Student Online Personal Protection Act (SOPPA)

Lisle 202 partners with educational technology companies to provide educational content and support to our students. The District takes the privacy and online safety of our students seriously and carefully protects our student data in accordance with the Student Online Personal Protection Act (SOPPA). This Act goes into effect on July 1, 2021 for the State of Illinois and protects the privacy and security of student data when collected by companies operating websites, online services, or online/mobile applications primarily used for K-12 school purposes.

Online Vendors

Lisle 202 verifies that the vendor is compliant with the Family Educational Rights and Privacy Act (FERPA), Children’s Online Privacy Protection Rule (COPPA) and SOPPA before establishing a relationship with a company/service provider.

The approved vendor list below includes:

online services or applications that the District uses
contracts signed by the District
any data collected by those tools or by the District

SOPPA is the Student Online Personal Protection Act and protects the privacy and security of
student data.

Click here for a list of Approved Vendors

Data Privacy Laws Overviews

What is SOPPA?

The Student Online Personal Privacy Act, or SOPPA, is "...intended to ensure that student data will be protected when it is collected by educational technology companies and that the data may be used for beneficial purposes such as providing personalized learning and innovative educational technologies," according to the Illinois General Assembly.

Additional Information

What is COPPA?

The Children's Online Privacy Protection Rule, or COPPA, "...imposes certain requirements on operators of websites or online services directed to children under 13 years of age, and on operators of other websites or online services that have actual knowledge that they are collecting personal information online from a child under 13 years of age," according to the Federal Trade Commission. Watch the video below for more information.

What is CIPA?

The Children's Internet Protection Act, or CIPA, "was enacted by Congress in 2000 to address concerns about children's access to obscene or harmful content over the Internet. CIPA imposes certain requirements on schools or libraries that receive discounts for Internet access or internal connections through the E-rate program – a program that makes certain communications services and products more affordable for eligible schools and libraries," according to the Federal Trade Commission. Watch the video below for more information.

What is FERPA?

The Family Educational Rights and Privacy Act, or FERPA, is "...a federal law that affords parents the right to have access to their children’s education records, the right to seek to have the records amended, and the right to have some control over the disclosure of personally identifiable information from the education records," according to the US Department of Education. Watch the video below for more information.

Data Breaches

Lisle 202 will post details here about data breaches involving 10% or more of the District's students. Details about the breach, including the type of information involved, the date (or an estimate), and the name of the service or operator affected, will be made available here. Families will also be contacted directly as needed. If you have questions or concerns, please contact our Data Security Officer, Trent Schalk, at tschalk@lisle202.org.

PowerSchool Data Security Incident

February 2nd - School Newsletter Communication

The following information has been provided by PowerSchool:
PowerSchool has engaged Experian, a trusted credit reporting agency, to provide complimentary identity protection and credit monitoring services to current and former students and educators who had information exfiltrated from PowerSchool SIS. PowerSchool is doing this regardless of whether an individual’s Social Security Number was exfiltrated. In the coming weeks, Experian (on behalf of PowerSchool) will be distributing direct email notifications to involved individuals (or their parent/guardian, as applicable) for whom PowerSchool has sufficient contact information.

Additionally, PowerSchool has worked with Experian to set up a dedicated, toll-free call center to answer any questions associated with these offerings and the incident. All the information regarding the activation of and access to these services will be included in the email sent to you by Experian. Whether or not you receive an email, you may also visit PowerSchool’s website to learn how to activate the offering from Experian, linked here.

January 17th - District Communication Update

Dear Lisle 202 Families,
We would like to provide an update regarding the recent PowerSchool Data Security Incident. Since being notified of this situation, our Technology Team has conducted a thorough review of our systems and data. Unfortunately, we have identified that portions of Lisle 202’s current and former student and parent records were accessed in the timeframe of 2016 to the present.

What information was accessed?
Lisle 202 does not collect or store student or parent Social Security numbers; therefore, this information was not accessed.
General information from one or more of the following types of data housed in PowerSchool may have been retrieved for our students and/or families:

Name
Address
Date of Birth
Ethnicity
Gender
Graduation Year
GPA
Entry/exit dates
Grade
General discipline alerts
General medial alerts (Ex: allergies, life-threatening conditions)
Guardian alerts
IEP and 504 status
Free and reduced lunch status (only represented by a letter, not a description)
Guardian email for inactive students only
If sensitive information was accessed, Lisle 202 will contact affected families directly.

Next Steps in Response to the Data Security Incident

PowerSchool will be offering two years of complimentary identity protection and credit monitoring services for all students and educators whose information was accessed in the data security incident. The company will share more information in the coming weeks about how to take advantage of this offer.

Our Commitment to Data Security

We take the data security of our students, families, and staff very seriously. Lisle 202 employs rigorous security protocols to safeguard data, including:

Following Best Practices: We follow security best practices including regular system updates, strong password policies, and other measures to protect our data.
Implementing Two-Factor Authentication: All employee users must verify their identity with a second factor (ex: security key, confirmation prompt, or text message authentication) in addition to their password.
Utilizing Automated Access Management: Integration between PowerSchool and our staff information system ensures that access for employees is promptly removed when they leave the organization.

PowerSchool implements robust processes and protocols to secure its systems and the data they house. Here is more information about the security measures they implement. For this data security incident, the company has engaged CrowdStrike, a third-party, cybersecurity firm, to investigate and is actively making further enhancements to their cybersecurity defenses.

Thank you for your patience as we continue working closely with PowerSchool and provide updates as new information becomes available. If you have any questions, please contact us at info@lisle202.org.

January 9th - District Communication

Lisle 202 was notified late Tuesday, January 7th by PowerSchool, the company that provides our student information system, that they experienced a nationwide data security incident in late December 2024.

According to PowerSchool, an unauthorized party used a compromised PowerSchool support credential to access the platform’s support tool, which allowed access to school districts’ student information systems nationwide, including Lisle 202. This allowed the bad actor to export student, family, and staff data.
PowerSchool has shared that the data security incident has been contained. The company believes that this data has been deleted and has not and will not be shared anywhere publicly.

Although PowerSchool has provided no evidence that any data was misused, our district wants to make you aware of this incident out of an abundance of caution. It is important to note that this data breach does not affect any of our other systems.

As a school district, we take the security of all student, family, and staff data very seriously. Contracts with outside vendors are closely vetted to ensure measures are in place at all times to safeguard that data. PowerSchool has assured us that they have implemented cybersecurity response protocols and have taken all appropriate steps to prevent the data involved from further unauthorized access or misuse, and are continuing to investigate the data security incident.

Lisle 202 will be working closely with PowerSchool to determine the impact, if any, on our learning community. We will provide more information once it becomes available. If you have any questions, please contact us at info@lisle202.org.

Additional Information

Illinois Principal's Association School Handbook
- 7:345 Use of EdTech
- 7:4 Annual SOPPA notices
Lisle 202 Board Policies pertaining to student privacy, security, and safety