2025-21892 Notice

FTC Nabs Illuminate Education in Deception Settlement Deal

Published Date: 12/4/2025

Summary

Illuminate Education, a company that helps schools with data, is being called out for unfair business practices. They’ve agreed to fix these issues under a new deal, and the public can share their thoughts until January 5, 2026. This means Illuminate must change how they operate, but no fines or money penalties are mentioned yet.

Analyzed Economic Effects

6 provisions identified: 5 benefits, 1 cost, 0 mixed.

Millions of students' records exfiltrated

The proposed complaint says a threat actor had unfettered access to Illuminate's network for 13 days and exfiltrated millions of students' personal information. The exposed data included names, addresses, parent contact information, grades, indicators of special education plans (IEP/504), and free or reduced lunch status.

Must implement comprehensive security program

Part IV requires Illuminate to establish, implement, and maintain a comprehensive information security program to protect the security, availability, confidentiality, and integrity of covered information. The complaint lists failures the program must address, including lack of encryption (data stored in plaintext until at least January 2022), weak access controls, poor threat detection, and missing incident response until at least November 2022.

Ban on lying about security and breach timing

The proposed order bars Illuminate from misrepresenting how well it protects the privacy, security, availability, confidentiality, or integrity of covered information, and from misrepresenting the time period in which it will notify school districts and students of a breach. This stops the company from claiming security measures or breach notifications that it does not actually perform.

Requirement to delete unneeded student data

Part II and Part III of the proposed order require Illuminate to delete or destroy covered information that is not needed under its customer contracts, and to document and follow a retention schedule showing why it collects each item and when it will be deleted. This limits how long student data can be kept.

Independent security assessments for 10 years

Part V requires Illuminate to obtain an initial and then biennial (every two years) independent third-party information security assessment for 10 years. Part VI requires disclosing material facts to the assessor and forbids misrepresenting facts material to those assessments.

Annual CISO certification and FTC breach notice reporting

Part VII requires an annual certification from the Chief Information Security Officer that the company implemented the order and reports any material noncompliance. Part VIII requires Illuminate to notify the Commission any time it notifies a federal, state, or local government that consumer information was accessed or exposed without authorization.

Key Dates

Published Date: 12/4/2025
Comments Due: 1/5/2026

Department and Agencies

Department: Independent Agency
Agency: Federal Trade Commission