Four Strikes and You’re Out: Multiple Data Breaches by Education Tech Company Draws Ire (and Legal Action) from the FTC

When a company suffers a data breach, it’s bad. When a company suffers four data breaches in the span of three years, it can lead to enforcement action by the U.S. Federal Trade Commission (FTC). 

Chegg, a U.S. education technology company specializing in the rental of digital and physical textbooks and online tutoring, is being ordered to reform and improve its data protection protocols after being sued by the U.S. Federal Trade Commission (FTC or Commission) for having “lax” cybersecurity practices that led to four separate data breaches between2017 and 2020.

The FTC claimed that Chegg failed to take necessary remedial steps to protect sensitive customer and employee data — including Social Security numbers, email addresses, passwords, and so on — in the wake of multiple significant data breaches. 

For example, Chegg suffered a data breach in 2018 that reportedly led to hackers obtaining the records of around 40 million customers. The 2018 data breach was quickly followed by three more data breaches stemming from phishing attacks targeting Chegg employees. The three successful phishing attacks led to the exposure of highly sensitive personal data concerning customers and employees of Chegg, including financial and medical information.

FTC’s Chegg Complaint Highlights Insufficient Data Security Practices

The FTC’s complaint against Chegg highlighted specific data security practices that were deemed woefully inadequate, including: 

  • Failure to implement basic security measures: The FTC alleged that Chegg failed to use “commercially reasonable security measures” to protect the personal data the company collected from customers and employees. 
  • Insecure data storage procedures: The FTC alleged that Chegg stored personal data insecurely on its cloud storage databases. For example, the company allegedly stored personal data in plain text and relied on outdated and weak encryption to protect user passwords.
  • Failure to develop adequate security policies or train employees on proper data protection protocols: The FTC alleged that, even after suffering three data breaches stemming from phishing attacks, Chegg failed to provide adequate security training to employees and contractors and implement a written security policy until January 2021.

FTC’s Chegg Consent Order Features Privacy and Data Protection Protocols Deemed Suitable by the Federal Agency

The FTC and Chegg agreed to a proposed settlement that includes a list of specific actions Chegg must take to bolster its data processing and protection protocols, including: 

  • Implement Comprehensive Data Security Program: The FTC will require Chegg to implement a “comprehensive information security program” focused on addressing the lax protocols and practices that were in place when the company’s data was repeatedly breached. Chegg’s new data security program must also contain specific elements, including encryption protocols for consumer data and providing security training to employees.
  • Implementing Multi Factor Authentication: Chegg will be required to offer multi factor authentication, or another authentication method, to customers and employees in an effort to mitigate the risk of future data breaches.
  • Document and Detail Data Collection Procedures: The FTC will require Chegg to document its data collection procedures. In addition, Chegg will need to adhere to a schedule setting out what personal information the company can collect, why it collects the information, and when it will delete the information.
  • Provide Consumers with Access to Collected Data: Chegg will be required to offer customers access to the data collected about them. In addition, Chegg will need to have procedures in place to process requests from customers that the company delete their data.

Key Takeaways from the FTC’s Action Against Chegg

Companies responsible for processing personal data, particularly in the education technology space, should heed some important lessons from the FTC’s complaint against Chegg, and the subsequent consent order. One of the key takeaways is the importance of having robust and effective data protection protocols in place to try and mitigate the risk of a data breach.

Nevertheless, an equally-important takeaway is the importance of taking action in the wake of a data breach and not burying your head in the proverbial sand. It stands to reason that if Chegg’s senior leadership had implemented improved data protection protocols following the 2017 data breach, the company may not have drawn the ire of the FTC.

Another key takeaway for education technology companies is to be on notice that the FTC is taking aggressive actions in this space to ensure personal data is being processed securely. For example, in May 2022, the FTC released a policy statement warning education technology companies that illegally collecting personal information from children under the age of 13 is a direct violation of the Children’s Online Privacy Protection Act. The policy statement also made clear that it is against the law for companies to “force parents and schools to surrender their children’s privacy rights in order to do schoolwork online or attend class remotely.” The law also requires companies to secure the data they collect. 

The Commission also is taking steps to bolster security market-wide, including initiating  an advance notice of proposed rulemaking on commercial surveillance and lax data security practices. And the FTC continues to hold companies accountable for failing to secure consumer data. Earlier this month, the FTC announced an order with the online alcohol delivery marketplace Drizly and its CEO for its insufficient data security practices.

VeraSafe Is Your Ideal Partner for the Security and Privacy Needs of Your Educational Platform

Establishing trust with your audience through privacy compliance is a fundamental need for businesses today, particularly education technology companies providing educational tools to minors. If your company is concerned about deficiencies in your current privacy and data protection protocols, or you need to establish robust privacy protocols, VeraSafe can help. Our team of experienced privacy attorneys and IT professionals has extensive experience advising edtech companies and can identify potential gaps between your organization’s practices and the requirements of various privacy laws, such as  Children’s Online Privacy Protection Act (COPPA), the Family Educational Rights and Privacy Act (FERPA), the GDPR, the CCPA, and regulatory standards set forth by the FTC. 

Contact VeraSafe today to learn more

Contact VeraSafe to discuss your data security management and privacy program today.