Well, in the case of the Seattle Public School District’s data breach, the culprit seems to be their outside law firm:
“Late Tuesday night Seattle Public Schools learned that a law firm retained by the district to handle a complaint against the district inadvertently sent personally identifiable student information to an individual involved in the case. The district promptly removed the law firm from the case and is working to ensure that all improperly released records are retrieved or destroyed.”
This goes to show, once again, that even the best security policies and procedures can be quickly undone by a third party who has possession of your data not adhering to the same policies. You may know where your data is at any given moment, but do you know how it’s being handled? Might be time to make sure the outside entities you deal with, including law firms, are aware of the security requirements related to your data, and the consequences of not living up to those requirements.