Settlement | High Risk | Multistate

Multi-State $5.1M Settlement with Illuminate Over Student Data Breach

Illuminate Education, Inc. | November 6, 2025 | Connecticut Attorney General

Penalty Amount

$5,100,000

Consumers Affected

4,728,610

Summary

Connecticut Attorney General William Tong, along with California and New York Attorneys General, settled with Illuminate Education, Inc. for failing to protect student data in a breach that exposed personal information of millions of students. The settlement, the first under Connecticut's Student Data Privacy Law, requires Illuminate to pay $5.1 million and implement enhanced cybersecurity measures.

Remedy

Illuminate must pay $5.1 million and adopt measures including reviewing contracts, employing data safeguards and access controls, conducting risk assessments, establishing a right to delete data, monitoring vendors, and obtaining third-party security assessments.

Monetary Penalty | Audit Requirement | Compliance Program | Data Deletion

Contract Impact

In-house legal teams should review all agreements where the company acts as a data processor or service provider to educational institutions, including vendor contracts with school districts and any subcontractor agreements. Key clauses to scrutinize are data security specifications, breach notification timelines and procedures, data retention and deletion terms, representations of compliance with student privacy laws (like FERPA and state-specific statutes), and requirements for subprocessor oversight. Given the failure to implement basic monitoring and security, contracts may need to be amended to include more prescriptive technical controls (e.g., mandatory encryption, continuous security monitoring), shorter breach notification windows, regular independent security audits, and explicit indemnification for privacy violations.

Contract Search Terms

student data privacy addendum; data processing agreement for educational services; FERPA compliance clause; breach notification requirements; data security standards and safeguards; encryption of student records; access controls and monitoring; subprocessor management obligations; data retention and deletion policy; incident response plan

Laws Cited

Connecticut’s Student Data Privacy Law

Entity Details

Entity

Illuminate Education, Inc.

Also known as: Illuminate Education

Industry

Technology

Source Evidence

Entity Name: "Illuminate Education, Inc."
Fine Amount: "$5.1 million"
Laws Cited: "Connecticut’s Student Data Privacy Law"
Violation Types: "failed to implement basic security measures to protect students’ data"
Violation Types: "experienced a data breach"
Violation Types: "personal information of millions of students"

Related Enforcement Actions

FTC

Illuminate Education, Inc.

The FTC proposed a consent order against Illuminate Education, Inc. for failing to secure student data, leading to a breach affecting over 10 million students. The company allegedly had security failures and delayed breach notifications. The order requires a data security program, data deletion, and a retention schedule.

NY

Illuminate Education, Inc.

$5.1M

New York, California, and Connecticut attorneys general reached a $5.1 million settlement with educational technology company Illuminate Education, Inc. for failing to protect student data, resulting in a 2022 breach exposing millions of students’ personal information. The investigation found Illuminate failed to implement basic security measures including data encryption, suspicious activity monitoring, and proper decommissioning of inactive user accounts, and did not delete student data when required by contracts. Illuminate must pay the penalty and implement enhanced data security measures including a comprehensive information security program, encryption of student data, and annual notice to schools about data collection and deletion options.

CA

Illuminate Education, Inc.

$5.1M

California Attorney General Rob Bonta, joined by Connecticut and New York Attorneys General, secured a $5.1 million multistate settlement with edtech company Illuminate Education, Inc. over a 2021 data breach that exposed sensitive personal and medical information of millions of students, including over 434,000 California students. The investigation found Illuminate failed to implement basic security measures, including failing to terminate former employee credentials, lacking suspicious activity monitoring, and leaving backup databases unsecured, as well as making false statements in its privacy policy. Illuminate must pay $3.25 million to California, implement enhanced security practices, and notify the CA DOJ of future student data breaches.
