WSU faces lawsuit over data breach

Plaintiffs argue inadequate security measures led to hard drive theft last spring

CODY COTTIER, Evergreen reporter

Four people are bringing a class-action lawsuit against WSU, alleging they suffered identity theft after a hard drive containing sensitive information for more than 1 million people was stolen from a WSU facility in April.

The lawsuit, which represents everyone affected by the security breach, argues that WSU failed to adequately protect the hard drive, on which the Social and Economic Sciences Research Center stored data about trends in state education and careers. It was kept in a $126-per-month self-storage locker in Olympia without video surveillance, and some data on it was not encrypted, “disregarding industry standards.”

After discovering the theft on April 21, WSU waited until June 9 to notify those whose information was stored on the hard drive. The lawsuit argues that by not immediately alerting them of the breach, the university violated the Washington Consumer Protection Act and prevented people from guarding themselves against identity theft.

The plaintiffs want WSU to fully disclose the nature of the compromised information, and adopt security practices to avoid similar incidents in the future.

According to the lawsuit, WSU is liable for penalties of up to $10,000 for each of the more than 1 million people, under state law regarding unauthorized disclosure of records for research.

“The facts presently known indicate that WSU was lackadaisical, cavalier, reckless or, at the very least, negligent in storing and protecting the [information],” the lawsuit states.

WSU’s Office of the Attorney General declined to comment on the lawsuit.

After the theft, WSU enlisted Navigant, a security company, to determine whose information had been stolen. This took six weeks, as the company decoded the data stored on a backup hard drive. The university then mailed more than 1 million notification letters.

Phil Weiler, vice president for marketing and communication, said WSU offered a year of free credit monitoring to people who received letters, and set up a call center to help them through the process.

“I think the university went a long way to do everything we could to protect people’s information,” Weiler said.

He noted that there is no evidence anyone has accessed the personal information on the hard drive. The Olympia Police Department found few leads, and did not identify any suspects in the theft.

Rachel Bender, one of several attorneys for the plaintiffs, said they have created a website, wsuclassaction.com, through which people who may have been affected by the security breach can contact them. She said each of the firms working the case has received emails from people who either believe they have suffered identity theft, or are concerned they will.

“We just want everyone to feel that if they’ve been affected they have somewhere to go,” Bender said. “We want to make sure this is handled properly.”

One of the plaintiffs, Abhi Sheth, filed a federal suit against WSU in July, but the case was dismissed soon after due to procedural issues. The new lawsuit, filed in December, consolidates Sheth’s complaint with those of three plaintiffs who previously filed cases separately.

According to the lawsuit, Sheth suffered a roughly $200 fraudulent charge about a week after the hard drive was stolen. Other plaintiffs experienced similar issues, or feared they would.

The lawsuit states the year of free credit monitoring WSU offered is not sufficient compensation. The effects of identity theft often play out over years, it states, requiring a great deal of time and money.

In addition to appropriate compensation, the plaintiffs are seeking orders that WSU establish and routinely update security policies; store personal information only at on-campus sites; regularly train security personnel; and disclose precisely what information was on the hard drive, and how members of the “class” — those whose information was stolen — should protect themselves.

“Our concern is protecting the class itself,” Bender said, “and making sure that anyone who has been affected by this has the information they need and the resources they’re looking for.”

 

Security improvements

WSU Information Technology Services is working on revisions to its security procedures, including a new policy about how to handle different types of data.

“Not everything needs to be protected at the same level,” said Sasi Pillay, vice president of ITS.

He said they recently presented to the president’s cabinet, recommending the university classify information system-wide. If the policy is ratified, Pillay said, they will survey all university departments to identify and classify what data they have.

Although the security breach last spring occurred because a physical hard drive was stolen, Pillay said the data storage location is less important than other security measures.

“It doesn’t really matter how you store it,” he said, “on campus or in the cloud, as long as data is encrypted.”

He said they hope to increase understanding of proper security through computer-based instruction, starting with ITS employees and spreading out to faculty, staff and students.

ITS is reviewing software contracts to ensure they are secure, Pillay said, and he is working on renewing the university’s liability insurance policy.

“IT security is not a destination, it’s a journey,” he said. “We have come a long way, we still have a long way to go.”
