Penetration Testing for EdTech Vendors: What FERPA Actually Expects
Selling a SaaS platform into K-12 districts or higher education means eventually landing on someone’s vendor security questionnaire. And increasingly, somewhere in that process, a procurement officer or Technology Director is going to ask for a third-party penetration test report.
The Family Educational Rights and Privacy Act (FERPA) is the federal law that governs how student education records are handled. The law does not define a specific security standard or require a specific type of testing. It requires reasonable care, and leaves the definition of reasonable to interpretation.
In practice, many EdTech vendors focus more on complying with state-level student privacy laws than with FERPA itself. Statutes such as California’s SOPIPA and New York’s Education Law 2-d impose stricter, more explicit security requirements than their federal counterpart.
What FERPA Actually Requires of You
When a school or district signs a contract with a SaaS vendor, that vendor becomes what FERPA calls a “school official,” an entity acting on behalf of the institution with a legitimate educational interest in the data.
That designation comes with a real obligation. You are expected to protect student records with the same care the institution would. What FERPA does not do is name a specific control set or require a specific type of testing. It leaves that to interpretation, which means in the event of a breach, regulators, attorneys, and school boards get to decide retroactively whether you did enough.
The Illuminate Education Warning Shot
In 2022, a breach at Illuminate Education exposed the personal records of millions of students. The regulatory fallout reached a final turning point in late 2025, when the company agreed to a $5.1 million settlement with the Attorneys General of New York, California, and Connecticut.
The investigation revealed that a cybersecurity vendor had alerted Illuminate to “high risk” server vulnerabilities as early as 2020. Because the company failed to fully implement the recommended fixes, regulators determined it had failed to meet the legal standard for reasonable security. In fact, as part of the 2025 settlement, Illuminate is now legally required to perform third-party penetration tests and independent security audits for the next several years.
For EdTech vendors, the takeaway is clear. Regulators no longer view security testing as an optional best practice. They now treat a failure to remediate known vulnerabilities as documented evidence of negligence. If a breach occurs, the investigation will look back to see if you performed the testing your contracts promised and whether you acted on the results.
Why Procurement Is Already Forcing the Issue
Beyond the immediate concerns of breach liability, school procurement departments are quickly raising their vendor security standards. School districts that previously accepted self-reported security questionnaires have transitioned to requiring proof of an independent, third-party penetration test. Similarly, colleges and universities are building security review processes that look more like enterprise vendor audits every year.
Failure to provide a current penetration test report often results in an immediate stall in the procurement process. A clear report gives your supporters inside the school district the proof they need to show the Technology Director or the school board. Having this document ready addresses critical objections early in the evaluation cycle, and many organizations now find it a non-negotiable requirement.
What a FERPA-Relevant Pentest Actually Looks Like
Education technology is a specialized field with unique operational challenges. School IT staff and district directors are fully aware that their environments do not mirror a standard corporate office. They often reject one-size-fits-all security solutions because those products fail to account for the nuances of classroom technology and student privacy.
A basic vulnerability scan or a superficial automated test is a poor substitute for a manual penetration test. These generic assessments can be expensive and yet fail to identify the specific risks inherent to an educational context. To provide actual value, a test must focus on the unique ways that student data can be compromised.
Working with a partner who understands the specific needs of K-12 and higher education ensures that the testing is relevant to your actual environment. This specialized approach provides a level of depth that automated tools cannot reach. It also produces a report that speaks the language of a school board or a Technology Director rather than just listing raw technical data.
The Standard of Care Argument
FERPA creates a standard of care without defining it precisely. In the absence of a specific mandate, courts and regulators look at industry practice to determine what reasonable looks like. Across EdTech, healthcare, finance, and government, that practice is converging on regular penetration testing as a baseline expectation.
The cost of a pentest engagement is a fraction of the cost of breach notification, a fraction of the cost of a failed procurement, and a fraction of the legal exposure that comes with handling millions of student records without documented evidence that you took security seriously.
You do not get a pentest to satisfy a FERPA checkbox. There is not one. You get it because you are handling data that belongs to children, because school districts are asking for it, and because if something goes wrong, it is the clearest evidence you have that you did your job.
If you are selling into education and you do not have a recent pentest report, that is the gap worth closing first.
The Checklist Your Auditor Wishes You Had
If your current reports leave auditors asking follow-up questions, it is time to raise your expectations.
Our free guide, Audit-Proof Your Pentest, gives you 17 questions that reveal whether you are working with a real security partner or just another checkbox vendor.
Learn how to spot shallow testing hidden behind polished reports, identify red flags in communication, and choose a partner who delivers evidence your auditor will actually trust.