New York State Education Department officials are investigating whether the company’s security practices run afoul of state law, which requires education vendors to maintain “reasonable” data security safeguards and to notify schools about data breaches “in the most expedient way possible and without unreasonable delay.” New York City officials have accused Illuminate of misrepresenting its security safeguards and instructed educators to stop using its tools. Related: 74 Interview: Cybersecurity Expert Levin on the Harms of Student Data Hacks Student information in Los Angeles, the country’s second-largest school district, was also breached.Ĭompromised data includes information about students’ eligibility for special education services and free or reduced-price lunch, their names, demographic information, immigration status and disciplinary records. Outside New York City, home to America’s largest school district, state officials said the breach affected an additional 174,000 students across the state. ![]() City officials announced in March that the personal data of some 820,000 current and former students had been compromised. Signs of a data breach at California-based Illuminate first emerged in January when several of its popular digital tools, including programs used in New York City to track students’ grades and attendance, went dark. Education companies have long used the pledge as a marketing tool and the privacy forum has touted it as an assurance to schools as they shop for new technology. The privacy forum maintains that the Federal Trade Commission and state attorneys general can hold companies accountable to their pledge commitments via consumer protection rules that prohibit unfair and deceptive business practices, but such action has never been taken. The action taken against Illuminate comes just three months after the Federal Trade Commission announced efforts to ramp up enforcement of federal student privacy protections, including against companies that sell student data for targeted advertising and that lack reasonable systems “to maintain the confidentiality, security and integrity of children’s personal information.” Related: New Research: Security Report Finds Ed Tech Vulnerability That Could Have Exposed Millions of Students to Hacks During Remote Learning In a recent article in The 74, student privacy experts criticized the Big Tech-funded privacy forum for failing to sanction companies that break the agreement terms. “We will continue to monitor and enhance the security of our systems, and we will continue to work with students and school districts to resolve any concerns related to this matter while prioritizing the privacy and protection of the data we maintain,” Snyder said in a statement. Illuminate Education spokesperson Jane Snyder said the company is disappointed in the privacy forum’s decision, but it “will not detract from our commitment to safeguard the privacy of all student data in our care.” The privately held company founded in 2009 claims some 5,000 schools serving 17 million students use its tools. Illuminate Education CEO Christine Willig (Illuminate Education) The extent of the Illuminate breach remains unclear, but a tally by education news outlet THE Journal encompasses districts in six states affecting an estimated 3 million students. Though the privacy forum maintains that the pledge is legally binding and can be enforced by federal and state regulators, the move against Illuminate marks a dramatic shift in enforcement. ![]() Through the voluntary pledge, hundreds of education technology companies have agreed to a slate of safety measures to protect students’ online privacy. ![]() Illuminate reportedly used Amazon Web Services to store student data on accounts that were easy to identify. “Such a failure to encrypt would violate several pledge provisions,” Polonetsky said, including a commitment to “maintain a comprehensive security program” to protect students’ sensitive information and to “comply with applicable laws,” including an “explicit data encryption requirement” in New York.Įncryption is the cybersecurity practice of scrambling readable data into an unusable format to prevent bad actors from understanding it without a key. Donate here to support The 74's independent journalism. Sign up here for The 74’s daily newsletter. He said the decision to de-list Illuminate came after a review including “direct outreach” to the company, which “would not state” that such privacy practices had been in place. ![]() “Publicly available information appears to confirm that Illuminate Education did not encrypt all student information while” it was being stored or transferred from one system to another, forum CEO Jules Polonetsky said in a statement.
0 Comments
Leave a Reply. |
AuthorWrite something about yourself. No need to be fancy, just an overview. ArchivesCategories |