Aeries Settles Data Breach Lawsuit for $1.75M; Illuminate Suit is Dismissed – For Now

Data Privacy Attorney Explains Why Schools and Ed Tech Vendors Collecting or Storing PII Face Greater Risk Than Ever

Two ed tech providers that suffered data breaches that compromised private student information have seen civil lawsuits reach vastly different results — yet both should serve as a stark warning for ed tech companies collecting student data, a data privacy attorney told THE Journal.

In a class-action lawsuit filed on behalf of students at San Dieguito Union High School District, a federal judge in March gave final approval to a settlement ordering Aeries Software to pay $1.75 million to members of the class, which includes nearly 100,000 former and current San Dieguito Union students whose PII was compromised in a November 2019 breach of Aeries databases. 

Last week, a proposed national class-action lawsuit filed against Illuminate Education over its January 2022 data breach was dismissed by the same court, the U.S. District Court Central District of California, Western Division. The judge dismissing the lawsuit against Illuminate — formed when civil suits filed last summer in New York and California were combined — wrote in his decision that the plaintiffs did not successfully establish standing to sue or that actual harm was imminent, and the court gave the plaintiffs 21 days to amend the complaint and re-file.

Recipe for a Costly Data Breach

The two lawsuits with differing outcomes stemmed from two vastly different breaches. In the Aeries case, plaintiffs had established that the compromised data included nearly every form of student and parent Personal Identifying Information stored by Aeries for San Dieguito Union schools over many years; in the Illuminate case, plaintiffs neither alleged nor established that any data beyond behavioral, academic, and demographic information was compromised. 

Aeries’ student information system — used by Texas and California districts to store the records of more than 30 million students, according to its website — was breached in November 2019; the company did not notify districts about the breach until the following April. 

That notice of data breach, sent to school districts and filed with the California Attorney General, “disclosed only that the following information was compromised: ‘Parent and student login information, physical residence addresses, emails, and password hashes,’” according to the settlement agreement filed with the court. 

The data breach notice “did not disclose that additional PII was stored on behalf of its school district customers, including student health records, Social Security numbers, class grades, standardized test information, previous addresses, and parents’ or guardians’ debit or credit cards and other financial information,” the settlement agreement said.

Aeries executives acknowledged during later court proceedings that the breach compromised the databases of 166 school districts, exposing the PII of approximately 3 million former and current students. At least one of the several lawsuits filed over the breach sought nationwide class-action status, but following months of mediation, the class was limited to only SDUHSD current and former students and their guardians “because class counsel determined that this population was differently situated” than other districts using Aeries’ SIS and “had an increased risk of exposure” from the data breach, according to the settlement filing with the court. 

In the Illuminate Education case, U.S. District Court Judge James Selna on April 19, 2023, granted Illuminate’s motion to dismiss, agreeing that “plaintiffs have not plausibly alleged any actual identity theft.” 

“Plaintiffs allege they are ‘concerned’ that their or their children’s Social Security numbers were breached but do not actually allege social security numbers were part of the data breach,” the judge wrote in the dismissal. “Plaintiffs allege students’ academic, behavior, and demographic information was leaked … but notably do not allege social security, credit card, or bank information was leaked.”

In its breach notification letters that began going out to school districts last April, Illuminate expressly said that “Social Security numbers and financial information were not at risk as a result of this event.”

“On the other hand, it’s possible the leaked information potentially allowed an individual to recover passwords to (plaintiffs’ financial accounts),” wrote the judge. “In any event, the Court is left to speculate, based on the allegations and facts, as to whether any actual identity theft occurred based on information leaked in the data breach.”

He added that “the factual allegations do not actually create a nexus between the information leaked and the alleged harm.”

“Plaintiffs fail to establish any actual identity theft related to the data breach and thus the harm has not materialized. Likewise, Plaintiffs fail to allege how the information leaked in the data breach (academic and behavioral information) puts them at harm or risk, particularly credible and immediate risk of harm,” said the ruling.

The judge emphasized that “plaintiffs do not lack standing simply because the data breach did not involve credit card numbers, Social Security numbers, or other financial information.” But, he said, the plaintiffs must make a connection between the personal information leaked and the harms alleged.

In ruling that the plaintiffs failed to establish standing, the judge noted that “plaintiffs may be able to cure the deficiencies identified” and granted the plaintiffs 21 days to amend their complaint starting on April 19.

As of this writing, the plaintiffs in the Illuminate case had not filed an amended complaint. Illuminate Education was acquired by curriculum provider Renaissance last August.

Why Are Ed Tech Vendors Collecting Private Data, Anyway?

Attorney Harris S. Freier, partner at Genova Burns LLC and head of the firm’s Privacy and Cybersecurity Practice, told THE Journal that ed tech providers almost never need student PII in order to provide their services and software to school districts.

“Schools should not provide student PII, and education tech vendors should not collect it,” Freier said. “It is never a good idea for any company, including education technology vendors, to ever have access to especially sensitive forms of personally identifiable information such as Social Security numbers, driver’s license numbers, taxpayer ID numbers, health information, or banking/financial information of students unless they are actually providing a service linked to one of those protected categories of personal information. The liability tied to collecting this type of information — due to the near certainty that every company will eventually be breached — is almost never worth whatever business reason prompted the collection of the data to start with.”

Even the common practice of providing ed tech platforms with students’ birthdates and home addresses is a big risk for the vendors, he said; although identity theft from a data breach is far less likely if the compromised data didn’t include SSNs, driver’s license numbers, or taxpayer IDs, vendors storing such data face the threat of costly lawsuits regardless of whether the breach causes actual harm.

Freier advises school districts to protect themselves in their vendor agreements.

“If sensitive PII needs to be collected — which in most cases it actually does not — encryption of the data should be required in any contract between the school and vendor, and the contract between the school and the vendor should make clear that the vendor will indemnify the school if student PII stored by the vendor is breached,” he said. 

Standing to Sue Over Breaches is Easier to Achieve Than Ever

Last September, a ruling from U.S. Court of Appeals for the Third Circuit shifted the baseline of the requirement for a data breach plaintiff to have suffered “actual or imminent harm,” Freier told THE Journal following the decision.

In that ruling, the Third Circuit Court of Appeals’ three-judge panel unanimously reinstated a putative class-action suit brought by Clemens, a former employee of a company that suffered a ransomware attack that led to her sensitive information being released onto the dark web.

Notably, Clemens did not suffer identity theft following the breach. After the company notified employees of the breach, Clemens “took swift action by reviewing her financial records and credit reports, switching banks and purchasing credit monitoring services,” according to court documents summarized by Freier on his legal blog.

In February 2021, the District Court for the Eastern District of Pennsylvania dismissed her case for lack of standing, due to the “speculative nature” of the injuries to the employees. But the decision issued on Sept. 2, 2022, by the Third Circuit Court of Appeals vacated the dismissal and remanded the case for consideration on the merits — giving the potential class of plaintiffs a new chance for relief and putting organizations that store PII data on notice, Freier said.

The Third Circuit Court of Appeals clarified that an injury need only be “imminent” to qualify for standing, and does not need to have actually taken place at the time the suit is filed. Based on precedent in recent data breaches, the Court of Appeals “determined that the substantial risk of future injury qualifies for standing based on imminence, especially in the event of an intentional, targeted attack by a hacking group,” Freier wrote in his case analysis.

Freier told THE Journal that organizations — including ed tech providers and public schools serving minors — should take all possible precautions to protect private data stored within their systems, as the possibility of being held financially liable after a data breach is growing. 

“Now a victim of a data breach no longer needs to wait to suffer a direct harm such as their identity is stolen, and they must pay credit card and bank fees resulting from the identity theft,” he said. “Instead, the fact that a company is a victim of a hack, and the data has been released on the dark web is enough to allow any victims of the breach to bring suit, even if they have not yet suffered any harm resulting from the breach.”

In the case of K–12 schools, Freier said, a data breach that resulted in the public disclosure of academic records or PII on the dark web would put the district in an increasingly hot seat, legally and financially.

“In the case of minors, the rights to educational records are controlled by the parents/guardians, and a cyberattack where educational records are exposed to a third party is a FERPA violation, so that means the school is not only dealing with a potential class-action but also a potential Department of Education investigation,” Freier said.