Illuminate Ed Pulled from ‘Student Privacy Pledge’ After Massive Data Breach
Mon, 08 Aug 2022 18:01:00 +0000

Updated

Embattled education technology vendor Illuminate Education has become the first-ever company to get booted from the Student Privacy Pledge, an unprecedented move that follows a massive data breach affecting millions of students and allegations the company misrepresented its security safeguards. 

The Future of Privacy Forum, which created the self-regulatory effort nearly a decade ago to promote ethical student data practices by education technology companies, announced on Monday it had stripped Illuminate of its pledge signatory designation and referred the company to the Federal Trade Commission and state attorneys general in New York and California, where the biggest breaches occurred, to “consider further appropriate action,” including sanctions.

“Publicly available information appears to confirm that Illuminate Education did not encrypt all student information while” it was being stored or transferred from one system to another, forum CEO Jules Polonetsky said in a statement. He said the decision to de-list Illuminate came after a review including “direct outreach” to the company, which “would not state” that such privacy practices had been in place.




“Such a failure to encrypt would violate several pledge provisions,” Polonetsky said, including a commitment to “maintain a comprehensive security program” to protect students’ sensitive information and to “comply with applicable laws,” including an “explicit data encryption requirement” in New York.

Encryption is the cybersecurity practice of scrambling readable data into an unusable format to prevent bad actors from understanding it without a key. Amazon Web Services to store student data on accounts that were easy to identify. 

Through the voluntary pledge, have agreed to to protect students’ online privacy. Though the privacy forum maintains that the pledge is legally binding and can be enforced by federal and state regulators, the move against Illuminate marks a dramatic shift in enforcement. The extent of the Illuminate breach remains unclear, encompasses districts in six states affecting an .

Illuminate Education CEO Christine Willig (Illuminate Education)

Illuminate Education spokesperson Jane Snyder said the company is disappointed in the privacy forum’s decision, but it “will not detract from our commitment to safeguard the privacy of all student data in our care.” The privately held company founded in 2009 claims some 5,000 schools serving 17 million students use its tools.

“We will continue to monitor and enhance the security of our systems, and we will continue to work with students and school districts to resolve any concerns related to this matter while prioritizing the privacy and protection of the data we maintain,” Snyder said in a statement.

In a recent article in 社区黑料, student privacy experts criticized the Big Tech-funded privacy forum for failing to sanction companies that break the agreement terms. 

The action taken against Illuminate comes just three months after the Federal Trade Commission announced efforts to ramp up enforcement of federal student privacy protections, including against companies that sell student data for targeted advertising and that lack reasonable systems “to maintain the confidentiality, security and integrity of children’s personal information.”

The privacy forum maintains that the Federal Trade Commission and state attorneys general can hold companies accountable to their pledge commitments via consumer protection rules that prohibit unfair and deceptive business practices, but such action has never been taken. Education companies have long used the pledge as a marketing tool and the privacy forum has touted it as an assurance to schools as they shop for new technology. 

Signs of a data breach at California-based Illuminate first emerged in January when several of its popular digital tools, including programs used in New York City to track students’ grades and attendance, went dark. City officials announced in March that the personal data of some 820,000 current and former students had been compromised. Outside New York City, home to America’s largest school district, state officials said the breach affected an additional 174,000 students across the state. Student information in Los Angeles, the country’s second-largest school district, was also breached.

Compromised data includes information about students’ eligibility for special education services and free or reduced-price lunch, their names, demographic information, immigration status and disciplinary records.

New York City officials have accused Illuminate of misrepresenting its security safeguards and instructed educators to stop using its tools. New York State Education Department officials are investigating whether the company’s security practices run afoul of state law, which requires education vendors to maintain “reasonable” data security safeguards and to notify schools about data breaches “in the most expedient way possible and without unreasonable delay.”

School districts in California, Colorado, Connecticut, Oklahoma and Washington have since that their personal information was compromised in the breach. Illuminate Education has never said how many people were affected by the lapse while at the that it has “no evidence that any information was subject to actual or attempted misuse.”

CEO of the Future of Privacy Forum Jules Polonetsky (Future of Privacy Forum)

“FPF believes that the privacy and security of students’ information is essential,” Polonetsky said in the statement, declining to comment further. “To help ed tech companies better protect student data, we will be providing training for Pledge signatories, with a specific focus on data governance and security.”

For years, critics have accused the pledge of providing educators and parents with a false affirmation about the safety of education technology while being a tech-funded effort to thwart meaningful government regulation. 

The privacy forum’s decision to yank Illuminate doesn’t suggest stronger pledge enforcement going forward, said Doug Levin, the national director of The K12 Security Information eXchange. Rather, he accused the privacy forum of acting more in response to media coverage than a desire to hold companies to their promises.

“The only time that the Future of Privacy Forum has considered de-listing an organization is when the practices of a company have come under the attention of national media,” he said, adding that the press is an insufficient tool to hold tech companies accountable. “I think this is a case where [the privacy forum] was looking at collateral reputational damage and damage to the pledge and they had to act to protect their own self-interests and the interests of other pledge members. I do not read it as a signal that enforcement of the pledge will be enhanced going forward.”

Meanwhile, Levin sees Illuminate’s unwillingness to discuss its security practices with the privacy forum as another reason to believe the company acted negligently.

Illuminate is “clearly in legal jeopardy and I think they are concerned about making statements that could be used in a legal context to hold them accountable,” Levin said.

Still, the privacy forum’s decision to remove Illuminate raises the stakes from its previous enforcement efforts, most notably against the College Board, a nonprofit that administers the widely used SAT college admissions exam. In 2018, the privacy forum placed the nonprofit’s after found it was selling student data to third parties. The College Board was reinstated as an active pledge signatory a year later. It remains , despite a 2020 investigation by Consumer Reports that uncovered it was sending student data to major digital advertising platforms.

While some have argued that the College Board should have been removed from the pledge, the privacy forum has previously resisted efforts to de-list signatories. When the group learns about complaints against pledge signatories, it typically works with companies to resolve issues and ensure compliance, according to . 

Removing companies from the pledge, the post argued, “could result in fewer privacy protections for users, as a former signatory would not be bound by the Pledge’s promises for future activities.”

Disclosure: The Bill & Melinda Gates Foundation and the Chan Zuckerberg Initiative provide financial support to the Future of Privacy Forum and 社区黑料.
