Following up on its warning that it would be cracking down on Education Technology companies, the Federal Trade Commission (FTC) issued a proposed order against Chegg Inc., an online tutoring and homework aid service for high school college students, for lax security practices. According to its complaint, the FTC alleged that Chegg violated Section 5 of the FTC Act by failing to implement reasonable security measures to protect student and employee data and deceptively claiming in its privacy notice that it engaged in commercially reasonable security measures to protect users’ personal data.
Chegg’s Commercially Unreasonable Security Practices
According to the FTC, Chegg engaged in the following commercially unreasonable security practices for years. These practices allegedly exposed users’ and employees’ sensitive data to unauthorized and potentially harmful use when it suffered at least four data breaches between 2017 and 2020:
Allowing employees and contractors to use a single AWS access key to access Chegg data stored in Amazon’s Simple Storage Services (S3). This key conferred full administrative privileges to all employees over all data in the S3 databases, including personal data such as sexual orientation, religion, disabilities, Social Security numbers, email addresses, and passwords.
Not restricting employees’ and contractors’ access to only the minimum data necessary for their particular roles.
Not requiring employees and contractors to turn on multi-factor authentication when accessing the databases storing personal data.
Not rotating access keys to databases storing personal data.
Storing user and employee personal data in plain text (i.e., Chegg did not encrypt the data).
Using outdated hashing methods for user passwords.
Not maintaining or implementing information security standards, policies, or procedures.
Not providing or requiring employees and contractors’ security training or guidance.
Not maintaining a retention policy or process for deleting personal information when it was no longer necessary.
Not adequately monitoring its networks and systems for unauthorized access or transfer outside of Chegg’s network.
The proposed complaint alleges that Chegg could have addressed each of these failures by implementing readily available and relatively low-cost security measures.
FTC Requirements for Commercially Reasonable Security Practices
Among other things, the FTC’s proposed order requires Chegg to improve its security practices by:
Documenting its personal information collection and retention practices, including documentation of the purposes and business needs that support the collection and retention, and a timeframe for deletion.
Providing its customers with access to their personal data and allowing them to request deletion of that data by providing a “clear and conspicuous” link on the homepage and initial login page of its websites. This link must direct consumers to an online form through which they can request access to or the deletion of their personal information.
Implementing multi-factor authentication or another authentication method.
Implementing and maintaining a comprehensive and documented information security plan, which is extensive and includes:
The provision of written program evaluations to the board of directors, or the equivalent at least every 12 months and within 30 days of any incident.
The designation of a qualified employee to coordinate and be responsible for the program.
The assessment of internal and external risks to the security, confidentiality, and integrity of personal information at least every 12 months and within 30 days of any incident.
The implementation, maintenance, and documentation of safeguards that control for the internal and external risks identified, and the assessment of those safeguards at least every 12 months and within 30 days of any incident. Among the required safeguards is encryption of, at a minimum, all Social Security numbers, passport numbers, financial account information, tax information, dates of birth associated with a user’s account, “medical information” associated with a user’s account, and user account credentials on computer networks, including, but not limited to cloud storage.
Chegg’s proposed consent order and these requirements will last for 20 years as is typical for most FTC orders. The consent agreement package will be subject to public comment for 30 days after publication in the Federal Register.
Charlotte Lunday is a Senior Associate at Hintze with expertise in COPPA, FERPA, and online safety.
Sheila Sokolowski is a Partner at Hintze, she has expertise on FERPA and student privacy, and also HIPAA and health privacy and chairs the firm’s Health and Biotech Privacy Group.
Hintze Law PLLC is a Chambers-ranked privacy firm that provides counseling exclusively on global data protection. Its attorneys and privacy analysts support global technology, ecommerce, advertising, media, retail, healthcare, and mobile companies, organizations, and industry associations in all aspects of privacy and data security.