On October 31, 2022, the Federal Trade Commission announced a proposed settlement with education technology provider Chegg in connection with the company’s alleged poor cybersecurity practices.
The FTC’s complaint alleges that Chegg’s lax cybersecurity procedures contributed to four separate data breaches that exposed the financial and medical information of employees and the personal information of 40 million customers. The FTC found that Chegg failed to consistently implement basic security measures such as encryption and multi-factor authentication, and did not monitor company systems for security threats. The complaint further notes that the company did not provide adequate security training to employees and did not implement a written security policy until January 2021.
As part of the proposed order, the FTC will require Chegg to limit its data collection, allow consumers to access their data and implement a comprehensive security program that includes multi-factor authentication.
Update: On January 27, 2023, the FTC finalized its order with Chegg Inc., with only one substantive comment and a Commission vote of 4-0.