Search
  • April M Strauss

California Student Data at Risk -- Rocklin Unified School District/ Illuminate Education Data Breach

Updated: May 10

Attorney Investigation Launched on Behalf of Affected California Minors



On May 4, 2022, Rocklin Unified School District (“RUSD”) reported a Data Breach to the California Office of the Attorney General, providing notice through its vendor, Illuminate Education (“Illuminate”).


​Information Potentially at Risk:


Student name Academic information Behavior information Enrollment information Accommodation information Special education information Student demographic information


On January 8, 2022, Illuminate became aware of “suspicious activity” within some Illuminate applications used by RUSD. After investigation, Illuminate determined that “certain databases containing potentially protected student information were subject to unauthorized access between December 28, 2021 and January 8, 2022.” The affected databases may have contained protected data related to current and/or former Rocklin Unified School District students.


Illuminate Education is offering students 12 months of complementary identity monitoring services through IDX.


The full text of the RUSD / Illuminate Date Breach Notice can be found here.

​The type of data potentially compromised by this

data breach should be afforded the highest level

of security, since “the data on students collected

and maintained by Ed Tech can be very sensitive,

including medical histories, social and emotional

assessments, child welfare or juvenile justice

system involvement, progress reports, and test

results.” [1]

​This is the third data breach reported on the RUSD website since April, 2020.

The California Attorney General's Office Privacy Enforcement and Protection Unit has crafted recommendations for the education technology industry to protect the privacy of student personal information.


To view additional information regarding this data breach, click here.


California’s Privacy Enforcement and Protection Unit Recommendations:

  • Minimize student data collected and retained

  • Only use information for educational purposes

  • Make sure your service providers are contractually required to also protect student data

  • Respect users’ rights

  • Data security: implement reasonable and appropriate safeguards

  • Implement a training program to ensure ed tech employees know how to best protect student data

  • Provide a meaningful and understandable privacy policy[2]


The sensitive nature of this data means that “student information is something that must be handled with great care. [. . . ] As the devices we use each day become increasingly connected, it’s critical that we implement robust safeguards for what is collected, how it is used, and with whom it is shared.”[3]


Special California Laws Protect You


If your student is a California resident and received a Recent Notice of Data Breach from Rocklin Unified School District/Illuminate Education, you may be entitled to between $100 and $1,000 or your actual damages, whichever is greater. Participants in data breach lawsuits can recover damages, injunctive relief (to make sure that the business has reasonable security practices to protect consumer data from being leaked again), and anything else the court concludes is necessary to compensate data breach victims and prevent these harms from reoccurring.


California has laws that specifically protect your personal information.


o The Student Online Personal Information Protection Act (SOPIPA) requires that every online service used primarily for K-12 school purposes must maintain reasonable security procedures and practices to protect student personal information from unauthorized access, destruction, or disclosure.


o The California Confidentiality of Medical Information Act (CMIA) requires that every health care provider and health care service plan who maintains medical information do so in a manner that preserves its confidentiality.


o The California Customer Records Act (CCRA) requires businesses to put into place and maintain reasonable security procedures and practices to protect consumer’s personal information.


o The California Consumer Privacy Act (CCPA) contains many protections for personal information of California residents.


If certain types of personal information, like medical information and names, are left unencrypted and are accessed, stolen, or hacked because a business didn’t fulfill its obligation to implement and maintain reasonable security, an affected California resident can sue to protect their rights under the SOPIPA, CCPA, and CCRA. Medical information is additionally covered by the CMIA.


We Can Help You Exercise Your Rights


Every case is unique. Even when your data has been part of a breach, despite the provisions of the SOPIPA, CMIA, and CCPA you may not be awarded compensation.

Experienced data breach and class action attorneys can help you exercise your rights, evaluate your options, and decide whether you are entitled to compensation. There are no out of pocket costs to you, as we only get paid if we prevail.


Confidential • No cost • No obligation


If you have received a Data Breach Notice from RUSD/Illuminate for your child and are concerned about this breach and what your options are please fill out this contact form.


[1] Source: Kamala Harris, former Attorney General of California, California DOJ, Ready for School: Recommendations for the Ed Tech Industry to Protect the Privacy of Student Data (2016). [2] Source: same. [3] Source: same.