Data you kept but did not need is the FTC's new target

The FTC's finalized Illuminate order treats data you retain without a reason as a security failure, and that framing reaches well beyond edtech.

In June the FTC gave final approval to its order against Illuminate Education, the edtech vendor whose breach exposed the personal data of millions of students. The headline is familiar: a company that said it took security seriously and did not. The part worth your attention is quieter. A large share of the order is about data the company should have deleted years earlier.

The breach itself came from ordinary failures. Student records sitting in plaintext until 2022, inactive accounts that were never audited or removed, no real retention discipline. What makes this order useful for anyone running a SaaS product is how the FTC framed the fix. It did not just require encryption and an incident response plan, which is table stakes at this point. It required Illuminate to delete covered information whose retention is not reasonably necessary, to stop collecting and keeping data beyond what its contracts actually require, and to publish a retention schedule that ties every category of data to a stated purpose and a time limit.

Read that as a shift in what counts as reasonable security. For years the operating assumption was that holding onto data was free and deleting it was the risky move, because you might need it later. The FTC is now treating retained data you cannot justify as a security failure in its own right. Every record you keep is a record that can be stolen, and if you cannot point to a business reason and a contract that needs it, the existence of that data becomes the violation. Minimization stopped being a privacy nicety and became a security control the agency will enforce.

This matters most for the data you forgot you had. Old exports, abandoned test databases, backups nobody owns, the analytics table from a product you sunset two years ago. Having written code before I wrote contracts, I know how these accumulate. Nobody decides to keep them. They just never get deleted, because deletion requires someone to take responsibility and there is no deadline forcing the question. The Illuminate order supplies the deadline by making the undeleted data the liability.

This quarter, build the retention schedule the FTC required of Illuminate before anyone requires it of you. Inventory the personal data you hold, name the purpose and the contractual basis for each category, set a deletion timeline, and actually delete what fails the test. Write it down and make it real rather than aspirational. The schedule is the document that turns “we take security seriously” from a phrase that gets you sued into a practice you can show. If you cannot say why you still have something, that is your answer about whether to keep it.