
Pain Point #3 · May 26, 2026

Pain Browser No. 3: The $17M Settlement That Priced a Stolen Childhood

What PowerSchool, the state age-verification wave, and the next certification standard mean for K-12 identity exposure.

A federal court just valued ten million tracked students at about $1.70 each. That was the easy case. The breach that exposed 62 million children's Social Security numbers has no price at all, because no market exists to set one. Build that market and you own the layer.

Opportunity: 8/10 (Exceptional) · Problem: 9/10 (Severe Pain) · Feasibility: 6/10 (Hard but Buildable) · Why Now: 9/10 (Perfect Timing)

Categorization

Type: Certification + Usage
Market: B2B2C
Target: Trust and security leads at K-12 EdTech platforms; K-12 cyber program managers at carriers
Main Competitor: iKeepSafe and the Student Data Privacy Consortium (compliance attestation, no exposure rating)

01 Hook

A federal court just attached a dollar figure to a hacked childhood. It came out to $1.70.

This spring, a judge in the Northern District of Illinois moved a $17.25 million settlement toward final approval. The class is every student in America who logged into Naviance, the college-planning platform thousands of high schools hand their kids, between August 2021 and January 2026. Around ten million students. The claim window closes May 26.

Run the settlement's own math. $17.25 million across ten million students is roughly $1.70 each. Then the lawyers take up to 37%. Then administration costs. Then a service award. What lands in an actual family's hands rounds toward zero. And $1.70 bought the easy case. Naviance never lost these kids' Social Security numbers. It tracked their clicks and sold the exhaust to ad-tech.

The hard case belongs to the same company. In December 2024, PowerSchool, the largest K-12 software company in North America, was breached. Bain Capital had taken it private for $5.6 billion less than three months earlier. The breach exposed 62.4 million students and 9.5 million teachers: names, addresses, Social Security numbers, medical records, special-education status, and for some children the bus stop where they stand every morning. Texas counted more than 880,000 victims and sued. That case is still open. No settlement. No number. No price.

That is the opening. Every American schoolchild's identity is loose right now. PowerSchool, Canvas two weeks ago, and a long tail of smaller districts put it there. The harm is real, it runs for a lifetime, and nobody has priced it. No district gets graded on it. No EdTech vendor gets certified against it. No carrier can underwrite it. There is no market sitting on top of 50 million children's data. $1.70 is what an empty market looks like. Someone is going to build the one that fills it.

02 Problem

Child identity theft is not adult identity theft scaled down. It is a different crime, and a worse one. A kid's Social Security number is clean, i.e., unused, uncredited, unmonitored. Nobody checks it until that kid applies for a loan, a job, or financial aid at seventeen or eighteen. That makes it the best raw material in fraud, the premium input for synthetic identity manufacturing. A fake identity built on a real child's SSN ages quietly for a decade with nobody watching the file. Javelin counted 1.25 million U.S. child identity-fraud victims in 2020, costing families more than $1,100 each. Industry estimates put aggregate annual child identity fraud near $1 billion. And the harm hides. It surfaces years later, when an eighteen-year-old gets denied a first credit card and learns someone has been operating as them since the third grade.

Loss numbers are not the opportunity. The opportunity is the layer above the loss: the rating and certification that lets a district measure its exposure, lets an EdTech vendor prove how it handles data, and lets a carrier price the risk. The loss class is the demand signal. The product is the standard that turns an un-modelable harm into something you can govern, insure, and sell against. That distinction is the business.

The supply feeding this loss class is already industrialized. PowerSchool was the biggest single event, not the only one. Canvas followed in May. Education was the fourth most-attacked ransomware sector in the first half of 2025, with attacks on schools and universities up 23% year over year. The reason is structural: a typical district runs dozens to hundreds of EdTech tools, and every vendor is a door. Worse, the defense is retreating. In 2025 the federal government shut down the Department of Education's Office of Educational Technology and killed the K-12 cybersecurity programs that ran through the Multi-State Information Sharing and Analysis Center. The institution holding more children's Social Security numbers than any other in America is getting less protected every quarter, exactly as the breach crews scale up.

That gap is the prize. To manage child-identity exposure at scale you need three things: a standard definition of the exposure, an institution-level metric that scores it, and a loss baseline credible enough to support a premium or win a contract. K-12 has none of them. A superintendent cannot tell the school board how exposed the district's kids are. An EdTech vendor cannot hand a procurement officer a third-party grade. A cyber underwriter writing a district is flying blind on the single biggest category of harm on the account. This is exactly where cyber insurance sat fifteen years ago: real losses, no standard, no market. The first credible standard wins the category.

03 Why Now

The breach wave and the settlement calendar collided this month. ShinyHunters hit Canvas and roughly 9,000 institutions on May 7, 2026. The PowerSchool Naviance settlement goes to a final approval hearing on June 10, 2026, with its claim deadline two days out. The PowerSchool breach suit and the Texas Attorney General's case are both live. For the first time, harm to children's identity data is being adjudicated, priced, and headlined in the same news cycle. The price, where one exists, is $1.70 a kid. That is a market begging for a floor.

The second force is the one most identity builders have not connected to children yet: state age-verification law. As of spring 2026, at least nineteen states have passed social-media age-verification or addictive-feed laws, and four of them (Utah, Louisiana, Texas, Alabama) have passed App Store Accountability Acts. Utah's developer rules took effect May 6. Louisiana's law lands July 1. Alabama and California arrive in January 2027. In February the FTC issued a COPPA policy statement that openly encourages age-verification technology. Every one of these laws does the same thing. It forces platforms, app stores, and individual developers to collect and keep the exact data they used to work hard not to hold: birthdates, government ID images, biometric face scans, age attestations, all of it tied to minors. The EFF calls it a perverse incentive, and that is precisely right. A child-safety regime is now manufacturing a fresh, fast-growing, lightly secured supply of children's identity data, scattered across thousands of app developers and a brand-new tier of age-verification vendors. The law itself is widening the attack surface. This data will spread, and some of it will leak. That is not a risk scenario. It is the design.

The protective half has not shipped. Parents can already buy monitoring: Aura, LifeLock, Identity Guard, IDShield Family, and AllClear ID all sell child-identity monitoring and guided credit freezes. Nothing exists at the institution level. No BitSight for a school district. No certification an EdTech vendor can drop into an RFP. No exposure rating a carrier can rate-base on. The Credit Freeze for Newborns Act has been sitting in Congress unpassed since 2024. The underwriting machinery that finally made cyber insurance scalable has no child-identity equivalent in K-12. Demand is being set in court. Supply is being pumped out by breach crews and now by statute. The protective layer is a slide deck. The architecture is obvious and the product is not built. That is the opening, and it is open right now.

04 Market

The market splits into four buyer pools, and the wedge is not the obvious one.

Start with who you should not sell to first. The district-side buyer is the one every founder reaches for, and as a revenue engine it is a trap. There are roughly 13,000 U.S. school districts. They hold the Social Security numbers, and after the 2025 federal cuts they have neither the budget nor the outside support to act on them. The district is the data holder, not the payer. Build a district-facing product to get the standard adopted, not to get it paid for. The district is the channel. It is not the customer.

The EdTech vendor-side buyer is the wedge, and this is where you start. PowerSchool, Instructure, Clever, ClassLink, Naviance, Securly, GoGuardian, and the new tier of age-verification vendors are all under three kinds of pressure at once. Procurement pressure: districts increasingly attach privacy and security terms to contracts, and the Student Data Privacy Consortium's National Data Privacy Agreement is becoming the default. Litigation pressure: PowerSchool's legal exposure is the cautionary tale every competitor's board has now read. Insurance pressure: their cyber renewals are repricing around Canvas and PowerSchool. A vendor will pay real money for a certification that de-risks its sales cycle, its renewal, and its next board meeting. Recurring revenue, SaaS-shaped, mid-ACV, and the largest customer pool. This is the first product.

The carrier-side buyer is the highest-value pool and the smallest. Cyber carriers writing K-12 districts and EdTech vendors need an institution-level child-identity exposure rating to underwrite the account at all, and not one of them can price that account today. Build the exposure rating a carrier can rate-base on, and you have a clean commercial path straight into the carrier rating business itself.

The consumer parent-side is the B2B2C tail. Aura, LifeLock, and the rest sell to parents today with no institution-grade data layer underneath them. License the institutional rating to them as the measurement spine and the marketing claim. Bigger end-user pool, lower defensibility per customer. Treat it as an expansion line, not the entry point.

Price this in the trust-and-safety certification comp set, not in consumer monitoring. The model to study is SOC 2 and the AICPA attestation franchise, the privacy-certification players like TRUSTe and iKeepSafe, and the cyber-rating comps: BitSight, where Moody's put in $250 million at a $2.4 billion valuation specifically to underwrite cyber, and Verisk's $40 billion-plus franchise built on insurance standardization. Consumer identity protection is a large, real market, but it is the commodity layer. The institutional certification layer on top of it has no public comp yet. That absence is the signal. The acquirers have not picked a winner because there is not yet a winner to pick. That is the seat that is open.

05 Opening

Monitoring is a feature. The certification is a company. That single distinction decides who gets funded in this category over the next eighteen months.

A standard becomes the moat. SOC 2 became the moat for enterprise software trust. The FERPA and COPPA attestations became table stakes for EdTech procurement. BitSight ratings became the moat for cyber underwriting. Once districts and carriers adopt a child-identity exposure standard, the cost of switching off it dwarfs any better detection model a competitor can show up with. Define the grade and you own the layer. Everyone else sells into it.

Here is the buyer you build for first. The head of trust and security at a mid-sized K-12 EdTech vendor. Their product sits in two thousand districts. Renewals are coming up, and the RFPs now ask, in writing, how student data is handled and what independent assurance backs the answer. Their cyber insurance renewal just repriced because the carrier read the same PowerSchool headlines they did. They have a security program and a SOC 2 report, and neither one answers the question every district and every underwriter is now asking: how exposed are the children whose Social Security numbers we handed you? They have no third-party grade to point to, because none exists. They will buy one the day a credible one ships.

That is the wedge buyer. The first product is the EdTech vendor certification paired with an institution-level exposure rating. Call it a Guardian Grade. Sell it into the trust-and-security function. Price it as an annual certification fee plus a per-student exposure assessment. Build it to drop straight into an RFP response and a carrier's underwriting file.

The first reference customer is a mid-sized EdTech vendor with heavy district-procurement exposure and a fresh renewal shock on its cyber policy. Sales cycle: 90 to 150 days. The first product is buildable by a team of four (a privacy counsel, a security engineer, a K-12 procurement operator, and a data engineer) in nine to twelve months. Small team, sharp wedge, a standard nobody else has planted. Go plant it.

06 The Offer

1 · Lead Magnet (Free)

The Public Guardian Grade Index

Not a worksheet sitting in an inbox. A free, public, searchable index that grades the EdTech vendors and platforms holding the most student data on their child-identity exposure. Any district CTO, parent, school board member, or reporter can look up any vendor and see its grade. The Index does the selling. A district pastes a vendor's grade straight into its next RFP. A vendor sitting at a D has to call you. A reporter writes up the worst grades the week before back-to-school. SecurityScorecard and BitSight both started by publishing free-to-view ratings, and the rating became the company. The Index is the demand engine and the moat in one move: whoever publishes the grades the market actually uses owns the standard.

2 · Frontend (Low-friction)

The Grade Sprint · $12K to $35K fixed scope

Not an open-ended audit. A fast, fixed-scope sprint that moves one vendor from its current public grade to a defined target grade, RFP-ready, before a named procurement deadline or cyber renewal. The vendor is not buying a report. They are buying a better public grade and the contract riding on it. The trigger to buy writes itself: a weak grade on the Index plus a live deal on the table. Most vendors that finish a Sprint stay on for continuous certification, because the grade decays the day they stop.

3 · Core (Recurring)

The Carrier License, plus always-on certification

Here is the move most founders miss: The school district holds the data and cannot pay, but the carrier can. So the recurring engine is the carrier, not the district and not the vendor. Cyber carriers writing K-12 districts and EdTech vendors license the Guardian Grade Index as underwriting data at $250K to $1M-plus annual, treaty-grade, and that is the real revenue line. With the carrier funding the layer, always-on vendor certification gets cheap to bundle, $40K to $150K annual, often folded into the carrier relationship. The district gets the standard at no cost, which is exactly how a standard locks in. You are not selling three products. You are running one Index and routing the invoice to the party that can actually pay it.

07 Monetization Model

Annual certification fee plus per-student-record exposure assessment usage. Not pure SaaS, not pure data licensing. The certification fee covers the audit, the RFP-ready attestation, the periodic re-assessment, and the standard updates. The usage fee captures the value moment: the vendor closing a district contract on the strength of the grade, or the carrier writing a policy against the rating.

Vendor-side ACV runs $40K to $150K depending on the volume of student records under management. Gross margins land at 80-90% at scale and drag to 60-70% in year one on audit labor and customer-side data ingestion. Carrier-side exposure-data licenses run higher, on a longer sales cycle, at 90%+ margins.

The alternative model is pure consumer B2B2C licensing: license the institutional rating to Aura, LifeLock, and the parent-facing brands as their data spine. Higher revenue ceiling per deal, far lower defensibility per customer, and it puts you one negotiation away from being a swappable data supplier. For most teams the certification-plus-usage wedge, anchored by named EdTech-vendor and carrier reference customers, is the stronger build. Consumer licensing is the expansion, not the entry.

08 Risks

Regulatory dependency is the biggest risk. FERPA has no private right of action and weak federal enforcement. COPPA enforcement is uneven. A certification is worth exactly what someone requires it to be worth. If nothing forces districts, vendors, or carriers to demand the grade, the standard never locks. The defense is to anchor the certification to carrier underwriting and district procurement, both of which create the requirement contractually even where the statute does not. The grade has to be something a carrier prices on and a procurement officer scores on, not something a regulator merely suggests.

Incumbent adjacency is the second risk. The credit bureaus (TransUnion, Experian, Equifax) and the cyber-rating incumbents already hold adjacent data and distribution and could build this internally. They have not in years, but a visible category leader can change that math inside twelve months. The defense is to get carrier-integrated, procurement-embedded, and regulatory-acceptable before the incumbents move.

The public-sector buyer with no budget is the third risk. The data holder, the school district, cannot pay for the platform, so the whole go-to-market rides on the EdTech-vendor and carrier wedge holding. If districts will not or cannot require the certification in procurement, the flywheel never spins. The defense is to win two or three large districts or a state procurement office as requiring parties early, even though they are not paying parties.

The consumer incumbents moving up is the fourth risk. Aura, LifeLock, and Identity Guard could build the institutional layer off their consumer monitoring data. Their disadvantage is structural: their salesforce, data, and product are built for parents at the kitchen table, not for procurement officers and underwriters. The window is however long it takes one of them to see that the certification layer is the better business.

09 How to Think About This

Do not build a better child-identity monitor. Build the certification standard that makes child-identity exposure governable and insurable. The product is not the detection model and not the parent-facing app. The product is the institution-level grade a procurement officer scores on and an underwriter prices on.

Here is the diligence question that sorts the winners. Does the product survive better monitoring? If Aura improves its detection accuracy 20% next year, does that make your company more valuable or less? Less means you are selling monitoring, and the monitoring vendors will absorb you. More means you are selling the certification that consumes monitoring as an input. Only the second is a defensible company in 2026.

Founders pitching this category make two predictable mistakes. The first is pitching the consumer product, because it is the visible one and the one they can demo to their own family. The consumer layer is commoditized and the buyer pool is diffuse. The second is treating the school district as the buyer. The district is the data holder and the adoption channel. The EdTech vendor and the carrier are the buyers. Confuse the channel with the customer and the go-to-market dies.

Price for the vendor's procurement win and the carrier's underwriting decision, not for the cost of running the assessment. The vendor is buying a closed district contract and a survivable cyber renewal. The carrier is buying the ability to write the account at all. Size the certification fee and the per-student usage against those outcomes, never against your audit labor.

10 Reader's Job

Founders. Pick the EdTech-vendor certification wedge and ship it. Ignore the pull toward the consumer product, and do not try to sell the district directly. The first reference customer, a mid-sized vendor with real procurement exposure, is worth more than the next ten leads, because it is the proof the next carrier and the next vendor both ask for.

Investors. The thesis is procurement and underwriting adoption, not detection accuracy. A team with documented relationships in district procurement, state education agencies, or K-12 cyber underwriting has more moat than one with a better monitoring model. Diligence question: how many procurement teams or carriers have said, in writing, that they would require or accept this certification? Zero means it is still a feature. One means early. Three with one in writing means the thesis is real.

Operators in EdTech. Get a child-identity exposure baseline for your platform this quarter. The breach pipeline that hit PowerSchool and Canvas is feeding your systems too, and procurement is about to ask for proof you cannot yet produce. If your team needs the exposure-worksheet template, reply to this email.

Acquirers. The acquisition trigger here is a public partnership between a child-identity rating startup and a cyber-rating incumbent (BitSight, SecurityScorecard, Black Kite), a K-12 cyber carrier, or a top-tier EdTech platform adopting the grade as a standard. That partnership is the signal the category is folding into the cyber and EdTech-trust stacks. The first startup to sign two of them in a single quarter is the target.

District and school leaders. You hold the data, and you almost certainly cannot pay for the platform. But you can require the certification in your next RFP. That one procurement clause, independent third-party assurance of child-identity exposure, is what creates this entire market. The builders will build it. You decide whether they have to.

11 The Watchlist

1. Age-verification vendors are becoming the next children's-data breach surface

Opportunity: 8 · Problem: 8 · Feasibility: 7 · Why Now: 9

The state age-verification and App Store Accountability laws are forcing a new tier of vendors, the identity-verification and age-assurance providers, to collect government ID images and biometric face scans of minors at national scale, because the statutes require it. That data is concentrated, high-value, and being onboarded faster than it is being secured. There is no exposure rating for the age-verification layer itself. The signal to watch: the first breach of an age-assurance vendor holding minors' ID scans turns this from a watch item into a live market.

2. Identity reconciliation at eighteen

Opportunity: 7 · Problem: 8 · Feasibility: 6 · Why Now: 7

When the synthetic identities built on a child's Social Security number finally collide with the real person, at the moment they apply for financial aid, a first loan, or a job, there is no remediation market for the newly adult victim. Credit-repair firms handle adult fraud reactively. None is built for the structural problem of a person discovering at eighteen that their number carries a decade-long fraudulent history. A real B2B2C and direct-to-consumer opportunity. The signal to watch: the first identity or credit firm to productize an aging-out remediation flow for new adults.

3. The newborn-credit-freeze infrastructure does not exist

Opportunity: 7 · Problem: 7 · Feasibility: 7 · Why Now: 7

The Credit Freeze for Newborns Act would let a parent freeze a child's credit file with a single bureau contact at birth. It has not passed. The infrastructure to freeze, manage, and later un-freeze a minor's file across all three bureaus, ideally kicked off at the hospital or the SSN application, does not exist as a product. If the Act passes, whoever is already wired into birth-record and SSN-issuance workflows wins the default. The signal to watch: the Act's movement in Congress, and any startup embedding at the hospital or the SSN-application step ahead of it.

12 Signal

  • PowerSchool Naviance class action settlement now valued at $17.25 million, covering roughly 10 million students who logged into Naviance between August 2021 and January 2026. Claim deadline May 26, 2026; final approval hearing June 10, 2026. Per-student value before fees and costs is approximately $1.70.
  • PowerSchool's December 2024 data breach exposed 62.4 million students and 9.5 million teachers, including names, addresses, Social Security numbers, medical information, and special-education status, across districts in all 50 states. Bain Capital had completed its $5.6 billion take-private of PowerSchool less than three months earlier in October 2024.
  • Texas Attorney General Ken Paxton sued PowerSchool over the breach, counting more than 880,000 Texas victims. The case is unresolved. Multiple private class actions and additional state actions are pending.
  • Canvas/Instructure was defaced by ShinyHunters on May 7, 2026, hitting roughly 9,000 educational institutions and 275 million students and faculty. Education was the fourth most-attacked ransomware sector in H1 2025, with attacks on schools and universities up 23% year over year.
  • State age-verification and App Store Accountability laws are live. Utah's developer rules took effect May 6, 2026. Louisiana's law lands July 1, 2026. Alabama and California arrive in January 2027. The FTC issued a February 2026 COPPA policy statement encouraging age-verification technologies. The EFF has flagged the perverse incentive: the laws force platforms and developers to collect and retain new categories of minor identity data.
  • Industry estimates put annual child identity fraud near $1 billion. Javelin counted 1.25 million U.S. child identity-fraud victims in 2020 with an average per-family cost above $1,100. Child SSNs remain the premium input for synthetic identity manufacturing because they are unmonitored until age seventeen or eighteen.
  • The federal Department of Education's Office of Educational Technology and the K-12 cybersecurity programs that ran through the Multi-State Information Sharing and Analysis Center were shut down in 2025. The institution holding more children's Social Security numbers than any other in the country is getting less protected as the breach pipeline scales.
  • The Credit Freeze for Newborns Act has been pending in Congress since 2024. No federal infrastructure exists to freeze, manage, or un-freeze a minor's credit file across the three bureaus at the hospital or SSN-application step.