- A class action lawsuit filed against ed tech company Illuminate Education has been dismissed by a state judge who said the plaintiffs had failed to establish standing or prove any instance of actual identity theft.
- Judge James Selna for the Central District Court of California ruled Wednesday in a case seeking damages from Illuminate over a 2021 data breach that leaked academic, behavior and demographic information of 3 million students. The plaintiffs sought monetary damages to compensate for being "placed at an imminent, immediate, and continuing increased risk of harm from identity theft and fraud.”
- The class action represents current and former students attending school districts throughout California, Colorado, Connecticut, New York, Oklahoma and potentially other states where their private information was stored in Illuminate’s PupilPath system. The plaintiffs were given 21 days to amend their complaint and address issues identified by Selna.
The biggest year to date for data breaches in K-12 schools occurred in 2021, with a significant share attributable to the Illuminate Education incident that affected at least 605 institutions, according to an April report by Comparitech.
In January 2022, Illuminate became aware that an unauthorized third party had accessed its database containing personal and protected health information of students. Illuminate did not notify schools about the incident until late March 2022, according to the lawsuit.
Months following the data breach’s announcement, Renaissance acquired Illuminate. Chris Bauleke, Renaissance's chief executive officer, said in an email to customers announcing the acquisition that there was no evidence of misused data. Illuminate also offered identity monitoring for any notified individual following the cyberattack.
Nonetheless, Illuminate has faced backlash for the mass data breach.
In August, the nonprofit Future of Privacy Forum said it removed Illuminate from its Student Privacy Pledge list, a voluntary data privacy protection pledge, THE Journal reported. The move marked the first time a company had been removed from the pledge.
The forum also forwarded its decision to federal and state officials for potential legal action against Illuminate, saying that a company publicly stating it followed the pledge despite its noncompliance may be misleading under federal and state law.
Meanwhile, the New York City Department of Education stopped using Illuminate products in June 2022 after the breach exposed personal data of about 820,000 current and former students. Illuminate had signed a data privacy and security agreement with the city's schools promising to encrypt student data, but when the cyberattack happened, the school system said the vendor had not done so.
Paul Bischoff, a consumer privacy expert, previously told K-12 Dive that holding vendors like Illuminate accountable for these kinds of breaches is tricky.
“Companies need to take steps to protect their data, but you also don’t want to blame victims, because ultimately Illuminate is a victim of a cyberattack,” Bischoff said. “You don’t want to penalize companies too much for data breaches, because then they won’t report them at all to get out of the consequences.”