The FTC issued another set of requirements for online businesses handling sensitive consumer data following multiple data breaches.
The Federal Trade Commission will require popular educational resource website Chegg to implement more robust data security measures following a series of documented network breaches that resulted in the exposure of consumers’ personal information.
Announced last Friday, the FTC finalized its order that Chegg fix the gaps in its security measures, particularly by limiting data collection and storage, enhancing data deletion options, educating consumers on the type of data it harvests, and implementing security protocols like multifactor authentication and threat analysis.
The Commission opted to finalize its order in a 4-0 vote among commissioners.
“Chegg took shortcuts with millions of students’ sensitive information,” said Samuel Levine, Director of the FTC’s Bureau of Consumer Protection. “Today’s order requires the company to strengthen security safeguards, offer consumers an easy way to delete their data, and limit information collection on the front end. The Commission will continue to act aggressively to protect personal data.”
Chegg, an educational company based in California, offers a variety of learning products and services geared toward high school and college students. In order to access many of these products, users are required to enter potentially sensitive identity information into the company’s database.
In the wake of four documented security breaches since 2017, information such as Chegg users’ dates of birth, sexual orientation, disability status, and financial information had been exposed.
The FTC’s order went into effect on Jan. 27. Within 90 days of the order’s issuance, Chegg will be required to develop a comprehensive information security program to deploy better network security safeguards.
In addition to improved cybersecurity measures and better user disclaimers, the order also requires Chegg to test and monitor their network security using third party services for an independent assessment. These results are to be submitted to the associate director for enforcement within the Bureau of Consumer Protection at the FTC.
The FTC’s order signals a broader federal push to regulate the private sector’s data security posture. The agency previously issued a similar order against online alcohol marketplace Drizly and company CEO James Cory Rella following data breaches due to lax security measures.
School and educational networks have also been listed as critical infrastructure following more frequent cyber attacks. The Cybersecurity and Infrastructure Security Agency recently unveiled cybersecurity guidance for K-12 school systems to better protect these networks from security breaches.