It was a “slip of the mouse,” as described by Mike Tassey, data security adviser with the Privacy Technical Assistance Center at the U.S. Department of Education. But instead of the “BCC” field, the addresses were pasted into “CC.” In an instant, the privacy of every family on that list was compromised. While an email address itself might not always be protected, the context was undeniable: Every parent now knew that every other recipient’s child had a specific disability.
“That CC instead of BCC means that now every parent can see every other parent,” Tassey said April 14 during a session at the 2026 Consortium for School Networking (CoSN) conference. “That little mistake goes from ‘no big deal’ ... to, ‘oh boy, this is going to be a bumpy ride.’”
The scenario was one of several FERPA fiascos Tassey unpacked to illustrate that in an era of sophisticated cyber defenses, the greatest risk to student privacy remains the human element. Amid a rise in school cyber attacks and districts across the U.S. hardening their digital environments, the session served as a stark reminder that compliance with the Family Educational Rights and Privacy Act (FERPA) — which legally protects student education records — is not just a technical check box for schools to tick, but a continuous exercise in culture, communication and caution.
During the session, Tassey, a self-identified former hacker, emphasized that FERPA violations are rarely born of malice. Instead, he said they are typically the result of unintentional human error, systemic misunderstandings of data ownership and dangerous assumptions about vendor security. When these “whoops” moments inevitably occur, the difference between a manageable incident and a “dumpster fire,” he said, often comes down to transparency and response time.
“It’s not the technical stuff we do to respond to the breach. We’ve got that down,” Tassey said. “The problem is in the messaging. The problem is in the communication.”
The email CC blunder highlights a nuance sometimes lost in daily workflows in school settings: While directory information like names and emails might be public under certain policies, linking those details to a sensitive status, like receiving special education services, transforms them into protected student records.
“We send emails all day, every day, and at no point were they thinking, ‘hey, this could turn into a FERPA issue,’” Tassey said. Because privacy risk is deeply embedded in the most mundane tasks, such as a routine email, he said staff need to slow down and look carefully at what they’re doing.
Another observation Tassey shared was that many school staff lack a fundamental understanding of who, or what, owns student data. He referred to a teacher who, upon leaving for a new position, copied a massive cache of files — including individualized education programs, evaluations and progress notes — to a personal Gmail account. A court eventually ruled in favor of the school district, reinforcing that “this data was not that teacher’s to take.”
“Student records are misunderstood, and it doesn’t necessarily take a malicious act to violate the law,” Tassey said.
Districts often fall into the trap of assuming that large ed-tech vendors have security covered, according to Tassey. He pointed to a breach involving 3 million records where a vendor left a cloud storage bucket at factory default settings, unlocked and unencrypted. In another case, a single subcontractor at the software company PowerSchool lacked multifactor authentication, allowing a hacker to exfiltrate data for 63 million students.
“‘The vendor has this covered’ is a dangerous statement,” Tassey warned. Under FERPA, the school owns the risk. The vendor is essentially a school official working for the district, meaning the legal and ethical responsibility for that data never truly leaves the superintendent’s desk.
In another example, one district complied with a records request for student surveys regarding suicidal ideation by simply deleting the students’ names. But because the surveys were written in the students’ own words, mentioning specific family members and other personal information, the community easily identified the authors.
“Don’t just look at the column headings,” Tassey said, adding that redaction must be a process of actually reading the data, not just checking a box, because in the world of student privacy, “the answer to every FERPA question is: It depends.”
The session concluded with a call to shift the perspective on FERPA from a burden of paperwork to a core mission. While data is a valuable commodity, Tassey reminded the audience that they are the caretakers of something far more significant.
“Our children are our most precious natural resource,” he said. “Protecting this data is more of a mission ... it’s way more of a responsibility than just a job.”