Recent federal and state regulators’ $5.1 million enforcement actions against a Wisconsin-based online education technology company, in the wake of a massive cybersecurity breach, demonstrate the high stakes of failing to adequately protect children’s data and health data, or to issue breach notifications in a timely manner.
The enforcement actions stem from a 2021 data breach involving the personal information of over 10 million students nationwide, including roughly 3 million students in California, 1.7 million students in New York, and 28,000 in Connecticut. The breach was traced to the unauthorized use of administrative credentials associated with a former employee whose access had not been properly decommissioned, which enabled a threat actor to access the company’s internal systems. At the time of the intrusion, large volumes of student data were stored unencrypted at rest, including student names, dates of birth, student identification numbers, demographic data, special education information, disability data, and disciplinary records.
The regulators’ investigation concluded that the company failed to implement reasonable security measures, as required under California’s K-12 Pupil Online Personal Information Protection Act, the Confidentiality of Medical Information Act, other state education, health, and consumer privacy and security laws, and the FTC Act. Regulators identified systemic deficiencies in identity and access management, monitoring and logging, credential lifecycle management, and data retention and deletion practices. Some of the regulators’ complaints also highlight significant delays in issuing notifications. For example, the FTC’s complaint states that some school districts, students, and parents were notified as late as October 2023, nearly two years after the breach. The FTC found this delay violated both internal policy (which required notification within 72 hours) and contractual promises to school districts (some contracts required notification within 24 to 48 hours).
In November 2025, the Attorneys General of California, New York, and Connecticut announced a coordinated multistate settlement requiring the company to pay $5.1 million in civil penalties, and implement extensive data security and privacy program enhancements, to resolve allegations that the company failed to comply with various education, health, and consumer privacy and security laws. Several weeks later, the Federal Trade Commission (FTC) announced a proposed settlement resolving parallel federal claims under Section 5 of the FTC Act and imposing long-term injunctive obligations requiring the company to implement a comprehensive information security and data governance program. Specific measures the company must take pursuant to the settlements include reviewing and remediating contracts with school districts, maintaining detailed personal data inventories, adhering to data minimization principles, conducting annual risk assessments and penetration tests, and appointing a qualified security specialist who reports to the company’s board.
These enforcement actions underscore that regulators are increasingly willing to impose substantial financial penalties and sweeping programmatic reforms when companies fail to safeguard sensitive student data or delay breach notifications. The case highlights the real-world consequences of inadequate identity and access management, poor data retention practices, and insufficient breach response protocols. Companies of all sizes should proactively review and update their data security programs, ensure robust incident response plans are in place, and verify that contractual and statutory notification requirements are met.