In late 2025, K-12 edtech oversight took a significant turn: Illuminate Education, a company whose tools are used in hundreds of school districts, agreed to a $5.1 million multistate settlement over a series of data security failures (GovTech).
For school district leaders, vendors, and policymakers, this isn’t just “another vendor had a breach.” It’s a signal that the expectations around student data protection are shifting, and districts nationwide will feel the ripple effects.
What happened?
The case centers on several core failings by Illuminate Education:
- The company reportedly failed to encrypt student data, did not maintain “appropriate systems and processes to monitor for suspicious activity,” neglected to properly decommission inactive accounts, and did not limit account permissions to what was necessary (GovTech).
- Illuminate Education suffered two major breaches in New York, one in December 2021 and one in January 2022, affecting roughly 1.7 million current and former New York students across about 750 schools (GovTech).
- The settlement requires the company to maintain a robust data security program: encrypt all data collected or stored, monitor networks for suspicious activity, track and remediate vulnerabilities, limit access and permissions, and annually notify schools about the kinds/categories of data collected, including health records (GovTech).
- The lead states in the settlement are New York, California and Connecticut (GovTech).
Why this matters for school districts nationwide
Even if your district didn’t use Illuminate Education’s tools, there are important takeaways:
1. Vendor risk is real and enforceable.
For years, districts have signed data sharing agreements with edtech vendors, sometimes without fully digging into the vendor’s security practices. This settlement underscores that states will hold vendors accountable, meaning districts should raise their expectations and their contracting stance.
2. Contracts and procurement need sharper clauses.
This means insisting on vendor obligations around:
- Encryption of student data (at rest and in transit)
- Access controls and role-based permissions
- Account lifecycle management (deactivating old accounts)
- Regular monitoring for unauthorized activity
- Clear data-deletion or data-return terms when contracts end
- Annual disclosures of the categories of data collected
District procurement teams should ask: does this vendor have documented processes for each of these? The settlement shows that failing to implement them is no longer an abstract compliance concern; it is an enforcement risk, with real penalties attached.
3. State laws and multistate cooperation are increasing the stakes.
In this case, California’s Attorney General noted that “data security concerns know no borders … and so neither should state collaboration” (GovTech). For district leaders, this means you’re not just dealing with your own state’s laws: vendors operating nationally may face enforcement across multiple states at once. A vendor’s compliance posture in other states is therefore a useful indicator of how it will behave in yours.
4. Transparency to parents and students matters more than ever.
Part of the settlement requires Illuminate Education to annually notify schools about the categories of data it collects (e.g., health records) (GovTech). Districts should consider: are we transparent enough with families about what third-party tools are collecting? Do the tools we select provide sufficient clarity and protections?
5. Internal district processes must align with the vendor ecosystem.
Even the best vendor safeguards won’t help if district practices are weak. For example, if your district isn’t revoking access for departing staff, or doesn’t audit vendor accounts, you remain vulnerable. This settlement should prompt district leadership to ask hard questions:
- Who in the district monitors vendor access and permissions?
- How often does the district audit data sharing agreements and vendor security practices?
- Does our district’s procurement policy require vendors to certify compliance with best practice security standards or independent audits?
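Two of the failings cited in the settlement, inactive accounts that were never decommissioned and permissions broader than necessary, are exactly the conditions a district can check for in its own identity systems. The script below is an added example, not code from the article or from Illuminate Education: it runs a small account-lifecycle audit over a constructed user export of the kind a student information system or identity provider can produce. The CSV column layout, the role names, the rule that vendor and service accounts should hold read-only access at most, and the 90-day dormancy threshold are all assumptions chosen for illustration; adjust them to your district’s actual export and policy.

```python
"""Account-lifecycle audit over a constructed user export.

Added example (not from the article or from Illuminate Education). It flags
three account-hygiene gaps of the kind the settlement cites: dormant accounts
never decommissioned, departed users whose access was not revoked, and
accounts holding more permission than their account type warrants.
The CSV layout, role names, role ceilings and dormancy threshold are
assumptions for illustration.
"""
import csv
import io
from datetime import date, timedelta

# Constructed sample export (not real data), in the shape an SIS or
# identity provider might produce. Blank fields mean "unknown/none".
SAMPLE_EXPORT = """username,account_type,role,status,last_login,employment_end
j.doe,staff,teacher,active,2025-10-28,
a.smith,staff,admin,active,2025-05-01,
b.jones,staff,teacher,active,2025-10-20,2025-06-30
vendor-illum-sync,vendor,admin,active,2025-10-30,
vendor-assess-ro,vendor,readonly,active,2025-04-02,
svc-nightly-export,service,readonly,active,2025-10-31,
old-intern,staff,readonly,disabled,2024-02-11,2024-03-01
never-used,vendor,readonly,active,,
"""

# Assumed policy: the highest role each account type should ever hold.
# Vendor integrations and service accounts get read-only access at most.
MAX_ROLE_BY_TYPE = {"staff": "admin", "vendor": "readonly", "service": "readonly"}
ROLE_RANK = {"readonly": 0, "teacher": 1, "admin": 2}
MAX_IDLE_DAYS = 90  # assumed dormancy threshold


def parse_export(text):
    """Parse the CSV export into dicts; date fields become date or None."""
    rows = []
    for row in csv.DictReader(io.StringIO(text)):
        for field in ("last_login", "employment_end"):
            row[field] = date.fromisoformat(row[field]) if row[field] else None
        rows.append(row)
    return rows


def find_dormant(accounts, as_of, max_idle_days=MAX_IDLE_DAYS):
    """Enabled accounts idle longer than the threshold, or never used at all."""
    cutoff = as_of - timedelta(days=max_idle_days)
    return sorted(
        a["username"] for a in accounts
        if a["status"] == "active"
        and (a["last_login"] is None or a["last_login"] < cutoff)
    )


def find_departed_still_active(accounts, as_of):
    """Enabled accounts whose employment end date has already passed."""
    return sorted(
        a["username"] for a in accounts
        if a["status"] == "active"
        and a["employment_end"] is not None
        and a["employment_end"] <= as_of
    )


def find_overprivileged(accounts):
    """Accounts whose role outranks the ceiling set for their account type."""
    return sorted(
        a["username"] for a in accounts
        if ROLE_RANK[a["role"]] > ROLE_RANK[MAX_ROLE_BY_TYPE[a["account_type"]]]
    )


def audit(text, as_of):
    """Run all three checks over an export and return the findings by category."""
    accounts = parse_export(text)
    return {
        "dormant": find_dormant(accounts, as_of),
        "departed_still_active": find_departed_still_active(accounts, as_of),
        "overprivileged": find_overprivileged(accounts),
    }


def run_sample():
    """Audit the constructed export as of 2025-11-01."""
    return audit(SAMPLE_EXPORT, date(2025, 11, 1))


if __name__ == "__main__":
    for finding, names in run_sample().items():
        print(f"{finding}: {', '.join(names) or 'none'}")
```

Run against the constructed export, the audit flags three dormant accounts (one of which has never logged in), one departed staff member who is still enabled and, worse, has a login after their end date, and one vendor integration account holding admin rights it should not have. Each of those is a finding a district can act on directly, and the same checks belong in the evidence you ask vendors to show for their own environments.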
What happens next (and what you should do)
Immediate actions for district leadership might include:
- Audit all current vendor contracts: Identify edtech vendors who handle student data and assess whether the contract addresses encryption, access controls, account lifecycle management, data deletion, and disclosure of data categories.
- Request vendor security documentation: Ask vendors to provide evidence of their security practices (e.g., third-party audit reports, penetration test summaries, policies for inactive accounts).
- Update procurement language: Amend RFPs and vendor agreements to include clear requirements for data security and vendor accountability.
- Communicate with stakeholders: Inform your leadership team, board, and possibly the community about the settlement — and what it means for your district’s vendor risk management.
- Review internal practices: Ensure your own data governance policies (access management, account deactivation, vendor review) are robust and documented.
Longer-term considerations:
- Stay informed about state student data privacy laws: Many states are upgrading or enforcing laws related to student information; your district should map where your state stands.
- Build a vendor risk management framework: Define how you assess, monitor, and review vendor partnerships annually.
- Educate faculty, staff, and admin about data handling responsibilities: The human element remains a key vulnerability (e.g., weak credentials, accounts left open).
- Consider establishing incident response protocols: If a vendor has a breach (or you suspect one), is your district clear on what you will do, when, and how to communicate with stakeholders and regulators?
Final reflections
This settlement with Illuminate Education is a wake-up call. It says loud and clear: when it comes to student data, expectations are not merely aspirational, they are enforceable.
For districts committed to safeguarding student privacy and trust, the path is clear: revisit your vendor relationships, sharpen your contracts, strengthen your own internal governance, and communicate transparently with your community.
As edtech becomes more embedded in instruction and operations, the value and risk of the data involved only grow. Districts nationwide must treat vendor data security as a core, strategic, ethical and operational priority, not just an IT concern.
