United States of America: Federal Trade Commission closes consultation on proposed consent order for Illuminate Education over failure to secure students' personal data

On 5 January 2025, the Federal Trade Commission (FTC) closes a consultation on its proposed consent order against educational technology provider Illuminate Education. The FTC alleged that Illuminate Education failed to take appropriate cybersecurity measures, leading to a cybersecurity incident in which the personal data of 10.1 million students was compromised. The FTC complaint claims that Illuminate Education did not implement reasonable access controls, effective threat detection and response, and vulnerability monitoring, as well as failing to notify school districts. The FTC's published a proposed consent order, which would prohibit Illuminate Education from making misrepresentations about its data security practices, mandate the deletion of a range of data, and require the implementation of a comprehensive information security programme. After the consultation period, the FTC will decide whether to make the consent order final.