Background
On November 6, California Attorney General (AG) Rob Bonta, Connecticut AG William Tong, and New York AG Letitia James announced a $5.1 million settlement with Illuminate Education, Inc. (Illuminate), an educational technology company that offers K-12 software solutions that enable schools and school districts to track student attendance and grades, and monitor academic progress, behavior, and mental health.
The settlement resolved a coordinated investigation by the states of California, New York, and Connecticut into Illuminate’s handling of student data. That investigation was in response to Illuminate’s announcement that, between December 28, 2021, and January 8, 2022, a threat actor accessed sensitive information belonging to more than 4.7 million students, which was stored on Illuminate’s backup databases. The information that was potentially accessed included: names, birth dates, emails, demographic information, academic and behavior information, disciplinary records, accommodation information, special education information, and information on coded medical conditions.
The AGs commenced the coordinated investigation under states’ unfair and deceptive practices act laws, general laws requiring businesses to comply with their posted privacy policy (CalOPPA) and safeguard medical information (CMIA), and three specific student privacy laws that apply to Educational Technology companies (i.e., California’s K-12 Pupil Online Personal Information Protection Act (KOPIPA), the Connecticut Student Data Privacy Law, Conn. Gen. Stat. §§ 10-234aa-dd (the CSDPL), and the New York Education Law §2-d (NYEL)).
The AGs alleged, among other things, that Illuminate failed to terminate login credentials of former employees, failed to monitor and alert for suspicious logins to and activities in its systems, failed to securely back up databases separately from active databases, failed to encrypt student data, and failed to remediate high risk vulnerabilities in its systems. The AGs also noted that Illuminate made false and misleading statements about its cybersecurity practices, including misrepresenting that it was compliant with the Future of Privacy Forum’s “Student Privacy Pledge,” after the Privacy Forum dropped Illuminate for noncompliance with its pledge commitments.
Under the settlement, Illuminate agreed to pay $5.1 million in civil penalties and costs to the AGs, to be split among the states in proportion to the number of student residents from each state affected by the breach. California will receive $3.25 million; New York is set to receive $1.7 million; and Connecticut will receive $150,000.
In addition to the monetary component, the settlement also includes prospective relief in the form of nonmonetary terms, including a commitment to implement and maintain a comprehensive information security program that is reasonably designed to protect the security, integrity, and confidentiality of student data; the appointment of a qualified individual responsible for implementing, maintaining, and monitoring the information security program; and the implementation of controls to limit access to student data and policies related to monitoring, encryption, vulnerability management, and contract requirements outlining the protections of student data it handles. Further, Illuminate agreed to establish an incident response plan, data retention policies and procedures, and the creation of a data retention and deletion notice that it will send to educational agencies on an annual basis. Finally, Illuminate agreed to subject itself to obtain a comprehensive assessment of its network by an independent third-party auditor within one year of the settlement and to perform third-party audits of a cybersecurity program annually for three years thereafter.
Why It Matters
The settlement with the AGs is important for three reasons. First, it marks the first enforcement actions pursued by California under KOPIPA and Connecticut under the CSDPL and the second enforcement action by New York under the NYEL. Entities providing technology in the education space should familiarize themselves not only with the various state laws that apply to the protection of student data, but also to the nonmonetary terms in the settlement, which provide a roadmap on what regulators are focusing on (e.g., a comprehensive security program, an employee responsible for implementing and overseeing it, the implementation of access controls and the secure storage of sensitive data, accurate and transparent representations about the privacy policies and cybersecurity program, annual assessments and audits and actions taken in response to high risk vulnerabilities identified, and notices advising students and consumers on retention and deletion rights).
Second, the settlement evidences the continued regulatory trend in scrutinizing businesses that collect, process, and share information of minors. Entities should familiarize themselves with the various state and federal laws, including the Children’s Online Privacy Protection Rule (COPPA), which focus on, among other things age verification, parental consent, and access controls. Both the FTC and state AGs have utilized COPPA to hold entities accountable for improper conduct in handling information obtained from children.
Third, the settlement evidences the continued collaboration among state AGs in pursuing the enforcement of privacy and cybersecurity laws targeted at the protection of consumer information. This action is indicative of the more general trend of state AGs uniting to combine resources and expertise, as seen with the development of the Consortium of Privacy Regulators formed by California, Colorado, Connecticut, Delaware, Indiana, New Jersey, and Oregon.
Troutman Pepper Locke State Attorneys General Team
 |
Ashley Taylor – Co-leader and Firm Vice Chair Ashley is co-leader of the firm’s nationally ranked State Attorneys General practice, vice chair of the firm, and a partner in its Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group. He helps his clients navigate the complexities involved with multistate attorneys general investigations and enforcement actions, federal agency actions, and accompanying litigation. |
 |
Clay Friedman – Co-leader Clay co-leads the firm’s State Attorneys General practice and is nationally ranked by Chambers USA for AG Government Relations and in Best Lawyers for Advertising Law. He has dedicated his entire career to state attorney general and federal work, serving for nearly a decade in a senior role and more than 25+ years in private practice. Clay focuses his practice on helping industry-leading companies mitigate the risks associated with state and federal regulatory investigations and associated litigation. |
 |
Chris Carlson Chris advises clients on regulatory, civil, and criminal investigations and litigation. With a background as an assistant attorney general, he provides practical guidance to clients with matters involving state attorneys general and federal regulatory agencies. |
 |
Lauren Fincher Lauren has vast experience handling state attorneys general investigations, navigating complex regulatory compliance matters, and providing strategic counsel in enforcement actions across various industries. She helps clients manage high-stakes regulatory matters and guides them through complex legal landscapes. |
 |
Stephen Piepgrass Stephen leads the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, representing clients in single and multistate enforcement actions, including inquiries and investigations, as well as litigation involving state attorneys general and other state and federal governmental enforcement bodies. He has significant experience handling actions with federal agencies, including the CFPB and FTC, as well as single plaintiff and class action litigation for clients in highly regulated sectors such as financial services, health care, pharmaceutical, and education. |
 |
Michael Yaghi Mike handles high-profile state attorneys general, FTC, and CFPB investigations by advising clients through these complex government inquiries. He assists clients through the entire life cycle of investigations, from regulatory enforcement through formal litigation. |
 |
Samuel E. “Gene” Fishel Gene is a former regulator with two decades of experience who has overseen state privacy and cybersecurity regulation enforcement, led national, multistate attorneys general privacy investigations, and prosecuted computer crimes at the state and federal levels. He has served at the forefront of state attorney general and federal enforcement, and utilizes this experience to proficiently represent client interests. |
 |
Jeff Johnson Jeff helps clients navigate complex regulatory and litigation challenges with local, state, and federal authorities. His clients benefit from his decade of broad litigation experience, understanding of emerging state and federal regulatory issues, and strong relationships with attorneys general across the U.S. In addition to handling cases from trial through state or federal appeals, Jeff serves as amicus counsel in advancing legal rules to support his clients’ vital interests. |
 |
Jay Myers Jay assists clients in heavily regulated industries, including health care, energy, insurance, emerging industries, and data privacy. He provides both regulatory legal advice and government relations strategies. Jay’s past and current clients include Fortune 10 companies, startups, nonprofits, industry associations, and advocacy groups. Recognizing that state government matters are often complex and multifaceted, he utilizes regulatory guidance, government advocacy, or both in tandem to deliver tailored solutions for each client’s unique needs. |
 |
Zoe Schloss
Zoe represents clients in litigation and government investigations. As former deputy attorney general for the Delaware Department of Justice, she is an experienced litigator who understands the enforcement priorities that impact her clients. Zoe works with individuals and corporate entities in highly regulated industries, including financial services, health care, and energy. |
 |
Jessica Birdsong Jessica is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, magna cum laude, where she served as associate articles editor of the Journal of Law & Technology. |
 |
Blake R. Christopher Blake collaborates with clients on matters related to government contracting, investigations, and disputes. His senior-level government experience generates valuable insights and strategies for clients across a variety of industries. |
 |
Nick Gouverneur Nick is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. He received his J.D. from the University of Illinois College of Law, where he served as a member of the Journal of Law, Technology & Policy. |
 |
Troy Homesley Troy is an accomplished litigator who has represented and defended clients across a wide range of complex, high-stakes disputes at both the trial and appellate levels. He has represented technology companies, business executives, law firms, investment funds, high-ranking federal officials, international non-profits, and asylum seekers. Troy draws on his broad litigation experience to advise clients before litigation arises, while claims are pending or threatened, and leading up to and through trial and appeals. |
 |
Namrata Kang Namrata (Nam) is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement (RISE) Practice Group, based in the Washington, D.C. office. She routinely advises clients on a wide variety of state and federal regulatory matters, with a particular emphasis on state consumer protection laws relating to consumer financial services and marketing and advertising. Nam’s experience transcends multiple industries, including financial services, telecommunications, media, and sports betting. |
 |
Michael Lafleur Michael is an associate in the firm’s Regulatory Investigations, Strategy, and Enforcement Practice Group. Based out of the firm’s Boston office, Mike has deep experience in litigation, investigations, and other regulatory matters involving state-level regulators and state attorneys general. |
 |
Philip Nickerson Philip represents clients in sectors such as financial, tech, real estate, and energy in a range of litigation matters. He is experienced in matters involving trade secrets, government investigations, commercial contracts, construction and product defect. |
 |
Lane Page Lane specializes in federal and state regulatory investigations and complex civil litigation. He focuses on representing financial institutions and other businesses, with a particular emphasis on consumer protection and fair lending issues. |
 |
Dascher Pasco Dascher is an attorney within the Regulatory Investigations, Strategy, and Enforcement practice, based in the Richmond office. She joined our firm after working in personal injury and medical malpractice for a Virginia trial law firm. Dascher brings varied legal experience to the firm with strong litigation and regulatory strategy capabilities. |
 |
Kyara Rivera Rivera Kyara is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. She received her J.D. from the University of Richmond School of Law, cum laude, where she served as publications and online editor of the Public Interest Law Review. |
 |
Timothy Shyu Timothy is an associate in the firm’s Regulatory Investigations, Strategy + Enforcement Practice Group. |
 |
Trey Smith Trey focuses his practice on representing and advising regulated utilities before state public utility commissions. He routinely helps clients obtain certificates of public convenience and necessity for transmission infrastructure. In this role, Trey works with his clients’ subject-matter experts to manage administrative proceedings, including by preparing initial filings; responding to discovery requests; drafting rebuttal testimony; and litigating any disputed issues. |
 |
Daniel Waltz Dan helps clients navigate all aspects highly regulated relationships between industry participants and federal, state and local governments. Whether engaging with regulators, negotiating transactions or representing clients in the courtroom, he delivers solutions that help his clients achieve their strategic goals. |
 |
Cole White Cole is a member of the firm’s Regulatory Investigations, Strategy and Enforcement (RISE) group. He has a decade of experience working in the attorney general community, having joined the firm from the Wyoming Office of the Attorney General, where he was assistant attorney general. |
 |
Stephanie Kozol Stephanie is Troutman Pepper Locke’s senior government relations manager in the state attorneys general department. |