The Next Question Independent School Boards Are Not Ready For

June 04, 2026

Something happened in May 2026 that most independent school leaders noticed briefly and moved past.

A cybercriminal group called ShinyHunters breached Canvas, one of the most widely used learning management systems in education. Roughly 9,000 schools, universities, and education providers were affected. Approximately 275 million records were exposed.

Most of those schools found out the same way.

A message from the attacker appeared directly on the Canvas login screen. Not an internal alert. Not a call from their IT vendor. A ransom demand was displayed to students and faculty as they tried to start their day.

Most institutions had IT vendors. Most had support contracts. Many had cybersecurity tools in place.

And they still found out from the people who stole their data.

That detail is worth sitting with.

Why Education Keeps Getting Targeted

The Canvas breach was not a random event. It was the latest in a pattern that security researchers have been documenting for years.

Education is a high-value, relatively low-resistance target. Schools hold data that is worth money — student records, donor financial information, staff payroll data, and years of accumulated institutional communications. Most of that data lives in systems that were never designed with a hostile actor in mind. And most of the organizations that hold it have limited resources dedicated to protecting it.

According to research from ATLIS and Orah, only 41 percent of U.S. independent schools include IT in safety decisions. Vendor contracts auto-renew without a structured review. Cybersecurity exposures go unaddressed because no one with strategic authority is tracking them across the full technology environment.

This is not a story about schools being careless. It is a story about schools being structurally under-resourced for the level of complexity they are now managing.

When a breach occurs, the question that lands on the head of school's desk is not a technology question.

It is a leadership question.

Who owns this? Who decides what happens next? Who notifies families, donors, and regulators — and how fast?

Most independent schools have never formally defined those answers. Not because they are irresponsible. Because nobody told them it was their job to ask.

The Governance Gap Nobody Is Talking About

Independent schools operate in an increasingly complex accountability environment.

They manage student data under state privacy statutes. They hold donor financial information under a fiduciary obligation. They operate learning platforms, communication systems, and financial tools that touch nearly every stakeholder the school serves.

And most of them have no one at the leadership table whose specific job is to govern any of it.

They may have an IT vendor maintaining the network. They may have an IT coordinator handling devices and helpdesk tickets. But neither of those roles is present when a multi-year vendor contract gets signed without a data security clause, when a new AI tool gets deployed in classrooms without a privacy review, or when a board needs to weigh in on cybersecurity risk and has no framework for doing so.

That gap is real. And it has a cost that most schools do not see until something forces the conversation.

A breach forces the conversation. So does an audit. So does an accreditation review cycle.

The Question That Is Coming

Accreditation bodies move deliberately. They build consensus before formalizing new requirements. But the direction across institutional accountability frameworks is not ambiguous.

Schools that have been through recent review cycles are already seeing technology governance surface as a line of questioning. Not yet as a formal finding in most cases. But as a conversation that leadership was not prepared for.

The questions tend to sound like this:

Does the school have a documented technology plan aligned to its growth and mission?

How does the governing board receive reporting on technology risk and infrastructure status?

What policies govern data privacy, vendor accountability, and cybersecurity oversight at the leadership level?

Who at the board level is accountable when a technology failure or security incident occurs?

These are not technical questions. A head of school does not need to understand network architecture to answer them. A board member does not need a cybersecurity background to ask them.

But they do need someone to have built the structure that makes those answers possible.

Most independent school boards have not had that structure built for them. Not because they are not capable. Because the expectation that it belongs at the board level has not yet been made fully explicit.

It is coming.

The Difference Between Ready and Scrambling

When a school has clarity in technology governance, it does not mean its systems are perfect. It does not mean nothing will ever go wrong.

It means leadership knows exactly what to do when something does.

It means the board can address technology risk during a review cycle without first calling the IT vendor.

It means that when a vendor is breached, or when a platform used by thousands of students and staff is compromised, the head of school does not have to figure out in real time who makes the notification call, what the legal obligation is, and what to say to the families and donors who trusted the school with their information.

The Canvas breach gave roughly 9,000 institutions an unplanned lesson in what that moment feels like.

Most independent schools did not need to be in that lesson. They just were not prepared to be out of it.

Getting prepared does not require you to replace your IT vendor. It does not require hiring a full-time technology director. It does not require a large budget or a technical overhaul.

It requires someone who can assess where your school actually stands, identify the governance gaps that pose real risk, and present a clear picture to the people who govern the institution.

That is a 90-day process. And the schools that start it before the review cycle — or before the breach — are the ones that stay in control of the narrative.

A Starting Point

If your board has never formally reviewed your school's technology governance posture, a practical first step is the executive assessment at kenneththomas.com. It is designed for school leaders and governing boards, takes about ten minutes, and requires no technical background.

It gives leadership a starting point for the conversation that most schools have never had.

Kenneth Thomas is a governance-focused Fractional CTO for independent schools. He works with executive directors and governing boards to eliminate hidden technology risk and establish clear oversight at the board level — without replacing existing IT vendors or creating operational disruption. Learn more at kenneththomas.com or book a 15-minute call at https://www.kenneththomas.com/consultation.

Credit: Canvas breach details referenced in this article draw on reporting by Scott P., "They Did the Math: Why Threat Actors Keep Targeting Education," published May 8, 2026. Referenced with permission.
