Ed-Tech Company Reaches Settlement Over Data Breach

A multistate agreement between New York, California, Connecticut and Illuminate Education reinforces growing expectations that technology vendors take stronger measures to protect student information.

The ed-tech software company Illuminate Education will pay the states of New York, California and Connecticut a $5.1 million collective settlement after it failed to safeguard a large swath of student data, according to a news release this week from the office of New York Attorney General Letitia James.

Illuminate Education, which sells data and assessment tools designed to improve instruction and learning outcomes, was accused of misrepresenting its privacy practices and neglecting basic security measures. For districts and industry leaders, the penalty against Illuminate underscores a resolve among states to act when student data isn’t adequately protected.

“Illuminate failed to encrypt student data, implement appropriate systems and processes to monitor for suspicious activity, decommission inactive user accounts, and limit account permissions to only those that were necessary,” the news release said, adding that the company “also failed to delete student data when its contracts with certain school districts ended and failed to conduct a complete investigation following the data breach.”

New York will receive $1.7 million of the overall settlement, according to the release. Under the agreement, Illuminate must also maintain a robust data security program to protect student information by enforcing policies that limit access to the data, encrypting all information the company collects or stores, monitoring the company's networks for suspicious activity, and tracking and remediating security vulnerabilities through a formal process.

The news release said the court also instructed the company to notify schools about what kinds and categories of data it collects — for example, health records — on an annual basis.

“Technology is everywhere in schools today, and Connecticut’s Student Data Privacy Law requires strict security to protect children’s information,” Connecticut Attorney General William Tong said in a public statement. “This action — Connecticut’s first ever under the Student Data Privacy Law — holds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriously.”

This particular data breach is not the first Illuminate has experienced.

In New York Attorney General Letitia James’ assurance of discontinuance letter, she stated that, in 2020, an unnamed cybersecurity vendor alerted Illuminate that its internal server practices posed a “high risk” and recommended developing account management and password policies. Illuminate did not fully implement that guidance.

Then in December 2021, and again in January 2022, Illuminate experienced two major data breaches, impacting “approximately 1.7 million current and former New York students across approximately 750 schools,” James wrote. Data stolen by the hackers “included student names, birth dates, student ID numbers and demographic information,” according to the news release.

“Our investigation revealed a troubling pattern of security deficiencies that should have never happened for a company charged with protecting data about kids,” California Attorney General Rob Bonta said in a public statement. “Today’s settlement should send a clear message to tech companies, especially those in the education space: California law imposes heightened obligations for companies to secure children’s information. ... Data security concerns know no borders, and as today’s settlements showcase, neither should state collaboration.”