Phillips-Hill Measure Aimed at Curbing Student Data Risks Amid Rise in School Cyberattacks Clears Committee

HARRISBURG – As cyberattacks targeting schools continue to rise nationwide, the Senate Education Committee advanced legislation authored by Sen. Kristin Phillips-Hill (R-York) to strengthen protections for student data and digital privacy.

Senate Bill 378 would establish clear rules for how student data is collected, stored and shared, while increasing transparency for parents and accountability for schools and third-party vendors.

“Parents are required to hand over some of their child’s most personal information,” Phillips-Hill said. “That digital footprint does not just stay within a school district, it is often shared with outside companies, and we need to ensure it is protected every step of the way.”

The risks tied to third-party vendors are no longer theoretical. In 2025, a major student information system provider used by school districts across the country was hacked, exposing sensitive student data and leading to extortion attempts against schools.

The U.S. Department of Education has also warned that K-12 schools are increasingly vulnerable to cyberattacks, particularly because of their reliance on digital platforms and outside vendors that store and manage student information, noting there are at least five incidents a week across the country.

Phillips-Hill emphasizes that these incidents highlight exactly why Senate Bill 378 is needed. When third-party systems are compromised, students’ personal information is at risk.

Senate Bill 378 addresses these concerns by clearly defining student data, establishing who owns it, and requiring stronger safeguards, disclosures, and limitations on how both schools and vendors can collect, use and share it.

The bill moves to the full Senate for further consideration.
