Utah HB 55 - What It Protects, What It Doesn't, and What Districts Should Do Before 7/1.
If you're a superintendent, CTO, or Director of IT in a Utah district, you've probably already seen the headlines. Vendor sells student data without authorization → district can walk away → no exit fees, no damages, no contractual handcuffs.
Sounds great. And in one specific scenario, it is.
But here's what I want you to take from this read:
✅ What HB 55 actually covers (it's narrower than you might think)
✅ The three breach scenarios this law leaves wide open
✅ Why 'vendor or district?' becomes the most expensive question you'll ever answer after an incident
✅ The 30-day window between now and July 1 - and what to do in it
✅ A practical checklist your team can run before the law takes effect
Stick with me. There's a scenario I want to walk through first.
Picture a district CTO. Doesn't matter where - could be Utah, could be anywhere. Small district. Lean IT team. Vendor contracts that look reasonable on paper. If you asked her whether she was worried about a breach, she'd probably tell you no. Her district has "all the privacy stuff" handled.
Now ask her a different question - the one I ask most district leaders I meet: "If a parent calls you Monday morning and says their kid's data showed up on a forum, what do you say in the first 24 hours?"
Most district leaders, faced with that question for the first time, answer the same way: "I'd call the vendor."
That's where most district response plans end. And it's exactly where the real problem begins.
Because here's what nobody tells you about a breach: the legal question isn't "what happened?" It's "who caused it?" And the answer to that question determines whether your district spends the next six months on the offense or on the defense - regardless of what any law says about vendor accountability.
That's the gap HB 55 doesn't close. And it's the gap every district in Utah currently sits in.
What HB 55 actually does (in plain language)
Let's get the bill itself out of the way, because most coverage glosses over the specifics.
HB 55 passed both chambers of the Utah Legislature unanimously and was signed by the Governor on February 27, 2026. Chief sponsor: Rep. Tiara Auxier. It takes effect July 1, 2026.
What it does:
When a third-party contractor makes an unauthorized sale of student data in violation of FERPA, COPPA, or Utah's student data privacy chapter, three things must happen.
- Your district has 30 days from discovery to formally notify the vendor.
- The vendor has 30 days to remediate to your satisfaction and establish processes preventing recurrence.
- If they don't, you must terminate the contract - and they cannot impose a fee, seek damages, or assert any financial liability for that termination.
The law also requires that all new contracts include a provision stating this termination duty and prohibiting exit fees tied to it.
That's it. That's the whole law.
Read that again, because the language matters: unauthorized sale of student data.
Not "breach." Not "incident." Not "exposure." A specific bad-actor behavior, with a specific legal trigger.
The brutal truth most coverage is glossing over
HB 55 protects districts from one specific vendor behavior. It's an important one - but it's a small slice of the actual breach scenarios districts face.
Here's how the framing usually goes wrong: a district leader reads the headlines, sees the words "privacy violation," and assumes the coverage is broad. It isn't. Three things HB 55 does not do, and each one matters before July 1:
It doesn't cover ransomware. When a vendor's systems get encrypted by an outside attacker and student data leaks as a result, that's not a sale. Your remedies are whatever your existing DPA says they are.
It doesn't cover misconfiguration. When a vendor's API quietly exposes PII for eight months because nobody set the permissions right, that's not a sale. Same answer.
It doesn't cover employee exfiltration. When a vendor employee downloads a roster on their way out the door and posts it on Pastebin, that's not a sale (technically). Same answer.
Here's a concrete example of what falls outside it.
What a $17.25M case looks like in practice
On the same day HB 55 was signed, a federal court gave preliminary approval to a $17.25M class-action settlement against PowerSchool, its Naviance subsidiary, and Chicago Public Schools. The allegation: Naviance covertly recorded student communications and shared data with third-party analytics tools, affecting more than 10 million students between 2021 and 2026.
Here's the part Utah districts should sit with. If a similar incident happened with a Utah vendor under HB 55, would it be covered?
Probably not. The Naviance case wasn't framed as an unauthorized sale - it was framed as unauthorized interception and analytics-sharing. HB 55's no-fee termination right is keyed specifically to sales. The scenarios that account for the bulk of K-12 incidents - covert tracking, third-party data routing, ransomware, misconfiguration - all sit outside the law's protection.
The settlement does require something HB 55 doesn't: CPS must now mandate annual privacy compliance certifications from every vendor that handles student data. That requirement is going to ripple through K-12 vendor contracts nationally. We'll cover what that means for your DPA renewal cycle in a future post.
And the biggest gap of all - the one I keep coming back to with the districts we serve whenever legislation like this lands in their state:
HB 55 doesn't address district-side risk at all.
Districts are targeted as often as the vendors they contract with. Sometimes more. HB 55 doesn't change that. It just changes what happens after a vendor contract goes wrong.
Why "vendor or district?" is the question that will cost you
Here's something most district leaders don't think about until it's too late.
When an incident hits, the first 72 hours are spent answering one question: where did this come from?
Was it the vendor's system? Was it ours? Was it the integration between the two? Was it phishing? Was it a misconfigured share? Was it an employee mistake?
The answer to that question determines:
- Whether your district is the responding party or the responsible party
- Whether HB 55's no-fee termination protection even applies
- What you tell parents, your board, the AG's office, and the press
- How much your district's insurance premium goes up next year
- Whether anyone loses their job
And here's the kicker: you can't answer that question after the fact unless you've documented your security posture before the fact.
This is where pentests stop being a compliance checkbox and start being a legal asset.
A recent, documented pentest tells you - and more importantly, tells anyone investigating - exactly what your district's attack surface looked like on a specific date. Combine it with a vCISO relationship that owns ongoing remediation tracking and you get something most districts don't have: the ability to point at evidence and say "this wasn't us, and here's why."
One more thing worth knowing: HB 55 also strengthens what the State Board's Student Data Privacy Team can do. Anyone - a parent, a former employee, a competitor - can now submit a suspected violation report directly to the Board, which is required to initiate a compliance audit if the report is credible. That's a new audit-risk surface most districts haven't accounted for. We'll dig into that one in detail in our June 2 post.
Quick aside for the district leaders reading this: If you don't have current pentest documentation and you're not sure where to start, we'd be happy to walk you through what readiness looks like for your district size. A 20-minute call, no slides, no pitch deck.
What the new playbook actually looks like
The old playbook was: trust your vendor's DPA, hope nothing goes wrong, react when it does.
That playbook was already broken. HB 55 just makes the brokenness more visible.
The new playbook for Utah districts has four parts, and they need to be in place before July 1, not after:
1. Audit your DPAs against HB 55's required language.
The law mandates that new contracts include specific provisions about the termination duty and prohibiting exit fees tied to it. Existing contracts may not have this language, and renewal cycles are about to get interesting. Most Utah LEAs use the Utah Student Privacy Alliance's standardized DPA template - but if you have any custom contracts, walk them against the law's requirements. If you don't have someone on staff who can do this, get help.
2. Inventory which vendors hold what data.
Most districts can't produce a clean list of "which third-party contractors have access to which categories of student data." When an incident happens, that list is the first thing anyone investigating will ask for. Build it now while you're calm.
3. Get a pentest on the books.
Not because it makes you bulletproof - it doesn't. Because when the attribution question comes up, "we conducted a third-party penetration test on [date] and remediated findings by [date]" is the difference between being a defendant and being a witness.
4. Establish a vCISO relationship.
This is the piece districts skip and regret. A vCISO doesn't just do incident response. They own the ongoing question of "is our security posture defensible today?" - which is the only question that matters when an incident happens tomorrow.
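Steps 1 and 2 above are the ones an IT team can start scripting today. The block below is an added example written for this post, not Loop + Ledger's tooling and not anything the State Board or the USPA publishes: it models a vendor inventory as a small list of contracts, inverts it into "which vendors hold which data categories," flags contracts that come up for renewal on or after July 1 without the termination/no-fee provision, and computes the two 30-day windows the post describes. The vendor names, dates and categories are constructed sample data; the field names and the "integration review older than a year" threshold are my own assumptions, not anything in the law.

```python
"""
Added example for the HB 55 readiness playbook. All vendors, dates and
data categories below are constructed sample data. Field names and the
one-year review threshold are this example's assumptions, not statutory.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Set, Tuple

# Timeline as described in the post: 30 days from discovery to notify the
# vendor, then 30 days from notification for the vendor to remediate.
NOTIFY_WINDOW = timedelta(days=30)
REMEDIATE_WINDOW = timedelta(days=30)
EFFECTIVE_DATE = date(2026, 7, 1)
REVIEW_MAX_AGE_DAYS = 365  # assumption: integration reviews older than this get flagged


@dataclass
class VendorContract:
    vendor: str
    data_categories: Set[str]          # e.g. {"directory", "grades", "health"}
    renewal_date: date                 # next date the contract is signed/renewed
    has_hb55_termination_clause: bool  # termination duty + no exit fee language present
    last_integration_review: Optional[date]  # when downstream data flows were last reviewed


# Constructed sample inventory (not real vendors or contracts).
SAMPLE_CONTRACTS: List[VendorContract] = [
    VendorContract("Gradebook Co", {"grades", "directory"}, date(2026, 8, 15), False, date(2026, 1, 10)),
    VendorContract("CareerPath", {"directory", "behavioral"}, date(2026, 6, 20), False, None),
    VendorContract("NurseNotes", {"health"}, date(2027, 1, 1), True, date(2025, 3, 1)),
]


def inventory_by_category(contracts: List[VendorContract]) -> Dict[str, List[str]]:
    """Invert the contract list: data category -> sorted list of vendors holding it."""
    out: Dict[str, List[str]] = {}
    for c in contracts:
        for cat in c.data_categories:
            out.setdefault(cat, []).append(c.vendor)
    return {cat: sorted(vendors) for cat, vendors in out.items()}


def contract_findings(contracts: List[VendorContract], today: date) -> List[Tuple[str, str]]:
    """Flag contracts that need attention before the law takes effect."""
    findings: List[Tuple[str, str]] = []
    for c in contracts:
        # New contracts signed on/after July 1 must carry the termination/no-fee provision.
        if c.renewal_date >= EFFECTIVE_DATE and not c.has_hb55_termination_clause:
            findings.append((c.vendor, "renews on/after 7/1/2026 without HB 55 termination clause"))
        # Undocumented or stale review of downstream integrations (the Naviance pattern).
        if c.last_integration_review is None:
            findings.append((c.vendor, "no documented third-party integration review"))
        elif (today - c.last_integration_review).days > REVIEW_MAX_AGE_DAYS:
            findings.append((c.vendor, "integration review older than one year"))
    return findings


def hb55_deadlines(discovered: date, notified: Optional[date] = None) -> Dict[str, Optional[object]]:
    """Compute the notification deadline and, once notified, the remediation deadline."""
    notify_by = discovered + NOTIFY_WINDOW
    return {
        "notify_by": notify_by,
        "notified_on_time": None if notified is None else notified <= notify_by,
        "remediate_by": None if notified is None else notified + REMEDIATE_WINDOW,
    }


if __name__ == "__main__":
    today = date(2026, 6, 1)
    for cat, vendors in sorted(inventory_by_category(SAMPLE_CONTRACTS).items()):
        print(f"{cat}: {', '.join(vendors)}")
    for vendor, issue in contract_findings(SAMPLE_CONTRACTS, today):
        print(f"FINDING {vendor}: {issue}")
    print(hb55_deadlines(date(2026, 7, 10), notified=date(2026, 7, 20)))
```

The inventory function is deliberately category-first rather than vendor-first: when an investigator asks "who had access to health records?", that is the lookup you need in the first hour, and it is the one most districts cannot produce. Swap the constructed list for a CSV export from your contract system and the rest stays the same.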
What this looks like in the real world
We've talked to peers across K-12 security who've watched some version of this story play out at districts they work with. The pattern repeats: a downstream integration, a vendor partnership that nobody flagged at signing, a data flow that ran for months or years before anyone went looking. The PowerSchool/Naviance settlement is the publicly documented version of what those conversations describe.
Naviance is a college- and career-planning platform used by tens of millions of students. Court filings allege that between August 2021 and January 2026, the platform routed student data to third-party analytics and advertising tools - including Heap, Google, Microsoft, Hotjar, and Gainsight - without the kind of explicit district authorization most DPAs would have required if anyone had thought to ask the right questions.
No district set out to allow this. The integrations sat downstream of the contract, invisible to the day-to-day operational team. By the time the lawsuit surfaced what had been happening, the data flows had been running for years.
Here's the part that matters for HB 55 readiness: the districts whose data was affected are now answering hard questions from parents, school boards, and journalists. The ones who can produce a clear vendor inventory, a recent pentest, and documentation of when and how they reviewed third-party integrations are in a very different position than the ones who can't.
HB 55 doesn't change the math on that - the documentation work has to happen either way. What HB 55 does is tighten the timeline. After July 1, the State Board's Student Data Privacy Team will have a formal mechanism to accept third-party violation reports and initiate audits. Districts that get organized before July 1 will be ready for that audit surface. Districts that don't, won't.
The shift most of us have had to make
It's tempting to think of cybersecurity as something you buy - a tool, a vendor, an annual scan. That's how most of us came up in this industry. But the work that actually pays off when something goes wrong isn't the purchasing. It's the documenting.
Tools are tools. They're useful when they save time or prove a point. But the actual defensible position your district sits in - the one that holds up when a regulator, a parent, or a journalist asks "what did you do to prevent this?" - that position is built out of documentation, not software.
And the time to build it is before the incident, not during.
The federal Government Accountability Office reports that K-12 districts hit by cyber incidents have faced monetary losses ranging from $50,000 to over $1 million per incident - and recovery has taken two to nine months. Districts that paid ransoms in a 2023 Sophos study averaged $2.18 million in total recovery costs. Texas, Idaho, Louisiana, and New Jersey districts have each lost $300,000 to $2 million in single phishing incidents.
Districts that started the documentation work early will spend a fraction of those numbers - and come out on the other side with their reputation intact. Districts that didn't will be writing checks they never budgeted for.
You don't need a degree in cybersecurity to know which side of that you want to be on. You just need a system.
So here's the offer
We're Loop + Ledger.
We do professional security audits paired with vCISO support, specifically for K-12 districts, with former educators in C-suite roles.
We pentest districts the way we'd want our own kids' districts pentested - practical, prioritized, and translated into language a school board will actually act on.
HB 55 is now law. The 30-ish days between now and July 1 are the window to get your district's documentation in order before an incident forces the question. After July 1, the urgency only goes up - and so does the audit surface, which we'll cover in detail in our June 2 post.
Need help walking through your existing DPAs against HB 55's required provisions? Reach out - we'd love to help.
Loop + Ledger is the only K-12-specialized cybersecurity firm we've found that pairs professional pentesting with vCISO support and former educators at the C-suite level. We work with districts of all sizes across Utah and nationally to build the kind of defensible security posture that holds up when it matters.