Privacy & Information Security Law Blog

On November 6, 2025, Connecticut Attorney General William Tong, along with California Attorney General Rob Bonta and New York Attorney General Letitia James, announced a significant settlement stemming from the enforcement of Connecticut’s Student Data Privacy Law. This case marked the first enforcement action since the law's enactment and involved Illuminate Education, Inc. ("Illuminate"), an educational technology provider whose 2022 data breach exposed sensitive information belonging to millions of students.

In December 2021, hackers gained access to Illuminate’s systems using credentials from a former employee. The hackers downloaded unencrypted database files containing sensitive information such as student names, birth dates, IDs, and demographic details. The number of students affected in each state was as follows:

• Connecticut: 28,610 students
• New York: 1.7 million students
• California: 3 million students

Illuminate will pay a total of $5.1 million in penalties, distributed as follows:

• $150,000 to Connecticut
• $1.7 million to New York
• $3.25 million to California

In addition to the monetary penalties above, the settlement requires Illuminate to implement comprehensive security measures, including:

• employing specific safeguards, including maintaining data inventories, minimizing data and setting retention limits;
• implementing proper access controls and authentication procedures;
• conducting data security risk assessments and penetration testing;
• monitoring vendors; and
• providing a right to data deletion