Illuminate Education, Inc.; Analysis of Proposed Consent Order To Aid Public Comment

Issuing agencies

Abstract

The consent agreement in this matter settles alleged violations of Federal law prohibiting unfair or deceptive acts or practices. The attached Analysis of Proposed Consent Order to Aid Public Comment describes both the allegations in the complaint and the terms of the consent order--embodied in the consent agreement--that would settle these allegations.

Full Text

<html>
<head>
<title>Federal Register, Volume 90 Issue 231 (Thursday, December 4, 2025)</title>
</head>
<body><pre>
[Federal Register Volume 90, Number 231 (Thursday, December 4, 2025)]
[Notices]
[Pages 55868-55869]
From the Federal Register Online via the Government Publishing Office [<a href="http://www.gpo.gov">www.gpo.gov</a>]
[FR Doc No: 2025-21892]



[[Page 55868]]

=======================================================================
-----------------------------------------------------------------------

FEDERAL TRADE COMMISSION

[File No. 222 3105]


Illuminate Education, Inc.; Analysis of Proposed Consent Order To 
Aid Public Comment

AGENCY: Federal Trade Commission.

ACTION: Proposed consent agreement; request for comment.

-----------------------------------------------------------------------

SUMMARY: The consent agreement in this matter settles alleged 
violations of Federal law prohibiting unfair or deceptive acts or 
practices. The attached Analysis of Proposed Consent Order to Aid 
Public Comment describes both the allegations in the complaint and the 
terms of the consent order--embodied in the consent agreement--that 
would settle these allegations.

DATES: Comments must be received on or before January 5, 2026.

ADDRESSES: Interested parties may file comments online or on paper by 
following the instructions in the Request for Comment part of the 
SUPPLEMENTARY INFORMATION section below. Please write ``Illuminate; 
File No. 222 3105'' on your comment and file your comment online at 
<a href="https://www.regulations.gov">https://www.regulations.gov</a> by following the instructions on the web-
based form. If you prefer to file your comment on paper, please mail 
your comment to: Federal Trade Commission, Office of the Secretary, 600 
Pennsylvania Ave. NW, Mail Stop H-144 (Annex E), Washington, DC 20580.

FOR FURTHER INFORMATION CONTACT: Bhavna Changrani (202-326-2363), 
Attorney, Division of Privacy and Identity Protection, Bureau of 
Consumer Protection, Federal Trade Commission, 400 7th St. SW, 
Washington, DC 20024.

SUPPLEMENTARY INFORMATION: Pursuant to section 6(f) of the Federal 
Trade Commission Act, 15 U.S.C. 46(f), and FTC Rule Sec.  2.34, 16 CFR 
2.34, notice is hereby given that the above-captioned consent agreement 
containing a consent order to cease and desist, having been filed with 
and accepted, subject to final approval, by the Commission, has been 
placed on the public record for a period of 30 days. The following 
Analysis to Aid Public Comment describes the terms of the consent 
agreement and the allegations in the complaint. An electronic copy of 
the full text of the consent agreement package can be obtained at 
<a href="https://www.ftc.gov/news-events/commission-actions">https://www.ftc.gov/news-events/commission-actions</a>.
    You can file a comment online or on paper. For the Commission to 
consider your comment, we must receive it on or before January 5, 2026. 
Write ``Illuminate; File No. 222 3105'' on your comment. Your comment--
including your name and your State--will be placed on the public record 
of this proceeding, including, to the extent practicable, on the 
<a href="https://www.regulations.gov">https://www.regulations.gov</a> website.
    Because of heightened security screening, postal mail addressed to 
the Commission will be subject to delay. We strongly encourage you to 
submit your comments online through the <a href="https://www.regulations.gov">https://www.regulations.gov</a> 
website. If you prefer to file your comment on paper, write 
``Illuminate; File No. 222 3105'' on your comment and on the envelope, 
and send it via overnight service to: Federal Trade Commission, Office 
of the Secretary, 600 Pennsylvania Avenue NW, Mail Stop H-144 (Annex 
E), Washington, DC 20580.
    Because your comment will be placed on the publicly accessible 
website at <a href="https://www.regulations.gov">https://www.regulations.gov</a>, you are solely responsible for 
making sure your comment does not include any sensitive or confidential 
information. In particular, your comment should not include sensitive 
personal information, such as your or anyone else's Social Security 
number; date of birth; driver's license number or other State 
identification number, or foreign country equivalent; passport number; 
financial account number; or credit or debit card number. You are also 
solely responsible for making sure your comment does not include 
sensitive health information, such as medical records or other 
individually identifiable health information. In addition, your comment 
should not include any ``trade secret or any commercial or financial 
information which . . . is privileged or confidential''--as provided by 
section 6(f) of the FTC Act, 15 U.S.C. 46(f), and FTC Rule Sec.  
4.10(a)(2), 16 CFR 4.10(a)(2)--including competitively sensitive 
information such as costs, sales statistics, inventories, formulas, 
patterns, devices, manufacturing processes, or customer names.
    Comments containing material for which confidential treatment is 
requested must be filed in paper form, must be clearly labeled 
``Confidential,'' and must comply with FTC Rule Sec.  4.9(c). In 
particular, the written request for confidential treatment that 
accompanies the comment must include the factual and legal basis for 
the request and must identify the specific portions of the comment to 
be withheld from the public record. See FTC Rule Sec.  4.9(c). Your 
comment will be kept confidential only if the General Counsel grants 
your request in accordance with the law and the public interest. Once 
your comment has been posted on the <a href="https://www.regulations.gov">https://www.regulations.gov</a> 
website--as legally required by FTC Rule Sec.  4.9(b)--we cannot redact 
or remove your comment from that website, unless you submit a 
confidentiality request that meets the requirements for such treatment 
under FTC Rule Sec.  4.9(c), and the General Counsel grants that 
request.
    Visit the FTC website at <a href="https://www.ftc.gov">https://www.ftc.gov</a> to read this document 
and the news release describing the proposed settlement. The FTC Act 
and other laws the Commission administers permit the collection of 
public comments to consider and use in this proceeding, as appropriate. 
The Commission will consider all timely and responsive public comments 
it receives on or before January 5, 2026. For information on the 
Commission's privacy policy, including routine uses permitted by the 
Privacy Act, see <a href="https://www.ftc.gov/site-information/privacy-policy">https://www.ftc.gov/site-information/privacy-policy</a>.

Analysis of Proposed Consent Order To Aid Public Comment

    The Federal Trade Commission (``Commission'') has accepted, subject 
to final approval, an agreement containing a consent order from 
Illuminate Education, Inc. (``Respondent''). The proposed consent order 
(``proposed order'') has been placed on the public record for 30 days 
for receipt of public comments from interested persons. Comments 
received during this period will become part of the public record. 
After 30 days, the Commission will again review the agreement, along 
with the comments received, and will decide whether it should make 
final the proposed order or withdraw from the agreement and take 
appropriate action.
    Respondent is a California corporation with its principal place of 
business in Wisconsin Rapids, WI. Respondent offers schools and 
districts a suite of software products and solutions, such as the IO 
Suite,\1\ to help manage student information, assess literacy, track 
grades, communicate with parents, and determine students' academic and 
social-emotional behavior learning needs. In the course of providing 
its products and services, Respondent stores personal information of 
millions of students. The personal information includes students' name 
and address, parent contact information, grades, whether the student 
has specialized learning plans in place (such as Individualized 
Education Plans (IEP) or 504 Plans which can reveal

[[Page 55869]]

special needs or disabilities), or whether the student receives free or 
reduced lunch.
---------------------------------------------------------------------------

    \1\ The IO suite of programs includes IO Admin, IO Assessment, 
IO Auth, IO Classroom, IO Compass, IO Insights, IO Messenger, and 
Data Driven Classroom.
---------------------------------------------------------------------------

    The proposed complaint alleges that despite representing to school 
districts, students and their parents that it would keep their student 
personal information safe, Respondent failed to utilize reasonable 
information security measures to do so. The proposed complaint alleges 
that as a result of Respondent's unreasonable information security 
practices, a threat actor infiltrated Respondent's network, had 
unfettered access to students' personal information for 13 days, and 
exfiltrated millions of students' personal information.
    The Commission's proposed three-count complaint alleges that 
Respondent violated Section 5(a) of the FTC Act by (1) unfairly failing 
to employ reasonable information security practices to protect 
students' personal information, (2) misrepresenting to school 
districts, students and their parents that it took reasonable steps to 
protect student personal information, and (3) misrepresenting to school 
districts that it would provide timely notifications regarding breach 
or unauthorized disclosure. With respect to the first count, the 
proposed complaint alleges that Respondent:
    (a) stored, until at least January 2022, students' personal 
information in Illuminate's network in S3 buckets in plaintext, rather 
than encrypting the information;
    (b) failed to implement reasonable access controls to safeguard 
students' personal information stored in AWS services;
    (c) failed to employ effective threat detection and response on its 
network and databases;
    (d) failed to employ effective vulnerability monitoring and patch 
management practices;
    (e) improperly configured, or failed to implement, logging and 
monitoring tools to appropriately capture and alert on suspicious data 
security events;
    (f) failed, until at least November 2022, to establish a 
comprehensive incident management or incident response plan; and
    (g) failed, until at least March 2022, to have a policy, process, 
or procedure for inventorying and deleting students' personal 
information stored on Illuminate's network after that information is no 
longer necessary.
    The proposed complaint alleges that Respondent could have addressed 
each of these failures by implementing readily available and relatively 
low-cost security measures. It also alleges that Respondent's failures 
caused, or are likely to cause, substantial injury to consumers that is 
not outweighed by countervailing benefits to consumers or competition 
and is not reasonably avoidable by consumers themselves. Such practices 
constitute unfair acts or practices under Section 5 of the FTC Act.
    With respect to the second count, the proposed complaint alleges 
that, at various times, Respondent represented to school districts, 
students and their parents that it used reasonable measures to protect 
student personal information. The proposed complaint alleges that, in 
reality, and as noted above, Respondent failed to implement reasonable 
measures to protect students' personal information. Such 
representations were, therefore, deceptive under Section 5 of the FTC 
Act.
    Finally, the third count of the proposed complaint alleges that at 
various times Respondent represented that it would provide timely 
notifications to school districts whose data has been exposed as a 
result of a breach or unintended disclosure. The proposed complaint 
alleges that Respondent failed to timely notify school districts whose 
data had been exposed due to a breach or unintended disclosure. Such 
representations were, therefore, deceptive under Section 5 of the FTC 
Act.

Summary of Proposed Order With Respondent

    The proposed order contains injunctive relief designed to prevent 
Respondent from engaging in the same or similar acts or practices in 
the future.
    Part I prohibits Respondent from misrepresenting (1) the extent to 
which it protects the privacy, security, availability, confidentiality, 
or integrity of any covered information; and (2) the time period in 
which Respondent will notify school districts and students of a breach 
or unintended disclosure of any covered information as defined in the 
proposed order.
    Part II requires that Respondent delete or destroy covered 
information that is not being retained in connection with providing 
products or services under Respondent's contracts with its customers or 
as requested by Respondent's customers.
    Part III requires that Respondent document and adhere to a 
retention schedule for the covered information it collects from 
consumers, including the purposes for which it collects such 
information and the timeframe for its deletion.
    Part IV requires Respondent to establish and implement, and 
thereafter maintain, a comprehensive information security program that 
protects the security, availability, confidentiality, and integrity of 
covered information.
    Part V requires Respondent to obtain initial and biennial 
information security assessments by an independent, third-party 
professional for 10 years. Part VI requires Respondent to disclose all 
material facts to the assessor required by Part V and prohibits 
Respondent from misrepresenting any fact material to the assessments 
required by Part V.
    Part VII requires Respondent to submit an annual certification from 
the Chief Information Security Officer responsible for its information 
security program that the company has implemented the requirements of 
the Order and is not aware of any material noncompliance that has not 
been corrected or disclosed to the Commission. Part VIII requires 
Respondent to notify the Commission any time it notifies a federal, 
state, or local government that information of or about a consumer was, 
or is reasonably believed to have been, accessed, acquired, or publicly 
exposed without authorization.
    Parts IX-XII are reporting and compliance provisions, which include 
recordkeeping requirements and provisions requiring Respondent to 
provide information or documents necessary for the Commission to 
monitor compliance.
    Part XIII states that the proposed order will remain in effect for 
10 years, with certain exceptions.
    The purpose of this analysis is to facilitate public comment on the 
proposed order, and it is not intended to constitute an official 
interpretation of the complaint or proposed order, or to modify the 
proposed order's terms in any way.

    By direction of the Commission.
April J. Tabor,
Secretary.
[FR Doc. 2025-21892 Filed 12-3-25; 8:45 am]
BILLING CODE 6750-01-P


</pre></body>
</html>