Student data and privacy are protected at school, right? Not so fast.
While technology has long been commonplace in schools throughout the country, the largest school district in the United States has been exposed for its egregious lack of student data privacy oversight in a recent audit.
The April 2026 audit from the New York State Comptroller’s Office cites multiple instances in which New York City Public Schools (NYCPS) mismanaged the privacy and security of student data between March 2020 and September 2025. Among the findings, the audit cites weaknesses in technical controls that need to be corrected to ensure information systems and their associated data are not at risk, including issues with system monitoring, unsupported systems and firewalls.
Mismanagement of Student Data and Privacy
Additionally, the New York State Comptroller’s audit found a range of mismanagement of student data and privacy:
- The school district’s policies do not fully align with the National Institute of Standards and Technology Cybersecurity Framework (NIST CSF).
- Certain fundamental areas related to data privacy and security are not covered or described in the school district’s policy, and in some instances, not only is this information not published on its website, but the school district does not have an existing policy. For example, NYCPS does not have written policies covering the areas of data classification, risk assessment, and backup and recovery.
- The school district does not always report breaches or notify affected parties within the required time frames. In a review of 141 breaches involving unauthorized data releases from Jan. 5, 2023 through Feb. 27, 2025 that NYCPS reported to the State Education Department (SED), the district delayed reporting 48% (67 of 141) of breaches and delayed notifying affected individuals and families in 11% (16 of 141) of breaches.
- The school district does not have a documented data classification policy, meaning that it may be unable to identify in a timely manner what, if any, sensitive and/or critical data was involved and may have been compromised.
- The school district does not maintain a comprehensive list of all applications used by each school, and therefore lacks a clear understanding of its environment, the type of information being stored in these applications, and the various risks associated with the data.
- While the school district requires employees with access to personally identifiable information to complete training on their data privacy and security responsibilities on an annual basis, in 2024 only 73% (117,763 of 161,337) of employees completed the training.
Additionally, the audit states that there were problems obtaining information and setting up meetings with NYCPS, with some documentation requests taking over five months to fulfill, and meeting requests taking two months to be scheduled, despite repeated requests from the comptroller’s office.
Technology, AI in Schools: At What Cost?
The State Comptroller’s audit coincides with the NYCPS’ recent release of guidelines for artificial intelligence (AI) in schools and its plans — and then postponement — to open New York City’s first artificial intelligence-focused high school, which drew community opposition.
The proposed AI-centered high school sparked debate among parents, some viewing it as a necessary step toward future workforce readiness, while others questioned whether schools are equipped to manage the legal and ethical risks tied to artificial intelligence in education. Artificial intelligence is increasingly being used in grading systems, personalized learning platforms, disciplinary monitoring, and student support tools. Yet many school districts have not updated policies to address how these technologies intersect with existing legal obligations.
AI platforms used in schools can collect and analyze student data, which can raise concerns for parents who are worried about compliance with the Family Educational Rights and Privacy Act (FERPA), as discussed below. Many AI tools are developed by private companies, and schools need to make sure any contracts with these companies clearly define data ownership, usage rights, and liability protections. As schools continue to rely on technology and increasingly use AI detection tools to identify cheating, students may face discipline based on flawed or unverified outputs, raising due-process concerns.
Privacy and Security of Student Data
Policymakers around the nation have taken action to protect student privacy and data in recent years. Since 2014, over a thousand student privacy bills have been introduced in all 50 states, and state policymakers have passed nearly 150 student privacy laws in 47 states and Washington, D.C., according to the Public Interest Privacy Center.
There are several federal laws that establish student privacy and protections, according to the Public Interest Privacy Center. They include:
- FERPA: The Family Educational Rights and Privacy Act (FERPA) is the primary federal law establishing student privacy rights in the education system, requiring schools to protect the privacy of students’ personally identifiable information in education records and to give parents and eligible students certain rights, such as the right to access education records. FERPA applies directly to all educational agencies and institutions that receive federal funding.
- PPRA: The Protection of Pupil Rights Amendment (PPRA) establishes parental engagement requirements for certain data collection from students and requires schools to give parents access to instructional materials upon request. It applies directly to all educational agencies and institutions that receive federal funding.
- COPPA: The Children’s Online Privacy Protection Act (COPPA) establishes parental consent requirements before personal information can be collected online from children under 13. COPPA does not directly regulate schools, but it establishes privacy safeguards in the education sector by directly regulating technology providers used by schools, such as educational technology companies.
In addition to the above protections, New York state student data privacy is also governed by Education Law §2-d, which requires all school districts, BOCES, and charter schools to protect student data from unauthorized access, use, or disclosure. Schools must adopt a data security and privacy policy aligned with NIST cybersecurity standards, appoint a data protection officer, and ensure all third-party vendors sign a data privacy agreement before accessing student data. The law also prohibits the sale or commercial use of student data and mandates encryption of students’ personal information both in transit and at rest.
While technology can transform education in positive ways, it also creates privacy risks that can put students’ personal and private information at risk. If your student’s data and privacy have been violated at school, it’s time to talk to an education attorney.
Tully Rinckey education lawyers have experience helping students, parents, educators, and school districts with their unique education law matters. Our attorneys understand that issues involving your education or employment can have serious impacts on your life and will handle your legal matter with the attention and tact it deserves. Contact Tully Rinckey today for a consultation at 8885294543.
Greg T. Rinckey is one of Tully Rinckey PLLC’s two founding partners. He worked with Founding Partner and fellow Hofstra University alum Mathew B. Tully in 2004 to build the firm from the ground up into the coast-to-coast, full-service powerhouse that it is today. As Founding Partner, Greg collaborates with Mat in all areas of strategic planning and law practice management to develop and deploy innovative business solutions that continue to grow the firm.






