top of page

Excessive Data Breaches Bring Additional Action Beyond Fines and Penalties per Incident

Education Technology provider Chegg is facing an FTC lawsuit requiring them to implement multi-factor authentication, improve data security practices and delete unnecessary data following four data breaches and tens of millions of consumer records compromised over a three year period.

Organizations are aware of the brand risks, financial risk and fines from suffering data breaches that compromise consumer records, but are likely less likely to consider a cumulative action like what the Federal Trade Commission (FTC) recently announce against Chegg, Inc.

According to the FTC, Chegg’s “lax security practices resulted in four separate data breaches in a span of just a few years, leading to the misappropriation of personal information about approximately 40 million consumers.” This led to the FTC filing their complaint against the online educational products and services company, including requiring the company to increase their data security practices.

Notably, the FTC alleges that Chegg allowed employees and third-party contractors to databases containing sensitive information with a single access key and full admin privileges, multi-factor authentication (MFA) was not required to access these databases, and that all user and employee personal information was stored in plain text. Further, the company neglected to monitor its network for unauthorized access or for illegally transferring sensitive data out of the system.

To settle the case, FTC has set forth a set of requirements for Chegg to follow as part of a comprehensive restructuring of data protection practices. This includes creating and following a schedule in terms of what personally identifiable information (PII) will be collected, why it’s collected and when it will be deleted. The company is also being required provide two-factor authentication (2FA) to customers and employees to protect their accounts or database access.

The FTC goes on to discuss what other companies can learn Chegg’s mistakes, including than any data security incident – let alone four – should trigger a comprehensive review of data security procedures.

For more information:


bottom of page