Student Sues Md. College for Negligence After March Data Breach
Washington College failed to secure plaintiff Abigail Collins’ personally identifiable information (PII) in a March data breach, alleged a class action (docket 1:23-cv-03258) Friday in U.S. District Court for Maryland in Baltimore.
Sign up for a free preview to unlock the rest of this article
Export Compliance Daily combines U.S. export control news, foreign border import regulation and policy developments into a single daily information service that reliably informs its trade professional readers about important current issues affecting their operations.
Unauthorized third-party cybercriminals gained access to the PII of Collins, a Washington College student and resident of Worton, Maryland, and class members, said the complaint. Collins’ information was stored with the college, which informed her of the breach in a Nov. 15 notice. Though Collins was aware a cybersecurity incident occurred in March, she didn't know her PII might be involved until she received the letter, it said.
Collins was injured in the form of lost time dealing with the consequences of the data breach, including lost time spent verifying its impact. She was injured by time spent exploring credit monitoring and identity theft insurance options, self-monitoring her accounts and seeking legal counsel regarding her options for remedying or mitigating its effects, the complaint said.
The plaintiff and class members were also injured by the “material risk to future harm” they may suffer as a result of their PII being exposed in the breach, said the complaint. The risk is “imminent and substantial” because data exposed in the breach, including Social Security numbers, is “highly sensitive and presents a high risk of identity theft and fraud,” it said. Given the college’s “clientele,” some of the class’s exposed information “has already been misused,” it said.
Plaintiff and class members suffered actual injury in the form of damages to and dimunition in the value of their PII, and they have experienced increased anxiety for their loss of privacy and over the impact of cybercriminals “accessing, using, and selling their PII,” it said. Collins has a continuing interest in ensuring that her PII, which “remains backed up in the Defendant’s position, is protected and safeguarded from future breaches,” it said.
Collins asserts claims of negligence, breach of implied contract, breach of the implied covenant of good faith and fair dealing, and unjust enrichment. She seeks awards of actual, nominal and consequential damages and orders enjoining the college from engaging in the conduct alleged. She also seeks orders requiring the college to protect, through encryption, all data collected in accordance with applicable regulations, industry standards, and federal, state or local laws; requiring it to delete and purge the PII of all class members; and requiring it to maintain a comprehensive information security program, plus prejudgment interest and attorneys’ fees and legal costs.