Late Friday afternoon Chicago Public Schools families learned that CPS students were (once again!) victims of a massive data breach, one that impacts all current and former students back to 2017—700,000 people. Read more about that here. While we don’t yet know if the software vendor, Cleo, was at fault for insecurely holding data, what we do know is that, even if Cleo is at fault, most families impacted by this breach likely have no recourse under Illinois law to sue the vendor.
That’s because our state data privacy law, the Student Online Personal Protection Act (SOPPA), doesn’t include what’s known as a “private right of action.”
This CPS breach comes just two months after ed tech vendor PowerSchool announced a ransomware attack on their software that impacted more than 60 million students and almost 10 million educators—affecting, at a minimum, dozens of Illinois school districts.
(Here’s our list of Illinois districts involved in the PowerSchool breach based on media reports; let us know if your district was impacted, but isn’t listed. Unfortunately, there is no central tracking of these breaches in Illinois, and PowerSchool still hasn’t released its own list. In fact, according to PowerSchool’s breach hotline this week, they haven’t even finalized a list of affected schools yet!)
As with the CPS Cleo incident, SOPPA gives families no right to sue PowerSchool even though their system didn’t require multi-factor authentication and the data wasn’t encrypted.
Instead, SOPPA depends on our State Attorney General for enforcement, and even though massive breaches that have been the vendors’ fault have impacted thousands upon thousands of Illinois students (e.g. Battelle for Kids, 2022 and Pearson, 2018), to our knowledge there has not been any action taken by the AG under SOPPA against these companies.
That’s even the case for vendors with multi-million dollar state contracts that are violating SOPPA by selling student data, specifically the testing companies College Board and now ACT, Inc. Under SOPPA, selling student data has been illegal in Illinois since 2017!
That’s why IL-FPS is supporting a new bill, HB 2696, sponsored by State Rep Anne Stava-Murray (D-Downers Grove), in the IL General Assembly.
HB 2696 would give families the right to bring lawsuits against tech vendors who violate SOPPA. It would also reinforce the fact that testing companies with state contracts can’t sell the data they have access to as a contractor! More info about the bill here.
Take action to get this bill moving and passed!
- Fill out a witness slip as a PROPONENT for two hearings, March 19th and March 20th. (Witness slip How-To instructions here) [NOTE 3/15: HB 2696 now scheduled for 3/19 or 3/20. Please (re)submit for both dates.]
- Write your state rep using this form to ask them to sponsor HB 2696.
- Call your state rep—find their number here.
  "I'm a constituent, and I'm calling to ask my representative to co-sponsor HB 2696, a bill to strengthen our student data privacy law, SOPPA."
There ARE strong requirements in SOPPA already for protecting student data, but if no one is enforcing those requirements, tech companies have no motivation to comply with them!
And at a time when the Presidential administration is gutting federal agencies that play crucial roles in protecting student privacy, including the US Department of Ed, FTC, SEC, FBI and Cybersecurity and Infrastructure Security Agency, Illinois needs to step up protections at the state level.
The price of a public education in Illinois shouldn't be students' personal private data. Let's get this bill passed!