On June 5, 2026, the Federal Trade Commission (“FTC”) gave final approval to a modified consent order against Illuminate Education, Inc. (“EdTech Provider”), a K-12 software vendor, settling allegations that the EdTech Provider did not adequately protect the personal data of more than 10 million students. The action — which follows a public comment period and builds on a proposed order issued in December 2025 — sends a clear signal to organizations handling student data, children’s information, and other sensitive personal records: the FTC expects security promises to be backed by real controls, and data retention and minimization practices are now squarely in the enforcement crosshairs.
The Data Breach Incident and FTC Investigation
Between late December 2021 and January 2022, a threat actor infiltrated the EdTech Provider’s hosting environment using a former employee’s login credentials, remained undetected for approximately 13 days, and exfiltrated database backups containing personal information for more than 10.1 million current and former students, including email and mailing addresses, dates of birth, student records, and health-related information.
In its complaint, the FTC alleges that the EdTech Provider violated Section 5(a) of the FTC Act by engaging in unfair and deceptive practices. According to the FTC, the EdTech Provider failed to implement reasonable data security safeguards—such as encryption, access controls, and adequate monitoring—despite prior warnings about significant vulnerabilities. The Commission also alleges that the EdTech Provider misrepresented its data protection practices in public statements and contracts with school districts and did not provide timely breach notifications. The FTC further highlights alleged deficiencies in data retention and governance practices, which the agency contends exacerbated the scope of the breach.
The Final Order
The FTC published its proposed order on December 1, 2025, and opened a 30-day public comment period that closed on January 5, 2026. The Commission subsequently approved the order with modifications. The final order imposes a comprehensive set of requirements and restrictions on the EdTech Provider, including prohibitions on misrepresentations and other governance and reporting obligations. Notably, within 90 days, the EdTech Provider is required to publish a data retention schedule and implement enhanced security controls and data management procedures. The EdTech Provider is also required to obtain third-party security assessments initially and biennially for 10 years.
Compared to the December 2025 proposal, the final order more explicitly incorporates a data minimization requirement, in addition to the mandated deletion within 90 days. Specifically, the order requires the EdTech Provider to: “[r]efrain from collecting, processing, or maintaining any Covered Information not reasonably necessary to provide products or services under Respondent’s contracts with its customers, except as requested by Respondent’s customers.”
Practical note
This action carries practical lessons for organizations that handle student data, children’s information, health-related records, or other sensitive personal data:
- Data minimization is now an enforcement priority. The FTC’s emphasis on data deletion and minimization reflects an enforcement view that excessive data retention amplifies risk. Organizations are conducting audits of data inventories, implementing clear retention schedules, and treating “collect only what you need, keep it only as long as necessary” as a compliance requirement—not merely a best practice.
- Ignored warnings amplify liability. The FTC specifically highlighted that the EdTech Provider was alerted to security vulnerabilities well before the breach and failed to act. Effective programs ensure that findings from penetration tests, vulnerability scans, vendor assessments, and third-party audits are tracked and remediated through defined processes with clear ownership and deadlines.
- Security representations must match reality. Statements about data protection—whether on websites, in marketing materials, or in contracts—are expected to be regularly validated against actual technical controls. Gaps between promise and practice remain a core area of FTC scrutiny.
- Breach notification promises are enforceable. Contractual or policy-based notification timelines are increasingly scrutinized against operational readiness, including incident response playbooks, escalation paths, and pre-approved notification workflows.
Alston & Bird’s Privacy, Cyber & Data Strategy Team will continue to monitor FTC enforcement trends and developments affecting organizations that process sensitive and children’s data and provide updates as more information becomes available. Please contact us if you have any questions.
