The FTC also claims Chegg failed to implement “commercially reasonable” measures. It allegedly allowed workers and contractors to log in with a single sign-on, did not require multi-factor authentication, and did not screen for threats. According to the Commission, the corporation maintained personal data in plain text and relied on “outdated and poor” encryption for passwords. Officials further claim that Chegg did not have a formal security policy until January 2021, and that despite three phishing assaults, it did not give enough security training.
According to the FTC, Chegg has agreed to comply with a proposed order to make reparations. The organization will need to both identify and limit the extent of the information it gathers. It plans to implement multi-factor authentication as well as a “comprehensive” security programme that will involve encryption and security training. Customers will have access to their data and will be able to request that Chegg erase it.
