FTC's Illuminate Education Order Serves as a Data Deletion Reminder

December 5, 2025

On December 1, 2025, the Federal Trade Commission (FTC) issued a consent order against Illuminate Education, Inc. (Illuminate), a prominent provider of educational technology solutions, for alleged failures in protecting student data. The case provides a useful year-end reminder for organizations to prioritize and invest in their information security programs, including taking the privacy-protective step of deleting data once it is no longer in use.

Background

Illuminate is a California-based corporation offering cloud-based educational software to schools and districts across the United States. Its products manage student information, assess learning needs and track academic and behavioral data for over 17 million students in more than 5,200 school districts.

According to the FTC's complaint against Illuminate, between December 2021 and January 2022, a threat actor infiltrated Illuminate's Amazon Web Services (AWS) environment using credentials belonging to a former employee. The attacker had undetected access for 13 days, exfiltrating backups containing the personal information of over 10 million students. The compromised data included names, addresses, grades, special education and disability information and other sensitive details.

In addition to the standard security failures (unencrypted sensitive data, failure to deprovision accounts in a timely fashion, poor vulnerability management practices and ineffective incident response planning), the FTC alleged that Illuminate lacked proper data retention policies and practices, so that student data which should already have been deleted from its systems was still present and exposed in the breach. Illuminate had also signed contracts with school systems in which the company represented that it maintained reasonable security practices.

Information Security Best Practices

Failure to employ reasonable information security measures, while misrepresenting that you do, can violate Section 5(a) of the FTC Act, which prohibits unfair or deceptive acts or practices in or affecting commerce.

The Illuminate consent order provides a succinct list of what the FTC currently considers to be "reasonable" information security best practices. One of the most significant, especially for the collection and use of sensitive information, and particularly for information with a finite shelf life such as student records, is to adopt and enforce strict data retention policies so that information no longer needed to serve the customer is not kept.

Heading into 2026, organizations should make reviewing and updating their information security programs a priority. The following ten takeaways from the FTC's Illuminate consent order can serve as a high-level guide:

  1. Adopt Data Minimization and Retention Policies: Only retain data necessary for business or legal purposes. Regularly purge outdated or unnecessary records.
  2. Encrypt All Sensitive Data: Use strong encryption for data at rest and in transit. Regularly audit storage configurations, especially in cloud environments.
  3. Maintain Information Security Policies, Procedures, Standards and Technical Measures: Treat drafting these policies as an opportunity to inventory data assets and confirm that security controls are properly configured.
  4. Designate Security Leadership: Appoint qualified information security personnel to manage compliance with security policies and procedures, including training staff on privacy and security and reporting to executives and the Board on security practices.
  5. Implement Rigorous Access Controls: Immediately disable access for departing employees and regularly review all user privileges.
  6. Establish Comprehensive Incident Response Plans: Develop, document and test incident response procedures. Ensure effective logging and real-time monitoring are in place.
  7. Ensure Timely Breach Notification: Develop clear protocols for breach notification that comply with all contractual and regulatory requirements. Line up qualified outside counsel in advance.
  8. Conduct Regular Security Assessments and Remediate Findings: Engage independent assessors and act promptly on their recommendations. Using outside counsel for such engagements can help maintain attorney-client privilege.
  9. Align Consumer-Facing Statements and Contracts with Actual Practices: Ensure that privacy policies, contracts and public representations accurately reflect current security practices.
  10. Select Security-Focused Vendors: Ensure service providers are capable of safeguarding any personal information shared with them and contractually require them to uphold high privacy and security standards.

© 2025 Akin Gump Strauss Hauer & Feld LLP. All rights reserved.