FPF Drops Illuminate Education from Student Privacy Pledge

FPF Drops Illuminate Education from Student Privacy Pledge
FPF Drops Illuminate Education from Student Privacy Pledge

August 8, 2022

FPF Drops Illuminate Education from Student Privacy Pledge

Illuminate Education De-listed from Pledge and Referred for Potential FTC and State AG Action

After a review of the facts available and based on communications with Illuminate Education, the Future of Privacy Forum (FPF) has removed Illuminate Education from the list of Student Privacy Pledge signatories. We have shared this decision with the Federal Trade Commission, as well as the Attorneys General for California and New York as a referral to those agencies so that they might consider further appropriate action. Noncompliance with the Pledge when publicly attesting to compliance may be a misleading and deceptive business practice under federal and state law if confirmed by those agencies.

Earlier this year, Illuminate Education confirmed widespread media reports that it had experienced a data breach. According to Illuminate’s statements, “potentially protected” student information was subject to unauthorized access between December 28, 2021, and January 8, 2022. FPF initiated a review, seeking to determine whether the company’s practices were and are consistent with its Pledge commitments, specifically with respect to technological safeguards in place to protect the security of data. Publicly available information appears to confirm that Illuminate Education did not encrypt all student information while at rest and in transit. Such a failure to encrypt would violate several Pledge provisions, including commitments to: 

  1. “maintain a comprehensive  security program that is reasonably designed to protect the security, confidentiality, and integrity of Student PII – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information;” and 
  2. “comply with applicable laws,” including New York EdLaw 2-d’s explicit data encryption requirement.

FPF’s review included direct outreach to Illuminate Education. In multiple communications with Illuminate, the company would not state that it encrypted all student information while at rest and in transit during the relevant time periods. The list of Student Privacy Pledge signatories has been updated accordingly.

FPF believes that the privacy and security of students’ information is essential. To help ed tech companies better protect student data, we will be providing training for Pledge signatories, with a specific focus on data governance and security.