
What To Do When Your School Gets Breached

A step-by-step response guide for school administrators dealing with a data breach. Covers the critical first 72 hours and beyond.

Tags: breach response, incident response, NPC

Respond Quickly and Methodically

If your school has experienced a data breach, you have a legal obligation to respond correctly. The Data Privacy Act requires NPC notification within 72 hours of becoming aware of the breach. Here's a practical guide.

Important: These timelines are guidelines. If your school discovers a breach outside business hours (weekend, holiday), focus on containment first and begin the formal process as soon as your team is available. The 72-hour clock starts when you become aware of the breach.

Step 1: Contain the Breach (First Priority)

Do immediately, regardless of time of day:

  • Do NOT power off, wipe or reimage affected systems (volatile memory and logs may be needed as forensic evidence)
  • Disconnect compromised systems from the network (unplug the Ethernet cable or disable Wi-Fi) rather than shutting them down
  • Change all passwords for affected accounts and revoke any active sessions or access tokens tied to them
  • Document everything — take screenshots, note timestamps, and record who did what and when

Alert your response team as soon as possible:

  • School administrator / principal
  • IT coordinator
  • Data Protection Officer (DPO)
  • Legal counsel (if available)

If the breach is discovered after hours, at minimum disconnect compromised systems and alert your principal and DPO by phone.

Step 2: Assess the Damage

Once containment actions are taken, determine:

  • What data was affected? (student records, grades, medical, financial?)
  • How many records? (approximate count is acceptable initially)
  • Who is affected? (students, parents, staff?)
  • How did it happen? (phishing, hack, misconfiguration, insider?)
  • Is the breach ongoing? (still happening or already contained?)
  • Was sensitive personal information involved? (health, financial, minors' data?)

Step 3: Document Everything

Create a breach incident report including:

  • Date and time the breach was discovered
  • Date the breach likely occurred (if different)
  • Nature and scope of the breach
  • Types of personal data involved
  • Number of affected individuals
  • Actions taken to contain the breach
  • Assessment of likely harm to affected individuals

The First 72 Hours: NPC Notification

When You Must Notify the NPC

You must notify the NPC if the breach involves personal data that is likely to adversely affect the data subjects. In practice, this means:

  • The breach involves sensitive personal information (health, education, financial data of minors)
  • The breach affects 100 or more individuals
  • There is a likelihood that the breach could adversely affect data subjects (identity theft, discrimination, financial loss, etc.)

For schools: Because student data typically includes sensitive personal information belonging to minors, most breaches involving student records will meet these notification thresholds.

How to Notify the NPC

  1. Use the NPC's official breach notification form
  2. Submit within 72 hours of discovering the breach
  3. Include:
     - Description of the breach
     - Types of data involved
     - Approximate number of affected individuals
     - Steps taken to address the breach
     - Contact details of your DPO

Notifying Affected Individuals

After notifying the NPC, notify affected individuals (parents/guardians for students) when there is a real risk of harm.

Your notification should include:

  • What happened (in plain language)
  • What data was involved
  • What you're doing about it
  • What they should do (change passwords, monitor accounts, etc.)
  • Who to contact for questions

Template:

Dear [Parent/Guardian],

We are writing to inform you of a data security incident at [School Name] that may have affected your child's personal information.

What happened: [Brief, factual description]

What information was involved: [List specific data types]

What we are doing: [Steps taken to contain and investigate]

What you can do: [Specific, actionable recommendations]

We take the protection of student data very seriously and sincerely apologize for this incident. For questions, please contact [DPO Name] at [email/phone].

Sincerely,

[School Administrator]

After the Crisis: Recovery

Week 1-2: Investigate Root Cause

  • How did the breach occur?
  • What controls failed?
  • Was it preventable?
  • Consider engaging a cybersecurity professional

Week 2-4: Fix the Vulnerabilities

  • Patch the specific vulnerability that was exploited
  • Review and strengthen related security controls
  • Implement additional monitoring
  • Consider whether your current systems need replacing

Month 1-3: Improve Your Security Posture

  • Conduct a full security assessment (the Security Scorecard can help)
  • Implement staff training on the specific attack type
  • Review and update your incident response plan
  • Consider cyber insurance

Ongoing: Monitor and Report

  • Monitor for misuse of exposed data
  • Provide updates to affected individuals
  • Cooperate with NPC investigation
  • Document lessons learned
  • Share anonymized lessons with the education community

Common Mistakes During a Breach

  1. Destroying evidence — Don't wipe systems before investigation
  2. Delaying notification — The 72-hour clock is real
  3. Minimizing the breach — Be honest about scope and impact
  4. No communication plan — Parents hearing about it from media is worst-case
  5. Blaming individuals — Focus on systemic fixes, not blame
  6. Not learning from it — Every breach should result in improved security

Prevention Is Better Than Response

Related resources to help identify and fix vulnerabilities: