Penalty Amount
$5,100,000
Consumers Affected
3,000,000
California Attorney General Rob Bonta, joined by the Connecticut and New York Attorneys General, secured a $5.1 million multistate settlement with edtech company Illuminate Education, Inc. over a 2021 data breach that exposed sensitive personal and medical information of millions of students, including over 434,000 California students. The investigation found that Illuminate failed to implement basic security measures: it did not terminate former employees' credentials, did not monitor for suspicious activity, and left backup databases unsecured. It also made false statements in its privacy policy. Illuminate must pay $3.25 million to California, implement enhanced security practices, and notify the CA DOJ of future student data breaches.
Illuminate must pay a total of $5.1 million to the three states ($3.25 million to California) in civil penalties. The company is subject to a permanent injunction requiring it to implement appropriate access controls and account management, including terminating former employee credentials and conducting regular audits of valid credentials; implement real-time monitoring and alerts for suspicious activity; safeguard backup databases by storing them separately from active databases; notify the California DOJ of any student data breaches; and provide reminders to school districts to review student data retention and deletion practices. Illuminate must also strengthen its data security practices to comply with state student data privacy laws.
In-house legal teams at educational institutions and edtech vendors should review vendor and customer agreements, respectively, for clauses related to student data security, including requirements for terminating access credentials of former employees, real-time monitoring of suspicious activity, and segregation of backup databases from active systems. Breach notification clauses should be updated to require prompt notice to state attorneys general for student data breaches, and data retention/deletion clauses should mandate regular reviews of student data stored by vendors. Privacy policy and public representation clauses should be audited to ensure all statements about security practices and industry pledges (e.g., Student Privacy Pledge) are accurate and not misleading. Vendors should also implement audit requirements for access credentials in their compliance programs, and customers should require vendors to provide regular security compliance reports.
Entity
Illuminate Education, Inc.
Also known as: Illuminate Education
Industry
Technology
Official Press Release
https://oag.ca.gov/news/press-releases/attorney-general-bonta-joins-states-securing-51-million-settlements-education
Complaint 8
https://oag.ca.gov/system/files/attachments/press-docs/Complaint_8.pdf
Order FINAL JUD AND PERMANENT INJUNCTION
https://oag.ca.gov/system/files/attachments/press-docs/Order_FINAL_JUD__AND_PERMANENT_INJUNCTION.pdf
California Attorney General Enforcement Page
https://oag.ca.gov/privacy/privacy-enforcement-actions
"educational technology company Illuminate Education, Inc. (Illuminate)"
"As a result of today’s settlements, Illuminate must pay a total of $5.1 million to the states, including $3.25 million to California."
"today’s settlement marks DOJ’s first enforcement action involving California’s K-12 Pupil Online Personal Information Protection Act (KOPIPA)"
"Connecticut’s Student Data Privacy Law requires strict security to protect children’s information."
"Illuminate experienced a data breach that exposed the information of millions of students, including California students across 49 school districts. The breached data included sensitive personal and medical information, such as student name, race, whether the student received special education services or reasonable accommodations, and coded medical conditions."
"Illuminate failed to carry out basic security procedures to protect students’ information. First, Illuminate failed to terminate the login credentials of former employees, resulting in the credentials of a former employee with a high level of access to Illuminate’s systems remaining active after his departure from the company. Second, Illuminate did not monitor and alert for suspicious logins and activity. Third, Illuminate did not secure its back up databases separately from its active databases."
The FTC proposed a consent order against Illuminate Education, Inc. for failing to secure student data, leading to a breach affecting over 10 million students. The company allegedly had security failures and delayed breach notifications. The order requires a data security program, data deletion, and a retention schedule.
$5.1M
Connecticut Attorney General William Tong, along with California and New York Attorneys General, settled with Illuminate Education, Inc. for failing to protect student data in a breach that exposed personal information of millions of students. The settlement, the first under Connecticut's Student Data Privacy Law, requires Illuminate to pay $5.1 million and implement enhanced cybersecurity measures.
$5.1M
New York, California, and Connecticut attorneys general reached a $5.1 million settlement with educational technology company Illuminate Education, Inc. for failing to protect student data, resulting in a 2022 breach exposing millions of students’ personal information. The investigation found Illuminate failed to implement basic security measures including data encryption, suspicious activity monitoring, and proper decommissioning of inactive user accounts, and did not delete student data when required by contracts. Illuminate must pay the penalty and implement enhanced data security measures including a comprehensive information security program, encryption of student data, and annual notice to schools about data collection and deletion options.
California Attorney General Rob Bonta, joined by attorneys general from seven other states, filed a lawsuit to block the $6.2 billion merger between Nexstar Media Group and Tegna Inc. The lawsuit alleges the merger violates Section 7 of the Clayton Act by reducing competition in local TV markets, leading to higher prices, less local news, and job losses.
California Attorney General Rob Bonta filed a lawsuit against the U.S. Department of Education to block the expansion of IPEDS data collection requiring colleges to submit race-linked student data. The lawsuit argues the demand is arbitrary, capricious, and burdensome, and could enable costly partisan investigations. A multistate coalition co-led the challenge.
California Attorney General Rob Bonta and a coalition of state attorneys general announced they will continue their antitrust lawsuit against Live Nation/Ticketmaster after the U.S. Department of Justice settled the case. The states aim to hold Live Nation accountable for anticompetitive conduct that harms consumers, artists, and venues in the live music industry.