Federal Trade Commission Accuses Chegg of “Careless” Data Security

Sophie Shapiro

Associate Editor

Loyola University Chicago School of Law, JD 2024

On Monday, October 31, the U.S. Federal Trade Commission (FTC) called on education technology provider Chegg, Inc. (Chegg) to bolster its data security, citing lax security practices that regulators said exposed the personal data of more than 40 million Chegg users. The exposed personal information included names, email addresses, passwords, and for certain users, sensitive scholarship data such as dates of birth, parents’ income range, sexual orientation, and disabilities.

What is Chegg?

Launched in 2005, Chegg is an American education technology company based in Santa Clara, California. Chegg provides a variety of services to students, such as physical and digital textbook rentals, online tutoring, study guides, and practice problems across many subjects. The company began trading publicly on the New York Stock Exchange in November 2013.

FTC’s complaint

The FTC filed a three-count complaint against Chegg, alleging that Chegg failed to:

  1. Implement basic security measures: Despite its promises, Chegg repeatedly failed to “use reasonable security measures” to protect the information it collected and stored, according to the FTC. One example the FTC cited was Chegg’s failure to require employees to use multifactor authentication when they logged into the third-party databases holding user data. A single stolen or phished credential was therefore enough to reach that data, and the company was also unable to monitor its databases or track threats to them. The FTC stressed that relying on a single login credential does not adequately protect either the company or its users.
  2. Store information securely: The FTC found that Chegg stored personal data in its cloud storage databases in plain text and relied on “outdated and weak” encryption to protect user passwords. This left Chegg users exposed to having their personal information leaked and their passwords recovered by anyone who obtained a copy of the data.
  3. Develop adequate security policies and training: Chegg was required to provide adequate security training to its employees, and the company failed to do so even after multiple phishing attacks. Officials also noted that Chegg did not have a written security policy until January 2021.

Ultimately the FTC concluded that Chegg failed to use “commercially reasonable” safeguards.
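The second count turns on how passwords are stored, and the difference between an “outdated and weak” scheme and a modern one is easiest to see in code. The block below is an added example written for this page; it is not Chegg’s code, and the page does not name the algorithm Chegg actually used. It assumes an unsalted fast hash (MD5, chosen as an illustrative weak scheme) on the weak side and salted scrypt on the strong side, and the wordlist is constructed for the demonstration. It shows why a leaked table of unsalted fast hashes is nearly as bad as plain text: a short dictionary recovers the password instantly, and every user who chose the same password falls at once. The salted, memory-hard record resists the same precomputed-table attack and makes each guess costly.

```python
import hashlib
import hmac
import os
from typing import Optional

# Constructed sample wordlist standing in for a leaked-password dictionary.
WORDLIST = ["123456", "password", "letmein", "chegg2022", "qwerty"]


def weak_hash(password: str) -> str:
    """Unsalted fast hash. MD5 is used here as an illustrative 'outdated and
    weak' scheme (an assumption for this example, not a claim about Chegg)."""
    return hashlib.md5(password.encode("utf-8")).hexdigest()


def crack_weak_hash(digest: str, wordlist) -> Optional[str]:
    """Offline dictionary attack against an unsalted digest. Each guess costs
    one cheap hash, and because there is no salt the same precomputed table
    cracks every user who chose the same password."""
    for guess in wordlist:
        if weak_hash(guess) == digest:
            return guess
    return None


SCRYPT_N, SCRYPT_R, SCRYPT_P = 2 ** 14, 8, 1  # roughly 16 MiB of memory per guess


def strong_hash(password: str, salt: Optional[bytes] = None) -> str:
    """Salted, memory-hard password hash using scrypt (RFC 7914). A fresh
    16-byte random salt defeats precomputed tables, and the cost parameters
    make each guess expensive for an attacker who steals the database."""
    if salt is None:
        salt = os.urandom(16)
    dk = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=32)
    # Self-describing record: parameters can be raised later without
    # breaking verification of older entries.
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     salt.hex(), dk.hex()])


def verify_strong(password: str, stored: str) -> bool:
    """Recompute with the stored salt and parameters, compare in constant time."""
    algo, n, r, p, salt_hex, dk_hex = stored.split("$")
    if algo != "scrypt":
        return False
    dk = hashlib.scrypt(password.encode("utf-8"), salt=bytes.fromhex(salt_hex),
                        n=int(n), r=int(r), p=int(p), dklen=32)
    return hmac.compare_digest(dk.hex(), dk_hex)


if __name__ == "__main__":
    leaked = weak_hash("chegg2022")  # what an attacker sees in a dumped table
    print("weak hash cracked as:", crack_weak_hash(leaked, WORDLIST))
    record = strong_hash("chegg2022")
    print("scrypt record:", record)
    print("verify correct password:", verify_strong("chegg2022", record))
    print("verify wrong password:  ", verify_strong("password", record))
```

Two users with the same password get identical weak hashes, so one cracked entry unlocks both; with the random salt their scrypt records differ, and an attacker must pay the full cost for each guess against each user. That per-guess cost, not secrecy of the algorithm, is what “reasonable security measures” for stored passwords means in practice.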

FTC’s proposed Order

According to the Director of the FTC’s Bureau of Consumer Protection, Samuel Levine, “Chegg took shortcuts with millions of students’ sensitive information.” In response, the FTC’s proposed order requires Chegg to comply with the following:

  1. Detail and Limit Data Collection: Chegg must document, implement, and follow a schedule that tracks three things: 1) what personal information the company collects, 2) its purpose for collecting that data, and 3) when it will delete the information.
  2. Provide Consumer Access to Data: Chegg customers will have access to the data the company has collected on them, and may demand at any point that such data be deleted.
  3. Implement Multifactor Authentication: Multifactor authentication must be used to protect the accounts of both Chegg users and employees.
  4. Implement Security Program: A comprehensive information security program must be created and implemented. This program must address the flaws in Chegg’s current security practices.

Chegg’s response to the three-count complaint

In a statement to Engadget, Chegg said it treats data privacy as a “top priority.” The company cooperated with the FTC and stated that it will fully comply with the Commission’s Administrative Order. A Chegg representative assured that “Chegg is wholly committed to safeguarding users’ data and has worked with reputable privacy organizations to improve our security measures and will continue our efforts.”

It is important that Chegg representatives have openly addressed these data security issues and pledged to do better. However, such words must be accompanied by action for Chegg to regain the trust of both users and employees.

Why are these cybersecurity crackdowns important?

The FTC works to both protect and educate consumers. Without regulatory bodies like the FTC, companies like Chegg could continue to take advantage of their vulnerable users, exposing extremely personal data. Thus, it is crucial to have laws and regulations that force companies to use reasonable security measures to protect such user data.

Furthermore, it is imperative to recognize that Chegg, as an education technology company, serves students, including children. The FTC has a long history of fining companies for violating children’s privacy on services like YouTube and TikTok. The FTC is able to do so under the Children’s Online Privacy Protection Act, a federal law that requires any online service aimed at children under the age of 13 to safeguard their personal data. Additionally, verifiable parental consent must be obtained before collecting any data from these children. The complaint against Chegg, however, is the first case under the FTC’s new campaign, which specifically focuses on protecting student privacy, particularly in the educational-technology industry.

This complaint marks a significant step, signaling continued and strengthened efforts to protect all internet users, particularly children, by enforcing the laws and regulations that companies must follow.