Key developments
California Supreme Court narrows CMIA breach claims
On May 14, the California Supreme Court in J.M. v. Illuminate Education held that CMIA plaintiffs do not need to show unauthorized parties actually viewed the data; alleging a significant risk of unauthorized access is enough under section 56.101. The court also said Illuminate was not a provider of healthcare under CMIA because its platform served educational purposes, and it limited Customer Records Act coverage by finding the school district, not the student, obtained the service.
Why it matters
The ruling makes CMIA breach suits easier to plead while narrowing the statute's reach for education technology vendors.
Sources & driving stories
NIXON PEABODY
Nixon Peabody coverageLAW360 · Allison Grande
Law360 coverageInstructure reports Canvas breach affecting schools worldwide
Instructure said it detected unauthorized activity on April 29 and identified additional related activity on May 7 tied to the same incident. The exposure involved usernames, email addresses, course names, enrollment information, and messages; Federal Student Aid said Canvas platforms used by K-12 and higher-ed institutions worldwide were affected. The reporting warns the data can still support phishing, impersonation, and FERPA concerns.
Why it matters
School vendor breaches can create broad privacy and operational exposure even when passwords or course content were not taken.
Sources & driving stories
VANCORD · Jason Pufahl
Vancord coverageFidelity settles 2024 breach for $2.5 million
Fidelity Investments agreed to a $2.5 million class-action settlement over a 2024 breach in which a third party accessed customer names and personal identifiers, including Social Security numbers and driver’s licenses. More than 77,000 customers were reported impacted, and the deal includes reimbursement for documented losses, cash payments for claimants, and two years of identity-theft protection; final approval is set for July 9.
Why it matters
It shows how large breach cases are increasingly resolved through cash, reimbursement, and monitoring packages rather than continued litigation.
Sources & driving stories
FOX 9 MINNEAPOLIS-ST. PAUL · Catherine Stoddard
FOX 9 Minneapolis-St. Paul coverageWWLP · Jeremy Tanner
WWLP coverageWorth noting
WORTH NOTING
Oak View Group breach settlement
Another class action settlement adds an $824,000 fund, reimbursement claims, and August deadlines for a 2023 venue-management breach.
WORTH NOTING
April roundup shows enforcement shift
Securiti's roundup bundles new laws and regulator actions, including geolocation limits, pixel-consent rules, and workplace data enforcement.
Still unclear
OPEN QUESTION
How broadly will Illuminate's standard apply?
Courts will have to decide whether the significant-risk pleading rule extends beyond edtech to other holders of sensitive medical information.
OPEN QUESTION
Will schools change vendor incident playbooks?
The Canvas breach suggests districts may need tighter authentication, integration review, and notice procedures for third-party learning platforms.