
When education vendors say that they protect the identities of their customers, but they don’t, bad things can happen. Illuminate Education discovered this the hard way.
On Monday, Thomas O’Malley shared the 2023 Comparitech article “US schools leaked 32 million records in 2,691 data breaches since 2005.” These leaks were due to large-scale breaches such as Illuminate Education and Blackbaud, as well as many other breaches, and affected institutions at all educational levels.
The December 2021 Illuminate Education data breach was first reported in January 2022, and by September was revealed to have affected schools across the country, exposing students’ names, birthdates, and other personally identifiable information (PII).
Two attempted class action lawsuits against Illuminate Education have been defeated. But there has still been fallout:
“(The Future of Privacy Forum) initiated a review, seeking to determine whether (Illuminate Education’s) practices were and are consistent with its Pledge commitments, specifically with respect to technological safeguards in place to protect the security of data. Publicly available information appears to confirm that Illuminate Education did not encrypt all student information while at rest and in transit. Such a failure to encrypt would violate several Pledge provisions…”
From https://studentprivacypledge.org/news/fpf-drops-illuminate-education-from-student-privacy-pledge/.
As a result of its inability to confirm that Illuminate Education followed recommended data encryption practices, the Future of Privacy Forum “removed Illuminate Education from the list of Student Privacy Pledge signatories.” As of January 23, 2024, Illuminate Education’s status as a signatory has not been restored.
Can a company’s status as a Future of Privacy Forum signatory guarantee that it takes all necessary steps to protect educational identity data? Of course not; a signatory may have undiscovered data protection failures, and conversely a company may implement stellar policies yet never have bothered to sign on the dotted line.
But presence or absence on the FPF signatories list can serve as a positive or negative risk indicator.
