The Federal Trade Commission (FTC) recently announced that it agreed to proposed consent orders with two companies that experienced recent cybersecurity incidents, Illuminate Education (“Illuminate”) and Illusory Systems, which does business as Nomad (“Illusory”), to resolve allegations that both companies’ information security practices had violated Section 5 of the FTC Act.  Both consent orders include information security-focused elements that have frequently been included in prior settlement settlements, such as requirements to establish an information security program and conduct periodic third-party assessments.  However, both consent orders are set to expire after ten years, as opposed to the twenty years set by longstanding FTC policy for administrative orders.

We have summarized the key elements of both consent orders below. The proposed consent orders are subject to 30 days of public comment before finalization.

Illuminate Education

    Illuminate is an education technology company that provides educational software, web applications, and tools to schools and school districts to support Pre-K–12th grade education.  According to the FTC’s Complaint, from December 2021 to January 2022, Illuminate experienced a data security incident involving more than 10 million students’ personal data when hackers exploited login credentials from a former employee who had left the company more than three years earlier.  The FTC alleged in its Complaint that Illuminate violated Section 5 of the FTC Act by engaging in unfair and deceptive acts or practices—specifically, by failing to implement reasonable and appropriate cybersecurity measures to protect personal information; misrepresenting the extent to which it had implemented reasonable cybersecurity measures; and failing to timely notify school districts of a data breach, contradicting its commitments to those school districts.

    The FTC’s Complaint detailed Illuminate’s security acts and practices that it alleged fell below a “reasonable” standard of cybersecurity. These included, among others:

    • Until January 2022, storing students’ personal information in plaintext within Illuminate’s network;
    • Failing to implement reasonable access controls to safeguard student data, such as by auditing and removing inactive accounts;
    • Failing to implement reasonable data retention practices and procedures; and
    • Failing to timely notify impacted school districts and individuals of the data breach.

    The Complaint also alleged that a third-party vendor notified Illuminate of “numerous” security weaknesses as early as 2020, but Illuminate failed to take necessary steps to rectify them.

    To resolve the FTC’s claims, the proposed consent order between the FTC and Illuminate would require Illuminate to, for example:

    • Establish and maintain a comprehensive information security program meeting specific requirements outlined in the order, including strict limitations on access controls such as the use of MFA and periodic access reviews, data inventory and classification requirements, and obligations for periodic briefings to the company’s Board on the program;
    • Avoid misrepresenting Illuminate’s privacy and cybersecurity protections and the timeframe in which Illuminate will notify impacted individuals and school districts of a data breach;
    • Delete personal information that it does not need to provide its services;
    • Impose new data retention limits on the personal information that it holds, and publish those retention schedules publicly;
    • Periodically obtain third party information security assessments;
    • Submit an annual certification from Illuminate’s Chief Information Security Officer (“CISO”) to the FTC regarding compliance with the order; and
    • Notify the FTC of qualifying security incidents.

    As noted above, the proposed consent order (including the above-mentioned requirements) would terminate ten years after its issuance date, a shorter duration than many administrative orders that were issued in recent years.

    Illusory

    According to the FTC’s Complaint, Illusory, a company that provides a “cross-chain bridge” platform to transfer messages and assets, experienced a security incident in 2022 causing more than $100 million in asset losses after malicious actors exploited a code vulnerability introduced into Illusory’s smart contract offering.  In a Complaint, the FTC alleged that Illusory violated Section 5 of the FTC Act by engaging in unfair and deceptive conduct—including by failing to implement reasonable software development practices that led to the security incident, and by misrepresenting the adequacy of Illusory’s existing secure software development practices.

    The FTC announced a proposed consent order to resolve the claims, which includes many provisions similar to the Illuminate order described above, and which would require Illusory to, for example:

    • Establish and maintain a comprehensive information security program meeting requirements specified in the order, including implementing “a way to quickly pause or limit the functioning of” a system that allows irrevocable actions such as unrecoverable transfer of funds “if it exhibits unexpected behavior”;
    • Avoid misrepresenting its implementation of secure software development practices or protection of consumers’ financial assets;
    • Periodically obtain third party information security assessments;
    • Submit an annual certification from Illuminate’s Chief Executive Officer (“CEO”) to the FTC regarding compliance with the order; and
    • Return to consumers the assets recovered after the security breach, to the extent they were not already returned.

    Similar to the Illuminate consent order above, the consent order for Illusory would also expire after ten years.

    Tags: Consent Order, FTC
    Print:
    Email this postTweet this postLike this postShare this post on LinkedIn
    Photo of Ashden Fein Ashden Fein

    Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

    For cybersecurity matters, Ashden counsels…

    Ashden Fein is a vice chair of the firm’s global Cybersecurity practice. He advises clients on cybersecurity and national security matters, including crisis management and incident response, risk management and governance, government and internal investigations, and regulatory compliance.

    For cybersecurity matters, Ashden counsels clients on preparing for and responding to cyber-based attacks, assessing security controls and practices for the protection of data and systems, developing and implementing cybersecurity risk management and governance programs, and complying with federal and state regulatory requirements. Ashden frequently supports clients as the lead investigator and crisis manager for global cyber and data security incidents, including data breaches involving personal data, advanced persistent threats targeting intellectual property across industries, state-sponsored theft of sensitive U.S. government information, extortion and ransomware, and destructive attacks.

    Additionally, Ashden assists clients from across industries with leading internal investigations and responding to government inquiries related to the U.S. national security and insider risks. He also advises aerospace, defense, and intelligence contractors on security compliance under U.S. national security laws and regulations including, among others, the National Industrial Security Program (NISPOM), U.S. government cybersecurity regulations, FedRAMP, and requirements related to supply chain security.

    Before joining Covington, Ashden served on active duty in the U.S. Army as a Military Intelligence officer and prosecutor specializing in cybercrime and national security investigations and prosecutions — to include serving as the lead trial lawyer in the prosecution of Private Chelsea (Bradley) Manning for the unlawful disclosure of classified information to Wikileaks. Ashden is a retired U.S. Army officer.

    Read more about Ashden FeinEmail
    Show more Show less
    Photo of Caleb Skeath Caleb Skeath

    Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

    Caleb specializes…

    Caleb Skeath advises clients on a broad range of cybersecurity and privacy issues, including cybersecurity incident response, cybersecurity and privacy compliance obligations, internal investigations, regulatory inquiries, and defending against class-action litigation. Caleb holds a Certified Information Systems Security Professional (CISSP) certification.

    Caleb specializes in assisting clients in responding to a wide variety of cybersecurity incidents, ranging from advanced persistent threats to theft or misuse of personal information or attacks utilizing destructive malware. Such assistance may include protecting the response to, and investigation of an incident under the attorney-client privilege, supervising response or investigation activities and interfacing with IT or information security personnel, and advising on engagement with internal stakeholders, vendors, and other third parties to maximize privilege protections, including the negotiation of appropriate contractual terms. Caleb has also advised numerous clients on assessing post-incident notification obligations under applicable state and federal law, developing communications strategies for internal and external stakeholders, and assessing and protecting against potential litigation or regulatory risk following an incident. In addition, he has advised several clients on responding to post-incident regulatory inquiries, including inquiries from the Federal Trade Commission and state Attorneys General.

    In addition to advising clients following cybersecurity incidents, Caleb also assists clients with pre-incident cybersecurity compliance and preparation activities. He reviews and drafts cybersecurity policies and procedures on behalf of clients, including drafting incident response plans and advising on training and tabletop exercises for such plans. Caleb also routinely advises clients on compliance with cybersecurity guidance and best practices, including “reasonable” security practices.

    Caleb also maintains an active privacy practice, focusing on advising technology, education, financial, and other clients on compliance with generally applicable and sector-specific federal and state privacy laws, including FERPA, FCRA, GLBA, TCPA, and COPPA. He has assisted clients in drafting and reviewing privacy policies and terms of service, designing products and services to comply with applicable privacy laws while maximizing utility and user experience, and drafting and reviewing contracts or other agreements for potential privacy issues.

    Read more about Caleb SkeathEmail
    Show more Show less
    Photo of Laura Kim Laura Kim

    Laura Kim has a proven track record of successfully resolving clients’ most important consumer protection matters before the FTC, State AGs, and the NAD. She is well-known for her insider knowledge of the FTC as well as her practical approach to accomplishing her…

    Laura Kim has a proven track record of successfully resolving clients’ most important consumer protection matters before the FTC, State AGs, and the NAD. She is well-known for her insider knowledge of the FTC as well as her practical approach to accomplishing her clients’ objectives.

    As chair of Covington’s Advertising & Consumer Protection Investigations practice group, Laura represents corporate and individual clients in investigations before the FTC and State Attorneys General. She also provides pragmatic compliance advice on a wide range of consumer protection issues, including substantiating claims involving generative artificial intelligence, environmental benefits, and “Made in USA.” She counsels brands on emerging issues involving influencers, consumer reviews, AI-generated content, and subscription autorenewals. Laura regularly represents both challengers and advertisers before the NAD, achieving favorable outcomes in matters involving artificial intelligence, influencers, and claim substantiation.

    During her twelve-year tenure at the FTC, Laura served as Assistant Director in two divisions of the Bureau of Consumer Protection, Attorney Advisor to Chairman William E. Kovacic, and Chief of Staff to Bureau Director Jessica Rich. She oversaw major rulemakings—including the Green Guides and the Telemarketing Sales Rule—and supervised dozens of investigations and enforcement actions. As Assistant Director in the Division of Enforcement, Laura also supervised compliance monitoring and enforcement proceedings for companies under federal court or Commission order.

    Read more about Laura KimEmail
    Show more Show less
    Photo of Emily Pehrsson Emily Pehrsson

    Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

    In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings.

    Emily Pehrsson works across sectors to counsel national and multinational companies on data privacy and cybersecurity issues.

    In particular, Emily’s practice includes partnering with clients on the development of new products and services, designing privacy governance programs, and developing privacy disclosures and settings. Emily also counsels clients on topics such as cyber incident response, compliance with state and federal privacy and cybersecurity regulations, and government investigations. She routinely advises on complex national security and financial privacy regulatory frameworks.

    In addition to her regular practice, Emily maintains a pro bono practice counseling small and nonprofit clients on privacy and cybersecurity, supporting domestic violence survivors, and handling criminal matters.

    Read more about Emily PehrssonEmail
    Show more Show less
    Photo of Analese Bridges Analese Bridges

    Analese Bridges is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Advertising and Consumer Protection Practice Groups. She represents and advises clients on a range of cybersecurity, data privacy, and consumer protection issues…

    Analese Bridges is an associate in the firm’s Washington, DC office and a member of the Data Privacy and Cybersecurity and Advertising and Consumer Protection Practice Groups. She represents and advises clients on a range of cybersecurity, data privacy, and consumer protection issues, including cyber and data security incident response and preparedness, cross-border privacy law, government and internal investigations, and regulatory compliance.

    Read more about Analese BridgesEmail
    Show more Show less