$4.7 Million Settlement Agreed in Washington State University Data Breach Class Action Lawsuit

In the past few days a $4.7 million settlement has been approved by the King County Superior Court to reimburse individuals whose personal information was stolen from Washington State University in April 2017.

Washington State University had backed up personal information on external hard drives, which were stored in a safe in a self-storage locker. On April 21, 2017, the university discovered a break-in had taken place at the storage facility and the safe had been stolen. The hard drives held the sensitive personal information of 1,193,190 individuals. Most of the files on the hard drives were not encrypted.

The drives contained the types of data sought by identity thieves: names, contact information, and Social Security numbers, along with health data of patients, college admissions test scores, and other data. The information dated back around 15 years and had been obtained by the WSU Social and Economic Sciences Research Center for a research project.

While the hard drives were taken, Washington State University states there are no indications that any data stored on the devices have been accessed or improperly used. Some of the plaintiffs named in the lawsuit claimed they have suffered identity theft or fraud due to the breach, but the university maintains that such cases were not due to the stolen hard drives. The decision was taken to settle the lawsuit to save money. The settlement, while high, is believed to be much lower than the continued expense of legal action.

In January 2019, a settlement of $5.26 million was agreed with the WSU Board of Regents. While the final settlement is lower, it does not take into account the cost of credit monitoring and identity theft protection services for individuals affected by the breach. In addition to the settlement amount, Washington State University will pay for two years of credit monitoring and identity theft protection services for up to 1,193,190 patients impacted by the breach.

The final cost will depend on the number of people who submit claims. WSU will accept claims up to $5,000 from individuals impacted by the breach to make up for out-of-pocket expenses and lost time, provided there is evidence of those. The fund for paying those claims is $3.5 million. If that total is surpassed, claim amounts will be reduced pro rata. Around $800,000 has been set aside to cover attorneys’ fees and a further $650,000 will pay for administrative costs. Washington State University was covered by a cyber-liability insurance policy which will cover the settlement.

The university has also committed to updating policies and procedures and enhancing security. Backup data will now be held in a more secure location, data security assessments and audits will be regularly conducted, and more training will be provided to staff. IT contracts in relation to the research project will be ended and those functions will be handled in house, and archived data from the research project will be permanently deleted.

The settlement emphasises the importance of using encryption to protect stored data, especially data saved on portable electronic devices. When data are encrypted, they cannot be viewed in the event of loss or theft of a device, and such an incident would not be classified as a reportable breach.

Author: Maria Perez