1.800.840.9690|save@cutmycost.com

FERPA in the EdTech Era: Why Student-Data Compliance Lands on Schools, Not Their Software Vendors

Few sectors have adopted technology as quickly as education. A single district may run learning management systems, student information systems, assessment platforms, communication apps, tutoring tools, and an expanding roster of AI-assisted products — many of them adopted by individual teachers or departments without a central review. Each of those tools touches student data, and each one represents a point where the institution’s compliance obligations quietly extend beyond its own walls.

That expansion is where many schools and colleges are exposed. The Family Educational Rights and Privacy Act (FERPA) was written in 1974, long before cloud platforms, mobile apps, or machine learning existed. Yet it remains the federal standard governing how student education records are protected and shared — and under its structure, the legal responsibility for that data does not transfer to the vendor holding it. It stays with the school.

What FERPA Actually Governs

FERPA is administered and enforced by the U.S. Department of Education’s Student Privacy Policy Office, which investigates complaints, develops guidance, and provides technical assistance to the education community. The law protects “education records” — broadly defined as records directly related to a student and maintained by an educational agency or institution. That includes far more than grades and transcripts: it can extend to disciplinary records, special-education documentation, identifying information, and the data captured by the digital tools students use every day.

FERPA applies to schools, districts, and postsecondary institutions that receive funding under programs administered by the Department of Education. In practice, that covers virtually all public K-12 systems and most colleges and universities, including private institutions whose students receive federal financial aid. As a general rule, the institution must have written consent before disclosing personally identifiable information from education records — subject to a set of specific exceptions that have become central to how technology is adopted in schools.

The “School Official” Exception — and the Liability It Creates

The exception that matters most in a technology context is the “school official” provision. It allows an institution to share education records, without separate consent, with outside parties that perform a service the school would otherwise handle itself — provided those parties are under the institution’s direct control regarding the use and maintenance of the data, and have a legitimate educational interest.

This is the mechanism that makes modern EdTech possible. When a district adopts a cloud gradebook or a university licenses an analytics platform, the vendor is typically designated a “school official” so that student data can flow to it lawfully. The arrangement is routine, and for the most part it works as intended.

The complication is where accountability sits. Designating a vendor as a school official does not move the compliance obligation to that vendor. If student data is mishandled, exposed, or used outside the agreed purpose, it is the institution — not the software company — that answers for it. FERPA’s ultimate enforcement mechanism is the potential withdrawal of federal funding, and there is no private right of action for families to sue under the statute. But the practical consequences reach well beyond that: federal complaints and investigations, mandated corrective action, reputational damage, breach-notification obligations under state law, and a loss of trust among the families and students the institution serves.

In other words, schools carry the risk for data they no longer physically hold. That asymmetry is the heart of the EdTech compliance problem.

Why the Exposure Is Growing

Three trends have widened this gap considerably in recent years.

Tool sprawl. The number of digital products in use across a typical district has climbed into the hundreds, and by some industry estimates well over a thousand distinct tools are accessed across a district in a given month. Many enter through individual classrooms rather than a procurement process, which means a meaningful share of the data-sharing happening in a school has never been reviewed against FERPA at all.

Vendor breaches as routine events. Concentrating student data in a handful of large platforms creates concentrated risk. The May 2026 incident involving the Canvas learning management system — which took the platform offline during final-exam periods at many institutions — underscored how a single vendor compromise can disrupt operations system-wide and put records belonging to millions of students in question. The Department of Education subsequently sought information from the platform’s parent company regarding its FERPA obligations. For most institutions, the prudent assumption now is that an EdTech vendor breach is an operational risk to plan for, not a remote possibility.

Artificial intelligence. AI-assisted tools that analyze student behavior, generate feedback, or personalize instruction introduce new questions about what data is collected, where it is processed, whether it is used to train models, and how long it is retained. These are precisely the questions FERPA’s “legitimate educational interest” and purpose-limitation principles are meant to address — but only if someone is asking them before a tool is adopted.

A Tightening State-Law Layer

FERPA is the federal baseline, not the ceiling. Over the past decade, states have introduced hundreds of bills addressing student data privacy, and many now impose obligations that go beyond federal requirements — mandatory contract terms with vendors, prohibitions on using student data for advertising, deletion rights, and breach-notification timelines. Long-standing examples include California’s student-data provisions and New York’s Education Law 2-d, and additional comprehensive state privacy laws have continued to take effect into 2026.

For institutions operating across state lines, or serving students who reside in multiple states, this patchwork means a vendor arrangement that satisfies FERPA may still fall short of a specific state’s requirements. Compliance is no longer a single checklist; it is a layered set of obligations that has to be mapped to the jurisdictions an institution actually touches.

What Sound Governance Looks Like

The encouraging reality is that the controls reducing FERPA exposure are the same disciplined IT practices that protect any organization handling sensitive data. They do not require a large team — they require consistency and ownership.

Maintain a real inventory of tools and data flows

An institution cannot govern what it cannot see. A current record of every platform that touches student data — what it collects, where it stores it, and which staff approved it — converts invisible classroom adoptions into a manageable list. This is the single most important step, and the one most often skipped.

Put the agreement in writing before data moves

The “school official” exception depends on the institution retaining direct control over how data is used. That control has to be documented. Agreements should specify the purpose of the data sharing, prohibit secondary uses such as advertising or model training, define breach-notification timelines, and address how data is returned or destroyed when the relationship ends.

Enforce access controls and monitoring

Most student-data incidents trace back to compromised credentials or excessive access rather than exotic attacks. Role-based permissions, multi-factor authentication, and continuous monitoring limit both the likelihood and the blast radius of an exposure. These are core elements of a managed Security+ program and apply directly to the systems where education records live.

Plan for the vendor breach you don’t control

Because so much student data now sits with third parties, an institution’s resilience depends on how quickly it can respond when a vendor is compromised. A tested incident-response process, a current vendor-risk file, and reliable backup and recovery capabilities determine whether a Canvas-style event becomes a contained disruption or a prolonged crisis.

Treat compliance as a continuous program

FERPA obligations are not satisfied by a signed form at the start of a school year. New tools are adopted continuously, vendor practices change, and state requirements evolve. A standing review cycle — supported where appropriate by outside compliance consulting — keeps the institution’s posture aligned with both its tool inventory and the current legal landscape.

Final Thought: The Responsibility Doesn’t Outsource

EdTech has become inseparable from how schools and colleges operate, and the “school official” exception is what allows that ecosystem to function within the law. But the exception governs how data may be shared — not who is accountable for it. That responsibility remains with the institution, regardless of which vendor’s servers the records happen to sit on.

For administrators and IT leaders, the practical takeaway is straightforward. Know which tools touch student data, document the terms under which they hold it, control access to the systems that matter, and prepare for the breach that originates somewhere outside the institution’s own network. In an environment where student records are spread across hundreds of platforms and a single vendor incident can affect millions, that visibility is not a regulatory formality. It is the foundation of protecting the students an institution is entrusted to serve.

By Thomas McDonald

2026-06-07T16:09:31-05:00June 7, 2026|
Read More

Managing Third-Party Vendor Risk: The Growing Compliance Blind Spot for SMBs

Modern businesses depend on an expanding network of third-party vendors to operate efficiently. From cloud service providers and software platforms to managed IT firms and payroll processors, external partners now play a critical role in day-to-day operations. While these relationships enable scalability and specialization, they also introduce a growing layer of compliance risk that many organizations are not fully prepared to manage.

Regulators increasingly view third-party exposure as an extension of a company’s own compliance obligations. When a vendor mishandles data, fails to meet security standards, or experiences a breach, the regulatory and operational consequences often fall on the organization that entrusted them with sensitive information. As a result, third-party risk management has become a strategic priority for leadership teams across regulated industries.

Why Third-Party Risk Has Become a Compliance Priority

Historically, compliance programs focused on internal controls—policies, systems, and employee behavior within the organization’s direct control. Today, that boundary has expanded. Regulators now expect businesses to account for the security posture and operational practices of vendors that access or process regulated data.

This shift reflects how deeply integrated vendors have become in core business functions. A healthcare practice may rely on multiple technology providers to manage patient records, billing, and communications. A financial firm may use external platforms for customer onboarding, document management, and data analytics. Each of these relationships creates a new compliance dependency.

To address these growing risks, the National Institute of Standards and Technology (NIST) released updated guidance on cybersecurity supply chain risk management, outlining how organizations should identify, assess, and mitigate risks throughout their vendor ecosystem. The framework emphasizes that third-party risk is not just a technical issue—it is a governance responsibility that requires executive oversight.

What Regulators Expect from Vendor Oversight

Across healthcare, finance, legal, and other regulated sectors, compliance expectations now extend well beyond internal systems. Regulators want to see evidence that organizations are actively managing vendor relationships with the same rigor applied to internal controls.

Key expectations typically include:

  • Documented vendor risk assessments before onboarding
  • Written agreements defining data protection responsibilities
  • Ongoing monitoring of vendor security practices
  • Clear incident response coordination procedures
  • Formal offboarding processes when relationships end

In many cases, regulators are less concerned with whether a vendor experiences an incident and more focused on whether the organization exercised reasonable oversight. The absence of documented due diligence, contractual safeguards, or monitoring processes can quickly become a compliance liability.

Where Many Organizations Fall Short

Despite growing regulatory pressure, many small and mid-sized businesses still manage vendors informally. Relationships are often built on trust, convenience, or cost efficiency rather than structured risk evaluation.

Common gaps include:

  • No centralized inventory of vendors with data access
  • Outdated contracts lacking security or compliance clauses
  • Minimal visibility into vendor security practices
  • No formal vendor risk tiering or review schedule
  • Limited awareness of fourth-party dependencies

These blind spots are rarely intentional. In many cases, they reflect operational constraints rather than negligence. However, when an incident occurs, regulators and insurers focus on what controls were in place—not the resource limitations behind them.

The Hidden Operational Risks of Vendor Failures

Third-party incidents can disrupt far more than compliance posture. Operational consequences often include service outages, data inaccessibility, reputational damage, and delayed customer service.

For example, if a payroll vendor experiences a security breach, employee compensation may be delayed. If a cloud platform goes offline, customer-facing systems may become unavailable. If a document management provider mishandles data, legal exposure may follow.

In these moments, organizations rely heavily on internal IT coordination and external support resources to stabilize operations. This is where structured IT support models—such as those offered through Support+—can play a stabilizing role by ensuring incident response workflows, system visibility, and communication processes remain consistent during disruptions.

Building a Scalable Vendor Risk Management Framework

Effective third-party risk management does not require enterprise-scale resources. It requires consistency, documentation, and leadership alignment.

A practical framework typically includes:

1. Centralized Vendor Inventory

Maintain a current list of all vendors with access to sensitive systems or data. Include service scope, data types handled, and system integrations.

2. Risk-Based Classification

Group vendors into low, medium, and high-risk categories based on data sensitivity and operational impact.

3. Standardized Due Diligence

Use questionnaires, security assessments, or third-party reports to evaluate vendor controls before onboarding.

4. Contractual Safeguards

Ensure agreements include data protection obligations, breach notification timelines, and audit rights.

5. Ongoing Monitoring

Review vendor performance, security updates, and compliance status on a scheduled basis.

6. Exit Planning

Define how data is returned or destroyed when relationships end.

These steps create a repeatable governance structure that supports both compliance and operational resilience.

Why Executive Oversight Matters

Third-party risk is no longer an IT-only concern. Vendor relationships influence legal exposure, financial stability, brand reputation, and regulatory standing. As a result, executive teams must remain engaged in vendor governance decisions.

This includes approving risk frameworks, reviewing high-risk vendor relationships, and ensuring that compliance programs receive adequate resources. When leadership treats vendor oversight as a strategic function rather than an administrative task, organizations are better positioned to respond to both audits and incidents.

Technology’s Role in Vendor Risk Visibility

While governance frameworks define expectations, technology enables execution. Monitoring tools, access controls, and security platforms help organizations track vendor activity and identify anomalies before they escalate into compliance events.

Services such as Security+ can support this visibility by helping organizations strengthen network controls, monitor system access, and enforce consistent security policies across vendor integrations. When technology and governance work together, third-party risk becomes more manageable and measurable.

Preparing for the Next Regulatory Wave

As regulatory scrutiny continues to evolve, third-party oversight will remain a focal point. New data protection laws, cybersecurity mandates, and industry-specific standards increasingly require documented vendor governance.

Organizations that proactively strengthen their third-party risk programs now will be better prepared for future compliance requirements. Those that delay may find themselves reacting to audits, incidents, or contractual disputes without the necessary framework in place.

Final Thought: Trust Requires Structure

Third-party relationships are essential to modern business operations. But trust alone is no longer enough to satisfy regulatory expectations. Structured oversight, clear documentation, and ongoing monitoring are now the foundation of compliant vendor management.

By aligning governance frameworks with operational tools and executive oversight, organizations can reduce regulatory exposure while maintaining the flexibility that vendor partnerships provide.

In a compliance environment defined by interconnected systems and shared responsibilities, visibility is no longer optional—it is the foundation of resilience.

By Thomas McDonald

2026-01-21T13:50:43-05:00January 21, 2026|
Read More

Aligning Business Continuity Planning with Compliance Requirements

Business continuity planning used to be considered an internal IT concern. But in today’s environment—shaped by cyber threats, operational complexity, and tightening regulations—continuity is now a compliance requirement. If your organization operates in a regulated industry like healthcare, finance, or legal, regulators expect more than backups. They expect documented plans, tested procedures, and evidence that your systems can recover quickly in the event of disruption.

Regulatory compliance frameworks—from HIPAA and GLBA to client-driven SLA audits—require businesses to demonstrate how they’ll maintain secure access to critical systems and data during outages, cyberattacks, or infrastructure failures. That demand is pushing organizations to rethink how they approach disaster recovery and operational risk.

By aligning your business continuity planning with compliance mandates, you reduce exposure, improve resilience, and gain the confidence to navigate audits and crises alike. Solutions like Recovery+ can help bridge the gap—delivering not only the tools to recover, but also the documentation to prove you can.

Continuity Is a Compliance Expectation—Not a Recommendation

Compliance regulators no longer view business continuity as optional. In the healthcare space, for example, the HIPAA Security Rule mandates that covered entities implement a contingency plan that includes backup procedures, disaster recovery strategies, and emergency access protocols for electronic protected health information (ePHI).

As noted in the HIPAA Journal’s coverage, failure to plan for system outages or data recovery events constitutes a direct violation of the law. Simply having backups isn’t enough—you must demonstrate how they work, how fast you can recover, and who is responsible during an emergency.

The same is true in finance. Institutions governed by the Gramm–Leach–Bliley Act (GLBA) are required to maintain safeguards that include recovery capabilities. And in legal services, business continuity expectations are increasingly written into contracts, especially when handling sensitive or confidential client information.

In each of these cases, regulators and clients aren’t just asking, “Do you have a backup?” They’re asking, “Can you recover the right data, fast enough, with proof?”

What a Compliance-Ready Continuity Plan Looks Like

To meet compliance expectations, a continuity plan must go beyond IT best practices. It must be documented, tested, and aligned with risk. A compliance-ready plan includes:

  • Recovery Time Objectives (RTO) – Maximum acceptable downtime for each system or service.
  • Recovery Point Objectives (RPO) – Maximum data loss tolerance, often in hours or minutes.
  • Data Backup Policies – Frequency, retention, encryption standards, and offsite replication.
  • System Restoration Procedures – Step-by-step instructions for restoring servers, applications, and cloud services.
  • Roles and Responsibilities – Who initiates the plan, who communicates status updates, and who manages technical tasks.
  • Testing & Maintenance Schedule – Evidence of plan testing and version control for updates.

If your continuity documentation can’t answer these questions quickly—or worse, doesn’t exist—you may not be in compliance.

The Operational Risks of Poor Planning

Without a compliance-aligned plan, disruptions often last longer, cause more damage, and invite legal scrutiny. Even brief outages can have cascading effects—lost data, missed transactions, and customer dissatisfaction. But beyond the immediate consequences, the long-term risk is legal and reputational damage.

Consider these common gaps that surface during audits or incidents:

  • No documented recovery workflows for mission-critical systems
  • Backups that are stored locally, without offsite or cloud redundancy
  • Disaster recovery plans that haven’t been tested in over a year
  • Lack of version control or audit trail for continuity documentation
  • No role clarity—staff unsure who does what in an emergency

These aren’t just operational oversights. In regulated industries, they’re compliance failures—and they can lead to fines, lawsuits, or client attrition.

Why Backup Alone Isn’t Enough

There’s a big difference between backing up data and being able to recover it in a compliant way. A full backup that takes 24 hours to restore may not meet your defined RTO. A local backup that gets encrypted by ransomware is worthless. And a backup that can’t be validated or documented might as well not exist during an audit.

That’s why organizations are turning to full-service solutions like Recovery+, which pairs high-performance disaster recovery infrastructure with compliance-grade reporting and support.

How Recovery+ Helps Meet Compliance Standards

At Cost+, our Recovery+ platform was built to meet both the technical and regulatory demands of modern business continuity. It’s more than a backup service—it’s a managed recovery framework with built-in documentation, encryption, and audit readiness.

Key features include:

  • Encrypted backups stored in redundant, geographically separated environments
  • Defined and tracked RTO/RPO metrics for each system
  • Automated testing of backup integrity and system recovery
  • Role-based access controls and event logging for audit transparency
  • Reporting templates that support HIPAA, GLBA, and client security reviews

Whether you’re preparing for a formal audit, a due diligence request, or internal risk assessment, Recovery+ gives you the tools—and the proof—to show you’re prepared.

Industries Where Continuity and Compliance Collide

Some industries are more exposed than others when it comes to continuity risk. If your business operates in any of these sectors, a compliance-aligned recovery plan should be non-negotiable:

  • Healthcare – HIPAA, HITECH, and patient care continuity requirements
  • Finance – GLBA, PCI-DSS, SOX, and consumer data integrity
  • Legal – Contractual obligations and client confidentiality expectations
  • Insurance – Policyholder data protection and regulatory disclosure rules
  • Education – FERPA, grant compliance, and sensitive student data

Each of these industries faces increased risk—not just from data loss, but from failed expectations around service availability and compliance deliverables.

Making the Case for Audit-Ready Recovery

In many organizations, continuity planning is still viewed as a low-priority IT function. That mindset needs to change. Recovery should be treated as a strategic capability—one that reduces downtime, meets client expectations, and satisfies regulatory audits without scrambling.

If your business continuity plan can’t be tested, can’t be documented, and can’t deliver fast, secure restoration, it’s not just a technical risk—it’s a compliance liability. With Recovery+, businesses can move from guesswork to confidence, knowing their continuity strategy holds up both in practice and under audit.

Final Thought: Compliance Without Recovery Is Incomplete

Protecting your business from operational risk means having the ability to recover—fully, quickly, and with traceability. Compliance frameworks have recognized this, and now your business continuity plan must rise to meet the same standard.

With Recovery+, you’re not just checking a box. You’re building a recovery process that’s measurable, testable, and aligned with the laws that govern your industry. It’s how modern businesses protect their data, their people, and their reputation—before something goes wrong.

By Thomas McDonald
Vice President

2025-12-08T19:44:12-05:00December 8, 2025|
Read More

AI Email Legal Risk: What Business Owners Should Consider

As businesses embrace tools like Microsoft Copilot and ChatGPT for communication, a new layer of concern has emerged—ai email legal risk. While AI tools can streamline productivity, they also introduce potential liability in areas like defamation, intellectual property, and privacy law. Business owners need to understand what’s at stake when machine-generated content becomes part of their daily operations.

person sending an email with an AI and worrying about legal risk

What Could Go Wrong?

AI-generated emails may seem polished, but they can still include inaccuracies, biased language, or improperly reused content. If your business sends out information generated by AI without proper oversight, you may be held responsible—even if the mistake wasn’t written by a human employee. This includes statements that could be interpreted as defamatory, violate copyright laws, or disclose confidential or protected information.

Top Legal Risks to Watch

  • Defamation: If an AI-generated message includes false or damaging claims about a person or company, your business may be liable—even if there was no intent to harm.
  • Copyright Infringement: AI tools may unknowingly replicate phrases, ideas, or materials that are under copyright protection, opening you to legal action.
  • Data Privacy Violations: Emails that disclose personal information about employees or clients may breach regulations like GDPR, HIPAA, or the CCPA.
  • Misrepresentation: If AI creates inaccurate claims in marketing or sales emails, this can lead to regulatory scrutiny or legal disputes.

Real-World Examples

In one case, a law firm’s automated follow-up emails—written by AI—incorrectly implied that a client had missed a payment deadline. The client sued for defamation, claiming reputational damage. In another instance, a company using generative AI received a cease-and-desist letter after AI-created marketing content closely resembled material from a competitor’s campaign.

Best Practices for Business Leaders

1. Always Review Before Sending

Never allow AI-generated emails to be sent without human review. Designate responsible team members to edit and approve content—especially anything external-facing.

2. Train Your Team on Risk Awareness

Ensure employees understand the limitations of AI. Conduct training to help staff identify red flags, including misleading statements, confidential data, or legal gray areas.

3. Keep Records of AI Outputs

Maintain an archive of AI prompts and generated content. If legal issues arise, you’ll want a full audit trail to demonstrate your review process and intent.

4. Disclose When Appropriate

In certain industries, it may be necessary—or simply good practice—to disclose when content is AI-assisted. This can build trust with clients and reduce risk.

5. Avoid Using AI for Sensitive Topics

Do not rely on AI tools to draft emails involving legal, financial, HR, or regulatory content. These areas carry too much nuance and liability to automate without oversight.

Helpful Resource

For a legal perspective on these risks, this article from Keystone Law provides a valuable overview of AI liability in professional communication:
The Risks of AI for Business

Where Cost+ Can Help

Through Security+, Cost+ helps companies establish safe AI usage policies, train staff, and audit communication practices to stay ahead of emerging risks.

Bottom Line

The rise of AI in business communication introduces both opportunity and risk. By understanding and addressing ai email legal risk, your company can benefit from efficiency gains without exposing itself to costly legal exposure.

By Thomas McDonald
Vice President

2025-07-06T11:53:26-05:00July 6, 2025|
Read More

New York Enacts Mandatory Cyber Reporting: What It Means for Business Continuity and Compliance

New York cyber reporting law alert! In a major shift that sets the tone for national cybersecurity policy, New York State has passed legislation requiring all local governments and public authorities to report cyberattacks within 72 hours and disclose ransomware payments within just 24 hours. This groundbreaking law—signed by Governor Kathy Hochul on June 26, 2025—represents a growing recognition of the urgent need for cyber transparency, resilience, and coordinated response.

New York Senate Bill S7672 2025 the legislation requiring municipalities to report cyber incidents within 72 hours

Why This Law Matters

Cyberattacks against municipalities have surged in recent years, often exploiting weak infrastructure, outdated systems, and underfunded security programs. With local governments controlling critical infrastructure—from public schools and utilities to transit and healthcare systems—the risk of disruption has never been greater.

By mandating strict disclosure timelines, New York is effectively forcing a culture shift in how organizations prepare for, detect, and recover from attacks. In particular, this law shines a spotlight on ransomware—a tactic that continues to dominate headlines and cost millions in recovery and downtime.

What Organizations Need to Do

If your business or partners work with or alongside public agencies in New York, this law may affect your operations directly or indirectly. Organizations should:

  • Ensure cyber incidents are identified and escalated within hours—not days.
  • Have clearly documented disaster recovery and incident response plans.
  • Prepare executives and legal teams to handle ransomware payment disclosures within 24 hours.
  • Deploy advanced detection systems such as endpoint protection and network monitoring.
  • Regularly test and update policies with simulated tabletop exercises.

Implications Beyond Public Sector

While the law targets public entities, it sets a precedent that private businesses would be wise to follow voluntarily. Regulatory bodies at the federal level are likely to mirror these expectations in future legislation. Cyber insurance underwriters may also start to weigh reporting preparedness more heavily in risk models.

From a supply chain perspective, failure to rapidly disclose or respond to a breach could impact vendor relationships, insurance coverage, and customer trust. Organizations of all sizes should view this law as a benchmark—not a boundary.

How Cost+ Helps You Stay Compliant and Resilient

At Cost+, we support businesses in building strong cyber foundations through a layered and affordable approach. Our Recovery+, Security+, and Compliance+ services are designed to help you prevent attacks, prepare for the worst, and respond with confidence if an incident occurs.

We also offer free assessments, including:

Final Thoughts

New York’s new cyber reporting law isn’t just about compliance—it’s about preparedness. In a world where ransomware groups move faster than legislation, every hour counts. The organizations that succeed won’t be the ones who scramble after an incident—they’ll be the ones who plan before it happens.

Now is the time to align your security posture with tomorrow’s regulations—before they become mandates.

Cost+ is local to New York City and we’re happy to stop by in person to help with all aspects of IT. From support to cyber security. Offices located in New Jersey, Florida and Arizona. To schedule a consultation or learn more, contact Cost+ today.

By Thomas McDonald
Vice President

2025-06-27T18:01:47-05:00June 27, 2025|
Read More
Company

About
Careers
Press Room
Contact Us

Consulting

Penn Testing
Virtual C-Suite
Expense Review
Business Continuity

About

Privacy Policy
Billing Policy
Acceptable Use
Terms of Service

Quick Links

Security Blog
Code of Conduct
Employee Whistleblower Policy
Modern Day Slavery Statement

© 2025 National Discount Brands, LLC. All Rights Reserved.

Go to Top