Parents/students do not have a private right of action under applicable federal law (FERPA). The US Dept of Education could theoretically hold the school district to account, but that would be extraordinary (speaking of the current context, but also historically).
I track US public school cybersecurity incidents and this represents a change in tack for ransomware attackers vis-a-vis schools. Clark County (Las Vegas) is only 1 of 3 school districts since the start of the school year compromised with ransomware alongside the exfiltration of student/employee data. The others include Fairfax County (VA) and Haywood County (NC). Overall, I count 35 instances of ransomware (K-12 districts) for all of 2020; 15 of those publicly disclosed since August 1, 2020.
PS The latest incident, with commentary from the district superintendent: "Got to work this morning, powered up my computer and the first message I got was you’ve been encrypted. Basically, you know, the same old thing…you’ll have to pay us in bitcoin, we’re holding your data ransom, you need to contact this email address."
They left Wi-Fi enabled on their cell phones, which automatically connected to the school network when within range. IT staff then associated the log-ins with individual students - allowing them to be identified and caught. Original article (via Washington Post): "A black principal, four white teens and the ‘senior prank’ that became a hate crime"
The boys are clearly tech-savvy to a degree (they build their own PCs, mined crypto, understood Windows user permissions, etc.), but I seriously doubt that they would or could have broken into the district's systems without two things: 1/ an admin password left on a sticky note and 2/ clear text storage of other user passwords in an Excel file published in a shared folder on the first machine they accessed (a public machine in the middle school library!). Other issues: old user accounts left still active; no review of access logs or logs of server usage (which would have spotted Monero mining). Note: the boys reported that passwords on sticky notes were routine throughout the district (and how they got access to the security cameras, too).