racialism and discrimination.” 

“No more slush fund for activists under the guise of mental health,” wrote Rufo, a senior fellow at the Manhattan Institute. Rufo didn’t immediately respond to a request for comment from ĂÛÌÒÓ°ÊÓ. 

Wall said the Education Department during the Biden administration “offered a voluntary competitive priority” to applicants who worked to ensure mental health professionals reflected the school communities they serve, but rejected the idea that the grants were a DEI initiative. Instead of creating a plan to support students’ well-being, she said the Trump administration has sought to “rob school districts who have made important groundwork to have clinical services available to children and interrupt them midstream.”

“We in no way required any of this to be focused on race or gender or sexuality or anything,” Wall said. “We were deliberately looking to set these up to be long-lasting, high-impact programs, where we would get the maximum amount of benefit.”

Sen. Chris Murphy, a Democrat from Connecticut who introduced the 2022 law, accused the Trump administration Thursday of killing the grant program “in order to fund a giant tax cut for the crazy wealthy.”

“I thought we had a bipartisan consensus around trying to support kids with really serious traumas and mental illnesses with support services in our schools,” Murphy said in a statement to ĂÛÌÒÓ°ÊÓ. “But there’s not consensus on anything that helps people in this administration.”

Lauren Levin, the chief advocacy officer at the nonprofit Sandy Hook Promise, said the cuts hinder students’ access to those services in schools that are already under-resourced. Though the has been long debated, student rates of depression, anxiety and loneliness. 

Nationally, there is an average of about , significantly lower than the 250-to-1 recommended by the American School Counselor Association. School psychologists are , with a national average of 1 for every 1,127 K-12 students, according to the American Psychological Association.  

“After school shootings, we hear a lot of important conversations about the mental health needs and gaps in this country for youth,” including from Republican lawmakers, Levin told ĂÛÌÒÓ°ÊÓ. “In many of these cases with these grants, it means children who are currently receiving mental health services in schools are going to stop getting that help.”

In the first few months of the Trump administration, several federal initiatives designed to prevent mass school shootings have faced a similar fate. A 26-person committee of violence prevention experts — also approved as part of the Bipartisan Safer Communities Axe — was gutted. 

Levin said Sandy Hook Promise, founded after the 2012 mass shooting in Newtown, Connecticut, has also begun to track cuts to grants authorized under the federal Trump approved that law in 2018 in response to the high school shooting in Parkland, Florida, which resulted in the deaths of 17 people. So far, Levin said they’ve documented cuts to about a dozen grant recipients totaling nearly $20 million, including funding designed to help schools address social isolation among students and prevent bullying.  

“One of the reasons that students or any of these shooters are not getting the help that they need is that we have a gap in access to mental health care,” said Levin, who noted that schools are among the most consistent places for young people to get help. 

“If someone is showing signs of wanting to hurt themselves or others, if they are socially isolated, if we see changes in behavior and if there is a school counselor, that school can be their lifeline,” Levin said. “That could make all the difference.” 

The lawsuit is one in a barrage of legal challenges that have emerged since the company announced in early 2025 it was the target of a December cyberattack that, , led to a global breach of some 62.4 million students’ and 9.5 million educators’ personal information. Though the company hasn’t acknowledged how many people were affected, exposed sensitive files Social Security numbers, special education records and detailed medical information.

The St. Croix Falls breach of contract, unjust enrichment and false advertising, which sets it apart from other class action lawsuits charging negligence against the education technology company whose cloud-based student information system dominates the K-12 market.

“At the end of the day, we believe that there were fraudulent misrepresentations made to the clients to induce them to go and be in these contracts with PowerSchool,” attorney William Shinoff, whose firm represents the St. Croix Falls district, told ĂÛÌÒÓ°ÊÓ in an interview.

PowerSchool spokesperson Beth Keebler said in a statement the company “acted swiftly and effectively to protect our customers in compliance with the law.”

“PowerSchool believes the claims are without merit and will defend itself,” Keebler said. “However, our focus as a business continues to be our customers, ensuring they have the information and support they need while informing them of the steps we have taken to set a higher standard in cybersecurity for the entire industry.”

Students and parents nationwide have filed more than 30 federal class action lawsuits against PowerSchool in connection to the December breach. The lawsuits, which could soon be consolidated, collectively allege PowerSchool was negligent when it failed to protect sensitive data and opened victims to potential identity theft. 

But because these center on the data breach’s potential for future harms, legal experts said, the cases could be dismissed almost as quickly as they were filed. The lawsuit filed by St. Croix Falls schools, meanwhile, alleges PowerSchool broke contractual obligations to keep data secure — and failed to provide schools the services they were promised. 

“A cornerstone of the commercial relationship between” the school district and the company was educators’ “reliance on PowerSchool’s representation that it would adequately protect” students’ and educators’ sensitive information, according to the complaint filed in federal district court in Sacramento. Instead, PowerSchool “has done little to help” the school district and people whose information was compromised. 

Courts nationwide could soon be flooded with similar complaints. Shinoff said his firm, the Frantz Law Group, plans to “file thousands” of them on behalf of school districts across the country. The precise number of districts affected by the breach is unknown. 

“What I can tell you is we’ve already spoken to hundreds of districts,” Shinoff said. “Our hope is that they will all get involved in this to ensure that PowerSchool is held accountable, that they can ensure that this information moving forward is indeed protected, and to make sure they’re reimbursed these public dollars that were spent for their programs.” 

Shinoff represents large groups of school districts in several recent high-profile lawsuits, including against Facebook’s and Instagram’s and the . The lawsuits alleging that the social media giant Meta exacerbated the youth mental health crisis involve nearly 1,000 districts, according to the firm. 

PowerSchool has the hacker used a compromised password belonging to “an authorized support engineer” to breach PowerSource, its customer support portal for school staff seeking help with its software tools. The PowerSource portal reportedly lacked multi-factor authentication, according to and other records obtained by NBC News. 

The full audit, , found its systems were breached in August — months earlier than previously disclosed — but couldn’t say for certain it was by the same threat actors. 

The company “failed to implement the bare minimum security measures that are commonly utilized by similarly situated companies,” the complaint alleges. “Something as simple as providing for a multi-factor authentication log-in method would have been easily accomplished and would have prevented the Data Breach altogether.”

The that the Wisconsin district is accusing PowerSchool of breaching requires that the company employ multi-factor authentication and data encryption, standard industry security measures. Its reported failure to do so also made PowerSchool one of only a handful of companies to be removed from the Student Privacy Pledge, a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. The company was Feb 13.

In an earlier statement to ĂÛÌÒÓ°ÊÓ, Keebler, the PowerSchool spokesperson, said the company “has and will continue to implement [multi-factor authentication] across all internal systems as part of its robust and ongoing security protocols.”Ìę

“PowerSchool is accessed by tens of thousands of customers, posing challenges to MFA management,” the statement continued. “However, following the incident, PowerSchool has implemented additional hardening efforts, including MFA for any PowerSchool employee and contractor access to customer data on PowerSource.” 

‘Devil and the deep blue sea’

Despite PowerSchool’s promise to bolster security measures, its customer districts have lost confidence in the company, attorney Mark Williams, who is assisting school districts in filing suits against the company, told ĂÛÌÒÓ°ÊÓ. 

But because its student information system plays such a significant role in day-to-day operations — and contains so much information about students — he said that switching to a competitor could become a logistical nightmare. 

“Many school districts are between the devil and the deep blue sea,” Williams said. “Many of them don’t have confidence in PowerSchool to secure their data but they are very hesitant to change the vendor of their [student information system] because it is extraordinarily expensive and burdensome to do so.” 

While the company may not be a household name — save for a flood of recent press following the breach — its student information system is one of the largest ed tech services in the U.S. with teachers nationwide using it every day to track grades, attendance and other performance metrics. 

The company claims its software is used to support the learning for 60 million students globally at more than 18,000 institutions, including 90 of America’s 100 largest school districts. 

PowerSchool was by the Boston-based private equity firm Bain Capital for $5.6 billion. The company, which also owns the college- and career-readiness platform , has acquired , such as Schoology and SchoolMessenger, in recent years, furthering its reach into the nation’s K-12 classrooms.

Williams is the author of the central to the Wisconsin district’s claims against PowerSchool. Created by the , a collaborative effort between school districts and technology vendors to keep students’ information secure, the agreement is used by school districts in more than half of states to ensure the tech companies they contract with — — follow stringent security practices. 

Among its provisions is a requirement for companies to notify school district customers within 72 hours of learning data was accessed or obtained by an unauthorized third-party like a hacker. 

PowerSchool was reportedly unaware it had fallen victim to the December attack until the hacker came forward with a ransom demand, according to NBC’s reporting. The company then paid the hacker an undisclosed sum to prevent the stolen records from being shared publicly, the outlet reported, and was given a video by the threat actor apparently deleting the stolen files in their possession. 

Through the agreements, PowerSchool also vowed to “abide by and maintain adequate data security measures, consistent with industry standards” for the storage of sensitive records. 

Williams accused the company of breaching those requirements — laying the groundwork for a first-of-its-kind legal battle for the data privacy consortium. 

“We just felt that at some point you have to police the process, at some point you have to draw a red line,” Williams told ĂÛÌÒÓ°ÊÓ. “We’ve got to protect the contract because it protects schools and it protects kids. So that’s not negotiable for us.” 

Given the difficulty school districts face in migrating to different student information services, St. Croix Falls seeks a commitment from PowerSchool — and court-ordered accountability — to ensure the company follows stringent cybersecurity standards in the future, said Shinoff, its attorney.

“At this point their word, to us, can’t be trusted,” Shinoff said. “For them to have someone that they’re reporting to for a period of time is something that’s essential — especially when we’re dealing with thousands and thousands of districts across the country.”

Data practices under a microscope

Prior to the data breach, PowerSchool positioned itself as a national leader in K-12 education data security — and its CEO appeared at a White House event in 2023 to boast of its efforts to keep students’ personal information out of the hands of malicious actors. 

As an early adopter of a to design products with security at the forefront, CEO Hardeep Gulati spoke alongside then-First Lady Jill Biden at the first-ever White House summit on K-12 school cybersecurity, where PowerSchool and other technology companies highlighted the need to strengthen digital safeguards at schools nationwide. 

Watch: PowerSchool CEO Hardeep Gulati speaks at the first-ever White House summit on K-12 cybersecurity in 2023.

During the event, the company free webinars, training videos and other resources to help schools better secure their systems. 

In the year prior to the summit, Gulati said, the company successfully fended off 1 billion cyberattacks on its servers while ensuring schools were kept safe through a “relentless investment and focus on every element of security.” 

Now, the company has found itself under scrutiny by the tech industry, lawmakers and other elected officials. In North Carolina, state Attorney General Jeff Jackson into the PowerSchool breach, which exposed the sensitive information of nearly 4 million people in his state, “to determine if they broke any laws.”

The company is also facing bipartisan federal questioning. In , senators from New Hampshire, Indiana and Oklahoma blasted PowerSchool for maintaining inadequate cybersecurity measures and accused it of offering delayed notifications and insufficient information to affected individuals. 

“School district leaders who we have spoken with raised serious concerns about delays in your company’s response to the cybersecurity incident, including delayed notifications to impacted schools,” wrote Sens. Maggie Hassan, Jim Banks and James Lankford. Sufficient use of basic cybersecurity safeguards like multi-factor authentication, they wrote, could have prevented the breach. 

PowerSchool says it will provide two years of identity protection services to students and educators affected by the breach and credit monitoring services to “adult students and educators.” Keeber, the PowerSchool spokesperson, said in the statement the company has seen “no evidence of fraud or further misuse of the information involved to date.” 

But the senators wrote that PowerSchool “has not clearly communicated a date by which impacted individuals will receive” the services. 

“Your delayed and unclear communication is unacceptable,” the letter continued, “especially given the sensitive nature of the personal data that was stolen.”

Information PowerSchool takes is ‘virtually unlimited’

Even before the breach, PowerSchool has faced criticism for its data collection, use and security practices. In the last five years, it has been named as a defendant in numerous federal lawsuits related to its data collection and use practices, a review of federal court records shows.

They include complaints accusing the company of subjecting people to persistent and unsolicited robocalls and of failing to properly identify children experiencing homelessness.

One brought by a Seattle mother and former middle school teacher accuses the company of selling student data collected through Naviance and other services to more than 100 third-party “partners” with inadequate consent from students or their parents. That lawsuit, filed in May 2024 in San Francisco, also alleges the company has leveraged the data it collects on students to train an AI chatbot. 

“The information PowerSchool takes from students is virtually unlimited,” the complaint alleges. “It includes everything from education records and behavioral history to health data and information about a child’s family circumstances. PowerSchool collects this highly sensitive information under the guise of educational support, but in fact collects it for its own commercial gain.”

In a motion to dismiss the lawsuit, PowerSchool’s attorneys claimed Cherkin’s complaint relied on “broad, general social critiques condemning surveillance capitalism, cybercrimes and manipulative digital product design, in an apparent attempt to mask that they cannot make specific allegations of wrongdoing by PowerSchool.” 

Keebler, the company spokesperson, denied Cherkin’s claims that it sells data or uses personal data to train its chatbots. 

But Cherkin argues the vast amount of data PowerSchool collects and shares about millions of students have made it an attractive target for cybercriminals — and should have been a red flag all along. She compared Powerschool’s business model to that of social media companies that are built to amass and monetize user data. 

“I’m truly not at all shocked that this happened,” she said of the breach. “The only way, really, to keep data safe is to not collect it and stockpile it in the first place.”

Education technology – or edtech – software is often the entry point for these cybercriminals, accounting for of K-12 school data breaches between 2016 and 2021. As one can imagine, the COVID-19 pandemic forced school districts across the country to shift to remote learning; they received significant federal and state funding to support this transition, of which was spent on acquiring new software.

The average district now uses edtech products – nearly the number from 2018 – increasing the attack surface for cybersecurity threats at a time when only school districts employ a full-time IT staff member.

To further complicate the matter, K-12 school districts are chronically understaffed and underfunded on the this front, with the average school spending less than of its IT budget on cybersecurity, and one in five schools dedicating less than . 

Schools are not equipped to secure all of the edtech products they depend on, but these software products are critical to running a modern school. Most critical school functions – including attendance, bus routing, lunch information, learning and grading systems, staff management and finance – all rely on edtech products to operate. 

That puts edtech software manufacturers in a unique position to improve cybersecurity outcomes for K-12 schools by integrating more security features into their products, shifting the burden from schools to industry.  

A forum held last October by UC Berkeley’s Center for Long-Term Cybersecurity, conducted in partnership with the U.S. Department of Education, convened representatives from 12 software manufacturers serving a large portion of U.S. school districts to discuss measures to help strengthen K-12 cybersecurity. Two key themes emerged again and again during the discussion, which are top of mind for industry as we go into 2025.

First, edtech software manufacturers need to take a greater responsibility for improving security outcomes for their K-12 customers.

The use of multi-factor authentication (MFA), an essential security feature in edtech products, is seldom enforced as a mandatory requirement, even for privileged users. However, some software manufacturer participants demonstrated industry leadership by requiring it for all administrative accounts. 

One provider, inspired by Microsoft’s forthcoming requirements in and , implemented mandatory MFA for administrative accounts and financial staff and adopted phishing-resistant authentication. But the rollout was difficult; despite many advance notifications of the change, the provider described the transition as disruptive for customers, even though the change ultimately provided better security. 

Software manufacturers who have implemented mandatory MFA recommended other providers try a phased approach, such as extending authentication prompt intervals to once every one to two weeks to allow school administrators, IT staff, and teachers adequate time to adapt to the new requirements. They also recommended deploying changes during the summertime when school districts’ IT demands are at their lowest. 

Some are experimenting with new MFA tactics and security features, like authentication based on suspicious account activity and tracking data changes in their systems. Other solutions discussed include monitoring the dark web to identify stolen passwords and systems that prompt users to choose stronger alternatives, as well as solutions tailored for schoolchildren and parents, such printable QR code badges that students can scan to authenticate during login.

Second, vendors must overcome obstacles to integrating basic security controls into their products.

One of the biggest obstacles software manufacturers face in launching mandatory security features is balancing security with user convenience. They cite feeling pressured to prioritize ease of use, fearing that customers would switch to competitors with “simpler” but less secure solutions. 

Vendors shared case studies of schools that resisted platform changes that introduced friction into their operations or student learning, such as requiring an additional step to log on. For example, some providers observed that K-12 users prefer less secure authentication methods, such as email and text messaging services, over more phishing-resistant methods, such as app-based tokens or hardware keys.

Technical hurdles pose another barrier. Providers noted that some school districts rely on legacy software for HR, payroll, and bus routing that may be incompatible with modern authentication protocols such as SAML or OAuth. Some systems lack support for these protocols altogether or only offer them as paid features, especially for mobile applications. This makes integration challenging, requiring extensive testing to resolve compatibility issues, making the process resource- and time-intensive for software manufacturers. 

What’s Next

Incidents like the PowerSchool breach demonstrate the urgent need for edtech software vendors to do more to protect K-12 student and teacher data. Fortunately, the federal government has made headway on the issue in recent years.

For example, the Cybersecurity and Infrastructure Security (CISA) agency’s initiative, launched in September 2023, expanded from a K-12 specific pledge with 12 signatories into an enterprise-wide pledge by May 2024, with over 260 industry signatories. CISA also recently released a guidance for software manufacturers.

The growing industry interest in prioritizing cybersecurity is encouraging. Evidence from our roundtable conveys that there’s an appetite from K-12 and companies to do more to relieve the burden on schools and secure edtech products. It is critical to continue this momentum; the edtech industry must pursue product changes that improve security, and federal agencies like CISA should continue building a coalition of companies who do so. 

Secure products benefit everyone, from teachers, to parents, to school children. Let’s double down on our progress before the next breach happens.

This article is published in partnership with

Schools have faced an onslaught of cyberattacks since the pandemic disrupted education nationwide five years ago, yet district leaders across the country have employed a pervasive pattern of obfuscation that leaves the real victims in the dark, an investigation by ĂÛÌÒÓ°ÊÓ shows. 

An in-depth analysis chronicling more than 300 school cyberattacks over the past five years reveals the degree to which school leaders in virtually every state repeatedly provide false assurances to students, parents and staff about the security of their sensitive information. At the same time, consultants and lawyers steer “privileged investigations”, which keep key details hidden from the public. 

In more than two dozen cases, educators were forced to backtrack months — and in some cases more than a year — later after telling their communities that sensitive information, which included, in part, special education accommodations, mental health challenges and student sexual misconduct reports, had not been exposed. While many school officials offered evasive storylines, others refused to acknowledge basic details about cyberattacks and their effects on individuals, even after the hackers made student and teacher information public. 

The hollowness in schools’ messaging is no coincidence. 

That’s because the first people alerted following a school cyberattack are generally not the public nor the police. District incident response plans place insurance companies and their phalanxes of privacy lawyers first. They take over the response, with a focus on limiting schools’ exposure to lawsuits by aggrieved parents or employees. 

The attorneys, often employed by just a handful of law firms —&ČÔČúČő±è;»ćłÜČúČú±đ»ć  by one law professor for their massive caseloads — hire the forensic cyber analysts, crisis communicators and ransom negotiators on schools’ behalf, placing the discussions under the shield of attorney-client privilege. is for these specialized lawyers, who work to control the narrative.

The result: Students, families and district employees whose personal data was published online — from their financial and medical information to traumatic events in young people’s lives — are left clueless about their exposure and risks to identity theft, fraud and other forms of online exploitation. Told sooner, they could have taken steps to protect themselves.

Similarly, the public is often unaware when school officials quietly agree in closed-door meetings  to pay the cybergangs’ ransom demands in order to recover their files and unlock their computer systems. Research suggests that has been fueled, at least in part, by insurers’ willingness to pay. Hackers themselves have that when a target carries cyber insurance, ransom payments are “all but guaranteed.” 

In 2023, there were 121 ransomware attacks on U.S. K-12 schools and colleges, according to , a consumer-focused cybersecurity website whose researchers acknowledge that number is an undercount. An analysis by the  reported 265 ransomware attacks against the education sector globally in 2023 —  a 70% year-over-year surge, making it "the worst ransomware year on record for education."

Daniel Schwarcz, a University of Minnesota law professor, wrote criticizing the confidentiality and doublespeak that shroud school cyberattacks as soon as the lawyers — often called breach coaches — arrive on the scene. 

“There’s a fine line between misleading and, you know, technically accurate,” Schwarcz told ĂÛÌÒÓ°ÊÓ. “What breach coaches try to do is push right up to that line — and sometimes they cross it.”

When breaches go unspoken

ĂÛÌÒÓ°ÊÓ’s investigation into the behind-the-scenes decision-making that determines what, when and how school districts reveal cyberattacks is based on thousands of documents obtained through public records requests from more than two dozen districts and school spending data that links to the law firms, ransomware negotiators and other consultants hired to run district responses. It also includes an analysis of millions of stolen school district records uploaded to cybergangs’ leak sites. 

Some of students’ most sensitive information lives indefinitely on the dark web, a hidden part of the internet that’s often used for anonymous communication and illicit activities. Other personal data can be found online with little more than a Google search — even as school districts deny that their records were stolen and cyberthieves boast about their latest score.

ĂÛÌÒÓ°ÊÓ tracked news accounts and relied on its own investigative reporting in Los Angeles, Minneapolis, Providence, Rhode Island and St. Landry Parish, Louisiana, which uncovered the full extent of school data breaches, countering school officials’ false or misleading assertions. As a result, district administrators had to publicly acknowledge data breaches to victims or state regulators for the first time, or retract denials about the leak of thousands of students’ detailed psychological records. 

In many instances, ĂÛÌÒÓ°ÊÓ relied on mandated data breach notices that certain states, like Maine and California, report publicly. The notices were sent to residents in these states when their personal information was compromised, including numerous times when the school that suffered the cyberattack was hundreds, and in some cases thousands, of miles away. The legally required notices repeatedly revealed discrepancies between what school districts told the public early on and what they disclosed to regulators after extensive delays.

Some schools, meanwhile, failed to disclose data breaches, which they are required to do under state privacy laws, and for dozens of others, ĂÛÌÒÓ°ÊÓ could find no information at all about alleged school cyberattacks uncovered by its reporting — suggesting they had never before been reported or publicly acknowledged by local school officials.

Education leaders who responded to ĂÛÌÒÓ°ÊÓ’s investigation results said any lack of transparency on their part was centered on preserving the integrity of the investigation, not self-protection. School officials in Reeds Spring, Missouri, said when they respond “to potential security incidents, our focus is on accuracy and compliance, not downplaying the severity.” Those at Florida’s River City Science Academy said the school “acted promptly to assess and mitigate risks, always prioritizing the safety and privacy of our students, families and employees.” 

In Hillsborough County Public Schools in Tampa, Florida, administrators in the nation’s seventh-largest district said they notified student breach victims “by email, mail and a telephone call” and “set up a special hotline for affected families to answer questions.”

Hackers have exploited officials’ public statements on cyberattacks to strengthen their bargaining position, a reality educators cite when endorsing secrecy during ransom negotiations.

“But those negotiations do not go on forever,” said Doug Levin, who advises school districts after cyberattacks and is the co-founder and national director of the nonprofit K12 Security Information eXchange. "A lot of these districts come out saying, 'We're not paying,'” the ransom.

“All right, well, negotiation is over,” Levin said. “You need to come clean."

Confidentiality is king

The paid professionals who arrive in the wake of a school cyberattack are held up to the public as an encouraging sign. School leaders announce reassuringly that specialists were promptly hired to assess the damage, mitigate harm and restore their systems to working order. 

This promise of control and normality is particularly potent when cyberattacks suddenly cripple school systems, for days and disable online learning tools. News reports are fond of saying that educators were forced to teach students “

But what isn’t as apparent to students, parents and district employees is that these individuals are not there to protect them — but to protect schools from them.

The extent to which this involves keeping critical information out of the public’s hands is made clear in the advice that Jo Anne Roque, vice president of risk services account management at Poms & Associates Insurance Brokers, gave to leaders of New Mexico’s Gallup-McKinley County Schools after a 2023 cyberattack.

The district had hired Kroll, which conducts forensic investigations and intelligence gathering. Contracting with a privacy attorney was also necessary, Roque wrote, to shield Kroll’s findings from public view. 

“Without privacy counsel in place, public records would be accessible in the event of an information leak,” she wrote in an email to school leaders that was obtained by ĂÛÌÒÓ°ÊÓ through a public records request. School districts routinely denied ĂÛÌÒÓ°ÊÓ’s requests for cyberattack information on the very same grounds of attorney-client privilege.

Records obtained by ĂÛÌÒÓ°ÊÓ reveal Gallup-McKinley officials never notified the school community, state regulators or law enforcement about the attack, even after threat actors with the Hunters International ransomware gang listed the New Mexico district on its leak site in January 2024. 

In California’s Sweetwater Union High School District, administrators told the public at first that a February 2023 attack was an “information technology system outage” — and then went on to pay a $175,000 ransom to the hackers who encrypted their systems. The payoff didn’t stop the leak of data for more than 22,000 people, nor did the district’s initially foggy phrasing allay public suspicion for very long. 

During a , angry residents accused Sweetwater of being misleading and cagey. One, Kathleen Cheers, questioned whether lawyers or public relations consultants had advised school leaders to keep quiet. 

“What brainiac recommended this?” asked Cheers, who wanted the district to create a presentation within 30 days outlining  how the breach occurred and who “recommended the deceitful description.”

It wasn’t until June 2023 — four months after the attack — that Sweetwater their records were compromised. But the district’s breach notice never says what specific records had been taken, refers to files that “may have been taken” and tells those receiving the notice that their “personal information was included in the potentially taken files.”

“Well, was my information taken or not?” April Strauss, an attorney representing current and former employees in a class action lawsuit against Sweetwater, asked ĂÛÌÒÓ°ÊÓ. 

Strauss, the Las Vegas district in a similar lawsuit, accused school officials of downplaying cyberattacks “to avoid exacerbating their liability, quite frankly,” in a way that prevents families from being able to “assert their rights more competently.” 

¶ÙŸ±ČőłÙ°ùŸ±łŠłÙČő’ vaguely worded breach notification letters to victims serve more to confuse than inform, she said. 

“The wording in notices is disheartening,” Strauss told ĂÛÌÒÓ°ÊÓ. “It’s almost like revictimization.”

Who’s in charge

Such hedged language used in required breach notices echoes the hazy descriptions districts give the public right after they’ve been hacked. Cyberattacks were called an  “encryption event” in Minneapolis; a “network security incident” in Blaine County, Idaho; “temporary network disruptions” in Chambersburg, Pennsylvania, and “anomalous activity” in Camden, New Jersey. 

In several cases, consultants advised educators against using words like “breach” and “cyberattack” in their communications to the public. Less than 24 hours after school officials in Rochester, Minnesota, discovered a ransom note and an April 2023 attack on the district’s computer network, they notified families but only after accepting input from the public relations firm FleishmanHillard.

“ ‘Cyberattack’ is severe language that we prefer to avoid when possible,” the firm’s representative wrote .

The district called it “irregular activity” instead. 

In cases where schools are being attacked, threatened and extorted by some of the globe’s most notorious cybergangs — many with known ties to Russia — officials have claimed in arresting and indicting some of the masterminds. Yet ĂÛÌÒÓ°ÊÓ identified instances where police took a secondary role.

In positioning themselves at the helm of cyberattack responses, attorneys have they should contact law enforcement only “in conjunction with qualified counsel.” 

In some cases, including one involving the Sheldon Independent School District in Texas, insurers have approved and covered costs associated with ransom payments, often harder-to-trace bitcoin transactions that have come under law enforcement scrutiny.

Biden's Deputy National Security Advisor Anne Neuberger,  writing in in the Financial Times, said insurers are right to demand their clients install better cybersecurity measures, like multi-factor authentication, but those who agree to pay off hackers have incentivized “payment of ransoms that fuel cyber crime ecosystems.” 

“This is a troubling practice that must end,” she wrote.

Records obtained by ĂÛÌÒÓ°ÊÓ show that in Somerset, Massachusetts, Beazley, the school district’s cybersecurity insurance provider, approved a $200,000 ransom payment after a July 2020 attack. The insurer also played a role in selecting other outside vendors for the district’s incident response, including Coveware, a cybersecurity company that specializes in negotiating with hackers.

If police were disturbed by the district’s course of action, they didn’t express it. In fact, William Tedford, then the Somerset Police Department’s technology director, requested in a July 31 email that the district furnish the threat actor’s bitcoin address “as soon as possible,” so he could share it with a Secret Service agent who “offered to track the payment with the hopes of identifying the suspect(s).” 

But he was quick to defer to the district and its lawyers.

“There will be no action taken by the Secret Service without express permission from the decision-makers in this matter,” Tedford wrote. “All are aware of the sensitive nature of this matter, and information is restricted to only [the officers] directly involved.”

While ransom payments are “ethically wrong because you’re funding criminal organizations,” insurers are on the hook for helping districts recover, and the payments are a way to limit liability and save money, said Chester Wisniewski, a director at cybersecurity company Sophos. 

“The insurance companies are constantly playing catch-up trying to figure out how they can offer this protection,” he told ĂÛÌÒÓ°ÊÓ. “They see dollar signs — that everybody wants this protection — but they’re losing their butts on it.” 

Similarly, school districts have seen their premiums climb. In by the nonprofit Consortium for School Networking, more than half said their cyber insurance costs have increased. One Illinois school district reported its 334% between 2021 and 2022.

Many districts told ĂÛÌÒÓ°ÊÓ that they were quick to notify law enforcement soon after an attack and said the police, their insurance companies and their attorneys all worked in concert to respond. But a pecking order did emerge in the aftermath of several of these events examined by ĂÛÌÒÓ°ÊÓ â€” one where the public did not learn what had fully happened until long after the attack.

When the Medusa ransomware gang attacked Minneapolis Public Schools in February 2023, it stole reams of sensitive information and demanded $4.5 million in bitcoin in exchange for not leaking it. District officials had a lawyer at Mullen Coughlin .  But at the same time school officials were refusing to acknowledge publicly that they had been hit by a ransomware attack, their attorneys were telling federal law enforcement that the district almost immediately determined its network had been encrypted, promptly identified Medusa as the culprit and within a day had its “third-party forensic investigation firm” communicating with the gang “regarding the ransom.”

Mullen Coughlin then told the FBI that it was leading “a privileged investigation” into the attack and, at the school district’s request, “all questions, communication and requests in connection with this notification should be directed” to the law firm. Mullen Coughlin didn’t respond to requests for comment. 

Minneapolis school officials would wait seven months before notifying more than 100,000 people that their sensitive files were exposed, including documents detailing campus rape cases, child abuse inquiries, student mental health crises and suspension reports. As of Dec. 1, all schools in Minnesota are now to the state but that information will be anonymous and not shared with the public.

One district took such a hands-off approach, leaving cyberattack recovery to the consultants’ discretion, that they were left out of the loop and forced to issue an apology.

When an April 2023 letter to Camden educators arrived 13 months after a ransomware attack, it caused alarm. An administrator had to assure employees in an email that the New Jersey district wasn’t the target of a second attack. Third-party attorneys had sent out notices after a significant delay and without school officials’ knowledge. Taken by surprise, Camden schools were not “able to preemptively advise each of you about the notice and what it meant.”

Other school leaders said when they were in the throes of a full-blown crisis and ill-equipped to fight off cybercriminals on their own, law enforcement was not of much use and insurers and outside consultants were often their best option. 

“In terms of how law enforcement can help you out, there’s really not a whole lot that can be done to be honest with you,” said Don Ringelestein, the executive director of technology at the Yorkville, Illinois, school district. When the district was hit by a cyberattack prior to the pandemic, he said, a report to the FBI went nowhere. Federal law enforcement officials didn’t respond to requests for comment. 

District administrators turned to their insurance company, he said, which connected them to a breach coach, who led all aspects of the incident response under attorney-client privilege.

Northern Bedford County schools Superintendent Todd Beatty said the Pennsylvania district contacted the federal to report a July 2024 attack, but “the problem is there’s not enough funding and personnel for them to be able to be responsive to incidents.” 

Meanwhile, John VanWagoner, the schools superintendent in Traverse City, Michigan, claims insurance companies and third-party lawyers often leave district officials in the dark, too. Their insurance company presented school officials with the choice of several cybersecurity firms they could hire to recover from a March 2024 attack, VanWagoner said, but he "didn’t know where to go to vet if they were any good or not.”

He said it had been a community member — not a paid consultant — who first alerted district officials to the extent of the massive breach that forced school closures and involved 1.2 terabytes — or over 1,000 gigabytes — of stolen data.

“We were literally taking that right to the cyber companies and going, ‘Hey, they’re finding this, can you confirm this so that we can get a message out?’ ” he told ĂÛÌÒÓ°ÊÓ. “That is what I probably would tell you is the most frustrating part is that you’re relying on them and you’re at the mercy of that a little bit.”

The breach coach

Breach notices and other incident response records obtained by ĂÛÌÒÓ°ÊÓ show that a small group of law firms play an outsized role in school cyberattack recovery efforts throughout the country. Among them is McDonald Hopkins, where Michigan attorney Dominic Paluzzi co-chairs a 52-lawyer data privacy and cybersecurity practice. 

Some call him a breach coach. He calls himself a “quarterback.” 

After establishing attorney-client privilege, Paluzzi and his team call in outside agencies covered by a district’s cyber insurance policy —  including forensic analysts, negotiators, public relations firms, data miners, notification vendors, credit-monitoring providers and call centers. Across all industries, the cybersecurity practice handled , 17% of which involved the education sector — which, Paluzzi noted, isn’t “always the best when it comes to the latest protections."

When asked why districts’ initial response is often to deny the existence of a data breach, Paluzzi said it takes time to understand whether an event rises to that level, which would legally require disclosure and notification.  

“It’s not a time to make assumptions, to say, ‘We think this data has been compromised,’ until we know that,” Paluzzi said. “If we start making assumptions and that starts our clock [on legally mandated disclosure notices], we’re going to have been in violation of a lot of the laws, and so what we say and when we say it are equally important.” 

He said in the early stage, lawyers are trying to protect their client and avoid making any statements they would have to later retract or correct.

“While it often looks a bit canned and formulaic, it’s often because we just don’t know and we’re doing so many things,” Paluzzi said. “We’re trying to get it contained, ensure the threat actor is not in our environment and get up and running so we can continue with school and classes, and then we shift to what data is potentially out there and compromised.”

A data breach is confirmed, he said, only after “a full forensic review.” Paluzzi said that process can take up to a year, and often only after it’s completed are breaches disclosed and victims notified. 

“We run through not only the forensics, but through that data mining and document review effort. By doing that last part, we are able to actually pinpoint for John Smith that it was his Social Security number, right, and Jane Doe, it's your medical information,” he said. “We try, in most cases, to get to that level of specificity, and our letters are very specific.”

Targets in general that without the help of a breach coach, according to a 2023 blog post by attorneys at the firm Troutman Pepper Locke, often fail to notify victims and, in some cases, provide more information than they should. When entities over-notify, they increase “the likelihood of a data breach class action [lawsuit] in the process.” Companies that under-notify “may reduce the likelihood of a data breach class action,” but could instead find themselves in trouble with government regulators. 

For school districts and other entities that suffer data breaches, legal fees and settlements are often . 

Law firms like McDonald Hopkins that manage thousands of cyberattacks every year are particularly interested in privilege, said Schwarcz, the University of Minnesota law professor who wonders whether lawyers are necessarily best positioned to handle complex digital attacks.

In his , Schwarcz writes that  the promise of confidentiality is breach coaches’ chief offering. By elevating the importance of attorney-client privilege, the report argues, lawyers are able to “retain their primacy” in the ever-growing and lucrative cyber incident-response sector. 

Similarly, he said lawyers’ emphasis on reducing payouts to parents who sue overstates schools’ actual exposure and is another way to promote themselves as “providing a tremendous amount of value by limiting the risk of liability by providing you with a shield.”

Their efforts to lock down information and avoid paper trails, he wrote, ultimately undermine “the long-term cybersecurity of their clients and society more broadly.”

Who gets hurt

School cyberattacks have led to the widespread release of records that heighten the risk of identity theft for students and staff and trigger data breach notification laws that typically center on preventing fraud. 

Yet files obtained by ĂÛÌÒÓ°ÊÓ show school cyberattacks carry particularly devastating consequences for the nation’s most vulnerable youth. Records about sexual abuse, domestic violence and other traumatic childhood experiences are found to be at the center of leaks. 

Hackers have leveraged these files, in particular, to coerce payments. 

In Somerset, Massachusetts, a hacker using an encrypted email service extorted school officials with details of past sexual misconduct allegations during a district “show choir” event. The accusations were investigated by local police and no charges were filed.

“I am somewhat shocked with the contents of the files because the first file I chose at random is about a predatory/pedophilia incident described by young girls in one of your schools,” the hacker alleges in records obtained by ĂÛÌÒÓ°ÊÓ. “This is very troubling even for us. I hope you have investigated this incident and reported it to the authorities, because that is some fucked up stuff. If the other files are as good, we regret not making the price higher.”

The exposure of intimate records presents a situation where “vulnerable kids are being disadvantaged again by weak data security,” said digital privacy scholar Danielle Citron, a University of Virginia law professor whose 2022 book, , argues that a lack of legal protections around intimate data leaves victims open to further exploitation. 

“It’s not just that you have a leak of the information,” Citron told ĂÛÌÒÓ°ÊÓ. “But the leak then leads to online abuse and torment.”

Meanwhile in Minneapolis, an educator reported that someone withdrew more than $26,000 from their bank account after the district got hacked. In Glendale, California, more than 230 educators were required to verify their identity with the Internal Revenue Service after someone filed their taxes fraudulently. 

In Albuquerque, where school officials said they prevented hackers from acquiring students’ personal information, a parent reported being contacted by the hackers who placed a “strange call demanding money for ransoming their child.”

Blood in the water

Nationally, about 135 state laws are devoted to student privacy. Yet all of them are “unfunded mandates” and “there’s been no enforcement that we know of,” according to Linnette Attai, a data privacy compliance consultant and president of . 

that require businesses and government entities to notify victims when their personal information has been compromised, but the rules vary widely, including definitions of what constitutes a breach, the types of records that are covered, the speed at which consumers must be informed and the degree to which the information is shared with the general public. 

It’s a regulatory environment that breach coach Anthony Hendricks, with the Oklahoma City office of law firm Crowe & Dunlevy, calls “the multiverse of madness.” 

“It's like you're living in different privacy realities based on the state that you live in,” Hendricks said. He said federal cybersecurity rules could provide a “level playing field” for data breach victims who have fewer protections “because they live in a certain state.” 

By 2026, proposed federal rules to the Cybersecurity and Infrastructure Security Agency, a division of the Department of Homeland Security. But questions remain about what might happen to the rules under the new Trump administration and whether they would come with any accountability for school districts or any mechanism to share those reports with the public. 

about the extent of cyberattacks and data breaches can face Securities and Exchange Commission scrutiny, yet such accountability measures are lacking for public schools.

The Family Educational Rights and Privacy Act, the federal student privacy law, prohibits schools from disclosing student records but doesn’t require disclosure when outside forces cause those records to be exposed. Schools that have “a policy or practice” of routinely releasing students‘ records in violation of FERPA can lose their federal funding, but such sanctions have never been imposed since the law was enacted in 1974. 

The patchwork of data breach notices are often the only mechanism alerting victims that their information is out there, but with the explosion of cyberattacks across all aspects of modern life, they’ve grown so common that some see them as little more than junk mail.  

Schwarcz, the Minnesota law professor, is also a Minneapolis Public Schools parent. He told ĂÛÌÒÓ°ÊÓ he got the district’s September 2023 breach notice in the mail but he "didn't even read it." The vague notices, he said, are “mostly worthless.” 

It may be enforcement against districts’ misleading practices that ultimately forces school systems to act with more transparency, said Attai, the data privacy consultant. She urges educators to “communicate very carefully and very deliberately and very accurately” the known facts of cyberattacks and data breaches. 

“Communities smell blood in the water,” she said, “because we’ve got these mixed messages.”

Development and art direction by Eamonn Fitzmaurice.  Illustrations by  for ĂÛÌÒÓ°ÊÓ.

This story was supported by a grant from the Fund for Investigative Journalism.

When a broad group of parents, educators and activists met in late October at a government office building in Arlington, Virginia, they gathered around a shared goal: Make America’s schools safer. 

There, three parents whose children were killed in mass school shootings sought to bolster student mental health and crisis intervention services. Some advocates favored increased school policing and physical security while others sought to limit how those hardening measures can harm children’s civil rights. Each was there as a check on recommendations being made by the federal government.

But membership on the 26-person committee, which was created through the — passed in the wake of mass shootings at a Uvalde, Texas, elementary school and a Buffalo, New York, supermarket — was short-lived. On Monday, the first day of President Donald Trump’s second term, all members were terminated. For members of the Federal School Safety Clearinghouse External Advisory Board, the October gathering was the group’s first time meeting — and also its last. 

A letter signed by Acting Homeland Security Secretary Benjamine Huffman and obtained by ĂÛÌÒÓ°ÊÓ said the decision was part of a wider effort to ensure the agency’s “activities prioritize our national security.” 

“Future committee activities will be focused on advancing our critical mission to protect the homeland and support DHS’s strategic priorities,” Huffman wrote in the letter. “To outgoing advisory board members, you are welcome to reapply, thank you for your service.”

In an email to ĂÛÌÒÓ°ÊÓ, a senior official with the Department of Homeland Security said the agency “will no longer tolerate any advisory committee which push[es] agendas that attempt to undermine its national security mission, the President’s agenda or Constitutional rights of Americans.” The official did not elaborate on how the committees may be undermining the new administration’s mission. But Trump and South Dakota Gov. Kristi Noem, the president’s pick for homeland security secretary, have made clear their priorities for DHS are and to the Cybersecurity and Infrastructure Security Agency, which steers the school safety clearinghouse. 

In fact, DHS this week to eliminate what it deemed as “the misuse of resources,” including those focused on emergency preparedness and cybersecurity. The move comes as schools and nationwide face .

But school safety committee members who spoke with ĂÛÌÒÓ°ÊÓ said the group included experts from diverse perspectives — all focused on ensuring the effectiveness of a federal school safety initiative created during Trump’s first term. While the advisory board was created by the Bipartisan Safer Communities Act, a sweeping $1.4 billion law that includes stricter gun control measures and violence prevention programs, its purpose was to provide expertise and best practices to the Federal School Safety Clearinghouse. The clearinghouse is an interagency effort the to improve national school safety efforts. It includes the creation of SchoolSafety.gov, a “one-stop shop” of resources for school leaders looking to foster safer campuses. 

New York Democratic Sen. Chuck Schumer, the Senate minority leader, accused the Trump administration of violating the law, stating during a Jan. 26 news conference that the president “should not bow down to the NRA.”

In a press release the following day, Sen. Chris Murphy, a Democrat from Connecticut, similarly criticized the move.

“President Trump doesn’t care about keeping our kids safe from gun violence,” Murphy said. “President Trump should reinstate these members immediately and stop playing politics with our children’s safety.”

Among those who advocated for the committee’s creation — and were ultimately dismissed from it last week — are airline pilot Tony Montalto, whose 14-year-old daughter Gina was killed in 2018 during the mass school shooting at Marjory Stoneman Douglas High School in Parkland, Florida. Montalto is now president of the nonprofit which was created by the parents of the Florida shooting to advance bipartisan campus security efforts. 

In an interview with ĂÛÌÒÓ°ÊÓ on Wednesday, Montalto said he is “disappointed that the members have been dismissed,” and hopes to serve again on the board, which is congressionally mandated. 

“Too often the government gets involved in ‘government speak’, and we wanted to bring this external advisory board to life so that real people from outside of government could come together and have input into the process of keeping students and teachers safe at school,” Montalto said. He said the board members, which were appointed during the Biden administration, represented a “broad cross-section” of experts and opinions with a shared interest in student and teacher safety. 

School shootings in the U.S. have surged to record highs in the last several years, including an Wednesday that led to the deaths of two students, including the alleged gunman. The video streaming platform Kick acknowledged Wednesday evening the shooter had .

Chad Marlow, a senior policy counsel at the American Civil Liberties Union who served on the advisory board until this week, said the varied and wide-ranging viewpoints among members stood out most during their first meeting in October. 

“There was really an effort to get as many perspectives as possible into the room, and I don’t think there was any preconceived notion on where we were going,” Marlow said. “We were not given any instructions, like ‘We would like to see you do X.’” 

During the day-long session, he said, committee members were divided into three groups to discuss improvements to federal school safety grants and to analyze various security interventions like school-based policing. 

Marlow said it’s possible that the Trump administration could appoint new board members who are not in lockstep but fears the shakeup could eliminate experts whose viewpoints don’t align with those of the Trump administration and “handcuff the quality” of the group’s work. 

“I hope it’s not the latter because, at the end of the day, we should be focused on doing the best for keeping our kids safe — or, in the language they’re using, protecting the homeland,” Marlow said. 

Still, Marlow said he plans to reapply for his seat. So, too, does Montalto, who said the Clearinghouse first created by Trump is “actually one of the most efficient programs in the government” with four agencies coming together to provide resources designed to keep students safe. 

Important, too, are the voices of parents who’ve experienced tragedy firsthand. 

“Anybody who has suffered that loss can drive home the point of how important school safety is,” Montalto said. “It’s a nonpartisan issue, we just need to come together as an American family and try to make a difference.”

Inhale. Exhale. 

If you’re reading this, that means you’ve made it through 2024. (Congrats!) But don’t get too comfortable, because in 2025, the student safety and well-being beat is in for some major changes.

With Donald Trump’s second inauguration just weeks away, I figured I’d take a moment to highlight the defining developments in the School (in)Security universe over the last year — and how the landscape could evolve over the next 365 days.

1. The first-of-its-kind sentencing of a school shooter’s parents

Michigan parents Jennifer and James Crumbley became the first in U.S. history to be sentenced on criminal charges stemming from a mass school shooting perpetuated by their child. Each was sentenced to 10 to 15 years in prison for involuntary manslaughter. 

• Prosecutors accused the Crumbleys of ignoring warning signs that their son had a desire for violence when they gave him the gun he used to kill four classmates and injure seven others. | 
• In Georgia, the father of a 14-year-old accused of carrying out a mass shooting that left four dead was arrested on murder charges. Authorities alleged the father “knowingly allowed” the teenager to possess the gun that was used to carry out the attack. 
• Parents not liable in Santa Fe: The parents of a former student accused of killing 10 people at his Texas high school in 2018 were sued for negligence, but a jury found them not responsible. |  
• The big picture: I wrote a deep dive into the history of holding parents accountable for their kids’ bad behavior — and why the Crumbley case was unprecedented. | 

2. An Apology from Big Tech — and a failed bid for new online safety rules

Amid heightened concerns over social media’s impact on youth mental health, Meta CEO Mark Zuckerberg did something this year that perhaps nobody saw coming: He apologized. | 

• The apology to parents who say their kids suffered, or died, because of their social media use came during a heated Senate hearing where lawmakers accused Big Tech of failing to prevent youth suicides and child sexual exploitation. It was part of a larger panic over teens’ TikTok addictions. | 
• Despite the outcry, a federal effort to implement new online safety rules for children has faltered again. And again. And again. | , , 

3. Did somebody say TikTok?

The Supreme Court is set to hear 11th-hour arguments about whether the government’s effort to ban the Chinese social media app violates the First Amendment. Justices will hear the case Jan. 10, nine days before the prohibition is set to go into effect. | 

• Claiming it posed a surveillance threat from the Chinese government, President Joe Biden signed a law in April to ban the enormously popular video-streaming app in the U.S. unless parent company ByteDance relinquished ownership. | 

4. Scrutiny of AI’s role in student well-being

Try going 10 seconds without reading something about artificial intelligence. I dare you. As emerging AI tools promise — or threaten — to disrupt K-12 education as we know it, they’ve also been oversold, misused and unevenly supervised. 

• The Federal Trade Commission reached a settlement with Evolv Technology, the maker of an AI-powered security screening system used in some 800 schools, after accusing the company of making false claims about its ability to detect weapons and keep kids safe. | 
• Joanna Smith-Griffin, the founder and former CEO of the once-celebrated education technology company AllHere, was indicted on charges she defrauded investors of nearly $10 million as the maker of AI chatbots for schools fell into bankruptcy. | 
  • Why you should care: AllHere had only a few customers, court records reveal, before it was hired to build a buzzy, $6 million chatbot for the Los Angeles school district. A former-employee-turned-whistleblower told me the overwhelmed startup took shortcuts that put students’ privacy at risk. | 
• In a first-of-its-kind criminal case, two teenage boys were arrested in Florida and accused of creating AI-generated nude images of middle school classmates without their consent. | 
• ‘Distrust, detection & discipline’: As students increasingly turned to generative AI like ChatGPT for help with assignments, educators said they lacked clear instructions on how to thwart tech-assisted cheating. | 

5. School-based police officers under fire

The Department of Justice released a scathing report on the police response to the 2022 school shooting at Robb Elementary School in Uvalde, Texas. “Cascading failures” defined a slow police response, the report stated, and officers acted with “no urgency” to confront the gunman. | 

• A harrowing investigation found that predatory school resource officers have routinely used their position and authority to meet and groom students. | 
• Impact, baby! In response to the article, the department issued guidance urging that school police be trained on setting appropriate boundaries with children. | 

6. A small school cybersecurity grant program attracted massive interest

As schools and libraries nationwide fell victim to a surge of cyberattacks, the Federal Communications Commission rolled out a $200 million pilot program in a bid to stop the hackers. Illuminating the scale of the problem, demand far exceeded the available federal funds: The commission received more than 2,700 applications for some $3.7 billion in requests. | 

7. The Trump effect comes back into focus

• After Trump faced backlash for his family separation immigration policy in his first term, the president-elect has floated the idea of deporting all members of mixed-status families — a policy with the potential to affect millions of households with at least one U.S.-born child. |   
• The incoming president has pledged to impose wide-ranging restrictions on transgender students and roll back Biden-era civil rights protections. | 

Emotional Support

Editor Bev Weintraub’s party animal Marz rang in the new year with something a little stronger than catnip.

The Federal Trade Commission has accused a company that makes AI-powered security screening systems for some 800 schools across 40 states of promoting false claims about its ability to detect weapons and keep kids safe. 

Evolv Technology, which sells AI-powered “weapons detection” systems to schools and other businesses, made deceptive claims to customers about its ability to detect all weapons accurately and efficiently, the commission alleged in . 

Schools make up half of Evolv’s business, according to the complaint, even though the publicly traded company may be best known as a security staple at stadiums and for a pilot program in New York City’s subways earlier this year that yielded dismal results.

“The FTC has been clear that claims about technology — including artificial intelligence — need to be backed up, and that is especially important when these claims involve the safety of children,” Samuel Levine, director of the commission’s bureau of consumer protection, said in a media release. “If you make those claims without adequate support, you can expect to hear from the FTC.”

Evolv’s marketing materials promote its scanners as high-tech alternatives to metal detectors, but the complaint argues the company made inaccurate assurances about the product’s ability to reduce false alarms, cut labor costs, eliminate the need for people to remove innocuous items from their pockets — and its capability to detect all weapons.

The company it had reached a settlement with the commission that did not involve any admission of wrongdoing or monetary penalties but would give certain K-12 customers a 60-day window to cancel the remainder of their current contracts.

The eligible districts account for 8% of all Evolv customers, according to a media release, and deploy 4% of its scanners. Cancelling those contracts could impact $3.9 million of its annual revenue.

“This resolution allows us to focus on a small segment of our school customers to ensure they remain satisfied with” Evolv’s scanners “and allows us to move forward without distraction,” Mike Ellenbogen, the company’s interim president and CEO, said in the statement.

Evolv has that it uses AI to scan for the unique “signatures” of tens of thousands of weapons, allowing it to distinguish “all the guns, all the bombs and all the large tactical knives” out there from everyday items like keys and laptops. 

In its release, Evolv framed the FTC inquiry as focusing on past marketing materials and not the efficacy of its AI technology, but it also said the company would “refine the way it markets its technology, highlighting capabilities and limitations.”

School safety consultant Kenneth Trump, president of National School Safety and Security Services, told ĂÛÌÒÓ°ÊÓ that school leaders have increasingly turned to weapons detection systems to signal to parents that they’re taking proactive steps to keep students safe. 

“Some may have unknowingly created the very result they hoped to prevent: A quandary, as they may have to explain to their school communities why they bought technology that may not be delivering what was implied or promised to them and their school community,” he said. 

The — including its — has faced pushback for several years, particularly by IPVM, an independent security and surveillance industry research group that tests and evaluates products. Some of the schools the group researched had false alarm rates of up to 60%. 

Last year, a high school student in Utica, New York, after he was stabbed in a campus hallway by a classmate who brought a knife past an Evolv scanner without detection. The school district had spent $3.7 million on the scanners from Evolv, a Massachusetts-based company backed by big-name investors including Bill Gates and Peyton Manning. The company boasts its artificial intelligence-equipped devices can screen up to 1,000 students in 15 minutes — 10 times faster than traditional metal detectors.Ìę

New York City Mayor Eric Adams of Evolv’s scanners inside some New York City subway stations this year, which was met with opposition from civil rights groups who argued it was unconstitutional and impractical to screen millions of transit users daily. Over the course of a month, the scanners across 20 subway stations had 118 false positives and recovered 12 knives. They didn’t detect a single firearm. 

The company on Tuesday pointed to two incidents last month where Evolv scanners detected guns that students were attempting to bring into their and high schools.

As AI becomes a buzzword in education technology, the FTC in February the prowess of their artificial intelligence offerings, adding that “false or unsubstantiated claims about a product’s efficacy are our bread and butter.” 

A ransomware gang uploaded those and other sensitive student information to an instant messaging service after Providence Public Schools did not pay their $1 million extortion demand, an investigation by ĂÛÌÒÓ°ÊÓ revealed. Though the files have been available online for nearly a month, parents and students are likely unaware that their private affairs have entered the public domain — and district officials have denied the leaked records exist. 

Earlier this month, the school district notified 12,000 current and former employees that personal information, such as their names, addresses and Social Security numbers, had been compromised and offered them five years of credit-monitoring services. But the letter never made mention of students’ sensitive records and, district spokesperson Jay WĂ©gimont told reporters at the time that an ongoing investigation had uncovered that any personal information for students has been impacted.”

An analysis by ĂÛÌÒÓ°ÊÓ of the stolen files — posted by the threat actors to the messaging platform Telegram  — indicates otherwise. Included in the 217 gigabyte data leak are students’ specific special education accommodations and medications. Other files offer detailed insight into district investigations into sexual misconduct allegations naming both educators and students. 

In one complaint, a middle school girl accused a male classmate of showing her unsolicited sexual videos on his cellphone, lifting up her skirt, snapping her bra strap and pulling her hair. In another, a mother accused two high school boys of putting their hands into her disabled daughter’s underwear. After one incident, a boy uttered a threat: “Don’t tell nobody.” 

In a statement to ĂÛÌÒÓ°ÊÓ on Wednesday, WĂ©gimont said the district has “been able to confirm that some files” stored on the district’s internal servers were accessed by an “unauthorized, third party,” and that “security consultants are going through a comprehensive review” to determine whether the leaked files contain personal information “for individuals beyond current and former staff members.” 

WĂ©gimont’s statement doesn’t acknowledge that students’ records had been compromised. 

The district’s failure to acknowledge the breach affected students and parents — even after being informed otherwise — is “a massive violation of trust with communities,” student privacy expert Amelia Vance told ĂÛÌÒÓ°ÊÓ.

“People should be aware — especially when particularly sensitive information is being released in ways that could make it findable and searchable later,” said Vance, the founder and president of Public Interest Privacy Consulting. As cybercriminals turn their focus beyond financial records to sensitive information like sexual misconduct allegations, breaches like the one in Providence “are likely to have a substantial impact on people’s future lives, whether it be their opportunities, their ability to get a job or their relationships with others.” 

The school district acknowledged in an Oct. 4 letter to the state attorney general’s office — and in letters to the individuals themselves — that the sensitive information of 12,000 current and former employees was “potentially impacted” in the attack. A spokesperson for the AG’s office shared the letter that Providence Superintendent Javier Montañez submitted “as required by statute,” but declined to comment further on the students and families who were also victimized in the breach.

Under the , schools and other municipal agencies are required to notify affected individuals within 30 days — but the breach “poses a significant risk of identity theft.” Covered records include individuals’ names, Social Security numbers, driver’s license numbers, financial information, medical records, health insurance information and email log-in credentials. 

It’s unclear how the district determined as many as 12,000 current and former educators were affected. Nobody, including the school district, was previously able to access the breached records, Victor Morente, the state education department’s spokesperson, said in a phone call on Wednesday. 

“No one had actually gone in to see the files,” he told ĂÛÌÒÓ°ÊÓ, although the district had said it was conducting an ongoing analysis. 

The state took control of the 20,000-student Providence district in 2019 after a report found it was among the lowest performing in the country. State education officials are “working closely with the district” on its ransomware recovery, Morente said. 

Thousands of students impacted

Included in the leak is the 2024-25 Individualized Education Program for a 4-year-old boy who pre-K educators observed had “significant difficulty sustaining attention to task” and who “wandered around the classroom setting without purpose.” Another special education plan notes a 3-year-old boy “randomly roamed the room humming the tune to ‘Wheels on the Bus,’ pushed chairs and threw objects.” 

A single spreadsheet lists the names of some 20,000 students and demographic information including their disability status, home addresses, contact information and parents’ names. Another includes information about their race and the languages spoken at home.

A “termination list” included in the breach notes the names of more than 600 district employees who were let go between 2002 and 2024, including an art teacher who “retired in lieu” of being fired and a middle school English teacher who “resigned per agreement.” Another set of documents revealed a fifth-grade teacher’s request — and denial — for workplace accommodations for obsessive compulsive disorder, anxiety and panic attacks that make her “less effective as an educator if I am not supported with the accommodations because I can not sleep at night.” 

In one leaked April 2024 email, a senior central office administrator sought a concealed handgun permit from the state attorney general, noting they “have a safe at work as well as one at home.”

Threat actors with the ransomware gang Medusa, believed by cybersecurity researchers to be Russian, took credit for the September attack. The group, which has repeatedly used highly personal student records as part of its extortion scheme, posted Providence public schools to its dark web blog where it demanded $1 million. 

While ransomware gangs have long restricted their activities to the dark web, according to the cybersecurity company Bitdefender. After Medusa outs its latest target on its dark web “name and shame blog,” it then previews the victim’s stolen records in a video on a faux technology blog that appears to be directly tied to the attackers.

The files are then made available for download on Telegram. While the dark web requires special tools and some know-how to access, the preview video and download link to the Providence files and those of other Medusa victims are available with little more than a Google search. 

Medusa’s many tentacles 

The Medusa attack and Providence’s response is similar to those of other school districts in the last two years. After Medusa claimed a 2023 ransomware attack on the Minneapolis school district — what officials there vaguely called an “encryption event” — the threat actors leaked an extensive archive of stolen files, including school-by-school security plans and documents outlining campus rape cases, child abuse inquiries, student mental health crises and suspension reports.

In St. Landry Parish, Louisiana, school officials waited five months to notify people their information was stolen in a July 2023 Medusa cyberattack — and only after a joint investigation by ĂÛÌÒÓ°ÊÓ and The Acadiana Advocate prompted an inquiry from the Louisiana Attorney General’s Office. 

The Providence district records available on Telegram are extensive, totaling more than  337,000 individual files and 217 gigabytes of data. Even the 24-minute video preview exposes an extensive amount of personally identifiable information. Though the group focuses on the theft of sensitive records — like those pertaining to student civil rights investigations, security plans and financial records — a tally of the total number of affected Providence district data breach victims is unknown. 

Personally identifiable information is intertwined with more mundane documents housed on the breached school district server, including veterinarian bills for a high school teacher’s German Shepherd named Sheba and a recipe for pulled BBQ chicken sliders with pineapple coleslaw. 

Indicators of a cyberattack on the Providence district first appeared in September when the school system was forced to go several days without internet due to what “irregular activity” on its computer network but on whether they’d been the target of ransomware. In — and the same day that Medusa’s ransom deadline expired — Superintendent Montañez acknowledged that “an unverified, anonymous group” had gained “unauthorized access” to its computer network and claimed to have stolen sensitive records. 

“While we cannot confirm the authenticity of these files and verify their claims,” Montañez wrote, “there could be concerns that these alleged documents could contain personal information.”

Three days later, on Sept. 28, hundreds of thousands of files became available for download on Telegram.

This story was supported by a grant from the Fund for Investigative Journalism.

Former Uvalde schools police Chief Pete Arredondo asked a state district court on Friday to quash ten felony charges of child endangerment for his response to the 2022 Robb Elementary School shooting.

Arredondo is one of two law enforcement officers who face criminal charges for their response to Texas’ deadliest school shooting, which left nineteen children and two teachers dead on May 22, 2022. An indictment handed down in June by a Uvalde County grand jury called Arredondo the incident commander and accused him of to ten children by delaying law enforcement’s response to the active shooter and not responding as trained.

In their motion to toss out the indictment, Arredondo’s lawyers say school districts and their employees don’t have a duty to protect students from third-party threats. The lawyers also point out that the children were already in danger when Arredondo responded.

“The indictment does not allege that Mr. Arredondo engaged in any conduct that placed a child in imminent danger of death, bodily injury, or physical or mental impairment,” the filing states. “To the contrary, the language in the indictment itself makes clear that when Mr. Arredondo responded as part of his official duties, an active shooter incident was already in progress.”

Arredondo that he did not think he was the incident commander and that he did not give any orders. Nearly 400 local, state and federal law enforcement officers descended upon the school but failed to act decisively, instead waiting for more than an hour to confront the gunman.

Border Patrol agents ultimately decided to breach the classroom and killed the shooter.

Since the school shooting, families of Uvalde victims have called on local and state elected officials to hold officers accountable for their failures in leadership. Many said they were disappointed that the grand jury indicted only two officers.

In addition to Arredondo, former district officer Adrian Gonzales was indicted on 29 counts of child endangerment. Gonzales violating school district policy or state law. Both officers were released from Uvalde County Jail on bond.

Uvalde District Attorney Christina Mitchell did not immediately respond to a request for comment.

As The Texas Tribune’s signature event of the year, brings Texans closer to politics, policy and the day’s news from Texas and beyond. Browse on-demand recordings and catch up on the biggest headlines from Festival events at the Tribune’s .

This article originally appeared in at . The Texas Tribune is a member-supported, nonpartisan newsroom informing and engaging Texans on state politics and policy. Learn more at texastribune.org.

Update: The bill was ordered to the inactive file on the last night of the session Aug. 31. It had been amended to keep mandatory police notification requirements if a student assaults or threatens a teacher. The bill would have still let teachers choose to call the police if a student is using or possessing controlled substances, and it would also decriminalize willful disturbance by students.

During Zuleima Baquedano’s first year as a teacher, she faced an important choice. 

One of her students had difficulty controlling her emotions. One day, she had a meltdown and kicked Baquedano down.

The principal asked Baquedano if she wanted to call the police, because the incident legally counted as assault. But not long before, the student had moved in with her family after being in and out of foster care, was beginning the diagnostic process for her disability and had been working with Baquedano on coping mechanisms. 

“Any contact with police would have really put all of that in jeopardy,” Baquedano said. “Calling the police, getting Child Protective Services involved and all that would have completely just ruined any kind of progress she’d made.” 

Baquedano decided against calling the police. “I’m never going to regret advocating for her, despite the fact that several teachers told me I couldn’t let her get away with it, and that she did this on purpose when they didn’t even know her,” she said. 

She had a choice because she worked at a charter school in Los Angeles. Staff at traditional public schools don’t have the same freedom: Under California law, they are required to make a police report if a student assaults them — and can be prosecuted if they don’t. 

A bill before the Legislature in its final week . 

But what supporters see as a common sense bill, opponents see as going too far, raising partisan tensions in an election year in which crime and education are top of mind for many voters. 

A difficult path to the Senate

, a San Jose Democrat, has been trying to get similar legislation passed for four years.

“The data very clearly shows that when law enforcement is required to come onto campus, those that they choose to arrest are disproportionately people with disabilities and students of color,” Kalra said in an interview. 

 found that students with disabilities make up 26% of school arrests, despite being 11% of total enrollment. According to a , students of color are handcuffed by police at a disproportionate rate — 20% of Black students compared to 9% of white students. 

“This bill is really a turning point in addressing issues around school climate,” said Oscar Lopez, an associate managing attorney at Disability Rights California, a sponsor of the bill. 

This is the first time Kalra’s bill has made it to the Senate, and it wasn’t easy. It barely squeaked out of the Assembly by a vote of just 41-22, with seven Democrats voting “no.” 

“It’s unfortunate that a common sense bill like this has struggled so hard to make it through the Legislature,” Kalra said. 

And opposition is organizing.

Last week, Senate Republicans , listing concerns about school safety, drug possession and the relationship between schools and law enforcement. 

“The bottom line is this is going to make our school campuses less safe,” Senate GOP Leader  of San Diego told CalMatters. “It’s going to endanger our students, teachers, administrators and even the law enforcement professionals who have to serve on these campuses.”

Law enforcement officials worry that AB 2441 could open the door to eliminating school resource officers. 

“School officials and law enforcement should work together, especially when it comes to pupils whose behavior violates the law and puts school safety in jeopardy,” said Cory Salzillo, legislative director of the California State Sheriffs’ Association. “Removing requirements just runs counter to that notion.”

If AB 2441 were to pass, there would still still be times when staff are required to call the police. Under federal law, local education agencies must call law enforcement if a student has a firearm or is caught selling controlled substances. 

Some opponents have also raised concerns about school administrators’ ability to discern between students who are selling controlled substances or just possessing them — a task they think should be left to law enforcement, particularly .

“Schools are not isolated in the community, so when there are crimes being committed, even if it’s simple possession of a controlled substance, that’s something that law enforcement should be aware of,” Salzillo said. 

The California Department of Public Health plans to announce a new fentanyl education campaign on Wednesday. 

“Fentanyl is so dangerous that we need to be all hands on deck on dealing with that crisis on our school campuses,” Jones said. “Removing this requirement of reporting is just unbelievable to me at this point in time.” 

Because of an amendment to the bill, staff would also need to notify law enforcement if someone needed immediate medical attention. 

After the Senate Republican Caucus released its analysis — and sent it to its entire press list for the first time â€” supporters of the bill accused them of fear mongering and spreading misinformation. 

“There’s been a lot of untruths shared and promoted by the opposition to this bill,” said Rachel Bhagwat, legislative advocate at ACLU California Action, a bill sponsor. 

Jones denied that’s what’s happening. 

“California voters and taxpayers are fed up with the criminal justice system in California right now,” he said. “They’re fed up with the progressive wing that’s continuing to decriminalize crime.” 

Preventing the school-to-prison pipeline

 that when young people face severe discipline at school — such as police interaction, suspension or expulsion — they are less likely to graduate high school and more likely to go to prison. 

“The interpretation of normal, age-appropriate behaviors as being threatening and criminal and dangerous is leading to a situation where young people are not getting educational opportunities in school, and they’re being funneled into further criminal contact and the criminal system,” Bhagwat said. 

Under current state law, staff are required to try other methods — such as meeting with parents, speaking with a psychologist, creating an individualized education plan or restorative justice programs — before resorting to something more severe. 

“Between counseling and other programs, there are methods to use that don’t involve punitive consequences such as a misdemeanor crime,” Naj Alikhan, senior director of marketing and communications for the Association of California School Administrators, wrote in a statement to CalMatters.

The bill would also get rid of a clause that makes it a crime to “willfully disturb” public schools and meetings. Under this provision, students could be criminally prosecuted for running in hallways or knocking on doors. 

“It’s somewhat of a vague term,” Kalra said, “and it’s been used against students who might have behavior issues. There’s a lot of different reasons why a student may be causing a disturbance and we want to give schools the ability to decide how they want to handle those situations.” 

An amendment to the bill would make it an infraction for someone to prevent a school staff member from calling the police. 

Baquedano — who  before the Senate education committee in July and now teaches in Santa Ana — said that if the bill passes, there are serious situations, like having a deadly weapon or being in possession of drugs, where she would still call.  

“There’s an assumption that we’re going to stop calling the police, and that’s not the case,” she said. “The idea that we wouldn’t have that common sense is a little insulting.” 

It’s a decision Baquedano said teachers deserve to have. 

“People should trust us — the professionals in the situation, who’ve been trained, who’ve gone through education to do this — they should be trusting our judgment,” she said. “We’re the ones who best know our students. We spend all these hours with them a year, sometimes more than parents do.”

Kalra remains optimistic that AB 2441 will pass the Senate this week and make it to Gov. Gavin Newsom’s desk. 

“You would hope,” he said, “that legislators would understand the need for us to support all students, and I’m hopeful that at least we can get this bill through to see that it’s not going to create some doomsday outcome.”

This was originally published on .

With Joe Biden out and Kamala Harris in, the Democrats’ last-minute, presumptive presidential nominee will once again have to reckon with her — and their nationwide surge since the pandemic — as she faces off against Donald Trump between now and November. 

Elected first as San Francisco district attorney and then California attorney general, Harris has offered her tough-on-crime bonafides on the newly forged campaign trail as an alternative to Trump, a convicted felon. Yet just five years ago, her signature education issue as California’s top cop — as she sometimes called herself — was . 

By portraying a crackdown on student truancy as a way to avert future criminals, Harris championed a California truancy law that set into motion a hold-parents-accountable approach that leveraged fines and jail time for chronic absences that are including health problems and homelessness.

Parents, as a result, wound up behind bars. Such an outcome, Harris said during her failed presidential bid in 2019, was an “unintended consequence.” 

• Fast forward to 2024: A coalition of education nonprofits launched a bipartisan effort last week to slash chronic absenteeism in half over the next five years, with one expert noting that punitive measures “do nothing but burden families.” 

In the news

A Big Tech reckoning on child safety? Senate Democrats renewed efforts this week to pass the most sweeping tech industry regulations in decades, with the goal of formalizing new online privacy protections for children before their August recess. Taken together, two bills would ban companies from feeding content and targeted ads to teens with algorithms and hold tech firms to a “duty of care” to ensure their products don’t harm kids. |

The White House isn’t waiting for Congress to act. In new guidance, a Biden administration task force outlines strategies parents can use to ensure their children are using the internet safely. |

From AllHere to where? The Los Angeles superintendent plans to appoint a task force to examine what went wrong — and how to move forward — after a company that built its $6 million AI chatbot went kaput. The task force will look into allegations that the company misused L.A. students’ data before it collapsed under financial strain. The allegations were first reported by yours truly. |

• Superintendent Alberto Carvalho remains committed to the supposed AI revolution in education, but Los Angeles parents are urging the rhetorically high-flying schools chief to pump the brakes and focus on pressing issues including a literacy crisis and student homelessness epidemic. |

New York educators must alert parents at least a week in advance of lockdown drills under new regulations that require the safety routines be conducted in “a trauma-informed, developmentally and age-appropriate manner.” |

Ending ‘forced disclosure’: A new California law prohibits school districts from imposing rules that require teachers to notify parents when a student changes their gender identity. |

A Justice Department lawsuit alleges that employees at Southwest Key, a nonprofit that serves as the largest operator of shelters for unaccompanied migrant children, repeatedly subjected minors under its care to sexual abuse and harassment. |

No qualified immunity: Three Honolulu police officers can be sued on excessive force allegations that stem from a 2020 incident in which the cops handcuffed and arrested a 10-year-old girl at her elementary school. “No reasonable official could have believed that the level of force employed against” the student was necessary, a panel of federal judges wrote in their decision. |

A ransomware attack targeting the Pueblo, Colorado, school district led to a massive data breach that exposed the sensitive information of students over a 15-year period. |

The high cost of cyber crime: About two-thirds of K-12 schools were hit by ransomware in the last year, according to a new report by the cybersecurity company Sophos. That’s a significant decrease from 2023, when 80% were targets. But recovery costs have surged over the last year — from $1.6 million to more than $3.75 million. |

ICYMI @THE74

• Advocates Fear Minnesota Students Will Again Be Subject to Restraint Used on George Floyd

• Youngkin Signs Order on ‘Cell Phone-Free Education’ in Virginia Public Schools

• Parents of Children with Special Needs Charge LAUSD Limiting Services, Holding Back Information

Emotional Support

I’m pleased to announce that Mika has joined the School (in)Security team after an exhaustive, nationwide search. I’m told that Mika — who was hired alongside ĂÛÌÒÓ°ÊÓ’s new editor-in-chief Nicole Ridgway — offers extensive experience and “sonar dish” ears that detect news leads with unrivaled precision. 

(Send Mika a news tip)

The found that when “race, gender and disability statuses overlap” — a concept often known as intersectionality — students “can experience even greater adverse consequences.”

“Race, gender and disability all figure prominently when it comes to arrests, but they matter differently for different groups of students,” report author Jacqueline Nowicki, the GAO’s director of education, workforce and income security, told ĂÛÌÒÓ°ÊÓ.

The GAO’s analysis of federal student arrest data found that Black and indigenous students faced school-based arrests at rates two to three times higher than those of their white counterparts. Among demographic groups, the report found, the arrest rate was particularly stark for boys with disabilities.Ìę

Students with disabilities are arrested at higher rates than students of the same gender who did not receive special education services, researchers found, however, Black girls without disabilities are arrested at a greater rate than white girls with disabilities. 

The GAO report adds the latest insight into the ongoing debate over whether police make schools safer or whether their presence feeds the school-to-prison pipeline, particularly for students of color and those with disabilities. After a Minneapolis police officer murdered George Floyd in 2020, some school districts cut ties with their local police agencies in the face of student and community protests. But many of them brought cops back after students returned post-pandemic with heightened mental health and behavioral issues. 

The report, which was mandated by Congress, found that student arrests were particularly high in schools where police officers engaged in routine student discipline — something that education and law enforcement leaders say is outside the scope of how school-based police should function. 

To reach its conclusions, the federal watchdog analyzed recent, pre-pandemic data on student arrests nationally collected by the U.S. Education Department and conducted site visits at three unidentified school districts in California, Maryland and Texas. It was on the site visits that researchers “got a flavor for what it looks like to have police in schools,” Nowicki said. On paper, the officers were not supposed to participate in routine student discipline, like acting out in class, she said, but researchers found that school officials often lacked a clear understanding “of what it means to involve police appropriately.” 

“There were districts that explicitly were not supposed to have police involved in discipline but the police were telling us that teachers and administrators were calling them for discipline issues,” she said. “There’s not necessarily a common or a clear understanding all the time about the roles and responsibilities of police in schools, even in districts that have police.” 

Mo Canady, executive director of the nonprofit National Association of School Resource Officers, said that while school policing models differ in districts across the country, they’re generally trained to refrain from getting involved in student disciplinary incidents. However, he noted that there are no national rules that specify how officers are trained or selected.

“There are national best practices or recommendations, but there are no required national standards,” said Canady, whose group provides training to school-based officers. “I think this speaks more loudly to the lack of national standards than anything else.” 

Research has for years called attention to longstanding racial disparities in student suspensions, expulsions and arrests. In one recent report, researchers found that officers perceived students as more threatening in schools where students of color made up the largest share of enrollment compared to officers who worked at campuses where students were predominantly white. 

Among academic researchers, officers’ role in preventing campus crime and violence is an ongoing question. Another paper found that placing school resource officers on campuses led to a marginal decline in some forms of school violence including fights, and a stark uptick in student disciplinary actions, especially among Black students and those with disabilities. 

In Chicago, the removal of police officers in some of the city’s high schools beginning in 2020 has shown promising results, according to new , which found that taking school cops out of the equation “was significantly related to having fewer high-level discipline infractions.” 

To the GAO’s Nowicki, the gap in arrest rates is unlikely explained by “the idea that police are just responding to significant behavioral incidents more” often in schools with a regular police presence compared to those without one.

“I am not convinced,” she said, “that the answer is, ‘Well, there’s just more crime in schools with police.’ ”

This is our biweekly briefing on the latest school safety news, vetted by Mark Keierleber.ÌęSign up below.

A Los Angeles Unified School District spokesperson confirmed they’re investigating a listing on a notorious dark web marketplace, posted Thursday by a user named “The Satanic Cloud,” which seeks $1,000 in exchange for what they claim is a trove of more than 24 million records. The development comes nearly two years after the district fell victim to a ransomware attack that led to a widespread leak of sensitive student records, some dating back years. 

Simultaneously, federal officials were citing that earlier ransomware attack in L.A. and subsequent breaches, with FCC Chairwoman Jessica Rosenworcel noting that they’ve become a growing scourge for districts of all sizes.

“School districts as large as Los Angeles Unified in California and as small as St. Landry Parish in Louisiana were the target of cyberattacks,” Rosenworcel said, adding that these events lead to real-world learning disruptions and sometimes millions in district recovery costs. “This situation is complex, but the vulnerabilities in the networks that we use in our nation’s schools and libraries are real and growing.”

“So today, we’re going to do something about it,” she said.

The five-person FCC voted 3-2 to approve the pilot, which will provide firewalls and other cybersecurity services to eligible school districts and libraries over a three-year period. While the pilot aims to study how federal funds can be deployed to bolster the defenses of these vulnerable targets, some have criticized the initiative for being too little, too late. When Rosenworcel first outlined the proposal in July, education stakeholders demanded a more urgent and substantive federal response.

Districts selected to participate in the newly approved pilot will receive a minimum of $15,000 for approved services and the commission aims to “provide funding to as many schools and school districts as possible,” it . While the funding “will not, by itself, be sufficient to fund all of the school’s cybersecurity needs,” the fact sheet notes, the commission seeks to ensure that “each participating school will receive funding to prioritize implementation of solutions within one major technological category.”

The Satanic Cloud, which posted the most recent batch of LAUSD data, told ĂÛÌÒÓ°ÊÓ it’s entirely separate from what was stolen in the September 2022 ransomware attack on the nation’s second-largest school district. An executive at a leading threat intelligence company said his team suspects the data did originate from the earlier event.

The Los Angeles district is aware of the threat actor’s claims, a spokesperson told ĂÛÌÒÓ°ÊÓ in an email Thursday, and “is investigating the claim and engaging with law enforcement to investigate and respond to the incident.”

‘It’s definitely sensitive data’

In an investigation last year, ĂÛÌÒÓ°ÊÓ found that thousands of L.A. students’ psychological evaluations had been leaked online after cybercriminals levied a ransomware attack on the system. The district had categorically denied that the mental health records had been compromised, but within hours of the story, acknowledged that they had.Ìę

Just last month, a joint investigation by ĂÛÌÒÓ°ÊÓ and The Acadiana Advocate revealed that officials at the 12,000-student St. Landry Parish School Board, located some 63 miles west of Baton Rouge, waited five months after a ransomware attack to inform data breach victims that their sensitive information had been compromised. The notice came after an earlier investigation by the news outlets uncovered that personally identifiable student, employee and business records had been exposed, despite the district’s assertion otherwise, and that St. Landry had likely violated the state’s breath notification law. Within hours of the first story publishing, the Louisiana Attorney General’s Office issued a notification warning to the district. 

The latest Los Angeles files were listed Thursday on the dark web marketplace BreachForums, briefly last month after it came under the control of federal law enforcement officials. The Federal Bureau of Investigation first targeted BreachForums in March 2023 when it, 20-year-old Conor Brian Fitzpatrick, at his home in Peekskill, New York. At the time, BreachForums was among the largest hacker forums and claimed more than 340,000 users. 

A sample file included in the L. A. listing is a spreadsheet with the names, student identification numbers and other demographic information of more than 1,000 students and their parents. Data disclose students who receive special education services, their addresses and their home telephone numbers. A list of file names suggest the records include similar information about teachers. 

Reached for comment through the encrypted messaging app Telegram, the BreachForums user who listed the Los Angeles data told ĂÛÌÒÓ°ÊÓ â€œthere is no connections” to the previous ransomware attack. The breach, the threat actor said, originated via the Amazon Relational Database Service, which allows businesses to create cloud-based databases. The service has been the that led to the public disclosure of troves of sensitive information. 

Kaustubh Medhe, the vice president of research and threat intelligence at the threat intelligence company Cyble, said the latest threat actor has a history of engaging in discussions about cryptocurrency scams on Telegram but this is the first time they’ve sought to sell stolen data. Cyble’s research team, he told ĂÛÌÒÓ°ÊÓ, sees “a high likelihood” that the data was sourced from files exposed in the earlier ransomware attack. 

“Historically, we have seen this kind of activity where old data leaks are recirculated on dark web forums by different actors,” Medhe said. Either way, Medhe said it’s incumbent on district officials to take urgent action. The files, he said, could be useful for “some kind of profiling or some kind of targeted phishing activity.

“It’s definitely sensitive data, for sure,” he said, adding that district officials should analyze the sample data set available online and confirm if the records align with their internal databases and, perhaps, those stolen in 2022. “They would need to do a thorough incident response and investigation to rule out the possibility of a new breach.” 

‘An important step forward’

During Thursday’s FCC meeting, Commissioner Anna Gomez said the pilot program was an issue of educational equity. She cited a federal Cybersecurity and Infrastructure Security Agency , which noted that as ransomware attacks and data breaches at K-12 districts have surged in the last decade, districts with limited cybersecurity capabilities and vast resource constraints have been left most vulnerable. Connectivity, she said, is “essential for education in the 21st century.”

“Technology and high-speed internet access opens doors and unbounded opportunity for those who have it,” Gomez said. “Unfortunately, our increasingly digital world also creates opportunities for malicious actors.” 

Faced with a growing number of cyberattacks, educators have for years s with money from the federal E-rate program, which offers funding to most public schools and libraries nationwide to make broadband services more affordable. It’s a move that more than 1,100 school districts endorsed in a joint 2022 letter — but one the commission declined to adopt. In a press release, the commission said the pilot was kept separate “to ensure gains in enhanced cybersecurity do not undermine E-rate’s success in connecting schools and libraries and promoting digital equity.” The pilot will be allocated through the Universal Service Fund, which was created to subsidize telephone services for low-income households. 

In , the American Library Association, Common Sense Media, the Consortium for School Networking and other groups said the selection process for eligible schools and libraries was unclear and could confuse applicants. On Thursday, the library association nonetheless expressed its support.Ìę

“The FCC’s decision today to create a cybersecurity pilot is an important step forward for our nation’s libraries and library workers, too many of whom face escalating costs to secure their institution’s systems and data,” President Emily Drabinski said in a statement. “We remain steadfast in our call for a long-term funding mechanism that will ensure libraries can continue to offer the access and information their communities rely on.”

Among the pilot program’s critics is school cybersecurity expert Doug Levin, who told ĂÛÌÒÓ°ÊÓ that many school districts lack sufficient cybersecurity expertise and, as a result, the advanced tools that the pilot seeks to provide may not be “a good fit for school systems with scarce capacity.”

“There’s no argument that schools need support,” said Levin, the co-founder and national director of the K12 Security Information eXchange. But the FCC’s “techno-solutions point of view to the problem,” he said, is far too small to make a meaningful impact and could instead prompt a vendor marketing surge that “may end up convincing some [schools] to buy solutions that, frankly, they don’t need.” 

More than 7,000 cameras equipped with artificial intelligence capabilities will be installed in Newark schools, under a $12 million contract approved Thursday by the Newark Board of Education.

District officials say the high-tech surveillance system is meant to make schools safer, but that systems with such capabilities could result in an invasion of privacy or could potentially misidentify items or students.

Turn-Key Technologies Inc., based in Sayreville, N.J., will install the cameras and their required servers and storage across schools this summer as part of a two-year contract. Approving the contract was “time-sensitive,” said Valerie Wilson, Newark’s school business administrator, as district officials want the 7,700 cameras – roughly one for every five students – in place by Aug. 31, before the start of the new school year.

Get stories like this delivered straight to your inbox. Sign up for ĂÛÌÒÓ°ÊÓ Newsletter

The project will be funded in part by federal COVID relief dollars, specifically, American Rescue Plan dollars that expire at the end of September, in conjunction with local funds and grants, Wilson added.

Board member Vereliz Santana said the project was “comprehensive and ambitious” and asked for routine updates as installation begins in June. Other members raised questions about how the system would work to detect vaping.

“It’s a large bid, as you can see from the funds that are being allocated, but we want to make effective use of our federal funding,” said Wilson during Thursday’s meeting.

The new system comes as city leaders and advocates call for measures to reduce violence among youth in Newark.

The city will begin enforcing a youth curfew on Friday. The rule is in response to an increase in youth violence, said , which includes two shooting incidents this school year. In November, a 15-year-old Central High School student was shot during a drive-by and in March, another two students were shot outside West Side High School.

Turn-Key’s new system will expand the district’s surveillance capabilities, going beyond its current camera system to detect weapons and track people and cars across schools by using license plate and facial recognition. Last year, Newark schools said new technology was needed because its current security set-up is “outdated, inefficient,” pointing to no remote access, storage, and other limitations.

In May 2023, the district said it expected to install cameras by the end of that year after requesting bids from surveillance technology companies in September 2023. But the installation was delayed for almost a year after bidders did not meet the New Jersey Alarm or Locksmith License requirement, prompting the district to revise its project specifications and request bids for a second time in April 2024, Wilson said.

In addition to upgrading the district’s surveillance technology, the new setup will use an “Avigilon surveillance system,” a type of framework that allows Newark to expand its systems as security needs change or develop, said Jermaine Wilson, a senior research engineer , a security and surveillance research group.

That system will work with that can detect vape, gun sounds, and abnormal noise in areas where there are no cameras such as bathrooms, according to the district’s request for proposal.

“I want to be very clear to everybody that in no way shape or form will this result in an invasion of privacy of anyone’s students, staff, or otherwise,” Wilson said. “Cameras and devices will not and cannot be placed in areas that are not approved and authorized.”

The contract was approved by all school board members except Crystal Williams who abstained from voting. During the Thursday meeting, board member Josephine Garcia said vaping in schools is an issue the district has “been battling and sounding the alarm on for quite some time.” She requested clarification on the type of vape sensors that will be used in schools, an explanation that would be given during the board’s private operations committee meeting this month due to security concerns, Wilson said.

“So as we talk about our safety and security initiatives, we want to ensure that we do not provide all of our information in the public domain,” Wilson added.

Superintendent Roger León said the district is in conversation with the city’s Office of Emergency Management “about a number of things” that are set to take place this coming school year. He would share more information with the public “once those initiatives are in effect,” León added.

Wilson also said city police officials would not have access to the system, which includes cameras inside and outside of school buildings and other district locations.

The district has spent millions to increase security over the years. The school district to scan students for contraband and weapons and added six new patrol cars for school safety officers. It also provided its security guards with training on bag scanners, active shooter response, and the district’s drug and alcohol policy. Newark plans to hire more security guards and update its software to track school incidents.

Thursday’s contract was approved during May’s reorganization meeting where Haynes, Santana, Helena Vinhas, and Kanileah Anderson were sworn in after winning . Hasani Council was chosen as board president, along with Santana and Allison James-Frison as co-vice presidents.

Jessie GĂłmez is a reporter for Chalkbeat Newark, covering public education in the city. Contact Jessie at jgomez@chalkbeat.org.

This was originally published by Chalkbeat. Sign up for their newsletters at . Chalkbeat is a nonprofit news site covering educational change in public schools.

Pew Research Associate Luona Lin called the findings released Thursday “jarring”: Nearly a quarter of educators said they experienced a lockdown due to a gun — or fears of one — on their campus last school year.

Teachers who work in high schools, and those located in urban areas, were far more likely to experience lockdowns. Among high school educators, 34% reported at least one gun-related lockdown during the 2022-23 school year, as did 31% of those who teach in urban areas.

“One of the most striking findings is just the sheer number of teachers who say they have experienced a lockdown,” Lin told ĂÛÌÒÓ°ÊÓ. Pew sought to probe educators’ perspectives of school gun violence after researchers conducted interviews to understand their “day-to-day lives and their perspectives” on hot-button issues, she said. Gun violence came up again and again. 

“A lot of teachers definitely talked about worrying about school shootings happening in their school,” she said. “One of the teachers we talked about it with actually said, ‘I think about it every day.’”

Though the Pew data don’t offer insight into the frequency that firearms are ultimately found, tallies on campus attacks have shown a staggering upward trend, with record numbers over the last three years.

Just this week, James and Jennifer Crumbley to 10-15 years in prison after being found guilty of involuntary manslaughter for their role in failing to prevent a 2021 school shooting that was carried out by their then-15-year-old son. The shooting at his Oxford, Michigan, high school led to the death of four students. The Crumbleys are the first parents in U.S. history to be sentenced to prison in response to an active shooting perpetrated by their child. More than two-thirds of active shootings at K-12 campuses were carried out by perpetrators between the ages of 12 and 18, . 

For some teachers who participated in the Pew poll — 59% of whom say they worry about a school shooting unfolding at their schools — gun-related lockdowns are frequent. While 15% said they experienced one lockdown last school year, 8% said they were forced to take cover at least twice. 

The new data on the opinions of K-12 teachers comes roughly 25 years after the 1999 Columbine High School shooting in suburban Denver, which became a national flashpoint on school violence after two student gunmen killed 13 of their classmates before taking their own lives. Since then, national spending on school security has surged — and so, too, have the number of campus attacks.

Though school shootings are politically fraught and carry devastating consequences for communities, they remain statistically rare. Between 2000 and 2021, there have been 46 “active shooter incidents” at K-12 campuses, which resulted in 108 deaths and 168 injuries, according to . Active shootings are defined as those where a gunman fires indiscriminately at people in a public place like a school. 

Beyond active shootings like those at Oxford and Columbine, federal data on campus gun incidents indicate 188 shootings that resulted in casualties during the 2021-22 school year— more than twice as many as the year earlier, which at the time was a record high.

While a majority of educators fear school shootings, 39% said their school has done a fair or poor job preparing for one while 30% — particularly those with school-based police officers — said their district has done an excellent or very good job. 

In preventing future attacks, 69% of educators endorsed efforts to improve mental health screenings and treatments for children, 49% supported campus cops and 33% favored metal detectors. 

Just 13% of teachers who participated in the Pew survey said arming educators would be an extremely or very effective approach to prevent the tragedies. 

Teachers’ responses were often similar to those offered by parents and students in previous Pew surveys on school shooting fears and preparation — with all parties being swayed, at least in part, by partisan politics. 

Republican-leaning educators were more likely than their Democratic colleagues to support campus police, metal detectors and arming teachers. Democratic teachers were more likely than GOP educators to support efforts to improve students’ mental health. 

In , two-thirds of parents said they were at least somewhat worried about a shooting unfolding at their child’s school, and 63% endorsed improvements in mental health for students as a way to prevent shootings, a rate higher than any other intervention. 

In , from 2018, 57% of teens said they were somewhat or very worried about a school shooting occurring on their campus. 

Pew’s educator survey included responses from 2,531 public K-12 teachers in October and November who are members of , a nationally representative sample of U.S. educators. 

“Gun violence and all of these gun policy issues, they are definitely partisan,” Lin said. “The views of teachers, the views of parents, are reflective of the overall population’s views on this, and definitely the partisan differences as well.”

The Minnesota House of Representatives voted 124-8 Monday afternoon to approve legislation that removes a ban on school resource officers using prone restraint on students. The bill now moves to the Senate for consideration.

Nearly four years after George Floyd suffocated to death while being pinned face down to the pavement by a police officer, Minnesota Democrats are fast-tracking legislation that would undo a less-than-year-old ban prohibiting school-based cops from using that same type of restraint on students. 

As early as Monday, the state’s House of Representatives is slated to consider a proposal that presents a drastic departure by Democratic Gov. Tim Walz — rules that explicitly barred school resource officers from using face-down “prone restraint.”

The ban was part of a broader police reform movement that followed Floyd’s murder. The fatal physical hold led to the largest civil rights protest in U.S. history, a national reckoning on racism, policy reforms that sought to address police brutality and, in Minneapolis and dozens of districts nationwide, the removal of sworn officers from school campuses. In Minnesota, new state rules barred police officers from using chokeholds on people and prone restraints were banned in the state’s prisons. 

Now, as the state’s Democrats make a 180-degree turn on the campus reform, education equity advocates have accused state leaders of falling to the political pressure of law enforcement groups ahead of a November election where party lawmakers seek to maintain their narrow majority in the state House. The proposal cleared the House Ways and Means committee earlier this week. 

Physical restraints have for children including injury and, in some cases, death. Yet for Republican lawmakers and law enforcement, the change in Minnesota went a step too far. Police departments statewide pulled their cops from schools in protest of the restraint restriction. 

During a recent Senate Judiciary and Public Safety Committee hearing, Democratic Sen. Bonnie Westlin, lead sponsor of the Senate version of the bill that would restore prone restraints in schools, presented it less as a backtrack and more as an opportunity. The issue is about ensuring campus cops remain “important team members in our schools,” Westlin said, while creating uniformity across school resource officers’ duties, their training requirements and accountability.  

Along with removing restraint rules for school-based police and campus security staff, the pending legislation would allocate $150,000 this year to develop consistent, statewide training standards for school resource officers and require police to complete the lessons before working on campuses. The bill also seeks to clarify that school-based police officers should not be involved in routine student discipline. 

“When a local community determines that they would like to engage SROs, we want to make sure there is uniformity about expectations for everyone concerned,” Westlin said.

Advocates who lauded the prone restraint ban, however, say that lawmakers have turned their backs on Floyd’s legacy. 

“How is it that — in the state where this man gets killed and the world erupted — that we are not the leading people who are banning this on our kids?” asked advocate Khulia Pringle, the Minnesota director of the National Parents Union and a steering committee member of the Solutions Not Suspensions Coalition, a group of education nonprofits that has lobbied against the legislation. “It’s banned in prisons, it’s banned for students with disabilities. 

“Why can’t we extend that same courtesy to all children?” 

The ‘fix’

Presented by Democratic leaders as an “SRO fix” bill, the proposal comes after police departments got wind of the restraint ban last fall — an under-the-radar change in a larger education bill that passed without opposition. In response, about 40 law enforcement agencies removed their school resource officers from campuses. 

, school resource officers and campus security personnel are prohibited from using face-down prone restraints and “certain physical holds,” including those that restrict or impair “a pupil’s ability to breathe” or their “ability to communicate distress.” 

The ban represented an extension of state rules that have been on the books for years. In 2015, after that “it is only a matter of time before a Minnesota child is seriously injured or killed while in prone restraint,” lawmakers banned educators from using the technique on children with disabilities. Nationally, that curtail educators from using prone restraints and other tactics that restrict students’ breathing. 

In Washington, D.C., Democratic lawmakers have sought for years to pass . Nationally, about 35,000 students were placed in physical restraints at school during the 2020-21 school year, from the Education Department’s civil rights office. Black students represented 15% of K-12 school enrollment and 21% of those placed in physical holds. Meanwhile, students with disabilities represented 14% of the national enrollment — and 81% of those subjected to restraints. 

After the new changes were put in place in Minnesota and students returned to classes last fall, law enforcement agencies argued it stirred confusion among their ranks, opened their departments to lawsuits and tied their officers’ hands in how they work to keep schools safe and combat crimes like vandalism. Republican lawmakers seized on the furor and demanded a special legislative session to repeal the law. 

The Coon Rapids Police Department, located in a northern Minneapolis suburb, is among the agencies that removed its officers from schools. That decision was reversed and the agency’s four campus cops after the state attorney general issued a clarification on the law’s limits. The school resource officer program was put on hold temporarily last fall in part because of how officers are trained to do their jobs, Captain of Investigations Tanya Harmoning told ĂÛÌÒÓ°ÊÓ. She said she wasn’t sure how often prone restraint had been used by her officers inside schools. Regardless of whether an officer is stationed inside a school building or on a city street, she said, they “are all trained in the same tactics.” 

“Our officers are trained a certain way to handle certain situations,” she said. “Some of these people transition back out onto the road, so to expect them to transition from ‘you can do it here, but you can’t do it here,’ kind of thing, that’s just not how we train our people.”

In last fall, Attorney General Keith Ellison clarified that the ban didn’t restrict officers from using prone restraints in cases involving imminent harm or death, which offered assurances to many law enforcement agencies that agreed to return officers to schools. 

The special session that Republicans and police brass demanded didn’t come to fruition but the issue has become a top priority this year for Gov. Walz and his Democratic-Farmer-Labor Party, which controls both chambers of the state legislature. 

State officials and education leaders have sought to frame the debate as being not about prone restraint, but rather the need to get police back in schools. 

‘The voices of all stakeholders’

When Democratic Rep. Cedrick Frazier appeared before the House Education Policy Committee in mid-February, he acknowledged the timing of his testimony: “We are not far removed,” he said, “from the tragic murder of George Floyd.” 

He pivoted to a state law passed in response that banned police from using chokeholds — rules that he said were critical to their discussions about school-based police. With the chokehold ban in place, he suggested the prone restraint prohibition was unnecessary. 

“The tension and anxiety that has been discussed, in large part, stems from the egregious visual of that tragic day,” Frazier testified. But even without a ban on prone restraints, he said that state law would continue to prohibit school-based officers from pinning students to the ground in ways that restrict breathing.

“Our only focus must be doing everything we can to ensure that while our young people are in our schools, that we ensure that their environment is safe from any type of harm,” Frazier said. “We must ensure our young people have the best environment to have the best possible outcomes.” 

His testimony didn’t explicitly touch on prone restraints or why police needed greater autonomy around their use in classrooms. Representatives for Frazier and the governor didn’t respond to requests for comment and state Sen. Westlin’s office declined an interview request. 

In his testimony, Education Commissioner Willie Jett focused on schools’ need for campus police officers and the bill’s new training requirements. He, too, didn’t touch specifically on restraint procedures. 

“SROs are viewed by many as essential to maintaining safe and secure learning environments and data from the tells us that an overwhelming majority of students from all demographic areas value the SROs in their schools,” Jett said. 

In Minnesota, state education officials have sought to reduce schools’ reliance on restraint tactics for years. The reveal that students with disabilities were subjected to more than 10,000 physical restraints during the 2021-22 school year, with such holds disproportionately used on Black and Indigenous students. Frequently, , these holds result in injuries — and more often for adults than children. During the 2021-22 school year, districts reported 733 staff injuries from placing students in restraints — a rate that equates to about one staff injury for every 14 physical holds. That same year, 161 students were reported injured.  

Frazier’s work leading the reform bill appears to be at odds with his broader championing of policing and public safety. After Floyd’s murder, Frazier became known in the state as in favor or progressive police reforms, often drawing on his personal experiences with inequities growing up as a Black teen on Chicago’s South Side. In September, as police agencies statewide began pulling officers from schools, Frazier signaled his support for the new prone restraint ban. The House People of Color and Indigenous Caucus, which Frazier co-chairs, released a statement expressing that same sentiment.

“The provision in the education bill passed earlier this year related to school personnel is clear: School staff, including school resource officers, are not allowed to use prone restraints,” or other holds that restrict a student’s ability to breathe, the caucus wrote in the statement, which bore Frazier’s name. Given the attorney general’s opinion extending SROs’ authority to restrain kids in serious cases, the group wrote, “changes to the law are not needed.”

In Republican’s unsuccessful bid to force a special legislative session, they found common ground with Education Minnesota, the state teacher’s union, which noted that on how to protect themselves and students during potentially dangerous situations. In 2021, union spokesperson Chris Williams told ĂÛÌÒÓ°ÊÓ the group was concerned about “the ongoing racial disparities that we know exist in the use of restrictive procedures,” and noted support for rules that prohibited prone restraint in classrooms. 

Williams didn’t respond to a list of questions about the pending legislation introduced by Frazier who, along with being a state representative, works as a . 

‘Prone kills kids’

When Matt Shaver testified at the House education committee last month, he opened with a grim warning: “Prone kills kids.”

“We are advocates for kids — and prone kills kids,” said Shaver, the policy director of the nonprofit EdAllies, which is a member of the Solutions Not Suspensions Coalition working to maintain the current prone restraint ban. “This is not about whether SROs belong in schools,” as lawmakers and state education officials have cast the conversation, he said. “This is about whether we believe holds that kill children belong in school.” 

Shaver cited which examined childhood fatalities that stemmed from physical restraints over a 26-year period. Researchers identified 79 incidents where restraints led to deaths in settings including foster homes, psychiatric agencies and schools. Deaths were most common when children were held in the face-down prone restraints — and most often for benign childhood behaviors like failing to remain silent or sit without wriggling. Investigations into the fatalities found that adults routinely failed to follow proper restraint policies and laws. 

“In 15 fatalities, children vomited, urinated or turned blue during the restraint,” researchers concluded in the 2021 study, which was published in the academic journal Child & Youth Care Forum. “These signals should have been detected by an adult monitoring these events and immediately triggered a change in tactics or discontinuation of the restraint.”

Shaver told ĂÛÌÒÓ°ÊÓ he believes the Democrats are reacting to the politics of the police “work stoppage” and a desire not to appear soft on crime ahead of the November election. That has placed them in the position, he said, of wanting to overturn the restraint restriction, but “not in a way that will freak out their base.” 

“They may have failed at doing that,” Shaver said.

In about a third of Florida school districts, and concentrated in rural panhandle enclaves like Daniels’s Liberty County, corporal punishment as a form of student discipline remains deeply ingrained in the culture. It’s why on this morning in early December, school leaders instructed the 18-year-old to bend over a desk.

What came next — a paddling that left deep purple bruises and welts for a minor school offense that Daniels said stemmed from a misunderstanding about Christmas decorations on a campus door — was far beyond routine student discipline, the Liberty County High School senior told ĂÛÌÒÓ°ÊÓ.

It was, she alleges, sexual assault. 

“They were so eager to go in there and spank me,” said Daniels, who said she was struck by Assistant Principal Tim Davis, a former Major League Baseball player who pitched for the , while Principal Eric Willis observed and laughed. “They took their time, they watched me.”

Liberty County School District officials didn’t respond to multiple interview requests. Reached by ĂÛÌÒÓ°ÊÓ on his cell phone, Davis declined to comment on the incident or allegations that his use of force was sexual assault.  

The incident, which has sparked controversy in Florida’s least populous county roughly 50 miles west of Tallahassee, comes as state lawmakers debate the fate of rules that have long permitted teachers to spank students as a disciplinary measure. A significant body of research suggests that corporal punishment has the opposite effect of improving student behaviors and a data analysis by ĂÛÌÒÓ°ÊÓ shows in parts of Florida, it’s most often used to address minor infractions like “excessive talking,” “insubordination” and “horse play.” 

where laws explicitly allow educators to use corporal punishment on students, and the practice is not expressly prohibited by laws in an additional seven states, according to by the U.S. Department of Education. In a letter last year, Education Secretary Miguel Cardona urged state lawmakers and school leaders “to move swiftly toward condemning and eliminating” a practice that “can lead to serious physical pain and injury,” is associated with heightened mental health issues, stunted brain development and hindered academic performance. Nationally, federal data show that corporal punishment is disproportionately used on students of color and those with disabilities. 

Prompted by the advocacy of two Florida college students, there is now , where roughly a third of districts use corporal punishment to discipline kids, that would require educators to get permission from parents each year before spanking their children. The measure would also ban the use of physical force on students with disabilities. The bill garnered unanimous support in a state House subcommittee last month. Yet a companion bill in the Senate has remained stalled and lawmakers worry the effort will falter this legislative session — as similar efforts have for years. 

Rep. Katherine Waldron, a Democrat who co-sponsored the bipartisan bill, said the subcommittee hearing was the furthest any effort to reform state corporal punishment rules has gotten to date. She credited the momentum to student advocacy, and specifically to the University of Florida students who launched a statewide campaign to change the law. 

“It’s great that we have this level of student involvement in the whole process and they’re really helping to push the bill and they’re learning a lot,” Waldron said. “Any time we have that kind of momentum for a good bill like this, I think representatives should pay attention and try to help.” 

In Liberty County, Daniels said that school officials accused her of lying to a substitute teacher and using her position in the school honor society to get her friend out of class to help with the holiday decorating. When school administrators approached her about the incident a week later, they gave her two options: in-school suspension or corporal punishment — a choice she said left her feeling coerced. The entire incident stemmed from an honest misunderstanding, she said, and accepting in-school suspension would have required her to miss an exam for a dual-enrollment college class and to be late for work at Chick-fil-A. 

She chose to get spanked. 

“As soon as it happened, I really just felt sexually assaulted. I felt disgusted with myself that I even kind of gave them permission,” said Daniels, who transitioned to online-only instruction after the incident and fears she may someday run into Davis or Willis at their small-town grocery store. Daniels has spoken out against corporal punishment in Florida schools and her paddling . Her mother calling on lawmakers to ban the “systemic issue prevalent across 19 school districts in Florida.” 

“I felt like they really just got off by it,” Daniels said, adding that a parent could face child protective services investigations for leaving similar bruises on their kid. “I don’t even think I could look them in the eyes now, not even now. And you know about my senior year, after the situation I really truly started realizing, I’m not going to have a senior year anymore.” 

‘You can get a paddling’

In recent years there have been numerous cases in Florida that resemble the one involving Daniels. Yet even in districts where parents can opt their children out of being hit as a form of discipline — and even in incidents where parents accuse educators of going too far — law enforcement officials have pointed to a state law permitting the practice. Kristina Vann, Daniels’s mother, said she had not given Liberty County educators consent to hit her daughter.

That didn’t stop Assistant Principal Davis from drawing the paddle. 

Daniels reported the incident to the Liberty County Sheriff’s Office and, in an interview with ĂÛÌÒÓ°ÊÓ, Undersheriff Robert “Dusty” Arnold acknowledged the agency looked into the case but said they don’t plan to pursue criminal charges. He called the case “a non-issue” involving a permitted form of discipline that Daniels had consented to. The entire incident, he said, was “being blown out of proportion.” 

“It’s the state law,” Arnold said in an interview. “And if you choose to take a paddling, you can get a paddling. My understanding is she was given options and she chose that.”

Sam Boyd, a supervising attorney at the nonprofit Southern Poverty Law Center, which has in Florida and nationally, said he’s aware of “a fact pattern” of corporal punishment incidents “that may be much more of a serious sexual assault than punishment.” 

The case involving Daniels, who is an adult in the eyes of the law, presents its own set of complicated legal questions, he said. 

“To the extent that schools are stepping in for parents, if that’s the theory behind corporal punishment, it’s hard to see how that makes any sense in the context of people who are legally adults,” he said. “As a policy matter, it doesn’t make any sense to be using corporal punishment against adults, although of course it doesn’t in our view, make any sense to be using it against minors either.” 

Florida’s law permitting corporal punishment in schools has been used in previous incidents to shield educators from criminal charges. In 2018, for example, against a Lake County bus monitor who was accused of using in ways that constituted child abuse, including grabbing children by their faces, twisting their heads and pushing them against a wall in the bus. Prosecutors concluded that the state law superseded a school district policy banning corporal punishment. 

Three years later, in 2021, an elementary school principal in Hendry County was caught on video spanking a 6-year-old girl with a wooden paddle despite a district policy prohibiting such actions. Although the state corporal punishment law requires educators to comply with local district rules, prosecutors declined to pursue charges and claimed the girl’s mother — an undocumented immigrant who filmed the encounter and shared the footage with a local television station — had consented to the beating and at no point spoke up to “raise any objection.” 

The Hendry County incident prompted an investigation by ĂÛÌÒÓ°ÊÓ, which revealed numerous incidents where students had been subjected to corporal punishment in school districts across the country where that practice had been outlawed. 

For University of Florida student Graham Bernstein, that investigation served as a wake-up call. The Hendry County incident coincided with another failed legislative effort to ban corporal punishment and he felt that more needed to be done to stop the practice, he told ĂÛÌÒÓ°ÊÓ. He joined up with a classmate, Konstantin Nakov, and wrote the bill now pending in Tallahassee that the duo hopes will persuade state officials to view Florida’s history of corporal punishment in a different light. 

The business of hitting kids

First, Bernstein and Nakov set out to get a better understanding of corporal punishment in Florida which, according to state data, was used to punish 509 students last school year.

Through emails and public records requests with districts statewide, the students found that the practice was being used to discipline the same students repeatedly — about half of whom were in special education — and often for minor classroom infractions. In Columbia County, records shared with ĂÛÌÒÓ°ÊÓ revealed, spanking was primarily reserved for elementary school students. Of the 824 incidents of corporal punishment in the north central Florida county between August 2018 and May 2022, 84% were attributed to minor infractions including the use of inappropriate language, disrupting the classroom environment and inappropriate use of electronic devices. Fewer than 13% of incidents were initiated after a student hit a classmate.

The practice was also used more than a dozen times at Pathways Academy, an alternative education program in Columbia County that it specifically serves students “with behavior, academic and attendance barriers” and those with disabilities who need additional support “to overcome their own barriers.” 

Columbia County school district officials didn’t respond to requests for comment about their corporal punishment practices. 

While previous efforts to ban corporal punishment in Florida schools have focused on the research suggesting it’s an ineffective disciplinary tool and has negative consequences for students, Bernstein and Nakov used another tact to get support from Republicans, who represent the rural, predominantly conservative counties where the practice is primarily used. 

They took a page from GOP Florida Gov. Ron DeSantis’s playbook and presented the issue as one of parental rights.

“I don’t know what it is about conservative Republicans, but some of them just think that it’s a good disciplinary intervention to strike children,” Bernstein said. “A big emphasis has been recently on the whole idea of parental rights and making it so the government doesn’t have the ability to do something without a parent agreeing to it. And so we thought we can apply that here. 
 Especially with some of these more conservative legislators, who are really zealous supporters of this idea of parental rights, let’s test their rhetoric against them and see if it sticks.” 

Still, getting buy-in from lawmakers wasn’t easy, said Nakov, who graduated from the University of Florida last year and now attends medical school in Bradenton, Florida. He and Bernstein have spent the last several years sending emails to legislative offices and taking road trips to the statehouse to speak with potential sponsors. 

Rep. Mike Beltran, a Republican from Apollo Beach who co-sponsored the bill, said the legislation fits in line with other efforts in Florida to bolster parental rights. 

“I don’t think the parents should spank the kids either, but certainly the school should not be doing it and certainly the school should not be doing it without the parents’ approval or knowledge,” Beltran said. “There’s no due process — there’s no due process at all — and you’re going to spank them?”

If Florida bans corporal punishment and educators fail to comply, Beltran said that students and parents should “sue their pants off.” 

‘I took it very easy on her’

Back in Liberty County, Brooklynn Daniels’s mother used a school communication platform to confront Davis on the way he spanked her daughter. In a text chat on the app ParentSquare that she shared with ĂÛÌÒÓ°ÊÓ, Vann offered the assistant principal photographic proof that her daughter’s “butt is red all over,” from the paddling. Davis declined the photo and defended his actions. 

“I can assure you I took it very easy on her,” Davis wrote. “I’m teased by staff in the front office about how soft I swing a paddle and I took it especially easy on Brooklyn, as I do with any female.” 

Vann was floored at his characterization, especially given Davis’s career in professional baseball in the 1990s, which also included stints with the Tampa Bay Devil Rays and . 

“That man went from swinging bats for a living to beating children,” she said. “So how do I know where he went to school to learn how to — instead of hitting a baseball out into the outfield — to gently swing a paddle to hit my kid?” 

Vann sees insular, hometown favoritism at the root of how school leaders handled her daughter and defended Davis, a Liberty County High School alumnus. The family moved to the rural county from urban Tallahassee — and longtime residents, Vann said, resented Brooklynn.

“She’s made homecoming twice, she’s a cheerleader, she’s well known in the community. She’s made her mark here and she’s not from Liberty County,” she said. “We have what they call the good ol’ boys system here. If you’re not born and raised here, they’re not going to protect you and they don’t like you. They don’t like outsiders.” 

To Undersheriff Arnold, a fourth-generation Liberty County resident, the culture of school corporal punishment contributes to a polite community where people refer to others by “sir” and “ma’am.” He recalled the times when he was paddled inside the local schools, where he and other students were sternly punished “if you got out of line.” 

“It’s a lot of what our country is missing now: Too many people get away with too many things and there’s no punishment for anything, there’s no accountability for anything anymore,” Arnold said. “When you’re held accountable, it keeps you in check.” 

Arnold said he isn’t aware of any other instances in the county where a student reported school corporal punishment to law enforcement. He described the incident involving Daniels as one where a high school beauty pageant contestant has sought to rake in views and likes on social media. He offered a steadfast endorsement of local education leaders, adding that he’s “a little bit passionate when it comes to our school district.” 

“I know what kind of school we have, I have children at that school, and I trust those individuals with my kids’ lives,” he said. “They are good people — they are really good people. They don’t want to do anything else in this county but help these children get an education.”

Yet for Daniels, she can’t get away from the thick wooden paddle and the bruises it left on her body.

“It was black and blue and purple and yellow and you could see where all the bruises had already started forming” in just minutes, she said, after she left the principal’s office and rushed into a school bathroom.

“It’s insane how hard they hit me.”

She had just taken her son out to target practice in what she described on social media as a “mom and son day testing out his new Christmas present:” a 9-millimeter pistol the high schooler referred to online as “My new beauty.”

The images were pivotal to an unprecedented conviction this week that legal scholars predict could create a new tool for prosecutors as the nation looks for ways to stem a record-setting uptick in mass shootings.

“This is the last picture we have of that gun until we see it murder four kids on Nov. 30, and the person holding it is Jennifer Crumbley,” Oakland County Prosecutor Karen McDonald said before a jury convicted the mother on four counts of involuntary manslaughter — one for each of the students her son gunned down at Oxford High School. 

“She’s the last person we see with that gun,” McDonald said. 

Crumbley is the first parent to be held directly responsible for a school shooting carried out by their child, turning on its head a bedrock legal principle: People cannot be held responsible for the actions of others.

“Look, I thought this case could go either way and still when the result came out I was a bit stunned because it’s such a deep legal principle,” Ekow Yankah, a University of Michigan law professor, told ĂÛÌÒÓ°ÊÓ.

And if other parents are charged in connection with shootings acted out by their children, Yankah said, the Crumbley conviction may make them more likely to accept a plea deal behind closed doors.

“Prosecutors will be tempted to use this power in ways that we don’t see,” he said. “A prosecutor is going to sit across from a parent when people are crying out for somebody to be held accountable and the prosecutor is going to be able to say, ‘I’m offering you three years to five years in prison, but if you don’t take this deal, I will prosecute for 15 years.’ ” 

For gun control advocates and the parents of children killed in their classrooms, the landmark trial’s outcome was welcomed. Craig Shilling, the father of Oxford shooting victim Justin Shilling, told a local TV station the conviction is “definitely a step towards accountability.” About three-quarters of school shooters obtain their guns from a parent or another close relative, according to a . In about half of cases, the guns had been readily accessible. 

The conviction is in many ways a watershed moment that hinged heavily on portrayals of Crumbley as a neglectful mom who paid more attention to her horses and an affair than to the son she’d gifted a gun to as he struggled with his mental health and exhibited violent behaviors. 

In this case, the gunman was charged as an adult while his mother was found guilty of crimes that stemmed from her role as an egregiously aloof and reckless parent. The gunman pleaded guilty in October 2022 to 24 charges, including first-degree murder and terrorism causing death, and was sentenced to life in prison without parole in December. 

The shooter’s father, James Crumbley, is scheduled to face a similar trial next month. 

Yankah, the UMichigan law professor, told ĂÛÌÒÓ°ÊÓ he wasn’t aware of any other cases where a parent was held liable for the crimes of a child who was simultaneously considered “a legal agent” and therefore responsible for his own actions. 

It’s not the first time a parent has been held legally responsible for crimes committed by their children —including in helping their child secure a firearm later used in a mass shooting. Still, experts said the Crumbley case does present a significant escalation in a generations-long push to hold parents accountable for the misdeed of their kids.

One , published in the Utah Law Review in 2008, noted that such efforts appeared cyclical, noting that “every couple of decades or so” lawmakers claimed to “discover” the idea of holding parents to account for teenage crimes. 

Punishing parents

which impose civil or criminal liability on adults under the premise that their failures to take control as parents led to their kids’ bad acts. There is research that ties youth delinquency to poor parenting. 

One recent parental responsibility law, , specifically addressed guns. It imposed civil liability on parents for negligence or willful misconduct if they allow their minor children to use or possess guns if the child has been adjudicated delinquent, was convicted of a crime, has the propensity to commit violence or intends to use the weapon unlawfully. 

Efforts to hold parents accountable for their children’s behaviors are rooted in the very origins of the nation’s juvenile justice system in the early 1900s, which authorized the state to intervene when parents failed in their duties, and their constitutional implications. By the 1970s, the report notes, lawmakers began to place a greater emphasis on parents as a factor in juvenile crime and turned to

Little is known, however, about whether such efforts have been effective in reducing juvenile crime. Eve Brank, a professor of law and psychology at the University of Nebraska-Lincoln, told ĂÛÌÒÓ°ÊÓ that she is unaware, after decades of researching the emergence of parental responsibility laws, of “any empirical research that shows that imposing punishments on parents because of the actions of the children will decrease juvenile crime.”

She is also unaware of any data indicating how frequently those laws are used. In 2015, she , who reported infrequent enforcement. Through her research, Brank has identified three types of such laws: civil liability, contributing to the delinquency of a minor and parental involvement. 

Under the statutes, parents can be held responsible for helping or encouraging their child to commit a crime and financially liable for damages. They can also be required to pay fines or attend parenting classes due to their children’s criminal acts. 

Among them are truancy laws, which require students to attend school. In New Jersey, for example, parents who don’t compel their children to attend school can face disorderly conduct charges and fines. Such efforts, however, have been heavily criticized — including during the 2016 presidential election when Vice President Kamala Harris was that imposed jail time and fines on parents in truancy cases while she served as state attorney general. 

In 2017, Pennsylvania lawmakers reformed state truancy rules and made them less punitive after a Reading County woman was found dead in 2014 while serving a two-day jail sentence for her children’s truancy because she was unable to pay a $2,000 fine. 

“Many of those statutes came under a lot of strain in the last say 15 years,” including ones around truancy, Yankah said, adding that people were skeptical about whether they addressed the root causes underlying the social problems they sought to address and could uphold long standing racial disparities in the judicial system. “Frankly, communities of color really learned that — as is so often the case — when we pass more criminal statutes the people who are in the crosshairs are politically vulnerable. It was a lot of Black mothers, and so those statutes kind of faded out of popularity.” 

In some cases, parental responsibility laws have failed under court scrutiny. Among them is an ordinance in Maple Heights, Ohio, that for “failing to supervise a minor” if their child committed what would be considered a misdemeanor or a felony if it had been carried out by an adult. The in 2008 after a parent faced charges after her 17-year-old son was accused in juvenile court of carrying a concealed weapon, resisting arrest and failing to comply with a police officer. 

Meanwhile, officials have also sought to hold parents responsible when their children bully other kids. In 2016, the city council in Shawano, Wisconsin, passed an ordinance that on parents who failed to address their child’s harassment directed at other kids. 

In a high-profile cyberbullying case from 2013, a Florida sheriff bemoaned his of a girl who was charged criminally for harassing a 12-year-old classmate so relentlessly online that it led the girl to die by suicide. Among the harassment was an online message encouraging the 12-year-old to “drink bleach and die,” yet the parents continued to give the bully access to social media. 

“I’m aggravated that the parents aren’t doing what parents should do,” Polk County Sheriff Grady Judd told reporters at the time. “Responsible parents take disciplinary action.” 

A new category of parental responsibility

Crumbley’s conviction, Brank said, “doesn’t fit into any of these categories” of traditional parental responsibility laws and is instead a first-of-its-kind extension of the manslaughter statute. 

As officials seek to crack down on mass shootings, the Crumbley case is one of several recent examples where prosecutors sought to hold parents accountable when their children carried out what once were unthinkable acts of violence.

In December, a Virginia mother was for felony child neglect after her 6-year-old son brought a gun to his Newport News elementary school and shot his first-grade teacher. In a separate prosecution, the mother pleaded guilty to using marijuana while owning a firearm and for making false statements about her drug use. 

In a separate prosecution that may have laid the groundwork for the Crumbley case, to misdemeanor reckless conduct on charges that stemmed from a shooting carried out by his son at a 2022 Highland Park Independence Day parade, which left seven people dead. That case centered on how his son, who was 19 at the time, obtained a gun license.Ìę

At the time of the massacre, the gunman was too young to apply for a firearm license so his father sponsored his application despite knowing his son had a history of behaving violently. Several months before the attack, a relative reported to police that the teenager had a large collection of knives and had threatened to “kill everyone.” 

In the Highland Park case, was explicit: The father’s guilty plea, he said, should be a “beacon” to others that parents can be held accountable for the actions of their children. 

“We’ve laid down a marker to other prosecutors, to other police in this country, to other parents, that they must be held accountable,” Lake County State Attorney Eric Rinehart said. “The risk of potentially losing this innovative prosecution — and not putting down any marker — was too great for our trial team.” 

Yankah said it’s important to look at new parental accountability efforts through their historical contexts. 

“Looking back at history,” he said, “shows us that our historical experiments with this kind of liability for parents has rarely solved the underlying problem,” he said. “Maybe this kind of case will have an effect, maybe parents will be more attentive. But to speak honestly, I think what a case like this shows is how many different things we as a society have to work on if we really want to be free of this violence.”

In response to an inquiry by ĂÛÌÒÓ°ÊÓ, the nonprofit Future of Privacy Forum said last week it would review Raptor Technologies’ status as a Student Privacy Pledge signatory after a maintained by the company were readily available without any encryption protection despite Raptor’s claims that it scrambles its data. 

“We are reviewing the details of Raptor Technologies’ leak to determine if the company has violated its Pledge commitments,” David Sallay, the Washington-based group’s director of youth and education privacy, said in a Jan. 24 statement. “A final decision about the company’s status as Pledge signatory, including, if applicable, potential referrals to the [Federal Trade Commission] and relevant State Attorneys General, is expected within 30 days.” 

Should the privacy forum choose to take action, Raptor would become just the second-ever education technology company to be removed from the pledge. 

Texas-based , which counts roughly 40% of U.S. school districts as its customers, offers an extensive suite of software designed to improve campus safety, including a tool that screens visitors’ government-issued identification cards against sex offender registries, a management system that helps school leaders prepare for and respond to emergencies, and a threat assessment tool that allows educators to report if they notice “something a bit odd about a student’s behavior” that they believe could become a safety risk. This means, according to a Raptor guide, that the company collects data on kids who appear ‘unkempt or hungry,” withdrawn from friends, to engage in self-harm, have poor concentration or struggle academically. 
Rather than keeping students safe, however, cybersecurity researcher Jeremiah Fowler said the widespread data breach threatened to put them in harm’s way. And as cybersecurity experts express concerns about , they’ve criticized the Student Privacy Pledge for lackluster enforcement in lieu of regulations and minimum security standards. 

Fowler, a cybersecurity researcher at and a self-described “data breach hunter,” has been tracking down online vulnerabilities for a decade. The Raptor leak is “probably the most diverse set of documents I’ve ever seen in one database,” he said, including information about campus surveillance cameras that didn’t work, teen drug use and the gathering points where students were instructed to meet in the event of a school shooting. 

vpnMentor in December and Fowler said the company was responsive and worked quickly to fix the problem. The breach wasn’t the result of a hack and there’s no evidence that the information has fallen into the hands of threat actors, though Fowler in the last several months. 

The situation could have grown far more dire without Fowler’s audit. 

“The real danger would be having the game plan of what to do when there is a situation,” like an active shooting, Fowler said in an interview with ĂÛÌÒÓ°ÊÓ. “It’s like playing in the Super Bowl and giving the other team all of your playbooks and then you’re like, ‘Hey, how did we lose?’”

David Rogers, Raptor’s chief marketing officer, said last week the company is conducting an investigation to determine the scope of the breached data to ensure “that any individuals whose personal information could have been affected are appropriately notified.” 

“Our security protocols are rigorously tested, and in light of recent events, we are committed to further enhancing our systems,” Rogers said in a statement. “We take this matter incredibly seriously and will remain vigilant, including by monitoring the web for any evidence that any data that has been in our possession is being misused.” 

‘Maybe this is a pattern’

Raptor is currently among more than 400 companies that , a self-regulatory effort designed to ensure education technology vendors are ethical stewards of the sensitive information they collect about children. 

Raptor and the other companies have vowed against selling students’ personally identifiable information or using it for targeted advertising, among other commitments. They also agreed to “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality and integrity” of student’s personal information against unauthorized or unintended disclosure. Cybersafeguards, the pledge notes, should be “appropriate to the sensitivity of the information.” 

Raptor touts its pledge commitment on its website, where it notes the company takes “great care and responsibility to both support the effective use of student information and safeguard student privacy and information security.” The company that it ensures “the highest levels of security and privacy of customer data,” including encryption “both at rest and in-transit,” meaning that data is scrambled into an unusable format without a password while it is being stored on servers and while it’s being moved between devices or networks. 

Its , however, offers a more proscribed assurance, saying the company takes “reasonable” measures to protect sensitive data, but that it cannot guarantee that such information “will be protected against unauthorized access, loss, misuse or alterations.” 

Districts nationwide have spent tens of millions of dollars on Raptor’s software, according to GovSpend, a government procurement database. Recent customers include the school districts in Dallas, Texas, Broward County, Florida, and Rochester, New York. Under , education technology companies that collect student data are required to maintain a cybersecurity program that includes data encryption and controls to ensure that personally identifiable information doesn’t fall into the hands of unauthorized actors. 

Countering Raptor’s claims that data were encrypted, Fowler told ĂÛÌÒÓ°ÊÓ the documents he accessed “were just straight-up PDFs, they didn’t have any password protections on them,” adding that the files could be found by simply entering their URLs into a web browser. 

Officials at the Rochester school district didn’t respond to requests for comment about whether they had been notified about the breach and its effects on their students or if they were aware that Raptor may not have been in compliance with state encryption requirements. 

Doug Levin, the national director of the nonprofit K12 Security Information eXchange, said the Raptor blunder is reminiscent of a 2022 data breach at the technology vendor Illuminate Education, which exposed the information of at least 3 million students nationwide, including 820,000 current and former New York City students. Levin noted that both companies claimed their data was encrypted at rest and in transit — “except maybe it wasn’t.” 

A decade after the privacy pledge was introduced, he said “it falls far short of offering the regulatory and legal protections students, families and educators deserve.”

“How can educators know if a company is taking security seriously?” Levin asked. Raptor “said all of the right things on their website about what they were doing and, yet again, it looks like a company wasn’t forthright. And so, maybe this is a pattern.” 

State data breach rules have long focused on personal information, like Social Security numbers, that could be used for identity theft and other financial crimes. But the consequences of data breaches like the one at Raptor, Fowler said, could be far more devastating — and could harm children for the rest of their lives. He noted the exposure of health records, which could violate federal privacy law, could be exploited for various forms of fraud. Discipline reports and other sensitive information, including about student sexual abuse victims, could be highly embarrassing or stigmatizing. 

Meanwhile, he said the exposure of confidential records about physical security infrastructure in schools, and district emergency response plans, could put kids in physical danger. 

Details about campus security infrastructure have been exploited by bad actors in the past. After Minneapolis Public Schools fell victim to a ransomware attack last February that led to a large-scale data breach, an investigation by ĂÛÌÒÓ°ÊÓ uncovered reams of campus security records, including campus blueprints that revealed the locations of surveillance cameras, instructions on how to disarm a campus alarm system and maps that documented the routes that children are instructed to take during an emergency evacuation. The data can be tracked down with little more than a Google search. 

“I’ve got a 14-year-old daughter and when I’m seeing these school maps I’m like, ‘Oh my God, I can see where the safe room is, I can see where the keys are, I can see the direction they are going to travel from each classroom, where the meetup points are, where the police are going to be,” Fowler said of the Raptor breach. “That’s the part where I was like, ‘Oh my God, this literally is the blueprint for what happens in the event of a shooting.” 

‘Sweep it under the rug’

The Future of Privacy Forum’s initial response to the Raptor breach mirrors the nonprofit’s actions after the 2022 data breach at Illuminate Education, which was previously listed among the privacy pledge signatories and became the first-ever company to get stripped of the designation. 

The forum’s decision to remove Illuminate followed an article in ĂÛÌÒÓ°ÊÓ, where student privacy advocates criticized it for years of failures to enforce its pledge commitments — and accused it of being a tech company-funded effort to thwart government regulations. 

The pledge, which was created by the privacy forum in partnership with the Software and Information Industry Association, a technology trade group, was created in 2014, placing restrictions on the ways ed tech companies could use the data they collect about K-12 students. 

Along with stripping Illuminate of its pledge signatory designation, the forum referred it to the Federal Trade Commission, which the nonprofit maintains can hold companies accountable to their commitments via consumer protection rules that prohibit unfair and deceptive business practices. The company was also referred to the state attorneys general in New York and California to “consider further appropriate action.” It’s unclear if regulators took any actions against Illuminate. The FTC and the California attorney general’s office didn’t respond to requests for comment. The New York attorney general’s office is reviewing the Illuminate breach, a spokesperson said. 

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information” in violation of several Pledge provisions, Forum CEO Jules Polonetsky told ĂÛÌÒÓ°ÊÓ at the time. Among them is a commitment to “maintain a comprehensive security program” that protects students’ sensitive information” and to “comply with applicable laws,” including New York’s  “explicit data encryption requirement.” 

After the breach and before it was removed from the pledge, the Software and Information Industry Association recognized Illuminate with the sector’s equivalent of an Oscar. 

Raptor isn’t the only pledge signatory to fall victim to a recent data breach. In December, a cybersecurity researcher disclosed a security vulnerability at Education Logistics, commonly known as EduLog, which offers a GPS tracking system to give parents real-time information about the location of their children’s school buses. A statement the forum provided ĂÛÌÒÓ°ÊÓ didn’t mention whether it had opened an inquiry into whether EduLog had failed to comply with the pledge commitments. 

Despite the forum’s actions against Illuminate Education, and its new inquiry into Raptor, the pledge continues to face criticism for having little utility, including from Fowler, who likened it to “virtue signaling” that can be quickly brushed aside. 

“Pledges are just that, they’re like, ‘Hey, that sounds good, we’ll agree to it until it no longer fits our business model,” he said. “A pledge is just like, “whoops, our bad,” a little bit of bad press and you just sweep it under the rug and move on.” 

Chad Marlow, a senior policy counsel at the American Civil Liberties Union focused on privacy and surveillance issues, offered a similar perspective. Given the persistent threat of data breaches and a growing number of cyberattacks on the K-12 sector, Marlow said that schools should take a hard look at the amount of data that they and their vendors collect about students in the first place. He said Raptor’s early intervention system, which seeks to identify children who pose a potential threat to themselves or others, is an unproven surveillance system that could become a vector for student discrimination in the name of keeping them safe. 

Although he said he has “a great deal of admiration” for the privacy forum and the privacy pledge goals, it falls short on accountability when compared to regulations that mandate compliance.

“Sometimes pledges like this, which are designed to make a little bit of progress, actually do the opposite because it allows companies to point to these pledges and say, ‘Look, we are committed to doing better,’ when in fact, they’re using the pledge to avoid being told to do better,” he said. “That’s what we need, not people saying, ‘On scout’s honor I’ll do X.’”  

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and ĂÛÌÒÓ°ÊÓ.

Nearly 44% of public K-12 schools were staffed with school resource officers at least once a week during the 2021-22 school year, by the Education Department’s National Center for Education Statistics. Between Floyd’s murder in May 2020 and June 2022, ended their school resource officer programs or cut their budgets following widespread Black Lives Matter protests and concerns that campus policing has detrimental effects on students — and Black youth in particular. 

The data reflect an 11% decrease in school policing from the 2019-20 school year, when more than 49% of schools had a regular police presence, according to the nationally representative federal survey. That year, schools underwent an increase in campus policing after the 2018 mass school shootings in Parkland, Florida, and Santa Fe, Texas, prompted a surge in new security funding and mandates, a pattern that could repeat itself when future federal numbers capture the nation’s reaction to the 2022 school shooting in Uvalde, Texas.

“This is the George Floyd effect,” said criminal justice researcher Shawn Bushway, who pulled up a calculator during a telephone interview with ĂÛÌÒÓ°ÊÓ and crunched the federal survey data against that removed cops from their buildings, which collectively served more than 1.7 million students. 

“It’s not seismic, but I think what’s most interesting about it is that it’s the reversal of a trend in a fairly dramatic way,” said Bushway, a University at Albany in New York professor. “It’s been going up quite a bit and now it’s dropped.”

The new federal data were published the same week as Thursday’s release of a damning U.S. Department of Justice report that cited “critical failures” by police during the May 2022 mass shooting at Uvalde’s Robb Elementary School in which 19 students and two teachers were killed. During the shooting, 376 law enforcement officers responded to the scene but waited more than an hour to confront the 18-year-old shooter, a botched reaction that disregarded established police protocols and, investigators said, cost lives.

“Had law enforcement agencies followed generally accepted practices in an active shooter situation and gone right after the shooter to stop him, lives would have been saved and people would have survived,” U.S. Attorney General Merrick Garland said in Uvalde.

“Their loved ones deserved better,” he said. 

Chris Chapman, the associate commissioner of the National Center for Education Statistics, said on a press call Tuesday that the survey data didn’t make clear a definitive reason for the decline in school-based officers. Experts said that several other factors, including campus closures during the pandemic, budget constraints and a national police officer shortage, may have also contributed. 

Either way, the downward trend may be short-lived. 

Multiple districts that cut their school resource officer programs after Floyd’s murder, including those in Denver, Colorado, and Arlington, Virginia, reversed course after educators reported an uptick in classroom disorder after COVID-era remote learning. Mass school shootings have long driven efforts to bolster campus policing, a reality that has played out in the last several years as the nation experienced an unprecedented number of such attacks. 

Despite officers’ grievously mishandled response in Uvalde, the shooting led to renewed efforts in Texas and elsewhere to strengthen police presence in schools. A similar situation played out after the mass shooting at Parkland’s Marjory Stoneman Douglas High School. Federal data show national growth in campus policing even after the school resource officer assigned to the Broward County campus failed to confront the gunman, who killed 17 people. 

The now-former officer, Scot Peterson, was acquitted of criminal negligence and perjury charges but faces a new trial in a civil lawsuit by shooting victims’ families, who allege his failure to intervene during the six-minute attack displayed a “wanton and willful disregard” for students’ and teachers’ safety. Qualified immunity generally protects officers from liability for mistakes made on the job. 

After Parkland, a new Florida law required an armed security presence on every K-12 campus. The Uvalde shooting led to similar . In both states, a police officer labor shortage, which experts said may have contributed to the 2021-22 decline in schools, has hindered officials’ efforts to comply. In Kentucky, more than 40% of schools lack school resource officers, a reality that school officials have blamed on a lack of funding and a depleted applicant pool. 

“It wouldn’t surprise me if, when that data comes back out, we see that spike go back up,” said Mo Canady, executive director of the National Association of School Resource Officers, which offers a training program for campus cops. “It’s not the way I want to gain business, but some of the busiest years we’ve had training wise are 18 months after a school massacre. I can tell you that 2019 was the biggest year in our association’s history by far — and that’s coming right off the Marjory Stoneman Douglas massacre.”

Advocates for police-free schools recognize the headwinds they face. Tyler Whittenberg, the deputy director of the Advancement Project’s Opportunity to Learn initiative, said that while advocates “are proud of the victories that were won” after George Floyd’s murder, educators who removed police from schools “are fighting really hard to hold onto those gains,” some of which face in districts that don’t want them. 

“We’re not really rushing to a conclusion that this represents an overall reduction in police in schools, especially because for many of our partners on the ground this is not their day-to-day experience,” he said. “They’re having to fight back — especially at the state level — against efforts to increase the number of police in their schools.” 

Safety threats on the decline

In the 1970s, just 1% of schools were staffed by police. Decades of efforts since then to swell their ranks have coincided with a marked improvement in campus safety. 

During the 2021-22 school year, 67% of schools reported at least one violent crime on campus, totaling some 857,500 violent incidents. Federal data show the nation’s schools experienced a violent crime rate of 18 incidents per 1,000 students in 2021-22. That’s a steep decline from 1999-00, when schools recorded a violent crime rate of 32 incidents per 1,000, and 2009-10, when the violent crime rate was 25 per 1,000. 

Police officers’ contributions to making schools safer over the past two decades, however, remain the subject of ongoing research and heated debate. In a study last year, which was published in the peer-reviewed Journal of Policy Analysis and Management, Bushway and his colleagues found that placing . And although researchers were unable to analyze officers’ effects on mass school shootings because such tragedies are statistically rare, they were associated with an uptick in reported firearm offenses — suggesting an increased detection of guns. The officers were also associated with a stark uptick in student disciplinary actions, including suspensions and arrests, particularly among Black students and those with disabilities. 

“There’s a cost-benefit here and everybody’s calculus on how you weigh these different things is going to be different,” Bushway said. “There’s no pure answer to that question, different people are going to answer that question differently.”

Previous research suggests that suspensions or improve school safety, but have detrimental effects on punished students’ academic performance, attendance and behavior. Their effects on non-misbehaving students remain unclear. 

Other researchers have reached a much more critical conclusion about the effects of school-based police on students. In in November on the existing literature into school officers’ efficacy, researchers failed to identify evidence that school-based law enforcement promoted safety in schools but reinforced concerns that their presence “criminalizes students and schools.” 

“I think the evidence is increasingly supporting the notion that police don’t belong in schools,” report author Ben Fisher, an associate professor of civil society and community studies at the University of Wisconsin-Madison, told ĂÛÌÒÓ°ÊÓ. Removing officers who have been there for years, he said, may cause problems of its own. “If we’re going to get police out of schools, which I think is the right long-term vision and short-term vision, I think we need to do it thoughtfully with plans in place to make schools welcoming and supportive.” 

The federal survey, which was conducted between Feb. 15 and July 19, 2022, also found large geographical differences in the types of tools that school-based police use on the job. Across the board, officers in urban areas were less likely than their rural and suburban counterparts to carry guns and pepper spray or to be equipped with body-worn cameras. 

Beyond data on campus policing, the new federal survey offers a comprehensive look at the state of campus safety and security, reflecting school leaders’ responses to the pandemic and record numbers of mass school shootings. Other findings include: 

• In 2021-22, about 49% of schools provided diagnostic mental health assessments to evaluate students for mental health disorders. This is a decline from 2019-20, when 55% conducted assessments. Meanwhile, 38% provided students with treatments for mental health disorders in 2021-22, down from 42% in 2019-20. 

• Restorative justice, a conflict resolution technique, was used in 59% of schools in 2021-22, which was similar to 2019-20 but an increase from the 42% that used the approach in 2017-18. 

• The latest data indicate a decline in campus drug and alcohol incidents. In 2021-22, 71% of schools reported at least one incident involving the distribution, possession or use of illegal drugs, down from 77% in 2019-20. Meanwhile, 34% reported at least one alcohol-related incident in 2021-22, down from 41% in 2019-20. 

It was early August when teacher Heather Vidrine first heard about a cyberattack on her former school district in St. Landry Parish, but she didn’t think much about it — even after her Facebook got hacked. 

Now, she’s left to wonder whether the two are connected. 

Her Social Security number and other personal information were stolen in a ransomware attack against her former employer, the St. Landry Parish School Board, an investigation by ĂÛÌÒÓ°ÊÓ and The Acadiana Advocate revealed. The reporting included a data analysis by ĂÛÌÒÓ°ÊÓ of some 211,000 files that a cybercrime syndicate leaked online in August after the district refused to pay a $1 million ransom. 

The some 63 miles west of Baton Rouge told the public in August that its hacked computer servers did not contain any sensitive employee or student information, but the stolen files analysis tells a different story. 

Four months after the attack, the joint investigation revealed that Vidrine was among thousands of students, teachers and business owners who had their personal information exposed online. More than a dozen victims said they were similarly unaware those details were readily available, leaving them vulnerable to identity theft.

The number of cyberattacks on K-12 school districts and breaches of their sensitive student and employee data have reached critical levels — enough to prompt the Biden White House to convene an August summit on how to tackle the threat — and in multiple instances, districts have been accused of withholding information from the public.

“They want to brush everything under the rug,” said Vidrine, who worked for St. Landry schools for eight years before leaving in 2021. “The districts don’t want bad publicity.”

Among the district’s breached documents are thousands of health insurance records with the Social Security numbers of at least 13,500 people, some 100,000 sales tax records for local and out-of-state companies and several thousand student records including home addresses and special education status.

A failure to notify families and educators such personal information was leaked, experts said, could run afoul of Louisiana’s data breach notification rules.

and other entities notify affected individuals “without unreasonable delay,” 60 days after a breach is discovered. 

Breached entities that fail to alert the state attorney general’s office within 10 days of notifying affected individuals can face fines up to $5,000 for every day past the 60-day mark. 

The St. Landry district discovered the cyberattack in late July and reported it to state police and the media within days. District administrators dispute that the hack led to a breach of sensitive information, but also acknowledged last week they haven’t taken steps to understand the scope of what was stolen or to notify individual victims. 

In some circumstances, entities can delay their notice to victims if doing so could compromise the integrity of a police investigation, and law enforcement sources confirmed an active criminal probe. , the state attorney general’s office must approve such disclosure delays. 

Reporters filed a public records request with the state attorney general’s office Oct. 23 asking for any breach notices from the St. Landry district. The office responded Nov. 2 that the request did not yield any results, indicating such a disclosure was never made. The office didn’t respond to further questions about whether it was looking into St. Landry’s apparent failure to file a breach notice or if the district had requested an extension on its notification obligations based on the ongoing state police investigation.

As time drags on, breach victims remain unprotected and unaware of their heightened risk of identity theft. James Lee, the chief operating officer of California-based said a four-month delay is “a long time to not notify somebody of that level of sensitive information.”

“Because the school district hasn’t issued a notice, then it’s hard to know exactly what happened and why,” Lee said. “That’s important because that also leads you to, ‘Well, what does the individual need to do to protect themselves now that their information has been exposed?’”

‘Double extortion’

Ransomware attacks have become a growing threat to U.S. schools and breaches in some of the largest districts have attracted scrutiny. But experts said that small- and mid-sized districts are even more vulnerable to attacks and leaders there face political pressures that could lead them to downplay their far-reaching consequences. 

The first indication of a problem with St. Landry’s computer network came in late July, when an employee in the district’s central office reported spyware on their device, Superintendent Milton Batiste III said in August following the attack.

The ransomware group Medusa, believed by cybersecurity experts to be Russian, has taken credit for the St. Landry Parish leak. The syndicate has leveled multiple school district attacks, including a massive breach in Minneapolis earlier this year.

A district spokesperson confirmed last week that it refused to pay the ransom, in line with what federal law enforcement advises. By mid-August, the trove of stolen files was publicized on a website designed to resemble a technology news blog — a front of sorts — and became available for download on Telegram, an encrypted social media platform that’s been used by terror groups and extremists. 

The threat actors appeared to employ a tactic that’s grown in popularity in recent years called “double extortion.” Hackers gain access to a victim’s computer networks, often through phishing emails, download compromising records and lock them with encryption keys. Criminals then demand the victim pay a ransom to regain access. When victims fail or refuse to pay, the files are published online for anyone to exploit. 

Current and former students were affected by the attack, though the number of exposed records that contain personal information about young people is far narrower than those of current and former district staff. 

One St. Landry mother, who is also a district employee, was outraged when she learned that her son’s information was leaked — especially because he hasn’t attended a district public school for two years. The woman, who asked not to be identified for fears she could lose her job, was livid that the district had claimed employee and student records had been kept safe. She said she was offered free credit-monitoring services after a recent cyberattack on the state Office of Motor Vehicles led to a statewide data breach. 

“If they’re lying about it and our information did get out there, then that’s a whole other situation,” she said. “They’re telling all their employees all of our information did not get messed with.” 

She implored district leaders to notify the parents of children who had their information exposed, including those whose kids are no longer in the school system. If she had known her 17-year-old son was caught up in the breach, she said, she could have already taken steps to protect him.

District officials said they were unaware of the extent of the breach. Tricia Fontenot, the district’s supervisor of instructional technology, said after notifying state police about the attack the board was never told the nature of the data that was stolen or if any data was stolen at all. She said when the board asked state police for updates, it was told an active investigation was in progress and no information could be released. It did not give a timeline for when its investigation would be completed.

“We never received reports of the actual information that was obtained,” she said. “All of that is under investigation. We have not received anything in regards to that investigation.”

The board, Fontenot said, decided to “trust the process.”

As seen in other school district cyberattacks across the country, however, law enforcement’s responsibility is to try and apprehend the cybercriminals not to determine the extent of a breach or provide information needed to notify or protect district employees and students. That work is done by the school districts, who often hire cybersecurity consultants to help carry out those complex tasks.

Byron Wimberly, St. Landry’s computer center supervisor, maintained that the compromised servers had not been used to store personal information. He used the frequency of cyberattacks as grounds to question whether St. Landry was the source of the breached data.

“You know how many people get hacked a year? Can you point that to the school board 100%?” Wimberly said.

However, evidence that the leaked sensitive data is a result of the July cyberattack is overwhelming, namely the more than 200,000 files posted to Telegram that link back to St. Landry schools. In fact, folders that were breached and uploaded to the web point in part to a central office clerk, who saved many of the most sensitive files to one of the least secured places: her computer’s desktop. 

The records identify more than 2,700 current and former St. Landry Parish students, including their full names, race and ethnicity, dates of birth, home addresses, parents’ phone numbers and login credentials for district technology. Spreadsheets listed students who were eligible for special education services and those who were classified as English language learners.

The health records that include Social Security numbers and other personally identifiable information for at least 13,500 people far exceed the number of individuals currently employed by the district. That’s because the records also encompass former employees, retirees and those who have since died, as well as their dependents, including spouses and children. Attached to the records are scanned copies of formal documents about major life events: Births, marriages, divorces and deaths. 

Thousands of people who have received retirement benefits from the school district had their full names published, along with Social Security numbers and health insurance premiums.

Also included are some 100,000 sales tax records for local and out-of-state companies that conducted business in St. Landry Parish, with affected individuals extending far beyond Louisiana borders. Local victims include the owners of a diner, a gun store and an artist who makes soap with goat milk. It also includes a metal pipe company in Alabama, an Indianapolis-based cannabis company and a senior official at Ring, the Amazon-owned surveillance camera company headquartered in Santa Monica, California.

Unlike most states, Louisiana lacks a central sales tax agency. Instead, there are 54 different collection agencies that range from sheriff’s offices to parish governments to school boards. St. Landry Parish’s sales tax collection office is overseen by the St. Landry Parish School Board. Louisiana schools’ is derived from sales taxes. 

Thousands of other files appeared to get captured at random: a limited set of files with student disciplinary records, a collection of wedding photographs, documentation for campus security cameras and artistic renderings of Jesus Christ.

Amelia Lyons, the co-owner of a St. Landry Parish glass business whose information was exposed, said a call from a reporter was the first time she had heard about the breach — a reality she called “alarming.” 

“I feel like I should have gotten a more formal notification about this,” Lyons said.

‘A soft target’

The St. Landry Parish breach is part of a disturbing increase in cyberattacks targeting school districts nationally in the past few years, with victims ranging from rural school systems to those in major metropolitan areas such as Los Angeles, Las Vegas, Minneapolis and suburban Washington, D.C. 

Ransomware in the past year alone, according to a recent report by the nonprofit Institute for Security and Technology. Earlier this year, hackers waged attacks on seven Louisiana colleges over four months, among them Southeastern Louisiana University, which also with the public. 

It’s also not the first time St. Landry schools have fallen victim. , the school board took its system offline for at least two weeks following a similar cyberattack.

While hacker groups have grown more sophisticated, school districts routinely maintain outdated technology and lack expertise and dedicated staff to thwart threats, said Kenny Donnelly, executive director of the Louisiana Cybersecurity Commission, which was created to help schools and other entities bolster their defenses. As a result, schools are “low-hanging fruit,” said Donnelly, who said that educators should expect to see even more attacks in the coming years. 

“Educational entities are going to be a soft target,” he said. “If they’re not being hit, they’re going to be hit if they’re not doing the things they need to do to get their networks and their security in order.” 

Still, experts say leaders at small and mid-sized districts are often surprised when they become the targets of international cybercriminals.

“They’re such a small fish in the ocean, (they think) why would anybody bother with them?” said Doug Levin, the national director of the nonprofit K12 Security Information eXchange. It’s improbable that hackers targeted St. Landry specifically, he said, and more likely that a district employee opened a spam email and clicked on a phishing link. 

“It’s a question of them throwing their fishing hook in the barrel 
 and just waiting to see who bites,” Levin said. “They don’t know who their next victim is going to be and they don’t really care.” 

When a small- or medium-sized district takes the bait, the impact can be substantial because they’re often among their communities’ largest employers. In the roughly 80,000-resident St. Landry Parish, the breached health insurance records represent roughly 1 in 6 residents.

‘A cause of action’

Data breach victims who were contacted for this story said the district should have taken more proactive steps to notify them that their sensitive information had been stolen. 

“I just want (the district) to be professional,” said Vidrine, the former science teacher. “A notification that this happened: ‘We’re tending to it and you need to protect yourself. We made a mistake.’”

The district also faces risks of civil liability, said Chase Edwards, an associate law professor at the University of Louisiana at Lafayette. A failure to notify affected individuals is “what class actions are made of,” Edwards said.  

The school district has a duty to protect any private information they collect, Edwards said, and are both legally and ethically obligated to notify breach victims. 

About are the victims of identity theft each year, according to a recent report by the research firm Javelin. Social Security numbers and other personal information about children are , who can use the records to obtain credit cards and loans without detection for years. 

Because children don’t typically have credit cards, they also don’t receive credit reports that can alert them when something is amiss, Lee said. Dark-web marketplaces that sell personal information often put a premium on children’s Social Security numbers, which Lee said are primarily used by fraudsters to apply for jobs. Once victims learn they’ve been compromised, the problem “is not easy to address and can have lifelong impacts,” he said. 

Death certificates and obituaries included in the St. Landry breach present their own unique set of risks. Even after death, Social Security numbers and other personally identifiable information that can be mined from obituaries is valuable to criminals who carry out a type of identity theft known as “ghosting.”

‘The hacker of today’

People whose information may have been compromised should assume that identity theft criminals will try to use it nefariously and take steps to protect themselves, Lee said. Such criminals, he said, are often part of “very sophisticated networks” based overseas.

“It’s not the Hollywood version of somebody sitting in a dark room in a hoodie with a can of Red Bull and Twinkies,” Lee said. “That’s not the hacker of today. They’re not sitting in their parents’ basement. They’re in call centers in Dubai and in Cambodia and in North Africa.”

It’s important that potential victims freeze their credit, Lee said, and implement robust privacy protections on their online accounts, including two-factor authentication and unique login credentials stored in password managers.

A finance and technology executive whose information was compromised in the St. Landry breach knows firsthand the headaches that come with identity theft: Following a previous incident, he said, someone used his information to file a false tax return. 

The executive, who asked not to be named because he wasn’t authorized to speak with the press, has never stepped foot in St. Landry parish. Yet his data was exposed because his former employer conducts business there. Having stringent security measures in place offered him peace of mind, he said, when he learned from a reporter that his information had again been exposed. 

Fontenot said efforts to notify will begin when state police wrap up their investigation and that district leaders, including the school board attorney, will identify a course of action.

But St Landry should take immediate steps to protect breach victims — including a notification to the state cybersecurity commission, said Donnelly, its executive director. 

“That they didn’t notify us of this, it’s disappointing,” said Donna Sarver, a math teacher who worked for the district for three years before leaving in 2020. She and other victims, she said, now have to fend for themselves. 

“But it’s a poor parish and I don’t think they do anything unless they really, really have to.”

This story was supported by a grant from the Fund for Investigative Journalism.