EdTech Joint Settlement Shows Enforcers' Focus on Protecting Kids’ Data
A Nov. 6 joint settlement between three states and software company Illuminate Education over a data breach that exposed students' information highlights regulators' focus on protecting minors’ data, said privacy pros and an attorney in interviews. In addition, the incident and settlement show that no matter what sector a breach occurs in, the principles of information security are similar, the attorney said.
The $5.1 million settlement with Connecticut, New York and California attorneys general resolved claims that Illuminate failed to use basic security measures to protect student data, leading to a breach affecting millions (see 2511060032). It was the first enforcement action under Connecticut’s 2016 Student Data Privacy Law and California’s 2014 K-12 Pupil Online Personal Information Protection Act (KOPIPA) (see 2511060055).
“We haven't seen a lot of state enforcement of student privacy laws historically,” which makes this settlement unique, Kelley Drye privacy attorney Laura Riposo VanDruff said in an interview.
Since there was a “significant data security incident” and “three regulators with very consistent messaging” were “enforcing different laws,” it shows “a renewed priority for state regulators” to protect "student information,” she said.
“That certainly is consistent with what we're seeing both at the state and federal level, with respect to a real focus, not just on under-13 data that's protected by [COPPA], but on protecting minors’ information that is collected and used in a variety of contexts,” VanDruff added.
VanDruff noted “there are a number of states [that] have a student privacy law,” but “we just haven't seen [it] robustly enforced to date.” The existence of such a law “evidences a focus by state legislatures on the unique needs of students,” even though the theories vary from state to state. “The patchwork is real.”
For example, California enforcing this settlement under KOPIPA suggests regulators are "taking a renewed interest in enforcing the laws provided to them by their legislatures,” she added. “Knowing that states are actually enforcing [these kinds of laws] is going to be significant, particularly in the EdTech space.”
Lena Cohen, Electronic Frontier Foundation (EFF) staff technologist, agreed that “it’s great to see state attorneys general acting aggressively to enforce protection of young people’s data."
The settlement also highlights collaboration among states, said privacy pros. Cobun Zweifel-Keegan, IAPP managing director for Washington, D.C., noted that “it's relatively common in the AG context to bring joint action,” known as multi-state actions. The public doesn’t “always see them, because it takes a long time for them to be negotiated,” and it often takes longer “when you're coordinating across states.”
Wilson Sonsini lawyers agreed in a Nov. 13 blog post. “This case highlights the growing trend of coordinated enforcement actions between states." They said another example is the Consortium of Privacy Regulators, which includes the California Privacy Protection Agency and several other state regulators (see 2504160037 and 2510080008).
Same Defenses for Companies
From breaches of “student information that could reveal sensitive information about a minor” to “a company that collects social security numbers,” the “principles of protecting that data are effectively the same,” VanDruff said. “The circumstances of any single breach are likely to be unique, but how you protect against that is by having a layered defense strategy, and it was the failure of” that defense “that we see alleged in each of the actions filed by the attorneys general.”
“The inverse is also true,” VanDruff added. “There was a focus in the wake of a variety of big incidents, or FTC actions or state attorney general actions about how to protect other consumer data,” and “that can be equally applied to … the EdTech space too.”
Cohen added that “the settlement also raises the question of why this data is held in private hands -- rather than retained only by school districts themselves -- to begin with.” She continued: “Any time a person’s data is shared with another entity, the risk of breach or abuse is multiplied.”
Something this settlement has in “common” with other recent enforcement actions “is each regulator [is] raising concerns about failures of information-security practices,” VanDruff said. But “what's different is that they're using the authorities that they have" to achieve "analogous goals.” This demonstrates the “flexibility of the tools that many state regulators have … to require companies [to] engage in reasonable practices.”
This settlement, which also includes a monetary penalty, “absolutely” includes lessons for other companies in that it demonstrates “information security is a regulator priority … in any space that handles sensitive information,” VanDruff said.