Risk Management

Aeries Settles Data Breach Lawsuit for $1.75M; Illuminate Suit is Dismissed – For Now

Data Privacy Attorney Explains Why Schools and Ed Tech Vendors Collecting or Storing PII Face Greater Risk Than Ever

Two ed tech providers that suffered data breaches that compromised private student information have seen civil lawsuits reach vastly different results — yet both should serve as a stark warning for ed tech companies collecting student data, a data privacy attorney told THE Journal.

In a class-action lawsuit filed on behalf of students at San Dieguito Union High School District, a federal judge in March gave final approval to a settlement ordering Aeries Software to pay $1.75 million to members of the class, which includes nearly 100,000 former and current San Dieguito Union students whose PII was compromised in a November 2019 breach of Aeries databases. 

Last week, a proposed national class-action lawsuit filed against Illuminate Education over its January 2022 data breach was dismissed by the same court, the U.S. District Court Central District of California, Western Division. The judge dismissing the lawsuit against Illuminate — formed when civil suits filed last summer in New York and California were combined — wrote in his decision that the plaintiffs did not successfully establish standing to sue or that actual harm was imminent, and the court gave the plaintiffs 21 days to amend the complaint and re-file.

Recipe for a Costly Data Breach

The two lawsuits with differing outcomes stemmed from two vastly different breaches. In the Aeries case, plaintiffs had established that the compromised data included nearly every form of student and parent Personal Identifying Information stored by Aeries for San Dieguito Union schools over many years; in the Illuminate case, plaintiffs neither alleged nor established that any data beyond behavioral, academic, and demographic information was compromised. 

Aeries’ student information system — used by Texas and California districts to store the records of more than 30 million students, according to its website — was breached in November 2019; the company did not notify districts about the breach until the following April. 

That notice of data breach, sent to school districts and filed with the California Attorney General, “disclosed only that the following information was compromised: ‘Parent and student login information, physical residence addresses, emails, and password hashes,’” according to the settlement agreement filed with the court. 

The data breach notice “did not disclose that additional PII was stored on behalf of its school district customers, including student health records, Social Security numbers, class grades, standardized test information, previous addresses, and parents’ or guardians’ debit or credit cards and other financial information,” the settlement agreement said.

Aeries executives acknowledged during later court proceedings that the breach compromised the databases of 166 school districts, exposing the PII of approximately 3 million former and current students. At least one of the several lawsuits filed over the breach sought nationwide class-action status, but following months of mediation, the class was limited to only SDUHSD current and former students and their guardians “because class counsel determined that this population was differently situated” than other districts using Aeries’ SIS and “had an increased risk of exposure” from the data breach, according to the settlement filing with the court. 

In the Illuminate Education case, U.S. District Court Judge James Selna on April 19, 2023, granted Illuminate’s motion to dismiss, agreeing that “plaintiffs have not plausibly alleged any actual identity theft.” 

“Plaintiffs allege they are ‘concerned’ that their or their child’s Social Security numbers were breached but do not actually allege social security numbers were part of the data breach,” the judge wrote in the dismissal. “Plaintiffs allege students’ academic, behavior, and demographic information was leaked … but notably do not allege social security, credit card, or bank information was leaked.”

In its breach notification letters that began going out to school districts last April, Illuminate expressly said that “Social Security numbers and financial information were not at risk as a result of this event.”

“On the other hand, it’s possible the leaked information potentially allowed an individual to recover passwords to (plaintiffs’ financial accounts),” wrote the judge. “In any event, the Court is left to speculate, based on the allegations and facts, as to whether any actual identity theft occurred based on information leaked in the data breach.”

He added that “the factual allegations do not actually create a nexus between the information leaked and the alleged harm.”

“Plaintiffs fail to establish any actual identity theft related to the data breach and thus the harm has not materialized. Likewise, Plaintiffs fail to allege how the information leaked in the data breach (academic and behavioral information) puts them at harm or risk, particularly credible and immediate risk of harm,” said the ruling.