December 3, 2025
Hudson Cook Enforcement Alert: FTC Targets Student Data Security Failures in Settlement with Education Technology Provider
Megan Nicholls and Mark D. Metrey
HIGHLIGHTS:
- The Federal Trade Commission ("FTC") announced a proposed settlement with a provider of cloud-based educational software resolving allegations that it failed to implement reasonable security measures to protect the personal information of millions of students.
- The complaint alleges that the Company stored unencrypted student data, failed to disable former employee credentials, and lacked effective monitoring and breach-response systems, resulting in the exposure of personal information for over 10 million students.
- The proposed order prohibits misrepresentations about privacy or data security, mandates deletion of unnecessary student information, requires a comprehensive information security program and third-party assessments of the Company's security measures, and imposes detailed reporting and recordkeeping obligations.
CASE SUMMARY:
The FTC published a press release on December 1, 2025, summarizing its complaint and proposed consent order against an education technology company ("Company") providing Pre-K through 12 software and assessment tools to schools and school districts nationwide. The Company's products are used by more than 17 million students across 5,200 school districts for managing attendance, testing, special education tracking, and data analytics. According to the complaint, a data breach between December 2021 and January 2022 exposed the personal information of more than 10 million students, including names, birthdates, email addresses, demographic data, disability information, and disciplinary records. The FTC alleged that the Company stored this information in plain text on cloud-based platforms like Amazon Web Services, failed to disable former employee credentials, and ignored security warnings identifying critical weaknesses. The hacker exploited administrator keys belonging to a former employee, which allowed the hacker to work around multifactor authentication requirements and exfiltrate hundreds of database backups. The Company allegedly paid the hacker a ransom to destroy the data that was exfiltrated.
The complaint further alleges that the Company waited months to years to notify schools, students, and parents of the breach, contrary to contractual representations requiring notification within 72 hours. The FTC also alleged misrepresentations in the Company's privacy policy and contracts with school districts, which claimed that it encrypted student data and used reasonable security measures consistent with industry standards.
Under the proposed order, the Company must not misrepresent its privacy or security practices and must delete or destroy unnecessary student information within 90 days of the order's effective date. The Company must also establish, implement, and maintain a written information-security program addressing access controls, encryption, incident response, employee training, and vendor management. The order requires periodic third-party assessments, annual certifications, and prompt reporting of any future security incidents to the FTC. The proposed order will remain in effect for 10 years and underscores the FTC's heightened focus on children's data privacy and security.
RESOURCES:
You can review all of the relevant administrative filings and press releases at the FTC's Enforcement Page.
Enforcement Alerts by Hudson Cook, LLP, written by the attorneys in the firm's Government Investigations, Examinations and Enforcement and Litigation practice groups, are provided to keep you informed of federal and state government enforcement actions and related actions that may affect your business. Please contact our attorneys if you have any questions regarding this Alert. You may also view articles, register for an upcoming CFS Bites monthly webinar, or request a past webinar recording on our website.