FTC Gives Final Approval to Order Against Illuminate Settling Allegations It Failed to Secure Students’ Personal Data

Following a public comment period, the Federal Trade Commission finalized a modified order requiring Illuminate Education Inc. to implement a data security program, limit collection and retention of consumer data, and delete unnecessary data to settle charges that the company's data security failures led to a major data breach involving the personal data of millions of students.

In its complaint, the FTC alleged that Wisconsin-based Illuminate claimed to protect the privacy and security of the student data it maintained but failed to deploy reasonable security measures to protect the information stored in cloud-based databases. According to the FTC's complaint, these failures led to a major data breach, which allowed a hacker to access personal data of 10.1 million students, including their email and mailing addresses, dates of birth, student records and health-related information.

The FTC's complaint further alleges that, despite being alerted almost two years before the breach by its third-party vendor about numerous security vulnerabilities on its network, Illuminate failed to take steps to adequately address the problems. The FTC alleged the company also failed to notify schools about the breach in a timely manner, as promised.

Under the order modified in response to public comment and finalized by the Commission, Illuminate is prohibited from misrepresenting its data security and privacy practices or how quickly it will notify school districts and students about breaches involving their personal data.

In addition, Illuminate must take other steps to address the failures alleged in the complaint, including:

• Deleting personal information that is not reasonably needed to provide requested products or services;
• Refraining from collecting, processing or maintaining personal data not reasonably necessary to provide requested products or services;
• Following a publicly available data retention schedule that details why information is collected and establishes a set timeframe for its deletion;
• Establishing and implementing a comprehensive information security program that protects the security, confidentiality and integrity of personal information it collects; and
• Notifying the FTC if it has alerted another federal, state or local government about a data breach involving consumers' personal information.

The Commission voted2-0 to finalize the order and send responses to the three commenters.