A child can leave a school district, but the child's digital shadow may remain behind.

Attendance records, addresses, disciplinary histories, disability information, health records, transportation details, parent contacts, passwords and assessment results can travel through multiple school systems and outside applications. Each record may be necessary for education. Each also becomes something the district must protect. Families curious about how disability records enter a child's file in the first place can look at the state's rules on requesting a special education evaluation, since that process generates some of the most sensitive information a district holds.

A June 2026 follow-up audit by the New York State Comptroller found that the Uniondale Union Free School District had only partially implemented three of five earlier information-technology recommendations and had not implemented two. Auditors reported that 3,808 of 5,485 enabled nonstudent network accounts, or 69 percent, were not needed and should have been disabled. The unnecessary accounts included 3,346 associated with former employees and 462 shared or service accounts.

The finding does not establish that those accounts were used in a breach. It exposes something more basic: a school network can have thousands of digital doors, and no district can confidently protect the building if it does not know which doors should still be open.

School cybersecurity is now a student-safety issue

Cybersecurity is often discussed as an information-technology problem. That understates the stakes.

A compromised system can interrupt payroll, disable communications, delay transportation, lock educators out of instructional platforms and expose confidential student information. Ransomware can force a district to choose between restoring operations slowly or negotiating with criminals. A stolen student record can create identity-theft risks that remain unnoticed for years because children do not routinely monitor credit reports.

The issue is especially sensitive in schools because student records may include information that families would never place on a public form: counseling notes, disability classifications, behavior reports, residency documentation, foster-care status and medical accommodations.

Protecting that information is not simply good practice. New York Education Law Section 2-d and Part 121 of the Commissioner's Regulations require educational agencies to establish safeguards for student data and align their security practices with the National Institute of Standards and Technology Cybersecurity Framework.

What the Uniondale follow-up audit found

The comptroller's office originally audited Uniondale's information-technology controls in 2023. Auditors returned in October 2025 to review the district's progress, issuing the follow-up report in June 2026.

District officials had developed written procedures covering the creation, modification and disabling of nonstudent accounts. Auditors nevertheless found that staff were not consistently following those procedures.

The audit identified thousands of accounts that remained enabled even though they were no longer needed. Many were linked to former employees. Others were shared or service accounts that had not been disabled promptly.

This is not a cosmetic recordkeeping issue. An active account belonging to a former employee can become an entry point for someone who obtains or guesses the credentials. Shared accounts can make it difficult to determine who performed a particular action. Excessive administrative permissions can allow a compromised account to reach systems and records far beyond the user's legitimate responsibilities.

The comptroller warned that unnecessary accounts could be used to view or remove personal information, make unauthorized changes to district records or deny legitimate users access to the network.

Uniondale officials told auditors that the district had migrated its account-management system to a cloud environment and had been working through legacy accounts while optimizing the new process. That context explains the operational challenge. It does not eliminate the risk created while the work remains unfinished.

The larger lesson applies to every school system: cybersecurity policies are only as effective as the routines used to enforce them.

New York City faced a different set of warnings

A separate 2026 comptroller audit examined student-data privacy and security across New York City Public Schools, the nation's largest school district.

Auditors reviewed 141 breaches or unauthorized releases that NYCPS reported to the State Education Department between January 2023 and February 2025. They found that 67 incidents, or 48 percent, were reported to the state late. Notifications to affected individuals and families were delayed in 16 cases.

The audit also found that NYCPS lacked written policies in certain fundamental areas, including data classification, risk assessment and backup and recovery. Among 524 responding schools, 218 reported using at least 70 different student-information-system applications beyond the two central systems.

That degree of decentralization creates an inventory problem. A central office cannot fully assess risk if individual schools are adopting applications that the district has not comprehensively catalogued.

Training was another concern. New York requires employees with access to personally identifiable information to receive annual data-privacy and security training. Auditors found that 73 percent of NYCPS employees completed the required training in 2024, leaving a substantial portion without documented completion.

The New York City and Uniondale findings are different in scale, but they point toward the same institutional weakness: school systems often accumulate accounts, software and data faster than they build the controls needed to govern them. New York City has already taken one visible step in that direction. Chancellor Kamar Samuels paused new educational technology purchases citywide this summer until the department finishes an artificial intelligence policy built around the same privacy and oversight questions these audits raise.

Why former employee accounts matter

When an educator, administrator, contractor or clerical employee leaves, the district should promptly disable unnecessary access. That sounds simple. In practice, it requires coordination among human resources, payroll, school leadership and technology staff.

If one department learns about the departure but the technology office does not, the account may remain active. If an employee works in several systems, disabling the main email account may not remove access to transportation software, special education records, financial platforms or cloud storage.

Strong districts establish an offboarding process that begins before the person's final day. Access is inventoried, district devices are recovered, shared passwords are changed where necessary and system permissions are removed according to a documented timeline.

The same discipline should apply when employees transfer positions. A staff member who moves from district administration to a classroom may no longer require access to sensitive districtwide records. Security depends not only on removing former employees, but on applying the principle of least-privilege access: each user receives only the permissions needed for the current role.

The app problem inside modern classrooms

Schools now rely on digital platforms for instruction, behavior tracking, assessment, translation, communication, artificial intelligence and special education management. Many are useful. Some are adopted informally because a teacher or administrator wants to solve an immediate problem.

That creates a tension between innovation and governance.

A free reading app may request student names, grade levels and performance data. A behavior platform may contain incident records. An AI tool may store prompts that include identifiable student details. A parent-communication service may collect phone numbers and language preferences.

Before a district approves a platform, it should know what data the vendor collects, why it needs the information, where the data is stored, which subcontractors can access it, how long records are retained and what happens when the contract ends.

Families should not have to become cybersecurity analysts to understand every classroom application. The district should maintain and publish clear information about approved vendors and their data practices.

What must districts tell families after a breach?

New York's student-data rules require educational agencies to report qualifying incidents and provide required notifications. The timing and content depend on the nature of the event and the data involved.

Families should expect more than a vague message stating that the district recently became aware of an issue.

A useful breach notice should explain:

What happened. Was the incident caused by phishing, ransomware, unauthorized disclosure, a stolen device or a vendor compromise?

Which information was involved. Families need to know whether the exposed data included names, addresses, Social Security numbers, medical information, grades or login credentials.

Who was affected. The district should identify whether the incident involved current students, former students, employees or particular schools.

What the district has done. The notice should describe containment, password resets, law-enforcement involvement, vendor actions and changes to security practices.

What families should do. That may include changing passwords, monitoring accounts, preserving suspicious messages or using identity-protection services when appropriate.

Speed matters because delayed notification reduces a family's ability to respond.

What parents can ask their school district

Parents do not need access to confidential network diagrams or technical vulnerability reports. Those details can create additional security risks. They can still ask meaningful governance questions.

Does the district require multifactor authentication for staff accounts?

How quickly are accounts disabled when employees leave?

Does the district maintain a complete inventory of applications used by each school?

How often does the board receive cybersecurity updates?

Has the district completed a recent risk assessment or penetration test?

What percentage of employees completed annual data-security training?

How are vendors reviewed before receiving student information?

Does the district have an incident-response and operational-recovery plan?

How are families notified when student information is exposed?

The goal is not to force district officials to reveal exploitable details. It is to determine whether cybersecurity is being governed as an organizational responsibility rather than delegated entirely to one technology director.

What school boards should be watching

Boards of education do not need to configure firewalls, but they do have a fiduciary and oversight role.

A board should receive understandable reports on staff training, account management, critical vendors, insurance requirements, incident-response exercises, backup testing and the implementation of audit recommendations.

The phrase "for security reasons, we cannot discuss cybersecurity" should not end the conversation. Certain technical details belong in confidential sessions. Oversight metrics, policy compliance and corrective-action status can still be discussed publicly.

Audit recommendations deserve particular attention. When an external review identifies weaknesses, the corrective-action plan should contain named responsibilities, deadlines and evidence of completion. A plan that remains partially implemented years later may represent continuing exposure.

Security is not a product the district buys once

School cybersecurity cannot be solved by purchasing one filtering service, one insurance policy or one annual training video.

It is a continuing management discipline built through account controls, staff habits, vendor oversight, reliable backups, software updates, incident exercises and transparent leadership.

The Uniondale audit is significant not because one Long Island district is uniquely vulnerable. It is significant because the weaknesses are recognizable. Old accounts remain active. Procedures exist but are not consistently followed. Cloud migrations leave legacy records behind. Technology teams play catch-up while schools continue generating more data.

Every district should view those findings as a prompt to look inward.

Families entrust schools with information because children cannot be educated safely and effectively without sharing some personal details. That trust creates an obligation. The district's digital doors should be counted, monitored and closed the moment they are no longer needed.