March 6, 2024
This week, the Future of Privacy Forum concluded its review of Raptor Technologies’ Student Privacy Pledge status. We have removed the “under review” designation, restoring Raptor Technologies’ status as an active signatory.
Our review was initiated after we were made aware of reports by security researchers of a non-password-protected data repository that contained an estimated 4 million records, which included PII of students, parents, and school staff.
When FPF learns of a complaint about a Pledge signatory, we analyze the issues and reach out to the signatory to understand the complaint, the signatory’s policies and practices, and other relevant information. Our goal is to work with the company to resolve any Pledge-covered practices that do not align with Pledge requirements. During our review, Raptor Technologies informed FPF that they quickly secured the data and notified clients after being notified of the vulnerability. Following a third-party review, the company has no evidence the data was misused.
FPF found that Raptor Technologies had misconfigured cloud storage that contained sensitive personal information and lacked a specific contact method for receiving security reports. FPF also found that, despite these issues, the company had an overall strong security program in place which included regular third-party audits, moved quickly to address both issues, and bolstered their security program after learning of the issues. Therefore, we are restoring their status as an active signatory.
This incident serves as an important reminder that maintaining a strong security program does not prevent all security vulnerabilities. FPF has reached out to all Pledge signatories to remind them of the importance of correctly configuring cloud storage and of having a way for security researchers to report discovered vulnerabilities, such as posting a dedicated security email contact on the site or in a security.txt file.
The Student Privacy Pledge is a voluntary but legally enforceable promise by each signatory that it will adhere to its commitments. The Pledge is neither intended as a comprehensive privacy policy nor to be inclusive of all requirements to achieve compliance with all applicable federal or state laws. This Pledge is not a third-party audit, and it is not officially endorsed by any governmental agency that has regulatory or enforcement authority. The Federal Trade Commission (FTC) or state Attorneys General (AG) have legal authority to ensure signatories keep their promises. If signatories enter into contracts that are modeled on the Pledge, schools may have contractual rights to enforce these promises.
Media Contact:
John Verdi, Vice President of Policy, FPF, media@fpf.org