Attorney General James and Multistate Coalition Secure 51 Million from Education Software Company for Failing to Protect Students Data

pNEW YORK New York Attorney General Letitia James California Attorney General Rob Bonta and Connecticut Attorney General William Tong today announced that they have secured 51 million from educational technology company Illuminate Education Inc Illuminate for failing to protect students data Illuminate provides software to schools and school districts across the country to track students attendance and grades and to monitor students academic behavioral and mental health development In 2022 Illuminate experienced a data breach that exposed the personal information of millions of students including 17 million students in New York An investigation by the Office of the Attorney General OAG and the New York State Education Department NYSED found that Illuminate failed to implement basic security measures to protect students data including failing to monitor for suspicious activity on their platforms As a result of todays settlements Illuminate must pay 51 million and take steps to enhance and strengthen their cybersecurity practices    ppStudents parents and teachers should be able to trust that their schools online platforms are safe and secure said Attorney General James Illuminate violated that trust and did not take basic steps to protect students data Todays settlements will ensure that Illuminate protects students data in classrooms across the country My office will continue to use every tool at our disposal to protect children online   ppTechnology is everywhere in schools today and Connecticuts Student Data Privacy Law requires strict security to protect childrens information said Attorney General Tong Illuminate failed to implement basic safeguards and exposed the personal information of millions of students including thousands here in Connecticut This actionConnecticuts first ever under the Student Data Privacy Lawholds Illuminate accountable and sends a strong message to education technology companies that they must take privacy obligations seriouslyppIlluminate failed to appropriately safeguard the data of school children resulting in a data breach that compromised the sensitive data of students nationwide including more than 434000 California students Our investigation revealed a troubling pattern of security deficiencies that should have never happened for a company charged with protecting data about kids said Attorney General Rob Bonta Todays settlement should send a clear message to tech companies especially those in the education space California law imposes heightened obligations for companies to secure childrens information I am grateful to Attorney General James and Attorney General Tong for their partnership in investigating companies that fail to safeguard our residents data Data security concerns know no borders and as todays settlements showcase neither should state collaborationppAdministrators caregivers and students should feel confident that the software platforms used in schools uphold the highest standards of data security and privacy said NYSED Commissioner Rosa By failing to follow even the most basic security protocols Illuminate exposed the personal information of millions of students to bad actorsan egregious breach of trust and data protection I thank the attorneys generalespecially Letitia James of New Yorkfor their partnership in this investigation and commend them for their unwavering dedication to safeguarding the personal information of our students and familiesppIn December 2021 hackers were able to access one of Illuminates online accounts using the credentials of a former employee who had left the company years earlier The hackers then downloaded unencrypted database files containing the information of approximately 17 million current and former New York students from approximately 750 schools The student information included student names birth dates student ID numbers and demographic information    ppThe OAG and NYSED determined that prior to the breach Illuminate had failed to implement reasonable data security practices designed to protect students personal information Among other things Illuminate failed to encrypt student data implement appropriate systems and processes to monitor for suspicious activity decommission inactive user accounts and limit account permissions to only those that were necessary Illuminate also failed to delete student data when its contracts with certain school districts ended and failed to conduct a complete investigation following the data breach In addition Illuminate made representations about its data security program that ran counter to its actual data security practices     ppAs a result of todays settlements Illuminate must pay 51 million of which New York will receive 17 million in penalties and costs Illuminate is also required to adopt measures to better protect students personal information including    ppIlluminate must also provide schools with an annual notice that identifies the categories of student data it collects and lets schools identify student records such as those that are dated or inactive for deletion  ppFor New York this matter was handled by Senior Enforcement Counsel Jordan Adler and Deputy Bureau Chief Clark Russell with special assistance from Internet and Data Security Analyst Nishaant Goswamy of the Bureau of Internet and Technology under the supervision of Bureau Chief Kim Berger The Bureau of Internet and Technology is a part of the Division for Economic Justice which is led by Chief Deputy Attorney General Chris DAngelo and overseen by First Deputy Attorney General Jennifer Levy  ppWe value your privacyWe use cookies to enhance your browsing experience improve our content delivery and analyze our traffic We do not use cookies for advertising or marketing purposes By using this website you consent to our use of cookies You can learn more about how we collect and use information by reviewing our privacy policyp