Connecticut, New York, California Settle for $5.1M in Student Privacy Case
Illuminate Education failed to use basic security measures to protect student data, which led to a breach affecting millions of children, attorneys general from Connecticut, New York and California announced Thursday in a $5.1 million settlement with the education software company.
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
The announcement marks the first settlement under Connecticut’s 2016 Student Data Privacy Law and the first enforcement action under California’s 2014 K-12 Pupil Online Personal Information Protection Act. The three AGs claimed Illuminate Education failed to implement basic security. The company didn’t comment Thursday.
Illuminate provides schools with software that tracks attendance, grades and academic behavior. The AGs alleged that in December 2021, hackers used credentials from a former company employee to access online accounts, including unencrypted personal data from millions of students. The breach affected 3 million students in California, 1.7 million in New York and nearly 30,000 in Connecticut. The company agreed to pay $3.3 million to California, $1.7 million to New York and $150,000 to Connecticut, according to the announcement.
Connecticut AG William Tong (D) said that Illuminate additionally agreed to review and ensure state compliance with all school contracts, maintain data inventories, minimize data retention, perform data security risk assessments and establish a right to delete data.
California AG Rob Bonta (D) said the company failed to terminate credentials of former employees, didn't monitor for suspicious activity and also failed to back up databases separately from active databases.
The company made “false and misleading statements in its Privacy Policy, including stating that it took steps to prevent unauthorized access and disclosure of information and that its measures ‘meet or exceed the requirements of applicable federal and state law,’” said the complaint. Bonta also alleged that the company “deceptively” advertised itself as a participant in the Future of Privacy Forum’s Student Privacy Pledge, but was dropped from the list after the breach.
New York AG Letitia James (D) cited the company’s failure to “encrypt student data, implement appropriate systems and processes to monitor for suspicious activity, decommission inactive user accounts, and limit account permissions to only those that were necessary.” She claimed the company also failed to delete student data when school district contracts ended and failed to fully investigate the 2021 data breach.
Enacted in 2016 and last amended in 2018, Connecticut’s Student Data Privacy Law requires “online educational providers to maintain data security measures that meet or exceed industry standards and that are designed to protect student data from unauthorized access or disclosure,” said Tong.
Bonta said Illuminate Education has now agreed to audit and eliminate credentials of former employees, deploy real-time monitoring, inform California of future student data breaches and remind school districts of the need to review data storage.