A former federal privacy commissioner says PowerSchool is “not off the hook” over the massive data breach that affected millions of kids, teachers and parents despite the end of an investigation into the company’s cybersecurity practices, noting the improvements PowerSchool has committed to making.
Chantal Bernier, who was assistant federal privacy commissioner from 2008 to 2014 and held the role of interim commissioner in 2014, told Global News the agreement announced Tuesday was the most effective way for the Office of the Privacy Commissioner (OPC) to hold PowerSchool accountable, given the deadlines the company now has to boost its security and prove it can prevent future cyberattacks.
“It keeps alive the right for the OPC to initiate a complaint and then go into a full investigation should PowerSchool not come through,” Bernier said in an interview.
“PowerSchool is not off the hook at all.”
The OPC said Tuesday that privacy commissioner Philippe Dufresne had decided to end his investigation into the breach after PowerSchool “took measures to contain the breach, notify affected individuals and organizations and offer credit protection, and has voluntarily committed to additional actions to support its security safeguards.”
According to a letter of commitment with the OPC signed last week, PowerSchool has until the end of July to provide any additional information related to the data breach to the commissioner, and will need to provide evidence by the end of this year that it has strengthened its monitoring and detection tools.
By March 2026, the education software company will also need to get recertified under global information security standards and provide an independent, third-party security assessment and report to the OPC on PowerSchool’s updated safeguards to protect personal information, prevent and respond to potential breaches, and other cybersecurity measures.
Get breaking National news
For news impacting Canada and around the world, sign up for breaking news alerts delivered directly to you when they happen.
Dufresne will have to review and approve PowerSchool’s plans to accept or reject any recommendations from that report, as well as ensure the company meets its other commitments.
The December 2024 hack accessed the personal data — including medical information and social security numbers — of millions of current and former students and thousands of staff across Canada whose schools use PowerSchool’s platform.
Nearly 90 school boards across Canada confirmed to Global News they had been affected by the breach, with some later receiving ransom demands.
A Massachusetts college student, 19-year-old Matthew Lane, agreed in May to plead guilty to criminal charges related to the data breach, including cyber extortion, according to U.S. prosecutors.
Bernier said PowerSchool, unlike some companies that have faced OPC investigations, has so far appeared to be “open and transparent” with parents, school boards and the OPC in its response to the hack, which helped bring the federal case to an end for now.
She pointed out that the OPC’s latest annual report, released in June, committed to ensuring companies comply with privacy regulations “more strategically, using measures that are the most relevant and efficient for any given situation,” quoting Dufresne’s opening message from the report.
“That’s why I reacted to the announcement (of the agreement) with great satisfaction, because I thought, well, the OPC is making good on its commitment,” said Bernier, who currently works in privacy and cybersecurity law at Dentons in Ottawa and was not involved in the PowerSchool case.
“We already know what happened here. Why would (the OPC) spend Canadian taxpayers’ money investigating any further? So let’s cut to the chase and say, ‘This is what we want to see from you.’”
A spokesperson for PowerSchool told Global News it was “grateful for the Commissioner’s collaboration in helping us strengthen our safeguards even further,” after working with the OPC “to respond swiftly, transparently, and responsibly” to the data breach.
A separate investigation by the Information and Privacy Commissioner of Ontario, which is looking into what role, if any, was played by provincially mandated school boards in the protection of the leaked data, remains ongoing.
Bernier said that during her time at the OPC, companies “surprisingly” followed through with their commitments to improve their privacy and security protections that brought investigations to an end in a similar way.
“The reason I say ‘surprisingly’ is because you always have a doubt,” she said. “They’re so powerful that you can’t help but wonder, do they really submit to those?
“What you discover … is that consumer pressure is so strong that yes, when the organizations are found in default of privacy protection — particularly when it’s made public — they get into line, because they want to maintain or restore customer trust.”
However, she added she wants to see renewed efforts to give the OPC additional powers under federal privacy laws, particularly through the enforcement of fines and other penalties.
Efforts to amend the Personal Information Protection and Electronic Documents Act to give the OPC such powers died in the House of Commons in 2020 and 2022.
“It’s absolutely necessary, in a context where the use of personal information is so highly profitable, that the misuse must entail proportionate financial consequences,” Bernier said.
“If you’re going to make a lot of money using personal data, you have to be subject to paying a lot of money for misusing it.”
© 2025 Global News, a division of Corus Entertainment Inc.
