UPDATE -- Rocklin Unified School District/ Illuminate Education Data Breach

RUSD Families Are Sent Data Breach Notices from Illuminate Education: Attorney Investigation Ongoing

On May 20, 2022, the California Office of the Attorney General ("COAG") announced that Illuminate Education notified affected RUSD families about its 2021/22 data breach.

According to the posting, the breach was reported to the COAG on May 13, 2022. This data breach was previously reported to the California Attorney General on May 4, 2022. The updated sample notice (which can be found here ) states that Illuminate began to notify affected individuals on or about April 5, 2022.

The deadline to enroll in IDX credit monitoring services is listed on the updated notice as August 13, 2022.

If you have received a Data Breach Notice from RUSD/Illuminate for your child and are concerned about this breach and what your options are please fill out this contact form.

To learn more about this data breach of confidential student data, please read our original post about this event, which follows immediately below.

California Student Data at Risk -- Rocklin Unified School District/ Illuminate Education Data Breach

Attorney Investigation Launched on Behalf of Affected California Minors

On May 4, 2022, Rocklin Unified School District (“RUSD”) reported a Data Breach to the California Office of the Attorney General, providing notice through its vendor, Illuminate Education (“Illuminate”).

On January 8, 2022, Illuminate became aware of “suspicious activity” within some Illuminate applications used by RUSD. After investigation, Illuminate determined that “certain databases containing potentially protected student information were subject to unauthorized access between December 28, 2021 and January 8, 2022.” The affected databases may have contained protected data related to current and/or former Rocklin Unified School District students.

Illuminate Education is offering students 12 months of complementary identity monitoring services through IDX.

The full text of the RUSD / Illuminate Date Breach Notice can be found here.

The California Attorney General's Office Privacy Enforcement and Protection Unit has crafted recommendations for the education technology industry to protect the privacy of student personal information.

To view additional information regarding this data breach, click here.

California’s Privacy Enforcement and Protection Unit Recommendations:

• Minimize student data collected and retained

• Only use information for educational purposes

• Make sure your service providers are contractually required to also protect student data

• Respect users’ rights

• Data security: implement reasonable and appropriate safeguards

  • Implement a training program to ensure ed tech employees know how to best protect student data

• Provide a meaningful and understandable privacy policy[2]

The sensitive nature of this data means that “student information is something that must be handled with great care. [. . . ] As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.”[3]

Special California Laws Protect You

If your student is a California resident and received a Recent Notice of Data Breach from Rocklin Unified School District/Illuminate Education, you may be entitled to between $100 and $1,000 or your actual damages, whichever is greater. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.

California has laws that specifically protect your personal information.

o The Student Online Personal Information Protection Act (SOPIPA) requires that every online service used primarily for K-12 school purposes must maintain reasonable security procedures and practices to protect student personal information from unauthorized access, destruction, or disclosure.

o The California Confidentiality of Medical Information Act (CMIA) requires that every health care provider and health care service plan who maintains medical information do so in a manner that preserves its confidentiality.

o The California Customer Records Act (CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information.

o The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents.

If certain types of personal information, like medical information and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the SOPIPA, CCPA, and CCRA. Medical information is additionally covered by the CMIA.

We Can Help You Exercise Your Rights

Every case is unique. Even when your data has been part of a breach, despite the provisions of the SOPIPA, CMIA, and CCPA you may not be awarded compensation.

Experienced data breach and class action attorneys can help you exercise your rights, evaluate your options, and decide whether you are entitled to compensation. There are no out of pocket costs to you, as we only get paid if we prevail.

Confidential • No cost • No obligation

If you have received a Data Breach Notice from RUSD/Illuminate for your child and are concerned about this breach and what your options are please fill out this contact form.

[1] Source: Kamala Harris, former Attorney General of California, California DOJ, Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (2016). [2] Source: same. [3] Source: same.