FTC Settles Allegations of Data Security Failures with Edtech Company Chegg
Alerts
November 3, 2022

On October 31, 2022, the Federal Trade Commission (FTC) announced a complaint and proposed consent order against Chegg, an edtech company, over its security practices that resulted in four security breaches in three years. The commissioners unanimously voted to approve the proposed order. The case follows the FTC’s announcement earlier this year that it would scrutinize the practices of edtech providers. Significantly, in addition to more typical data security relief that the FTC includes in its consent orders, the Chegg order requires the company to provide consumers with the right to access and delete their personal information, a novel requirement in FTC security settlements.

The Complaint Allegations

Chegg primarily targets high school and college students by offering a textbook rental service and online study aids, earning its nickname as a “homework help platform.” (Because Chegg does not appear to have targeted children under 13, there is no allegation that Chegg violated the Children’s Online Privacy Protection Act.) In conducting its business, Chegg allegedly collected students’ sensitive personal information, such as their religious denomination, heritage, sexual orientation, and disability information. Chegg stored that information in Amazon Web Services (AWS) storage that allowed customers to classify data by sensitivity, store it in separate “buckets,” and apply individual access controls to each bucket.

Despite Chegg’s ability to calibrate employee and contractor access to the AWS Simple Storage Service buckets, according to the complaint, Chegg provided all employees and contractors with indiscriminate access to all data stored. As a result, a contractor who did not need access to all of the information contained in the buckets exfiltrated a database of 40 million users of the Chegg platform. The complaint also alleges three separate incidents in which employees fell for phishing attacks that exposed sensitive data about Chegg’s employees, including medical and financial information.
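The access failure alleged above, every employee and contractor able to read every bucket, is the kind of thing that can be checked mechanically against the role each principal actually holds. The following Python is an added example and is not code from Chegg, AWS or the FTC filing; the policy documents, bucket names and role entitlements in it are constructed, and it deliberately ignores Deny, NotAction and NotResource statements, so it is a first-pass audit rather than a full IAM evaluator.

```python
"""Flag IAM-style S3 policies that grant a role more buckets than it needs.

Added example: an indiscriminate policy (read everything) beside a
policy scoped to the one bucket a hypothetical contractor role needs.
All policy documents, ARNs and entitlements below are constructed.
"""
import fnmatch

# Constructed: the overbroad grant the complaint describes.
INDISCRIMINATE_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{"Effect": "Allow", "Action": "s3:*", "Resource": "*"}],
}

# Constructed: the same role limited to the bucket it actually works with.
SCOPED_POLICY = {
    "Version": "2012-10-17",
    "Statement": [{
        "Effect": "Allow",
        "Action": ["s3:GetObject", "s3:ListBucket"],
        "Resource": ["arn:aws:s3:::example-public-catalog",
                     "arn:aws:s3:::example-public-catalog/*"],
    }],
}

ALL_BUCKETS = ["arn:aws:s3:::example-public-catalog",
               "arn:aws:s3:::example-student-profiles",
               "arn:aws:s3:::example-hr-records"]
CONTRACTOR_ENTITLED = ["arn:aws:s3:::example-public-catalog"]


def _as_list(value):
    # IAM allows a bare string or a list for Action and Resource.
    return value if isinstance(value, list) else [value]


def can_read_bucket(policy, bucket_arn):
    """True if some Allow statement lets the holder read objects in bucket_arn.
    Simplification: Deny/NotAction/NotResource are not evaluated."""
    object_arn = bucket_arn + "/*"
    for st in policy.get("Statement", []):
        if st.get("Effect") != "Allow":
            continue
        actions = [a.lower() for a in _as_list(st.get("Action", []))]
        resources = _as_list(st.get("Resource", []))
        # IAM action names are case-insensitive and may carry wildcards.
        action_hit = any(fnmatch.fnmatchcase("s3:getobject", a) for a in actions)
        resource_hit = any(fnmatch.fnmatchcase(object_arn, r) for r in resources)
        if action_hit and resource_hit:
            return True
    return False


def excess_access(policy, entitled, all_buckets):
    """Buckets the policy can read that the role is not entitled to."""
    return [b for b in all_buckets
            if b not in entitled and can_read_bucket(policy, b)]
```

Run against each principal's attached policies, a non-empty result for any role is the "indiscriminate access" finding; an empty result for every role is the state the complaint says Chegg could have configured but did not.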

The failures alleged in the complaint are, by now, a familiar story. They include:

  • failure to implement reasonable access controls;
  • storing users’ and employees’ information in clear text, without encryption;
  • failure to maintain written security policies;
  • failure to train employees on data security;
  • failure to inventory and delete users’ and employees’ personal information after the information is no longer necessary; and
  • failure to adequately monitor systems for unauthorized attempts to exfiltrate personal information.

The Proposed Order

In addition to requiring that Chegg implement a comprehensive security program and obtain biennial third-party assessments of the program, the proposed order requires a number of additional measures:

  • Multifactor authentication: Within six months after issuance of the order, Chegg must provide multifactor authentication as an option or as a requirement for consumer users. This goes beyond the multifactor authentication requirements in prior data security orders: not only must Chegg require multifactor authentication for employees, contractors, and affiliates, it must also offer it to consumers.
  • Data retention and deletion: Just as in last week’s Drizly order, this order requires Chegg to document and adhere to a data retention schedule. But in what appears to be a first for a data security case, the FTC order requires Chegg to allow consumers to request access to or the deletion of their personal information by “provid[ing] a Clear and Conspicuous link on the homepage and initial login page of [Chegg’s] websites directing consumers to an online form through which they can request access to or the deletion . . .”
  • Notice to consumers: Consistent with the FTC’s recent emphasis on consumer notice, the order requires notice to individuals whose information was breached.

Observations

Taken together, the Drizly case announced last week and the Chegg case announced this week provide clues as to the FTC’s agenda on data security issues. Below are some observations:

First, both cases are consistent with the FTC’s announced priorities. Last week’s action against Uber-acquired Drizly is consistent with the FTC’s interest in scrutinizing gig economy companies. And the Chegg case effectuates the FTC’s stated priority in edtech.

Second, both proposed orders reflect an increased focus on data minimization. In Drizly, the FTC required the company to implement retention schedules and delete unnecessary data. In Chegg, the FTC is going a step further. In addition to requiring retention schedules and deletion, the order requires the company to provide consumers the ability to access and delete their own data, thus incorporating new rights afforded to consumers in California and other states’ privacy laws. Notably, Drizly can respond to such requests in accordance with those states’ laws where they apply. But where the consumer resides in a state without such a law, the FTC’s order requirements go beyond the state law requirements, in that they do not provide for the typical deletion exceptions included in those laws.

Finally, although the FTC named the CEO in Drizly individually, it did not do so in Chegg, suggesting that the FTC is continuing to look at the issue of individual liability for data security matters on a case-by-case basis.

Wilson Sonsini Goodrich & Rosati routinely helps companies navigate complex privacy and data security issues. For more information or advice concerning cybersecurity compliance or investigations, please contact Tracy Shapiro, Yeji Kim, or any member of the firm’s privacy and cybersecurity practice.

Contributors

  • Tracy Shapiro