rocklin data breach

Illuminate Education Reports Data Breach Involving SoCal School Districts

Data Breach Class Action Investigation

UPDATE:  Illuminate Education Data Breach

‣ Los Angeles Unified (LAUSD), Ceres Unified and Riverside County are the latest California School Districts to Send Families Notices from Massive Illuminate Education Data Breach

Update Information

  • From December 28, 2021 to January 8, 2022, Illuminate Education, a popular vendor for school districts across the country, suffered a data breach impacting over 3 million students
  • Illuminate and newly identified school districts began notifying affected families in May 2022, four to five months after this sensitive student data was accessed.
  • According to Illuminate, SSNs and financial information were not put at risk
  • Generally, it has been reported that the following may be at risk: Student name, Academic information, Behavior information, Enrollment information, Accommodation information, Special education information, and Student demographic information

Personal data about students represents a particularly attractive target for cyber thieves because minors do not use credit cards, file taxes, or have other contact with their credit on a regular basis. Thieves take advantage of this lapse in oversight to use the stolen credentials of minors to create false identities and rack up fraudulent charges. If you are the parent of a minor affected by these data breaches, it is vital that you take steps, like credit freezes, to prevent long-term repercussions to your child’s credit from this data breach.

To learn more about this data breach of confidential student data, please read our original post about this event below.


Illuminate Education Data Breach / Rocklin Unified School District

‣ RUSD Families Sent Data Breach Notices from Illuminate Education

On May 20, 2022, the California Office of the Attorney General (“COAG”) announced that Illuminate Education notified affected RUSD families about its 2021/22 data breach.

According to the posting, the breach was reported to the COAG on May 13, 2022. This data breach was previously reported to the California Attorney General on May 4, 2022. The updated sample notice (which can be found here) states that Illuminate began to notify affected individuals on or about April 5, 2022.

The deadline to enroll in IDX credit monitoring services is listed on the updated notice as August 13, 2022.

To learn more about this data breach of confidential student data, please read our original post about this event below.

On May 4, 2022, Rocklin Unified School District (“RUSD”) reported a Data Breach to the California Office of the Attorney General, providing notice through its vendor, Illuminate Education.

Illuminate Education, based in Irvine, California, provides student information management services, screening and progress monitoring for academics and social-emotional behavior, and other student tracking services.

According to Illuminate and RUSD, on January 8, 2022, Illuminate became aware of “suspicious activity” within some Illuminate applications used by RUSD.

After investigation, Illuminate determined that:

“certain databases containing potentially protected student information were subject to unauthorized access between December 28, 2021 and January 8, 2022.”

The affected databases may have contained protected data related to current and/or former Rocklin Unified School District students.

What Did The Illuminate Data Breach Potentially Disclose?

  • Student name
  • Academic information
  • Behavior information
  • Enrollment information
  • Accommodation information
  • Special education information
  • Student demographic information

Illuminate Education is offering the minor students 12 months of complimentary identity monitoring services through IDX.

A full copy of the Rocklin Unified School District / Illuminate Data Breach Notice can be found here.

Illuminate Education’s data breach has impacted students in other school districts as well, including students in Colorado, Connecticut, and over 800,000 current and former New York City students.

The type of data potentially compromised by this data breach should be afforded the highest level of security. As noted by the former California Attorney General,

“The data on students collected and maintained by Ed Tech can be very sensitive, including medical histories, social and emotional assessments, child welfare or juvenile justice system involvement, progress reports, and test results.” [1]

The sensitive nature of this data means that “student information is something that must be handled with great care. [. . .] As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.” [2]

Special California Privacy Laws Protect Your Information

If your student is a California resident and received a Recent Notice of Data Breach from RUSD/Illuminate Education, you may be entitled to between $100 and $1,000 or your actual damages, whichever is greater. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

California has laws that specifically protect your personal information.

  • The Student Online Personal Information Protection Act (SOPIPA) requires that every online service used primarily for K-12 school purposes must maintain reasonable security procedures and practices to protect student personal information from unauthorized access, destruction, or disclosure.
  • The California Confidentiality of Medical Information Act (CMIA) requires that every health care provider and health care service plan who maintains medical information do so in a manner that preserves its confidentiality.
  • The California Customer Records Act requires businesses to put into place and maintain reasonable security procedures and practices to protect consumers’ personal information.
  • The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents.

If certain types of personal information, like medical information and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the SOPIPA, CCPA, and CCRA. Medical information is additionally covered by the CMIA.

Cyber crime is attractive to hackers: data can be bought and sold anonymously, and the going rate per personal record is low (under $20 per record, depending on the type of information, according to the Privacy Affairs Dark Web Index of 2021). Medical records are even more valuable, as they potentially provide access to expensive health care along with other forms of identity theft. Thieves may choose to wait years to capitalize on compromised personal data. The longer cyber thieves can go undetected, the more they stand to profit from their illegal activities.



[1] Source: Kamala Harris, former Attorney General of California, California DOJ, Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (2016).

[2] Source: same.