[BreachExchange] What Led to a $4.7 Million Breach Lawsuit Settlement?

[Destry Winant]

https://www.databreachtoday.com/what-led-to-47-million-breach-lawsuit-settlement-a-12401

Washington State University has agreed to pay more than $4.7 million
to settle a lawsuit stemming from the theft of a portable hard disk
drive from a self-storage unit. The drive contained information on
about 1.2 million individuals - much of it unencrypted - that was
gathered for an education research project, according to the
settlement.

One legal expert suggests the settlement was so large because of the
lax security for the sensitive data, which included Social Security
numbers.

"The settlement is a bit larger than typical, but the ... arguably
more liberal Washington state [consumer protection laws], together
with the absolute recklessness of storing unencrypted personal
information in, bizarrely, a safe in a storage locker - when
encrypting the hard drive would have made the safe unnecessary - makes
the larger settlement appear more reasonable," says technology
attorney Steven Teppler, a partner at the law firm Mandelbaum Salsburg
P.C., who was not involved in the case.

Terms of Settlement

The settlement includes cash reimbursements of up to $5,000 for those
who can document out-of-pocket expenses related to the breach, such as
for credit monitoring services and credit reports. "In the event the
total amount of all claims for cash exceeds $3.25 million, the amount
of each claim for cash shall be reduced pro rata," the settlement
states.

Some plaintiffs in the lawsuit claimed that their stolen data was used
as part of various identity theft crimes or that they needed to buy
credit monitoring services to ensure that ID theft didn't happen.
Although it settled the case, the university had argued that it was
difficult to tie ID theft to the incident because so much personal
data is available as a result of various breaches.

The settlement also includes two years of prepaid credit monitoring
and insurance services for all those whose data was exposed, as well
as payments for administrative fees, attorneys fees and other
expenses.

Theft From Storage Unit

The settlement stems from the April 2017 theft of a hard disk drive
stored in a safe at a self-storage unit used by the university's
Social & Economic Sciences Research Center in Olympia, Washington.

The university's Social & Economic Sciences Research Center collected
data on almost 1.2 million individuals over a 15-year period for an
education research study. The data included names, addresses, phone
numbers, email addresses, dates of birth, SAT and ACT scores, Social
Security numbers, career data and personal health information,
according to the settlement, which did not specify the health data
involved.

Many of the plaintiffs in the case claimed that they never knew the
university or the research center had ever collected this information,
according to the settlement.

Poor Security Practices

The security breakdown that led to the lawsuit started when the
university's research center created a weekly network backup of the
research and data that was then stored on hard drives. These portable
devices were then swapped out on a weekly or bi-weekly basis,
according to the settlement that was unsealed late last week.

These portable drives were stored in the self-storage unit, which did
not have security cameras, according to the settlement.

Someone broke into the unit and stole a backup drive containing more
than 700,000 files. Of those, 3,057 files contained personal
information on over 1 million people, the settlement notes.

The university first learned of the theft on April 21, 2017. School
leaders informed local law enforcement of the theft and hired a
computer forensics firm to investigate the incident and confirm what
data was taken. The university later acknowledged all this in a June
2017 press release.

Settlements and Security Revamps

Phil Weiler, a university spokesman, says in a statement the $4.7
million settlement and the ongoing credit monitoring and identity
theft services would be paid for through the school's cyber liability
insurance policy and its insurance through the state.

"While Washington State University disputes the claims made in the
suit, the university has concluded that continued litigation would be
even more expensive and time-consuming," Weiler tells ISMG. "As a
result, WSU has entered into an agreement to provide plaintiffs with
additional credit monitoring and insurance services, as well as pay
for certain lost time related to the theft and documented
out-of-pocket costs."

The university had originally offered one year of prepaid credit
monitoring, but only about 44,000 individuals took advantage of the
offer, according to the settlement agreement.

Additionally, the university agreed to:

- Destroy archived research data related to the project mentioned in
the lawsuit;
- Move any remaining research backup hard drives to a more secure location;
- Conduct data security assessment and audits and then implement any
necessary new procedures, policies, technologies and training;
- Terminate outside IT contracts related to the research project
mentioned in the lawsuit and transfer those responsibilities to the
school's Office of Research Information Technology.

Start From Scratch?

Teppler says he would advise any clients in a similar situation to
revamp their entire security strategy, starting with an assessment to
find where any and all data is stored and the nature of that data.

"I would advise a complete security assessment, which typically
involves investigating an entity's technology ecosystem, and the
policies - if any - that govern its administration and protection,"
Teppler says. "Following that, we'd come up with phased
recommendations based on prioritized security requirements."