In a 4-0 vote, the Federal Trade Commission last week finalized a proposed order requiring ed tech provider Chegg to tighten its data security and delete unnecessary data.
The company — which sells products and services including virtual tutoring and an online college scholarship search service to high school and college students — had experienced four security breaches since 2017. Those incidents exposed Social Security numbers, email addresses, passwords, birthdates, parents’ income ranges, sexual orientation, disabilities and other sensitive data of millions of its customers and employees. Despite this, Chegg allegedly did not correct the issues, the FTC said.
Under the FTC order, Chegg will be required to implement a comprehensive information security program that includes data encryption and employee security training, limit the data it collects and retains, offer users security measures like multifactor authentication, and permit users to access and delete data they’ve provided to the company.
“Chegg took shortcuts with millions of students’ sensitive information,” Samuel Levine, director of the FTC’s Bureau of Consumer Protection, said in an Oct. 31 statement on the proposed order. He also warned that the FTC “will continue to act aggressively to protect personal data.”
In an October statement to news outlets, Chegg said it is “wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.”
The education sector has received particular attention on the cybersecurity front in recent years, as a perfect storm of growing digitization of curriculum, a treasure trove of sensitive personal data, and limited IT funding and staffing made schools a high-value target for ransomware attacks in particular. In such an attack, a bad actor infiltrates a target’s network with malware that encrypts and locks sensitive data and systems until a ransom is paid.
Recent high-profile attacks have targeted the Los Angeles Unified School District, Iowa’s Des Moines Public Schools, and Arkansas’ Little Rock School District, the last of which ultimately paid a $250,000 ransom.
The finalized order against Chegg comes just weeks after a report from nonprofit Internet Safety Labs found 96% of apps used or recommended by K-12 schools share students’ personal information with third parties. The report also pointed to custom school district apps made by large tech developers as among the least safe.
Efforts by lawmakers to update the Children’s Online Privacy Protection Act stalled during the previous Congress.