Several States Work Together (and with the FTC) to Obtain Over $5 Million Penalty for Data Breach and Failure to Timely Notify

In yet another data security enforcement action that is of interest to dealers, in late 2025, the Federal Trade Commission (“FTC”) as well as the Attorneys General for the states of CT, CA and NY, separately announced the settlement of enforcement actions against Illuminate Education, Inc. (“Illuminate”), related to alleged failures to implement reasonable security measures to protect the personal information of millions of students.

These settlements offer dealers valuable guidance on two points: the importance of a comprehensive privacy and data security plan that also covers your vendors, and the ongoing potential for joint or coordinated enforcement actions by state and federal regulators.

This case is notable because the FTC did not seek monetary penalties, yet the states nevertheless sought and obtained monetary penalties of over $5 million.

Background

Between December 2021 and January 2022, a data breach exposed the personal information of more than 10 million students, including names, birthdates, email addresses, demographic data, disability information, and disciplinary records. Allegedly, Illuminate stored this information in plain text on cloud-based platforms, failed to disable former employee credentials, and ignored security warnings identifying critical weaknesses. The threat actor used administrator keys belonging to a former employee, which allowed it to work around multifactor authentication requirements and exfiltrate hundreds of database backups. In addition, Illuminate allegedly paid the threat actor a ransom to destroy the exfiltrated data. Illuminate allegedly waited months to years to notify schools, students, and parents of the breach, contrary to contractual representations requiring notification within 72 hours. Illuminate also allegedly misrepresented its security practices in its privacy policy and its contracts with school districts, which claimed that it encrypted student data and used reasonable security measures consistent with industry standards.

The FTC Action

The FTC complaint alleges that Illuminate violated Section 5(a) of the FTC Act when it:

  • failed to employ reasonable information security practices to protect students’ personal information,
  • misrepresented to school districts, students and their parents that it took reasonable steps to protect student personal information, and
  • misrepresented to school districts that it would provide timely notifications regarding breach or unauthorized disclosure.

The proposed FTC consent order provides for injunctive relief against Illuminate (not a monetary civil penalty) and remains in effect for 10 years.

State Attorneys General Actions

Picking up where the FTC left off, the Attorneys General of California, New York, and Connecticut conducted a coordinated investigation under each state's UDAP, privacy and data protection laws, relying on the same data breach event, related evidence and allegations as the FTC, and entered into a $5.1 million civil penalty settlement with Illuminate.

The state settlement also includes non-monetary terms like those in the proposed FTC consent order.

Key Takeaways for Dealers

While these enforcement actions and settlements did not involve a dealer or a company in the automotive industry, they are instructive for dealers for the following reasons:

  • State regulators are markedly stepping up enforcement and seeking significant penalties, even without FTC action.
  • A compliant security posture is critical, but if an incident does occur, prompt reporting of the security failure is equally critical. Don’t wait, don’t obfuscate; act quickly and disclose as required.
