States Step Up on School Cybersecurity as Attacks Surge
K-12 schools across the U.S. face mounting cyber threats. Like businesses, they face an onslaught of ransomware, phishing, and data breaches that disrupt classrooms and community services. A new report highlights how states are moving to close the security gap.
School Cyberattacks – A Breach of 60 Million Records
The PowerSchool hack underscored the scale of the K-12 school cybersecurity crisis. Hackers compromised nearly 60 million student and staff records. Names, grades, addresses, and sensitive details spilled onto criminal markets. The breach showed how one vendor failure can ripple across thousands of schools. It turned a private system flaw into a national education emergency.
Grim Numbers Drive Urgent Action
The 2025 CIS MS-ISAC K-12 Cybersecurity Report found that 82% of districts faced cyber incidents in the past year. Nearly 14,000 security events were recorded. More than 9,300 confirmed attacks disrupted school systems. The attacks hit meal programs, counseling services, and even testing systems.
Parents scrambled for childcare when systems went dark. Staff could not access student records. The fallout extended well beyond lost data. Communities felt the weight of disruption.
“Digital Snow Days” Become Reality
Our earlier reporting on this issue warned of the rising risk of so-called “digital snow days.” A ransomware attack can now shut schools down for days or weeks. Unlike weather closures, these attacks destabilize critical operations. Families lose meals and childcare. Students lose instruction time. Local economies suffer. School cyberattacks have broad and lasting consequences.
This reality fuels new calls to treat K-12 education as critical infrastructure. A system failure does not just affect data. It affects daily life.
The Legislative Push
The 2025 State Cybersecurity Legislation Report by CoSN examined new state laws in Arkansas, Massachusetts, Oregon, Pennsylvania, and Texas.
Lawmakers introduced 18 bills directly targeting K-12 cybersecurity. Common strategies included:
- Expanding access to cyber insurance.
- Requiring cyber risk assessments.
- Funding incident response programs.
- Standardizing student data practices.
- Embedding cybersecurity into school improvement plans.
Seven bills passed, with Arkansas and Texas leading the way. Twelve others remain pending or stalled.
Arkansas: Leading With Insurance and Response
Arkansas enacted multiple measures. One law requires public schools to carry cybersecurity insurance. Another funds a state-run Cyber Response Program to help districts recover after attacks. A separate bill forces schools to adopt policies on the use of artificial intelligence.
These moves reflect recognition that schools cannot face attacks alone. Insurance cushions the financial blow. State programs provide critical backup when local capacity fails.
Texas: Creating Cyber Command
Texas took a different path. Lawmakers created the Texas Cyber Command to centralize oversight. The new agency sets cybersecurity standards, coordinates responses, and ensures schools align with statewide security practices.
Texas also provided funding to schools for specific IT and cybersecurity projects. However, some proposed studies on district cybersecurity needs stalled in committee.
Massachusetts and Oregon: Pending but Promising
Massachusetts focused on employee privacy, infrastructure grants, and school improvement planning that includes cybersecurity. None of its bills have passed yet, but they signal a policy shift.
Oregon pushed for standardized student data practices and statewide risk analysis. One bill awaits the governor’s signature. If enacted, Oregon would join Arkansas and Texas in embedding cybersecurity into education law.
Pennsylvania: No Direct K-12 Bills
Pennsylvania considered broader government cybersecurity reforms but did not introduce K-12-specific measures. The state instead looked at creating an Office of Information Technology and a Joint Cybersecurity Oversight Committee.
Beyond K-12: Systemwide Strategies
The legislative trend goes beyond schools. States are setting up centralized cyber offices, statewide incident reporting, and workforce development programs to prepare for school cyberattacks. Many proposals create shared security services, training pipelines, and insurance pools.
For schools, this broader focus means access to resources once out of reach. Regional security centers and university partnerships could provide districts with training, monitoring, and emergency support.
Funding Gaps Persist
Despite new laws, funding remains a barrier. The CoSN report found that 61% of districts use general funds for cybersecurity. Dedicated budgets are rare. Many districts outsource monitoring to save costs. Most lack staff with deep security expertise.
This gap mirrors findings in the CIS report, which showed that 86% of schools have fewer than five employees handling cybersecurity. Nearly 40% lack any documented cybersecurity strategy.
The Case for Cyber Insurance
Cyber insurance plays a growing role in these debates. Arkansas now mandates coverage. Other states are considering similar requirements.
The PowerSchool breach adds weight to this trend. After the hack, PowerSchool’s Chief Legal Officer urged schools to engage brokers proactively. He stressed the importance of comprehensive coverage tailored to education systems.
K-12 cyber insurance won’t prevent attacks. But it provides financial resilience when districts face multimillion-dollar breaches. Given limited funding, it is one of the few immediate safeguards schools can secure.
What’s Next?
Lawmakers face tough choices when it comes to school cyberattacks. Should K-12 schools be legally defined as critical infrastructure? Should states mandate insurance and workforce development? Or should local districts carry the responsibility?
For now, states like Arkansas and Texas show that policy action is possible. The stakes are clear. Without stronger defenses, communities will face more “digital snow days.”