Record discovery time, reporter, affected system, suspected data type, visible symptoms, and who is handling the response.
Disable compromised accounts, revoke sessions, rotate suspected secrets, suspend affected routes, or temporarily disable integrations as needed.
Save relevant audit logs, Render logs, Cloudflare events, database timestamps, GitHub deploy history, emails, screenshots, and support messages.
| Level | Examples | Immediate action |
|---|---|---|
| Low | Bug report with no personal data exposure, failed login attempts with no compromise, non-sensitive availability issue. | Record in issue queue, fix normally, retain notes if security-related. |
| Medium | Potential overexposure of class roster metadata, suspicious teacher/admin access, accidental email to wrong recipient with limited data. | Contain, review audit logs, notify internal owner, assess whether school/customer notification is needed. |
| High | Unauthorized access to student records, account takeover, exposed credentials/session tokens, database leak, Cloudflare/Render/GitHub compromise. | Contain immediately, preserve evidence, escalate to counsel/leadership, start notification timing review, prepare customer/school communications. |
| Critical | Confirmed broad personal-data breach, active attacker, ransomware, public data dump, access to many student education records. | Activate full response team, contact vendors/law enforcement if appropriate, prepare regulator/customer notices, and run continuous status updates. |
If education records or student personally identifiable information may be involved, notify the responsible school/teacher contact promptly, support their inspection/amendment/disclosure obligations, and coordinate parent or eligible-student communication through the school when appropriate.
Review applicable state, federal, contract, and international notification duties. GDPR Article 33 uses a 72-hour supervisory-authority benchmark when a notifiable personal-data breach is likely to create risk, while U.S. obligations vary by data type and state.
If a vendor system is involved, open a vendor support/security case. If Scholar Current stores personal information on behalf of a school or organization, notify that customer so they can assess their own obligations.
If theft, extortion, credential compromise, identity-theft risk, or active intrusion is suspected, consider law-enforcement contact and preserve chain-of-custody notes.
These links are reference material for the runbook owner and counsel. Keep the operational page current when vendor contracts, school agreements, or applicable law changes.