Illuminate Education Booted from Student Privacy Pledge, Referred for Potential FTC and State AG Action

Voluntary Pledge Commitments Not Kept by Illuminate, Future of Privacy Forum Says

Editor's Note: THE Journal has published an updated list of all K–12 schools nationwide known to be impacted by the Illuminate Education data breach. Find more details about the Illuminate data breach — such as why New York is investigating the ed tech company for potential violations of state law and why cybersecurity experts say transparency should be mandated — in this previous report.

The Future of Privacy Forum on Monday announced it has removed Illuminate Education from the nonprofit’s list of Student Privacy Pledge signatories — the first time a company has been de-listed from the voluntary data protection pledge — and said it sent its decision and supporting facts to federal and state authorities for potential legal action against the ed tech company.

The removal decision follows FPF’s review of “publicly available information” and communications with Illuminate officials about the breach of private student data stored on Illuminate Education’s servers sometime between Dec. 28, 2021, and Jan. 8, 2022. On Jan. 8, Illuminate has since said, its staff discovered that an unauthorized party had accessed its servers, and the company shut down numerous ed tech platforms for about a week as it worked to secure its network and systems.

Eight months later, Illuminate has not made any announcement confirming the precise type of student data that was compromised, nor has it revealed the number of students impacted; according to Illuminate’s website at the time of the breach, its K–12 ed tech solutions — including IO Classroom (previously named Skedula), PupilPath, EduClimber, IO Education, SchoolCity, and others — serve over 5,000 schools with a total enrollment of about 17 million U.S. students.

The Student Privacy Pledge, created in 2014 by FPF and the Software & Information Industry Association to provide a self-regulatory path for K–12 education technology providers, includes commitments to ethical business practices and top-line security and data protection methods. The pledge was updated in 2020 and, when a signatory breaks the promises included within the pledge, is considered enforceable by the Federal Trade Commission and state attorneys general — though that has never been tested.

“By taking the pledge, a company is making a public statement of their practices with respect to student data,” the Student Privacy Pledge website states. “Accountability comes from the Federal Trade Commission, which has the authority to bring civil enforcement actions against companies who do not adhere to their public statements of practices. If a company acts in contradiction to their own public statements, they risk an enforcement action for ‘unfair or deceptive trade practices.’ This is known as FTC Section 5 authority, which you can learn more about by visiting the FTC’s explanation.”

FPF said in its statement Monday it shared its decision and case information with the FTC and attorneys general in California and New York, where at least 3 million students were impacted by the data breach. “Noncompliance with the Pledge when publicly attesting to compliance may be a misleading and deceptive business practice under federal and state law if confirmed by those agencies,” FPF said.

FPF said its review sought to determine whether the company’s data protection practices meet the requirements of the Student Privacy Pledge, and it found those practices lacking.

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information while at rest and in transit,” FPF said. “Such a failure to encrypt would violate several Pledge provisions, including commitments to:

  • “maintain a comprehensive security program that is reasonably designed to protect the security, confidentiality, and integrity of Student PII – such as unauthorized access or use, or unintended or inappropriate disclosure – through the use of administrative, technological, and physical safeguards appropriate to the sensitivity of the information; and
  • “comply with applicable laws,” including New York state law that explicitly requires data encryption.

FPF noted that throughout “multiple communications with Illuminate, the company would not state that it encrypted all student information while at rest and in transit during the relevant time periods.”

Hard-Hit New York State Education Department is Already Investigating Illuminate

The Illuminate Education data breach is known to have impacted the nation’s two largest school districts, New York City Department of Education with about 820,000 students currently enrolled and Los Angeles Unified with 430,000 students, along with hundreds of other schools across New York state, 30 other districts in California, nine districts in Colorado, four in Connecticut, one in Oklahoma, and two in Washington state.

The estimated total of 3 million students impacted by the breach is based on New York State Department of Education official estimates that “at least 2 million” statewide were impacted, plus the current enrollment figures of the other districts that have since disclosed their student data was also breached by Illuminate.

Illuminate’s notification letters to impacted districts — many of which shared them directly on their district websites — stated that current and, in some cases, former students were impacted by the breach, and a handful of schools that publicly detailed the depth of the impact have said that private information belonging to students enrolled as many as nine years ago was among the breached data, plus the data of current students.

The vast reach of the data breach will likely never be fully known because most state laws do not require public disclosure of student data breaches; Illuminate has said in a statement that the data of current and former students was compromised at the impacted schools but declined to specify the number of students impacted in multiple email communications with THE Journal.

Though most states do not require public disclosure of data breaches impacting students, a few, such as New York and California, require prompt notification of parents when any student data is compromised; others leave it up to individual school districts to decide whether and how to disclose breaches, or only require notification if the students’ Social Security numbers are among the compromised data.

Illuminate has repeatedly said — through emailed statements to THE Journal and through its form-letter notification sent to districts known to be impacted — that Social Security numbers were not stored on its servers and not included in the breach. Notification letters shared by impacted districts have stated that the compromised data included student names, academic and behavioral records, enrollment data, disability accommodation information, special education status, demographic data, and in some cases the students’ reduced-price or free lunch status.

A New York Times report published July 31 about the Illuminate breach cited educators and administrators at impacted schools, who said the Illuminate software used by many districts to track students’ progress included “extremely confidential” information about students’ intellectual disabilities, emotional states, physical disabilities, and whether the student was homeless, for example.

“Officials said in some districts the data included the names, dates of birth, races or ethnicities and test scores of students,” wrote Natasha Singer in the New York Times report. “At least one district said the data included more intimate information like student tardiness rates, migrant status, behavior incidents and descriptions of disabilities.”

The New York State Education Department on May 5 told THE Journal that its data privacy officials on April 1 opened an investigation into Illuminate’s handling of the data breach.

Illuminate has not responded to multiple follow-up emails and phone calls requesting more information about the incident.
