On October 31, 2022, the Federal Trade Commission (FTC) announced a complaint and proposed consent order against Chegg, an edtech company, over its security practices that resulted in four security breaches in three years. The commissioners unanimously voted to approve the proposed order. The case follows the FTC’s announcement earlier this year that it would scrutinize the practices of edtech providers. Significantly, in addition to more typical data security relief that the FTC includes in its consent orders, the Chegg order requires the company to provide consumers with the right to access and delete their personal information, a novel requirement in FTC security settlements.
The Complaint Allegations
Chegg primarily targets high school and college students by offering a textbook rental service and online aids, earning its nickname as a “homework help platform.” (Because Chegg does not appear to have targeted children under 13, there is no allegation that Chegg violated the Children’s Online Privacy Protection Act.) In conducting its business, Chegg allegedly collected students’ sensitive personal information, such as their religious denomination, heritage, sexual orientation, and disability information. Chegg stored that information in Amazon Web Services (AWS) storage that allowed customers to classify data by sensitivity, store it in separate “buckets,” and apply access controls to each bucket individually.
Despite Chegg’s ability to calibrate employee and contractor access to the AWS Simple Storage Service buckets, according to the complaint, Chegg provided all employees and contractors with indiscriminate access to all data stored. As a result, a contractor who did not need access to all of the information contained in the buckets exfiltrated a database of 40 million users of the Chegg platform. The complaint also alleges three separate incidents in which employees fell for phishing attacks that exposed sensitive data about Chegg’s employees, including medical and financial information.
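To make the access-control failure described above concrete, here is an added example (not from the complaint or from Chegg) that checks an IAM policy document for statements granting S3 access to every bucket and contrasts it with a scoped alternative; both policies and the bucket name are constructed for illustration.

```python
import json

# Constructed sample policy (not Chegg's actual configuration) showing the
# failure the complaint describes: every principal can reach every bucket.
BROAD_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed scoped alternative: a contractor may only read one bucket that
# holds non-sensitive data. The bucket name is hypothetical.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [
        {
            "Effect": "Allow",
            "Action": ["s3:GetObject", "s3:ListBucket"],
            "Resource": [
                "arn:aws:s3:::example-public-catalog",
                "arn:aws:s3:::example-public-catalog/*",
            ],
        }
    ],
}


def _as_list(value):
    # IAM allows a single string or a list in Action and Resource.
    return value if isinstance(value, list) else [value]


def overly_broad_statements(policy):
    """Return Allow statements that grant S3 actions on all buckets.

    A statement is flagged when it allows any S3 action (or the '*' wildcard)
    and its Resource is '*' or 'arn:aws:s3:::*'. Policies using NotAction,
    NotResource or Condition keys need additional handling not shown here.
    """
    flagged = []
    for stmt in _as_list(policy.get("Statement", [])):
        if stmt.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(stmt.get("Action", []))]
        touches_s3 = any(a == "*" or a.startswith("s3:") for a in actions)
        resources = _as_list(stmt.get("Resource", []))
        all_buckets = any(r in ("*", "arn:aws:s3:::*") for r in resources)
        if touches_s3 and all_buckets:
            flagged.append(stmt)
    return flagged


if __name__ == "__main__":
    for name, pol in (("broad", BROAD_POLICY), ("scoped", SCOPED_POLICY)):
        print(name, json.dumps(overly_broad_statements(pol)))
```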
The failures alleged in the complaint are, by now, a familiar story. They include:
The Proposed Order
In addition to requiring that Chegg implement a comprehensive security program and obtain biennial third-party assessments of the program, the proposed order requires a number of additional measures:
Observations
Taken together, the Drizly case announced last week and the Chegg case announced this week provide clues as to the FTC’s agenda on data security issues. Below are some observations:
First, both cases are consistent with the FTC’s announced priorities. Last week’s action against Uber-acquired Drizly is consistent with the FTC’s interest in scrutinizing gig economy companies. And the Chegg case effectuates the FTC’s stated priority in edtech.
Second, both proposed orders reflect an increased focus on data minimization. In Drizly, the FTC required the company to implement retention schedules and delete unnecessary data. In Chegg, the FTC is going a step further. In addition to requiring retention schedules and deletion, the order requires the company to provide consumers the ability to access and delete their own data, thus incorporating new rights afforded to consumers in California and other states’ privacy laws. Notably, Drizly can respond to such requests in accordance with those states’ laws where they apply. But where the consumer resides in a state without such a law, the FTC’s order requirements go beyond the state law requirements, in that they do not provide for the typical deletion exceptions included in those laws.
Finally, although the FTC named the CEO in Drizly individually, it did not do so in Chegg, suggesting that the FTC is continuing to look at the issue of individual liability for data security matters on a case-by-case basis.
Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Tracy Shapiro, Yeji Kim, or any member of the firm’s privacy and cybersecurity practice.