The Federal Trade Commission (FTC) recently announced that it agreed to proposed consent orders with two companies that experienced recent cybersecurity incidents, Illuminate Education (“Illuminate”) and Illusory Systems, which does business as Nomad (“Illusory”), to resolve allegations that both companies’ information security practices had violated Section 5 of the FTC Act.  Both consent orders include information security-focused elements that have frequently been included in prior settlement settlements, such as requirements to establish an information security program and conduct periodic third-party assessments.  However, both consent orders are set to expire after ten years, as opposed to the twenty years set by longstanding FTC policy for administrative orders.

We have summarized the key elements of both consent orders below. The proposed consent orders are subject to 30 days of public comment before finalization.

Illuminate Education

    Illuminate is an education technology company that provides educational software, web applications, and tools to schools and school districts to support Pre-K–12th grade education.  According to the FTC’s Complaint, from December 2021 to January 2022, Illuminate experienced a data security incident involving more than 10 million students’ personal data when hackers exploited login credentials from a former employee who had left the company more than three years earlier.  The FTC alleged in its Complaint that Illuminate violated Section 5 of the FTC Act by engaging in unfair and deceptive acts or practices—specifically, by failing to implement reasonable and appropriate cybersecurity measures to protect personal information; misrepresenting the extent to which it had implemented reasonable cybersecurity measures; and failing to timely notify school districts of a data breach, contradicting its commitments to those school districts.

    The FTC’s Complaint detailed Illuminate’s security acts and practices that it alleged fell below a “reasonable” standard of cybersecurity. These included, among others:

    • Until January 2022, storing students’ personal information in plaintext within Illuminate’s network;
    • Failing to implement reasonable access controls to safeguard student data, such as by auditing and removing inactive accounts;
    • Failing to implement reasonable data retention practices and procedures; and
    • Failing to timely notify impacted school districts and individuals of the data breach.

    The Complaint also alleged that a third-party vendor notified Illuminate of “numerous” security weaknesses as early as 2020, but Illuminate failed to take necessary steps to rectify them.

    To resolve the FTC’s claims, the proposed consent order between the FTC and Illuminate would require Illuminate to, for example:

    • Establish and maintain a comprehensive information security program meeting specific requirements outlined in the order, including strict limitations on access controls such as the use of MFA and periodic access reviews, data inventory and classification requirements, and obligations for periodic briefings to the company’s Board on the program;
    • Avoid misrepresenting Illuminate’s privacy and cybersecurity protections and the timeframe in which Illuminate will notify impacted individuals and school districts of a data breach;
    • Delete personal information that it does not need to provide its services;
    • Impose new data retention limits on the personal information that it holds, and publish those retention schedules publicly;
    • Periodically obtain third party information security assessments;
    • Submit an annual certification from Illuminate’s Chief Information Security Officer (“CISO”) to the FTC regarding compliance with the order; and
    • Notify the FTC of qualifying security incidents.

    As noted above, the proposed consent order (including the above-mentioned requirements) would terminate ten years after its issuance date, a shorter duration than many administrative orders that were issued in recent years.

    Illusory

    According to the FTC’s Complaint, Illusory, a company that provides a “cross-chain bridge” platform to transfer messages and assets, experienced a security incident in 2022 causing more than $100 million in asset losses after malicious actors exploited a code vulnerability introduced into Illusory’s smart contract offering.  In a Complaint, the FTC alleged that Illusory violated Section 5 of the FTC Act by engaging in unfair and deceptive conduct—including by failing to implement reasonable software development practices that led to the security incident, and by misrepresenting the adequacy of Illusory’s existing secure software development practices.

    The FTC announced a proposed consent order to resolve the claims, which includes many provisions similar to the Illuminate order described above, and which would require Illusory to, for example:

    • Establish and maintain a comprehensive information security program meeting requirements specified in the order, including implementing “a way to quickly pause or limit the functioning of” a system that allows irrevocable actions such as unrecoverable transfer of funds “if it exhibits unexpected behavior”;
    • Avoid misrepresenting its implementation of secure software development practices or protection of consumers’ financial assets;
    • Periodically obtain third party information security assessments;
    • Submit an annual certification from Illuminate’s Chief Executive Officer (“CEO”) to the FTC regarding compliance with the order; and
    • Return to consumers the assets recovered after the security breach, to the extent they were not already returned.

    Similar to the Illuminate consent order above, the consent order for Illusory would also expire after ten years.

    Tags: Consent Order, FTC
    Print:
    Email this postTweet this postLike this postShare this post on LinkedIn
    Photo of Ashden Fein Ashden Fein

    Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel…

    Ashden Fein is co-chair of Covington’s Data Privacy and Cybersecurity Practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance. Ashden also serves as lead counsel in criminal, civil, and internal investigations involving cybersecurity, insider risk, and U.S. national security issues.

    Ashden regularly counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

    Ashden also assists clients from across industries with leading internal investigations and responding to government inquiries related to U.S. national security and insider risks. He frequently represents government contractors in False Claims Act matters involving cybersecurity and national security. Additionally, he advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

    Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

    Read more about Ashden FeinEmail
    Show more Show less
    Photo of Caleb Skeath Caleb Skeath

    Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

    Caleb Skeath advises in‑house legal and security teams on the full lifecycle of…

    Caleb Skeath helps companies manage their most complex and high‑stakes cybersecurity and data security challenges, combining deep regulatory insight, technical fluency, and practical judgment informed by leading incident response matters.

    Caleb Skeath advises in‑house legal and security teams on the full lifecycle of cybersecurity and privacy risk—from governance and preparedness through incident response, regulatory engagement, and follow‑on litigation. A Certified Information Systems Security Professional (CISSP), he is trusted by clients across highly regulated and technology‑driven sectors to provide clear, practical guidance at moments when legal judgment, technical understanding, and business realities must be aligned.

    Caleb has deep experience leading and overseeing responses to complex cybersecurity incidents, including ransomware, data theft and extortion, business email compromise, advanced persistent threats and state-sponsored threat actors, insider threats, and inadvertent data loss. He regularly helps in‑house counsel structure and manage investigations under attorney‑client privilege; coordinate with internal IT, information security, and executive stakeholders; and engage with forensic firms, crisis communications providers, insurers, and law enforcement. A central focus of his practice is advising on notification obligations and strategy, including the application of U.S. federal and state data breach notification laws and requirements along with contractual notification obligations, and helping companies make defensible, risk‑informed decisions about timing, scope, and messaging.

    In addition to his work responding to cybersecurity incidents, Caleb works closely with clients’ legal, technical, and compliance teams on cybersecurity governance, regulatory compliance, and pre‑incident planning. He has extensive experience drafting and reviewing cybersecurity policies, incident response plans, and vendor contract provisions; supervising cybersecurity assessments under privilege; and advising on training and tabletop exercises designed to prepare organizations for real‑world incidents. His work frequently involves translating evolving regulatory expectations into actionable guidance for in‑house counsel, including in highly-regulated sectors such as the financial sector (including compliance with NYDFS cybersecurity regulations, the Computer Security Incident Notification Rule, and GLBA guidelines and guidance) and the pharmaceutical and healthcare sector (including compliance with GxP standards, FDA medical device guidance, and HIPAA).

    Caleb’s practice also addresses evolving and emerging areas of cybersecurity and data security law, including advising clients on compliance with the Department of Justice’s Data Security Program, CISA‑related security requirements for restricted transactions, and preparation for new regulatory regimes such as the CCPA cybersecurity audit requirements and federal incident reporting obligations. He regularly counsels clients on how artificial intelligence and connected devices intersect with cybersecurity, privacy, and consumer protection risk, and how to support innovation while managing regulatory exposure.

    Caleb also has extensive experience helping clients navigate high-stakes cybersecurity-related inquiries from the Federal Trade Commission, state Attorneys General, and other sector-specific regulators, including incident-specific inquiries as well as broader inquiries related to an entity’s cybersecurity practices and the security of product or service offerings. For companies that have entered into cybersecurity-related settlement agreements with regulators, Caleb has helped guide them through compliance with settlement agreement obligations, including navigating required third-party assessments and strategically responding to cybersecurity incidents that can arise while a company is subject to a settlement agreement. Caleb also routinely works hand-in-hand with colleagues in Covington’s class action litigation, commercial litigation, and insurance recovery practices to prepare for and successfully navigate incident-related disputes that can devolve into litigation.

    Read more about Caleb SkeathEmail
    Show more Show less
    Photo of Laura Kim Laura Kim

    Laura Kim has a proven track record of successfully resolving clients’ most important consumer protection matters before the FTC, State AGs, and the NAD. She is well-known for her insider knowledge of the FTC as well as her practical approach to accomplishing her…

    Laura Kim has a proven track record of successfully resolving clients’ most important consumer protection matters before the FTC, State AGs, and the NAD. She is well-known for her insider knowledge of the FTC as well as her practical approach to accomplishing her clients’ objectives.

    As chair of Covington’s Advertising & Consumer Protection Investigations practice group, Laura represents corporate and individual clients in investigations before the FTC and State Attorneys General. She also provides pragmatic compliance advice on a wide range of consumer protection issues, including substantiating claims involving generative artificial intelligence, environmental benefits, and “Made in USA.” She counsels brands on emerging issues involving influencers, consumer reviews, AI-generated content, and subscription autorenewals. Laura regularly represents both challengers and advertisers before the NAD, achieving favorable outcomes in matters involving artificial intelligence, influencers, and claim substantiation.

    During her twelve-year tenure at the FTC, Laura served as Assistant Director in two divisions of the Bureau of Consumer Protection, Attorney Advisor to Chairman William E. Kovacic, and Chief of Staff to Bureau Director Jessica Rich. She oversaw major rulemakings—including the Green Guides and the Telemarketing Sales Rule—and supervised dozens of investigations and enforcement actions. As Assistant Director in the Division of Enforcement, Laura also supervised compliance monitoring and enforcement proceedings for companies under federal court or Commission order.

    Read more about Laura KimEmail
    Show more Show less
    Photo of Emily Pehrsson Emily Pehrsson

    Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

    In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings.

    Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

    In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings. Emily also counsels clients on topics such as cyber incident response, compliance with state and federal privacy and cybersecurity regulations, and government investigations. She routinely advises on complex national security and financial privacy regulatory frameworks.

    In addition to her regular practice, Emily maintains a pro bono practice counseling small and nonprofit clients on privacy and cybersecurity, supporting domestic violence survivors, and handling criminal matters.

    Read more about Emily PehrssonEmail
    Show more Show less
    Photo of Analese Bridges Analese Bridges

    Analese Bridges is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Advertising and Consumer Protection Practice Groups. She represents and advises clients on a range of cybersecurity, data privacy, and consumer protection issues…

    Analese Bridges is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Advertising and Consumer Protection Practice Groups. She represents and advises clients on a range of cybersecurity, data privacy, and consumer protection issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.

    Read more about Analese BridgesEmail
    Show more Show less