On June 5, 2026, the Federal Trade Commission gave final approval to its order against Illuminate Education, Inc., resolving a complaint that the education-technology company failed to secure the personal data of K-12 students. The order is unremarkable in one sense: there is no headline-grabbing penalty figure. It is remarkable in another. For the next ten years, a private company will operate its data-security function under the direct supervision of a federal regulator, subject to mandated controls, independent assessments, and reporting obligations that reach into how it collects, stores, and deletes children’s data.
That structure is not an accident. It is the model. Across the FTC’s recent data-security docket, the agency has shifted the center of gravity away from one-time monetary relief and toward long-duration injunctive orders that function as enforceable, multi-year compliance regimes. The Illuminate matter is one of the clearest examples yet of that approach applied to the edtech sector, where the data at stake belongs to minors who never consented to anything and cannot meaningfully protect themselves.
What Happened at Illuminate Education
Illuminate, a Wisconsin-based provider of student-assessment and data-management software used by school districts nationwide, suffered a breach disclosed in late December 2021. According to the FTC’s complaint, an intruder accessed Illuminate’s cloud-hosted databases using the credentials of a former employee who had left the company roughly three and a half years earlier. Those credentials still worked.
The exposed data covered approximately 10.1 million students and included names, email and mailing addresses, dates of birth, student records, and health-related information. The FTC alleged that Illuminate represented that it protected the privacy and security of student data but failed to deploy reasonable security measures for information stored in cloud databases. Most damning: Illuminate’s own third-party vendor had flagged numerous security vulnerabilities on its network nearly two years before the breach, and the company failed to adequately remediate them. The FTC further alleged that Illuminate did not notify schools of the breach in a timely manner, despite promising it would.
The fact pattern is a catalog of preventable failures: orphaned credentials never deprovisioned, known vulnerabilities left unpatched, security promises that outran security practice, and breach-notification commitments that went unmet. None of it required a sophisticated adversary. It required only an attacker willing to try a stale login.
The Regulatory Framework: Three Overlapping Regimes
Edtech vendors holding student data sit at the intersection of at least three federal frameworks, and the boundaries between them are not clean.
Section 5 of the FTC Act
The FTC’s authority here flows from Section 5 of the FTC Act, which prohibits unfair or deceptive acts or practices. The agency’s data-security cases typically rest on two theories. The deception theory targets the gap between what a company says about its security and what it actually does; Illuminate’s representations that it protected student data, set against its failure to remediate known vulnerabilities, fit squarely within it. The unfairness theory targets security practices that cause or are likely to cause substantial consumer injury that consumers cannot reasonably avoid and that is not outweighed by countervailing benefits. Critically, the FTC Act does not require a company to be a “covered entity” under any sector-specific law. If you hold consumer data and misrepresent or unreasonably fail to protect it, you are within reach.
FERPA and the “School Official” Exception
The Family Educational Rights and Privacy Act (FERPA) governs the privacy of student education records held by schools and districts that receive federal funding. FERPA does not regulate vendors directly. Instead, edtech companies typically operate under the “school official” exception, which lets a district share education records with a contractor that performs a function the district would otherwise perform itself, provided the vendor is under the district’s “direct control” with respect to the use and maintenance of those records and uses the data only for authorized purposes.
That arrangement creates a structural gap. FERPA’s enforcement mechanism is the potential loss of federal funding, and it runs against the school district, not the vendor. A breach at the vendor becomes the district’s compliance problem even though the district may have had little practical visibility into the vendor’s security posture. The FTC’s willingness to pursue the vendor directly under Section 5 fills part of that gap, but it does not relieve districts of their FERPA obligations to maintain direct control over how their service providers handle education records.
COPPA and Children Under 13
The Children’s Online Privacy Protection Act (COPPA) and its implementing Rule impose notice, consent, data-minimization, and security obligations on operators of online services directed to children under 13, or that have actual knowledge they collect personal information from such children. In the school context, the FTC has taken the position that schools may provide consent on behalf of parents for the collection of students’ personal information, but only for the use and benefit of the school and for no other commercial purpose. The 2025 amendments to the COPPA Rule sharpened the regime further, adding explicit data-retention limits and requiring written information-security programs for covered operators. Much edtech sits within COPPA’s scope for younger students, layering a second federal data-protection obligation on top of the district’s FERPA duties and the vendor’s baseline Section 5 exposure.
The practical takeaway: an edtech vendor serving K-12 districts can be simultaneously a Section 5 actor, a FERPA “school official,” and a COPPA operator. A single breach can implicate all three.
What the Order Actually Requires
The finalized Illuminate order is where the enforcement teeth are. Rather than a fine, it imposes a set of affirmative, auditable obligations that will govern the company’s conduct for a decade. The core requirements:
- A comprehensive written information-security program. Illuminate must establish, implement, and maintain a documented program designed to protect the security, confidentiality, and integrity of the personal information it collects. This is the now-standard FTC backbone: a named senior officer accountable for the program, a written risk assessment, safeguards keyed to identified risks, and periodic review.
- Data minimization. The company is prohibited from collecting, processing, or maintaining personal data that is not reasonably necessary to provide the requested products or services. This converts minimization from a privacy aspiration into an enforceable prohibition.
- Mandatory deletion of unnecessary data. Illuminate must delete personal information that is not reasonably needed. Data you no longer hold cannot be breached, and the FTC is increasingly treating retention itself as a risk to be managed down.
- A published data-retention schedule. The company must follow a publicly available schedule documenting why each category of information is collected and setting a defined timeframe for its deletion. Retention becomes a transparency obligation, not an internal preference.
- Prohibition on misrepresentation. Illuminate is barred from misrepresenting its data-security and privacy practices, including how quickly it will notify districts and students about breaches. This directly addresses the timely-notification failure in the complaint.
- Independent third-party assessments. Consistent with the FTC’s modern order template, the company is subject to periodic independent assessments of its security program, typically biennial across the order’s life.
- Breach reporting to the FTC. Illuminate must notify the FTC when it has reported a data breach involving consumers’ personal information to another federal, state, or local authority.
Read together, these provisions are not a slap on the wrist; they are a decade-long operating constraint. The third-party assessment requirement, in particular, means an outside firm will repeatedly attest to the program’s adequacy, and any false attestation or material gap becomes potential order-violation exposure, which carries civil penalties of more than $50,000 per violation. That is how the FTC manufactures real consequences from an authority that does not, by itself, allow it to fine first-time data-security offenders: the conduct order creates the penalty hook for the future.
Why K-12 Edtech Is Uniquely Exposed
Several features make student-data vendors a sustained enforcement priority.
The data subjects are children. Minors cannot consent, cannot monitor their own credit, and will carry the consequences of an early-life data exposure for decades. Compromised student records, including health information and dates of birth, are durable identity-theft fuel that may not be misused until the child becomes an adult.
The consent chain is attenuated. Parents consent to the school; the school contracts the vendor under FERPA’s school-official exception; the vendor often subcontracts to cloud and analytics providers. By the time data reaches the fourth party, the original consent has been stretched far past anything a parent contemplated.
Districts have limited leverage and limited expertise. Public school systems are resource-constrained and rarely staffed to evaluate a vendor’s cloud security architecture. They depend on the vendor’s representations, which is exactly the dependency the deception theory polices.
The sector aggregates enormous datasets. The breaches of 2026 made the scale undeniable. The Instructure/Canvas incident, disclosed in spring 2026, became one of the largest education-sector breaches on record, with the threat actor claiming data touching thousands of institutions and hundreds of millions of users before a ransom was reportedly paid. Separately, the Moody Bible Institute breach underscored that the exposure runs across the full education spectrum, from K-12 platforms to higher-education and faith-based institutions. Illuminate is the enforcement bookend to that breach wave: the part where a regulator imposes lasting structural obligations rather than the part where a company writes a check to extortionists.
What Edtech Vendors and Their Districts Should Do Now
The Illuminate order reads as a compliance specification. The smart move is to treat its requirements as a template to adopt voluntarily, before they arrive by consent decree.
Checklist for edtech and SaaS vendors
- Deprovision credentials on departure, automatically. The proximate cause of the Illuminate breach was a former employee’s still-active login. Tie access revocation to HR offboarding, enforce it for contractors and service accounts, and audit for orphaned accounts quarterly.
- Remediate known vulnerabilities on a defined clock. A vendor warning ignored for two years was the most aggravating fact in the complaint. Track every finding to closure with owners and deadlines, and escalate overdue critical items to leadership.
- Stand up a written information-security program now. Name an accountable senior owner, perform and document a risk assessment, and map safeguards to identified risks. Do not wait for a regulator to require the document you should already have.
- Minimize collection and enforce retention. Inventory every data element you collect, justify each against an actual product need, and delete what fails the test. Publish a retention schedule with deletion timeframes.
- Make breach-notification promises you can keep. Define notification timelines in your contracts and privacy representations, and build the internal runbook to meet them. Missed notification commitments are independently actionable as deception.
- Map your COPPA and FERPA posture explicitly. Confirm whether you are a COPPA operator for any user population, document the school-official basis for the FERPA data you process, and confirm you use that data only for authorized educational purposes.
- Commission independent security assessments. An outside attestation is both a control and evidence of reasonableness if your practices are ever questioned.
- Govern your subprocessors. Illuminate’s data sat with a third-party cloud provider. Flow your security obligations down by contract and verify, do not assume, that subprocessors meet them.
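The first item in this checklist is the Illuminate fact pattern in miniature: a login that outlived its owner by years. The following is an added example, not code from Illuminate, the FTC, or any identity vendor, showing the reconciliation an offboarding audit has to perform. It joins an identity-provider account export against the HR roster and flags enabled accounts whose owner has been terminated or has no HR record, service accounts with no current owner, and accounts that have not logged in within a stale window. The record shapes, field names, usernames, employee ids and dates are all constructed for illustration; a real run would read an IdP export and the HRIS.

```python
"""Orphaned-credential audit: reconcile IdP accounts against the HR roster.

Added example (not Illuminate's or the FTC's code). All data below is
constructed for illustration; the Account/Employee shapes are assumptions
standing in for an IdP export and an HRIS feed.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Account:
    username: str
    enabled: bool
    kind: str                   # "user" or "service" (assumed field)
    owner: Optional[str]        # HR employee id that owns the account, if any
    last_login: Optional[date]  # None = never logged in


@dataclass(frozen=True)
class Employee:
    employee_id: str
    terminated_on: Optional[date]  # None = still employed


@dataclass(frozen=True)
class Finding:
    username: str
    reason: str
    severity: str  # "critical" | "high" | "medium"


SEVERITY_RANK = {"critical": 0, "high": 1, "medium": 2}


def audit_accounts(accounts: List[Account], roster: List[Employee], as_of: date,
                   stale_after: timedelta = timedelta(days=90)) -> List[Finding]:
    """Return findings for enabled accounts that should not still be active.

    - user account whose owner left (or is unknown to HR)  -> critical
    - service account with no current owner                -> high
    - any enabled account never used or idle > stale_after -> medium
    """
    by_id = {e.employee_id: e for e in roster}
    findings: List[Finding] = []
    for acct in accounts:
        if not acct.enabled:
            continue  # already revoked; nothing to report
        owner = by_id.get(acct.owner) if acct.owner else None
        owner_gone = owner is None or (
            owner.terminated_on is not None and owner.terminated_on <= as_of)
        if acct.kind == "user" and owner_gone:
            if owner is None:
                reason = "no matching HR record for owner"
            else:
                reason = (f"owner terminated on {owner.terminated_on.isoformat()}; "
                          "account still enabled")
            findings.append(Finding(acct.username, reason, "critical"))
        elif acct.kind == "service" and owner_gone:
            findings.append(Finding(acct.username,
                                    "service account has no current owner", "high"))
        # Idle-account check applies regardless of ownership status.
        if acct.last_login is None:
            findings.append(Finding(acct.username, "never logged in", "medium"))
        elif as_of - acct.last_login > stale_after:
            days = (as_of - acct.last_login).days
            findings.append(Finding(acct.username, f"no login in {days} days", "medium"))
    findings.sort(key=lambda f: (SEVERITY_RANK[f.severity], f.username))
    return findings


def revocation_queue(findings: List[Finding]) -> List[str]:
    """Usernames to disable immediately: every critical or high finding, deduplicated."""
    queue: List[str] = []
    for f in findings:
        if f.severity in ("critical", "high") and f.username not in queue:
            queue.append(f.username)
    return queue


def sample_data() -> Tuple[List[Account], List[Employee], date]:
    """Constructed sample: one departed employee whose login was never revoked."""
    as_of = date(2024, 6, 1)
    roster = [
        Employee("E100", None),
        Employee("E101", date(2020, 11, 15)),  # left ~3.5 years before as_of
        Employee("E102", None),
    ]
    accounts = [
        Account("alice", True, "user", "E100", date(2024, 5, 30)),    # healthy
        Account("bob", True, "user", "E101", date(2021, 1, 2)),       # orphaned login
        Account("svc-etl", True, "service", "E101", date(2024, 5, 31)),  # owner gone
        Account("carol", False, "user", "E102", None),                # already disabled
        Account("dave", True, "user", "E999", date(2024, 5, 20)),     # unknown to HR
        Account("svc-report", True, "service", None, None),           # unowned, unused
    ]
    return accounts, roster, as_of


if __name__ == "__main__":
    accts, roster, as_of = sample_data()
    results = audit_accounts(accts, roster, as_of)
    for f in results:
        print(f"[{f.severity:8}] {f.username:12} {f.reason}")
    print("revoke now:", ", ".join(revocation_queue(results)))
```

The check is only as good as its inputs: run it against the full IdP export (including contractor and service identities, as the checklist item says) and treat an account that the HRIS cannot account for as a revocation candidate rather than an exception to be explained away. Scheduling it quarterly satisfies the audit cadence above; wiring the critical findings into the offboarding workflow closes the gap the audit is detecting.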
Checklist for school districts contracting edtech
- Exercise the “direct control” FERPA actually requires. The school-official exception is conditioned on your control over how the vendor uses and maintains education records. Put that control in writing and monitor it.
- Require security representations and the right to verify. Demand a written security program, recent independent assessment results, and contractual audit rights. Treat vague “we take security seriously” language as a red flag, not an assurance.
- Contract for breach notification with hard timelines. Specify how fast and through what channel the vendor must notify you, and what they owe affected students and families.
- Impose data-minimization and deletion terms. Limit the data the vendor may collect, prohibit secondary commercial use, and require deletion at contract end and on a defined schedule.
- Inventory your vendor footprint. Most districts cannot list every edtech tool in use across classrooms. You cannot govern what you have not catalogued.
- Plan for vendor breach as your incident. Because FERPA enforcement runs against the district, a vendor breach is your regulatory and community-trust problem. Have a response plan that assumes it will happen.
Conclusion
The Illuminate Education order will not generate the headlines a nine-figure fine would. That is precisely why it matters. The FTC has signaled, again, that the durable instrument of data-security enforcement is the long-duration injunctive order: a written security program, mandatory data minimization and deletion, published retention schedules, independent assessments, and breach-reporting obligations, all enforceable for ten or twenty years with steep per-violation penalties for any lapse. For edtech and SaaS vendors that hold the sensitive data of children, the lesson is direct. The controls the FTC imposed on Illuminate are the controls a reasonable custodian of student data should already have. Adopt them now, or have them imposed later under federal supervision. The breaches of 2026 made clear how much student data is in play; the Illuminate order makes clear who will answer for failing to protect it.
This article is provided for informational purposes only and does not constitute legal advice.