A new warning centered on higher-education technology risk argues that institutions can’t outsource accountability for student records even when data sits inside third-party cloud infrastructure. The report flags a Canvas learning management platform breach as a signal that campus and vendor liability can overlap under FERPA. The analysis focuses on governance: it says educational institutions remain responsible for overseeing educational records when third-party systems operate them, meaning oversight gaps can translate into compliance exposure. It also frames the broader institutional problem as “digital deferred maintenance,” describing accumulating technical debt in IT systems and governance processes until a failure event forces action. For CIOs, trustees and compliance leaders, the immediate takeaway is to treat cloud and vendor management as core governance—not as an operational detail that can be delegated without monitoring. FERPA oversight plans, incident response readiness, and audit rights become central questions.