The action is part of the FTC’s focused effort to bolster the data security and data collection policies of ed tech companies in the U.S. Chegg, a multi-billion dollar online education giant that employs about 2,500 people, offers high school and college students a college scholarship search service as well as other services such as online tutoring. The company said it has agreed to comply with all FTC requirements.
Millions of Personal Records Exposed Since 2017
California-based ed tech company Chegg Inc’s repeated “lax” approach to data security since 2017 has exposed Social Security numbers, email addresses, passwords, and more belonging to its employees and millions of customers, an Oct. 31 FTC press release said. Over the next two years, Chegg employees suffered recurring phishing attacks that exposed their medical and financial information. “Chegg allegedly failed to fix problems with its data security despite experiencing four security breaches since 2017,” the FTC said.
Chegg Collected Specific User Information
As part of its scholarship search service, Chegg collected user information such as heritage, religious background, disabilities, sexual orientation, and dates of birth. From its employees, the company collected Social Security numbers, financial and medical data, as well as dates of birth, the FTC said. “Chegg took shortcuts with millions of students’ sensitive information,” Director of the FTC’s Bureau of Consumer Protection Samuel Levine said. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end.”
FTC Complaint and Proposed Order
To address the FTC’s complaint and proposed order, on which the Commission voted 4-0, Chegg has agreed to upgrade its cybersecurity practices. Steps laid out by the FTC include documenting and following a schedule that specifies which personal data is collected, why it is collected, and when the information will be deleted. The Commission also requires Chegg to give its customers access to the data collected about them and to allow them to request the deletion of that data. Furthermore, Chegg must provide multifactor authentication methods to its employees and customers to secure their accounts, and must implement a cybersecurity program that includes encrypting customer data and training employees on the program.
Bolstering Cybersecurity Best Practices
Ed tech is a rapidly emerging sector that saw $1.7 billion in venture capital raised in 2019, driven in large part by the urgent remote learning requirements of the pandemic. As a result, the FTC has been tightening its grip on lax data security practices in several industries, such as ed tech, social media, and the health sector. In April 2021, the FTC fined TikTok $5.7 million for illegally sharing data about minors, and in June this year we wrote about FTC Head Lina M. Khan’s decision to regulate children’s data privacy and limit Big Tech’s dominance. Data breaches are dangerous and often stem from company-wide lapses in data security. In August, our VPNOverview security team discovered a data breach affecting nearly 100,000 U.S. healthcare workers, caused by a misconfigured AWS S3 bucket belonging to digital healthcare and education service provider PlatformQ.