In the first half of 2025, ransomware attacks against schools, colleges, and universities globally increased by 23%. Additionally, a recent global study revealed that 61% of organizations in the education sector reported being targeted by ransomware in the past 12 months.
Schools are often enticing targets for hackers, given increased digitization and the storage of large amounts of sensitive data. Cybersecurity is a top concern of school district technology officers because of this increased threat level, and attacks are growing more sophisticated with the use of generative AI. Districts are then forced to defend against highly sophisticated attacks with limited budgets to train staff on cybersecurity.
During a ransomware attack, hackers break into a network, encrypt the data (so the school district can’t access it), and demand a ransom from the district in exchange for decrypting the data. When determining whether to pay the ransom, school districts face major legal and ethical considerations. The FBI and Cybersecurity and Infrastructure Security Agency advise against payment, citing no guarantee of recovery and the risk of incentivizing further crime. However, some institutions, constrained by limited resources, may weigh payment as a practical necessity to restore operations. This creates a complex balance between compliance obligations, fiduciary duties, and operational continuity.
To mitigate legal exposure, experts recommend implementing robust cybersecurity governance measures, appointing a dedicated cybersecurity officer, ensuring system-wide training, deploying baseline protections (e.g., multifactor authentication, spam filtering, regular offline backups), and maintaining an incident response plan with tested protocols. Such measures can strengthen an institution’s position in regulatory investigations and civil claims by demonstrating reasonable security efforts.
Additionally, education technology leaders at F3 Law are in the process of developing a new Data Privacy and Security Agreement (“DPSA”) that includes very robust and specific data security measures. The DPSA is an agreement between school districts and vendors that establishes clear rules and responsibilities for the use and collection of sensitive data.
Ransomware attacks against schools, colleges, and universities globally increased 23% year over year in the first half of 2025.