On Monday, it was announced that the Federal Trade Commission (“FTC”) was taking action against education technology provider Chegg Inc. (“Chegg”) for its deficient data security practices that exposed the sensitive information of millions of its customers and employees, including Social Security numbers, email addresses and passwords.  According to the FTC, Chegg allegedly failed to fix problems with its cybersecurity despite experiencing four breaches since 2017.  This latest development is another reaffirmation of the FTC’s prioritization of privacy and security, as previously covered on CPW.

Chegg, as outlined in the FTC’s Complaint, markets and sells direct-to-student educational products and services.  Its sells and rents textbooks to students and offers online learning aids.  In conjunction with providing these services, Chegg collected “information about a user’s religious denomination, heritage, date of birth, parents’ income range, sexual orientation, and disabilities,” which Chegg’s internal documents apparently described as “very sensitive.”  Chegg stored this data on a cloud service operated by a third party.  The target audience for Chegg’s products and services are high school and college students.

According to the FTC, “[f]rom at least 2017 to the present, Chegg has engaged in a number of practices that, taken individually or together, failed to provide reasonable security to prevent unauthorized access to users’ personal information.  These shortcomings also failed to provide reasonable security for the personal information Chegg collects from its employees, which has similarly resulted in unauthorized access to that information.”  This included, among other deficiencies:

  • Failing to implement reasonable access controls to safeguard users’ personal information until at earliest October 2018;
  • Storing users’ and employees’ personal information on Chegg’s network and databases in plain text rather than encrypting the information; and
  • Failing, until January 2021, to develop, implement, or maintain adequate written organizational information security standards, policies, procedures, or practices.

In the view of the FTC, Chegg’s security failures led to multiple data breaches that resulted in “repeated” exposure of users’ and employees’ personal information from September 2017-April 2020.

The FTC’s Complaint included two counts for violation of Section 5(a) of the Federal Trade Commission Act for (i) “failure to employ reasonable and appropriate measures to protect personal information caused or is likely to cause substantial injury to consumers” (which the FTC classified as an unfair act or practice) and (ii)  representing that it had it implemented reasonable measures to protect personal information against unauthorized access when it had not (which the FTC classified as false and misleading).

The FTC’s proposed order requires Chegg to bolster its data security, limit the data the company can collect and retain, offer users multifactor authentication to secure their accounts, and allow users to access and delete their data.

For more on this and other relevant developments, stay tuned.  CPW will be there to keep you in the loop.