A Better Newspaper

## Canvas / Instructure – Data Breach & EdTech Litigation Risk (2026) ### Overview Instructure, the company behind the Canvas learning management system, disclosed a data breach in late April 2026 that may have exposed millions of student and teacher records worldwide (Top Class Actions, May 2026). ### Key Details - The breach was reportedly disclosed by Instructure in late April 2026 (Top Class Actions, May 2026). - The breach may have exposed millions of student and teacher records globally (Top Class Actions, May 2026). - Canvas is one of the most widely deployed learning management systems in K-12 and higher education in the US and internationally. ### Legal & Litigation Exposure - The scale of potential affected users—students and educators across multiple jurisdictions—creates substantial class action litigation exposure. - Student data is subject to FERPA (Family Educational Rights and Privacy Act) protections in the US, creating federal regulatory exposure in addition to state-level privacy claims. - COPPA (Children's Online Privacy Protection Act) exposure exists if any affected students are under 13. - International exposure under GDPR is significant given Canvas's global deployment in EU member states. - State attorneys general investigations are probable given the educational institution context. ### Strategic Significance EdTech platforms hold uniquely sensitive data combining identity, academic performance, behavioral, and sometimes health records. A breach of this scale in the educational sector is likely to accelerate regulatory scrutiny of EdTech data security obligations and may influence pending state-level student privacy legislation. ### Outlook Monitor for class action filings in US federal courts, state AG investigations (particularly California, New York, and Texas), and GDPR enforcement actions from EU data protection authorities.