You probably have a number of staff and techs whose laptops leave the district.
You must make sure that 100% of the Windows and Mac laptops that leave the district have a strong encryption framework in place. This really is true of all Windows and Mac devices on your network, but your biggest risk starts with the devices that leave the district.
Microsoft has BitLocker free in all Windows 10 endpoints. You simply have to turn it on. Please make sure it is on everywhere. SCCM has a free, optional console to easily manage BitLocker. Azure AD joined devices have their BitLocker keys managed in the Azure Device Management console.
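One way to confirm BitLocker really is on for a given laptop is the audit below. It is an added example, not part of the original post. The function name Test-BitLockerCompliance and the rule that every volume must carry a recovery password protector are assumptions made for illustration.

```powershell
#Requires -RunAsAdministrator
# Added example: report the BitLocker state of every volume on this machine.
# Test-BitLockerCompliance is a hypothetical helper name, not a built-in cmdlet.

function Test-BitLockerCompliance {
    param(
        # Volume objects as returned by Get-BitLockerVolume
        [Parameter(Mandatory)] [object[]] $Volume
    )
    foreach ($v in $Volume) {
        # Key protector types on the volume (Tpm, RecoveryPassword, ...)
        $protectors = @($v.KeyProtector | ForEach-Object { "$($_.KeyProtectorType)" })
        $reasons = @()

        # Encrypted but suspended volumes report ProtectionStatus Off
        if ("$($v.ProtectionStatus)" -ne 'On') {
            $reasons += 'protection is off or suspended'
        }
        # Catches decrypted volumes and encryption still in progress
        if ("$($v.VolumeStatus)" -ne 'FullyEncrypted') {
            $reasons += "volume status is $($v.VolumeStatus) ($($v.EncryptionPercentage)%)"
        }
        # Assumed policy: a recovery password must exist so the key can be escrowed
        if ($protectors -notcontains 'RecoveryPassword') {
            $reasons += 'no recovery password protector'
        }

        [pscustomobject]@{
            Computer   = $env:COMPUTERNAME
            MountPoint = $v.MountPoint
            VolumeType = "$($v.VolumeType)"
            Method     = "$($v.EncryptionMethod)"
            Protectors = $protectors -join ','
            Compliant  = ($reasons.Count -eq 0)
            Reasons    = $reasons -join '; '
        }
    }
}

$report = Test-BitLockerCompliance -Volume (Get-BitLockerVolume)
$report | Format-Table -AutoSize

$failed = @($report | Where-Object { -not $_.Compliant })
if ($failed.Count -gt 0) {
    Write-Warning "$($failed.Count) volume(s) on $env:COMPUTERNAME are not fully protected."
}
```

Run it from an elevated PowerShell session on the laptop; the same function can be fed output collected from other machines by whatever remote management tool you already use.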
For Macs, Apple provides FileVault. It should also be turned on.
Years ago, a laptop that had personally identifiable information on it went rogue from a local hospital. The hospital ended up buying identity protection services to protect its clients, just in case.
If BitLocker had been in place, that "data" would have been gibberish without credentials.
If you need help getting started with this, give us a call.
-Scott Quimby, CISSP