Source: site

Federal regulators have ramped up their scrutiny of ed-tech companies in the wake of a string of high-profile school data breaches in recent years, and the Federal Trade Commission’s latest action against Illuminate Education is another signal that regulators will hold companies accountable when they fall short in protecting student information.
Illuminate Education is a Wisconsin-based company that offers cloud-based products to schools. The complaint stems from a 2021 data breach that affected more than 10 million students, exposing sensitive information such as email addresses and mailing addresses, dates of birth, student records, and health-related information. A hacker used the credentials of a former employee – who had departed the company three and a half years prior – to access the data, the FTC said.
Regulators said that the company failed to implement the security practices it promised schools.
According to the complaint, Illuminate had pledged that student information would be encrypted, but much of that data was stored in plaintext. The company also maintained inadequate access controls and did not have systems in place to monitor for intrusions or respond quickly to security incidents, the FTC alleged.
Districts were also left waiting for answers over long periods, federal officials said, with some not learning about compromised student information until nearly two years after the breach occurred.
Under the proposed settlement, Illuminate will not face monetary penalties but will be required to implement a comprehensive information-security program, publish a clear data-retention schedule, and stop making claims about its security posture that it cannot substantiate. Illuminate will also need to notify federal regulators each time it reports a breach elsewhere.
“We’re making sure that Illuminate is enhancing and continuing to maintain appropriate information security practices and not engaging in any misrepresentation going forward,” said Bhavna Changrani, one of the lead staff attorneys on this case.
For K-12 vendors, the FTC’s action spotlights an ever-tightening compliance environment. Over the last few years, the FTC has also taken action against major education technology companies like Chegg and Edmodo over data security issues.
Companies serving K-12 students need to make sure they deliver on what they promise, Changrani said. That includes the communication about and management of large volumes of student information, how they validate internal processes, how quickly they can detect unauthorized access, and how they plan to work with school systems during a breach.
For businesses that can’t live up to their word, violations can result in a civil penalty of up to $51,744, according to the FTC.
“This is an important reminder to companies that the commission will hold them accountable if they’re failing to keep their privacy promises to schools and to students,” Changrani said. “The commission is going to continue to use its primary enforcement tool, which is the FTC Act, and ensure that it addresses unfair and deceptive behaviors in the industry.”




