According to the Federal Trade Commission (FTC) complaint, Illuminate publicly claimed to protect student information with strong security controls. Its privacy policy included statements like, “We protect your data like it’s our own,” and “We take security measures — physical, electronic, and procedural — to help defend against the unauthorized access and disclosure of your information.”
In reality, the FTC said, the company stored student data unencrypted, in plain text, until at least January 2022, maintained weak access controls and failed to monitor for or patch vulnerabilities, even after a third-party vendor flagged numerous issues in early 2020. One of those issues was that a former employee's credentials were still active more than three years after that person had left the company.
After cyber incidents exposed student and educator data, including names, dates of birth, emails and disciplinary information, the complaint said Illuminate delayed breach notifications to impacted school districts for months, despite promising to notify them in a matter of days. For some districts, Illuminate allegedly withheld breach notifications for nearly two years.
A proposed order from the FTC, published yesterday and now open for public comment, would impose detailed security obligations and become enforceable once finalized.
Under the order, the company would be permanently banned from misrepresenting how it protects student information or how quickly it will notify districts and families of breaches. Within 90 days of the order’s effective date, Illuminate must delete or destroy all student and educator data collected through its products, including academic records and personal information, that is not necessary for contracted services, and enumerate exactly what was removed in a written statement to the FTC.
Illuminate would also need to publish a clear retention schedule on its website explaining the purpose of collecting different categories of information, such as identifiers, demographic data, academic records or health details. The schedule must also include the business justification for retaining information and specific timelines for deletion.
The order also requires Illuminate to implement a comprehensive security program within 90 days, including:
- documented inventory and classification of collected information
- real-time monitoring of systems and access
- controls to prevent unauthorized access, including stricter role-based permissions
- firewalls, intrusion detection and prevention, and data loss prevention tools
- strict access controls for employees and customers, including revoking access within 30 days of job or contract changes
- encryption of sensitive data
- phishing-resistant modes of multifactor authentication for all employees and contractors
- regular risk assessment and testing, including vulnerability scans every four months
- documented incident response procedures that ensure timely investigation and remediation of vulnerabilities
- annual security training for employees
The order also requires a designated overseer at Illuminate who will report to the company board annually and within 30 days of any new data security incident. The program is mandated to be evaluated and adjusted continually to reflect business changes and incidents. This includes third-party audits of the security program every other year for 10 years.
The FTC will accept public comments for 30 days after publication in the Federal Register before deciding whether to finalize the order. Violations of the order carry civil penalties of up to $51,000 per violation.
Illuminate has previously reached settlements with affected districts in New York, California and Connecticut, though the FTC order is the first federal-level enforcement action.