Online Education Service Provider Settles Charges for Failing to Prevent Data Leaks

An online education technology provider settled FTC charges for "engag[ing] in a number of practices that, taken individually or together, failed to provide reasonable security to prevent unauthorized access to users' personal information." FTC also charged the provider with failing to protect personal information that it obtained from its employees.

In its Complaint, FTC alleged that the company did not maintain sufficient data protection controls to prevent unauthorized access to the private information stored on its third-party cloud-based information storage system. FTC said that the company failed to safeguard private information by (i) allowing multiple employees to use a single access key to gain entry to the cloud system (which the provider failed to rotate); (ii) failing to restrict employee access to the system based on job function; (iii) failing to implement a multi-factor authentication program; and (iv) using outdated, unencrypted information storage practices, which did not contain any protocols for removing old customer information. Additionally, FTC found that the company failed to monitor for unauthorized access attempts and did not provide adequate training to prepare employees to safely handle sensitive data.

FTC said that due to these failures, the company was subject to multiple data breaches. FTC found that in several instances, employees fell victim to phishing attacks that gave unauthorized users access to sensitive employee data like direct deposit information, birthdates and social security numbers. In other instances, millions of customers had personal information, such as medical and financial data, leaked online as a result of the company's lax data security practices. FTC determined that the company's lack of proper action resulted in harm to consumers that could have been prevented. Further, FTC said that the company made misleading statements regarding its data security practices.

As a result of the findings, the company agreed to numerous undertakings to improve its data security protections, such as (i) documenting and adhering to a retention schedule; (ii) providing customers with a right to access and delete personal data; (iii) implementing multi-factor authentication; and (iv) developing and maintaining a comprehensive security program, including encrypting consumer data and providing security training to its employees, among other things.
