FTC Finalizes Order with Chegg over Alleged Poor Security Practices that Exposed Student Data

  • The FTC finalized an order with Chegg, Inc. regarding alleged poor data security practices that led to at least four separate data breaches at the education technology company in which users’ and employees’ personal information was compromised.
  • In its complaint, the FTC alleged that Chegg violated the FTC Act by failing to adequately protect the personal information it collected from employees and users. Chegg collected particularly sensitive personal information from users in connection with its scholarship search services, such as religious denomination, heritage, parents’ income range, sexual orientation, and disabilities. Despite the sensitivity of the information Chegg collected, the company allegedly utilized poor data security practices that led to multiple data breaches, including failing to implement commercially reasonable security measures, storing information on Chegg’s network and databases in plain text rather than encrypting the information, and failing to provide adequate guidance or training for employees and contractors regarding information security and safeguarding of information.
  • Under the terms of the order, Chegg must create and adhere to a retention schedule for personal information that includes a timeframe for deletion, allow users to request deletion of their personal information, offer multi-factor authentication methods to consumer users to secure their accounts, establish and implement a comprehensive information security program, and undertake information security assessments by a third party, among other things.