
Oliver Page
Case study
November 7, 2025

Pennsylvania has taken decisive action to protect student data and school systems from escalating cyber threats with Act 3 of 2023. Signed into law by Governor Josh Shapiro on May 17, 2023, this legislation creates both funding opportunities and reporting obligations for K-12 schools across the Commonwealth.
Quick Overview: What Act 3 Does
The timing matters. Since 2005, schools and colleges in the United States have experienced 3,713 data breaches, exposing at least 37.6 million individual records. Pennsylvania schools reported 78,639 school safety incidents in 2023-24 alone, with 16,345 involving law enforcement.
Act 3 represents Pennsylvania's legislative response to this growing crisis. It recognizes that K-12 schools—with their limited IT budgets and valuable student data—have become prime targets for cybercriminals. The law doesn't just demand compliance; it offers financial support to help schools build stronger defenses.
For IT directors managing tight budgets and rising threats, Act 3 offers a pathway forward. But it also creates new compliance obligations that require immediate attention.

Pennsylvania's Act 3 of 2023 represents a turning point in how the Commonwealth protects its schools from cyber threats. By amending the Public School Code of 1949, this legislation creates a framework that combines proactive cybersecurity funding with clear reporting requirements—a recognition that school safety now extends far beyond physical campuses into the digital realm.
Governor Josh Shapiro signed Act 3 into law on May 17, 2023, and the timing couldn't be more critical. The threats facing K-12 schools have escalated dramatically in recent years. A 2024 analysis from Comparitech revealed that since 2005, schools and colleges in the United States have experienced 3,713 data breaches, exposing at least 37.6 million individual records. These aren't abstract statistics—they represent real students whose personal information, from Social Security numbers to health records, has been compromised.
The Pennsylvania Commission on Crime and Delinquency (PCCD) now oversees the implementation of Act 3, working directly with schools to strengthen their digital defenses. This legislative response acknowledges a harsh reality: schools hold treasure troves of sensitive data, making them attractive targets for cybercriminals who know that educational institutions often lack the resources to defend themselves effectively.
At the heart of Act 3 sits the Public School Cyber Security Grant Program—a funding mechanism designed to level the playing field for schools struggling with limited IT budgets.
The PCCD administers this grant program, handling everything from application review to funding allocation. Their goal is straightforward: help schools invest in cybersecurity measures that might otherwise remain financially out of reach. For many districts, this represents the difference between hoping nothing bad happens and actually building robust defenses.
The grant program welcomes applications from a wide range of school entities across Pennsylvania. School districts, intermediate units, charter schools, cyber charter schools, and area career and technical schools can all apply for funding. The application process typically requires schools to identify their specific cybersecurity needs, propose practical solutions, and demonstrate how their plans align with Act 3's objectives.
This isn't just about buying software and calling it a day. The funding allocation supports comprehensive security improvements—from conducting thorough risk assessments to implementing network monitoring solutions. For schools that have been making do with outdated systems and crossed fingers, the grant program offers a genuine pathway to meaningful protection.
The second pillar of Act 3 establishes clear, urgent obligations when things go wrong. Because in cybersecurity, it's rarely a question of if an incident will occur, but when.
Act 3 requires schools to report cybersecurity incidents to the PCCD within three business days—essentially a 72-hour reporting window—of determining that a breach has occurred. This rapid timeline isn't arbitrary. Quick reporting enables the state to track emerging threats, identify patterns, and help other schools prepare for similar attacks.
A cybersecurity incident under Act 3 covers any event that results in unauthorized access to, disruption of, or misuse of an information system or the nonpublic information stored on it. This definition is intentionally broad, encompassing everything from ransomware attacks to data theft to system compromises.
But there's more. When a breach involves unencrypted personal information, schools must also notify the District Attorney in the county where the breach occurred within that same three-day window. This dual reporting mechanism ensures both state-level coordination through PCCD and local law enforcement involvement when sensitive data is exposed.
The mandatory reporting rule serves a purpose beyond compliance. By enhancing statewide threat intelligence, Pennsylvania can build a comprehensive picture of the cyber landscape facing its schools. This collective knowledge helps inform better preventative strategies, smarter resource allocation, and more effective support for vulnerable districts. It transforms isolated incidents into shared learning opportunities—a critical advantage in the constantly evolving world of cyber threats.

Now that we've covered the basics, let's dive deeper into how Act 3 actually works in practice. This isn't just legislation that sits on a shelf gathering dust. It's designed to give schools real resources and clear direction for building stronger digital defenses through grant funding, practical compliance steps, and a focus on what actually works—robust cybersecurity measures, solid incident response plans, and training that sticks with your team.
Think of the Act 3 grant program as your school's cybersecurity toolkit budget. The funds can be used across a wide range of critical security improvements, and the eligible expenses are thoughtfully designed to address the areas where schools need help most.
Security risk assessments are often the first step. You can't fix what you don't know is broken, right? These assessments help identify the weak spots in your IT infrastructure so you can prioritize where to focus your efforts and dollars.
Once you know where the vulnerabilities are, you can invest in cybersecurity software and hardware—the digital armor that protects your school's systems. This includes essential tools like advanced firewalls, endpoint protection for all those laptops and tablets, intrusion detection systems, and secure servers. These technologies form the foundation of your defense strategy.
Network monitoring solutions act like security cameras for your digital environment. They watch for suspicious activity in real-time, giving your IT team a chance to catch and stop threats before they turn into full-blown disasters. Data encryption tools add another crucial layer of protection, especially for sensitive student information. Even if data somehow gets stolen, encryption makes it unreadable to unauthorized users.
Then there's incident response plan development. A cyberattack isn't a question of "if" anymore—it's "when." Having a well-tested plan is like conducting fire drills for your digital assets. The grant funds can help schools create, practice, and refine these plans so everyone knows exactly what to do when an incident occurs.
Finally, and perhaps most importantly, Act 3 funds can support cybersecurity awareness training for employees. Here's the truth: your technology is only as strong as the people using it. A staff member clicking on a phishing email can undo even the most sophisticated security systems. That's why comprehensive training for all school employees is so vital—covering everything from spotting phishing attacks to practicing good password habits and safe browsing. At CyberNut, we've seen how effective training transforms a school's security culture. A well-trained staff becomes your first and strongest line of defense. If you're curious about where your team stands, consider starting with a free phishing audit to see how vulnerable your school might be to these common attacks.
The reporting requirements under Act 3 might seem like just another administrative task, but they serve a much bigger purpose. These rules help manage the fallout from breaches, ensure schools meet their legal obligations, and ultimately build trust with the communities they serve.
When a breach involves unencrypted personal information, schools must notify the District Attorney in their county within three business days of discovering the incident. This isn't arbitrary red tape—it's tied directly to Pennsylvania's breach notification law, which has been strengthened with stricter timelines for public entities. The Pennsylvania Commission on Crime and Delinquency (PCCD) must also receive notification within that same three-day window for any cybersecurity incident.
Why does this matter so much? Quick notification allows law enforcement to start investigating immediately, potentially recovering stolen data or catching the perpetrators. But there's an equally important human element here. The 74's investigation into over 300 K-12 cyberattacks during 2024-2025 uncovered something troubling: a widespread pattern where school districts provided incomplete, misleading, or even downright inaccurate information after security incidents. Some schools tried to minimize what happened or delayed sharing the truth with families.
Act 3 pushes schools in the opposite direction—toward transparency and accountability. When a school is upfront about a breach, parents and staff can take protective steps like monitoring their credit or changing passwords. Yes, sharing bad news is uncomfortable. But that honesty is what builds and maintains trust with your community. People understand that cyberattacks happen to even well-prepared organizations. What they struggle to forgive is being kept in the dark or misled about risks to their personal information.
The importance of transparency can't be overstated. When schools communicate openly about cybersecurity incidents, they demonstrate that they value their community's wellbeing over their own reputation. That commitment to doing the right thing, even when it's difficult, strengthens the relationship between schools and the families they serve.

Pennsylvania isn't fighting this battle alone. When you look at Act 3 in context, you'll see it's part of a much larger movement sweeping across the nation. From coast to coast, states are waking up to the reality that our schools need better protection, and they're taking action through state-level legislation that addresses what federal initiatives have left unaddressed.
The truth is, existing federal protections like FERPA have serious limitations. Written back in 1974—before the internet even existed—FERPA simply wasn't designed for today's digital threats. Its vague security standards leave enormous gaps, particularly around vendor risk management and specific incident response protocols. This inadequacy has forced states to create their own, more robust cybersecurity requirements tailored to modern threats.
Pennsylvania chose a grant-based model that focuses on supporting schools financially while establishing clear reporting requirements. It's an approach that says, "We know this is expensive, and we're here to help you do it right." But other states have taken different paths to the same destination.
New York, for example, went with compliance mandates. Every educational agency must have a data security and privacy policy aligned with the NIST Cybersecurity Framework 1.1, and they must post that policy publicly for accountability. Texas took yet another route with required security plans—their law mandates that districts adopt cybersecurity policies that secure infrastructure, assess risk, and implement mitigation planning. Each state is crafting solutions that fit its unique circumstances and resources.
Meanwhile, the federal government is finally stepping up. The FCC's $200M E-Rate Cybersecurity Pilot Program represents a significant national push for K-12 security. This three-year pilot program tests whether Universal Service funding can effectively support cybersecurity in schools and libraries. With up to $200 million available for advanced firewalls, endpoint protection, identity authentication, and network monitoring solutions, it signals federal recognition that this problem demands serious investment.
What connects all these approaches—Pennsylvania's grants, New York's compliance mandates, Texas's required security plans, and the federal E-Rate program—is the shared understanding that our current patchwork of protections isn't enough. Schools hold incredibly sensitive data, from student psychological evaluations to financial records, and they need comprehensive, modern security frameworks to protect it.
Here's something that might surprise you: even with all the sophisticated technology we can deploy, human error remains the leading cause of security breaches. A NYSED report on human error found that 200 of the 384 student data incidents reported in New York State in 2024 were caused by people making mistakes. That's more than half of all incidents!
Think about that for a moment. You can have the best firewalls money can buy, the most advanced encryption, and state-of-the-art monitoring systems—but if someone clicks on a phishing email or falls for a social engineering trick, all those defenses can crumble.
Phishing attacks are particularly insidious. A teacher receives what looks like a legitimate email from the district office asking them to verify their credentials. They click, they enter their information, and suddenly an attacker has the keys to your network. Social engineering works the same way, manipulating people into revealing confidential information or performing actions that compromise security.
This is exactly why Act 3 wisely includes cybersecurity awareness training for employees as an eligible grant expense. Technology alone won't save us. We need continuous training that keeps security top of mind for every staff member, from the superintendent to the cafeteria worker who might receive a suspicious email.
Building a security-conscious culture isn't about making people paranoid—it's about empowering them with knowledge. When your staff can spot the warning signs of a phishing attempt, when they understand why strong passwords matter, when they know exactly what to do if something seems off, they become your strongest defense. At CyberNut, we've seen how effective ongoing, engaging training can transform an entire school's security posture. If you're wondering where your staff stands right now, consider getting a free phishing audit to see how vulnerable your school might be.
The reality is that Act 3 recognizes what security experts have known for years: the human element is critical. You can't just throw technology at the problem and hope for the best. You need people who understand the threats and know how to respond. That's not just good security practice—it's the foundation of a truly resilient school system.
We understand that new legislation can bring a lot of questions, especially when it involves both compliance obligations and funding opportunities. Here, we address some of the most common inquiries regarding Act 3 of 2023 to help you understand what this means for your district.
The Pennsylvania Commission on Crime and Delinquency (PCCD) is the central authority responsible for overseeing Act 3. Think of them as both your resource and your accountability partner in this process.
PCCD wears several hats under this legislation. First, they administer the Public School Cyber Security Grant Program, which means they handle everything from reviewing applications to allocating funds and ensuring the money is used appropriately. If you're applying for grants, PCCD is your primary point of contact.
Second, PCCD collects all the mandatory incident reports from school entities across Pennsylvania. This isn't just paperwork—it's how the state builds a comprehensive picture of the cybersecurity threats facing our schools. By gathering this intelligence, PCCD can identify patterns, share threat information, and help schools learn from each other's experiences.
Beyond administration and data collection, PCCD provides guidance for schools navigating these new requirements. They're there to help you understand what compliance looks like and how to make the most of available resources. Their role is supportive, focused on strengthening Pennsylvania's collective defense rather than simply policing schools.
Here's some good news: Act 3 takes a support-first approach rather than leading with punishment. The legislation is designed to help schools improve their cybersecurity posture, not to create a minefield of fines and penalties.
That said, non-compliance does carry real consequences, even if they're not always in the form of direct fines. If your school fails to follow the grant program guidelines or meet reporting requirements, you could face ineligibility for future grants. That's a significant loss, cutting off access to funding that could strengthen your defenses when you need it most.
The more serious risk is what happens when you remain vulnerable. Schools that ignore Act 3's guidance face increased vulnerability to attacks, which can result in devastating financial losses, operational shutdowns, and the exposure of sensitive student and staff data. The cost of recovering from a major breach—both financially and reputationally—far exceeds any investment in prevention.
There's also the matter of legal liability from data breaches. While Act 3 itself doesn't spell out specific monetary fines for schools, the mandatory incident reporting connects to Pennsylvania's broader Breach of Personal Information Notification Act. Failing to comply with those notification requirements can lead to lawsuits from affected individuals and serious regulatory scrutiny.
Perhaps most damaging is the reputational damage that comes with non-compliance. When parents find out their child's school didn't take basic cybersecurity precautions or tried to hide a breach, trust evaporates. In tight-knit communities, that kind of damage can take years to repair. Act 3 encourages transparency and proactive protection precisely because these are what communities deserve.
Act 3 casts a wide protective net over the various types of sensitive information that schools handle every day. Understanding what you're protecting helps clarify why these requirements matter so much.
At the top of the list is Student Personally Identifiable Information (PII). This encompasses far more than just names and addresses. We're talking about dates of birth, Social Security numbers, academic records, disciplinary files, health information, special education documentation, and even psychological evaluations. The LAUSD cyberattack showed us just how devastating these breaches can be—cybercriminals gained access to student psychological evaluations, medication details, and reports of sexual abuse. That's not just data; those are children's lives being exposed.
Employee data is equally critical. Your staff members trust you with their Social Security numbers, bank account information for direct deposit, health insurance details, and personal contact information. A breach of employee data can lead to identity theft and financial fraud that affects your team members' lives outside of school.
Schools also handle substantial financial records—everything from district budgets and payroll systems to vendor contracts and purchasing information. Cybercriminals know this data has value, whether they're deploying ransomware to lock you out or stealing financial information for fraud.
Finally, Act 3 protects your school operational systems. These are the digital tools that keep your school running: student information systems, attendance tracking, grade management, facility access controls, and communication platforms. When these systems go down or get compromised, your ability to educate students grinds to a halt.
Act 3 recognizes that all of this data—every piece of information your school handles—deserves protection. The legislation provides both the resources and the framework to make that protection possible.
Act 3 of 2023 represents a turning point for how Pennsylvania protects its students, staff, and educational institutions from cyber threats. This isn't just another piece of legislation gathering dust on a shelf—it's a genuine commitment to changing how schools approach digital security.
By creating the Public School Cyber Security Grant Program and establishing clear incident reporting mandates, Pennsylvania is saying something important: we're done playing defense. The days of waiting for an attack to happen and then scrambling to respond are over. Act 3 pushes schools toward a proactive rather than reactive security posture, where prevention and preparation take center stage.
What makes this legislation particularly effective is its recognition that cybersecurity isn't just about buying the latest firewall or antivirus software. Yes, those technical controls matter—security risk assessments, network monitoring solutions, data encryption tools, and robust hardware all play vital roles in a multi-layered defense strategy. But technology alone can't solve this problem.
The critical role of employee training cannot be emphasized enough. We've seen throughout this discussion that human error causes more than half of all data breaches in educational settings. Every teacher who can spot a phishing email, every administrator who uses strong passwords, every staff member who thinks twice before clicking a suspicious link—these individuals become your school's strongest defense.
That's exactly where we come in. At CyberNut, we've built our entire approach around the understanding that cybersecurity training doesn't have to be boring, time-consuming, or overwhelming. Our automated, gamified micro-trainings are specifically designed for busy educators who need effective protection without adding more work to their already full plates.
If you're wondering where your school stands right now, we'd encourage you to find out how vulnerable your school is to phishing attacks with a free phishing audit. There's no obligation, no pressure—just honest insight into where you might be at risk.
Beyond that, we invite you to explore how CyberNut's solutions can help your district not just check the compliance boxes that Act 3 requires, but genuinely build a security-conscious culture that protects your students for years to come. Our custom, engaging approach transforms cybersecurity from a dreaded requirement into something your staff actually participates in willingly.
Pennsylvania has given its schools the tools and framework to succeed. Now it's up to each district to take action. Together, we can strengthen Pennsylvania's digital defenses and create safer learning environments where students can focus on what matters most—their education.
