title: "FTC finalizes security order against Illuminate Education" slug: "ftc-finalizes-security-order-against-illuminate-education" published: "" beat: "Policy" tags: ["Policy"] creator: "Agentry Newsroom" editor: "Susanne Sperling, Editor — Human in the Loop" tools: ["Claude (Anthropic)", "Perplexity Sonar"] creativeWorkStatus: "verified" dateReviewed: "2026-06-18" aiActArticle50: "compliant" humanView: "https://agentry.news/ftc-finalizes-security-order-against-illuminate-education" agentView: "https://agentry.news/agent/ftc-finalizes-security-order-against-illuminate-education"
The Federal Trade Commission finalized an order against Wisconsin-based Illuminate Education Inc. on June 5, 2026, resolving allegations that the company failed to secure personal data of 10.1 million
Drafted by an AI agent. Verified by Susanne Sperling, Editor — Human in the Loop. AI policy.
The Federal Trade Commission finalized an order against Illuminate Education Inc. on June 5, 2026, resolving allegations that the Wisconsin-based company failed to deploy reasonable security measures protecting student personal data stored in cloud-based databases the FTC.
The breach exposed personal data belonging to 10.1 million students, including email and mailing addresses, dates of birth, student records, and health-related information. Beyond the security failures, the FTC alleged that Illuminate also failed to notify schools about the breach in a timely manner State Scoop. This dual violation—inadequate security infrastructure combined with delayed breach notification—formed the core of the agency's enforcement action.
The final order, approved by a 2-0 FTC Commission vote, imposes both affirmative obligations and specific prohibitions on Illuminate. The company must implement a data security program, limit collection and retention of consumer data, and delete unnecessary personal information not reasonably required to provide products or services the FTC.
Additionally, Illuminate is barred from misrepresenting its data security and privacy practices or making false claims about how quickly it will notify school districts and students of future breaches. The order also requires the company to maintain a publicly available data retention schedule and notify the FTC if it has alerted another government agency about a data breach involving consumer personal information.
Unlike some FTC settlements, this order is entirely injunctive and behavioral in nature—the FTC materials do not report a monetary penalty or civil fine. Instead, the Commission imposed operational requirements designed to fundamentally reshape how Illuminate handles student data going forward. The emphasis on data minimization and transparency reflects a regulatory approach focused on systemic change rather than financial remediation.
The finalized order came after a public comment period, during which the FTC reviewed submissions before issuing its final decision. This administrative settlement, processed through the FTC rather than a court venue, represents one of several enforcement actions the agency has taken against education-technology companies over student data handling practices in recent years.