The Federal Trade Commission (FTC) approved a final order requiring Chegg, Inc. to tighten data security practices following a 2019 breach exposing the personal information of approximately 40 million customers.
The FTC alleged that Chegg violated the Federal Trade Commission Act by failing to provide reasonable security for personal information collected from its customers. The order mandates that Chegg implement a comprehensive security program to protect all customer data in its possession.
Chegg must conduct regular security risk assessments, employ a chief information security officer, use strong encryption to protect data at rest and in transit, and monitor for suspicious activity. The company is barred from misrepresenting the security of any covered information or the extent of any security measures.
“Companies have an obligation to protect the sensitive personal information they collect from consumers,” said Andrew Smith, Director of the FTC’s Bureau of Consumer Protection. “This order requires Chegg to put reasonable security measures in place to satisfy that obligation and better safeguard consumers’ data going forward.”
The breach exposed information including names, email addresses, passwords, credit card numbers, and purchase histories. Chegg notified affected customers and offered identity theft protection services. The FTC’s action is intended to prevent future missteps that could endanger sensitive data.
Chegg will be required to obtain independent audits certifying its compliance with the FTC order for 20 years. Failure to comply could result in civil and criminal penalties. The order takes effect in 30 days.
The case highlights the FTC’s ongoing efforts to penalize companies for data breaches and force improvements in security practices. Regulated entities are expected to anticipate threats, detect vulnerabilities, and take reasonable steps to shield consumer information from unauthorized access or misuse.
While Chegg avoided a large financial penalty, the ordered reforms and audits still represent a major commitment of resources to overcome the issues that led to the breach. The action establishes clear expectations for Chegg and other companies holding huge troves of consumer data.