FTC Takes Action Against Education Technology Provider for Failing to Secure Students’ Personal Data

Arizona Free Press
Illuminate Education will be required to implement an information security program to address data security failures after a breach involving data of more than 10 million students

The Federal Trade Commission will require education technology provider Illuminate Education, Inc. (Illuminate) to implement a data security program and delete unnecessary data to settle allegations that the company’s data security failures led to a major data breach, which allowed hackers to access the personal data of more than 10 million students.

In a complaint, the FTC alleged that Wisconsin-based Illuminate claimed to protect the privacy and security of the data it maintains but failed to deploy reasonable security measures to protect student data stored in cloud-based databases. These failures led to a major data breach.

“Illuminate pledged to secure and protect personal information about children and failed to do so,” said Christopher Mufarrige, Director of the FTC’s Bureau of Consumer Protection. “Today’s action is an important reminder to companies that the FTC will hold them accountable if they fail to keep their privacy promises to consumers, particularly when it involves children’s medical diagnoses and other personal data.”

Illuminate sells cloud-based technology products and collects and maintains personal information about students on behalf of schools and school districts. In its complaint, the FTC alleged that in late December 2021 a hacker used the credentials of a former employee, who had departed Illuminate three and a half years prior, to breach Illuminate’s databases stored on a third-party cloud provider. The hacker gained access to personal data of 10.1 million students, including their email and mailing addresses, dates of birth, student records, and health-related information.
On its website, the company claimed that it protects “your data like it’s our own” and that it takes “security measures—physical, electronic, and procedural—to help defend against the unauthorized access and disclosure of your information.” In contracts with school systems, the company represented that it implemented practices and procedures designed to meet or exceed private industry best practices and pledged to take specific steps to protect and secure student data, such as encrypting it.

As early as January 2020, Illuminate was alerted by a third-party vendor that there were numerous security vulnerabilities on its network, but the company failed to take steps to adequately correct these problems, the complaint alleged. These alleged security failures included failing to implement reasonable access controls that safeguard students’ personal information, effective threat detection and response, and vulnerability monitoring and patch management practices. They also included storing student data in plain text until at least January 2022.

The FTC also alleged the company failed to notify school districts in a timely manner, as promised, about the data breach. For example, it waited nearly two years to notify some school districts, comprising more than 380,000 students, about the data breach.

The proposed order prohibits Illuminate from misrepresenting its data security and privacy practices and how quickly it will notify school districts and students about breaches involving their personal data.
In addition, it will be required to take other steps to address the failures outlined in the complaint, including:

- Deleting personal information that it no longer needs to provide requested services;
- Following a publicly available data retention schedule that details why information is collected and establishes a timeframe for its deletion;
- Establishing and implementing a comprehensive information security program that protects the security, availability, confidentiality, and integrity of personal information it collects; and
- Notifying the FTC if it has alerted another federal, state, or local government about a data breach involving consumers’ personal information.

The Commission voted 2-0 to accept the proposed complaint and order for public comment. The FTC will publish a description of the consent agreement package in the Federal Register soon. The agreement will be subject to public comment for 30 days after publication in the Federal Register, after which the Commission will decide whether to make the proposed consent order final. Instructions for filing comments will appear in the published notice. Once processed, comments will be posted on Regulations.gov.

NOTE: The Commission issues an administrative complaint when it has “reason to believe” that the law has been or is being violated, and it appears to the Commission that a proceeding is in the public interest. When the Commission issues a consent order on a final basis, it carries the force of law with respect to future actions. Each violation of such an order may result in a civil penalty of up to $51,744.