The Daily Evergreen

WSU faces lawsuit over data breach

Plaintiffs argue inadequate security measures led to hard drive theft last spring

TEVA MAYER | The Daily Evergreen

TEVA MAYER | The Daily Evergreen

CODY COTTIER, Evergreen reporter

Hang on for a minute...we're trying to find some more stories you might like.


Email This Story






Four people are bringing a class-action lawsuit against WSU, alleging they suffered identity theft after a hard drive containing sensitive information for more than 1 million people was stolen from a WSU facility in April.

The lawsuit, which represents everyone affected by the security breach, argues that WSU failed to adequately protect the hard drive, on which the Social and Economic Sciences Research Center stored data about trends in state education and careers. It was kept in a $126-per-month self-storage locker in Olympia without video surveillance, and some data on it was not encrypted, “disregarding industry standards.”

After discovering the theft on April 21, WSU waited until June 9 to notify those whose information was stored on the hard drive. The lawsuit argues that by not immediately alerting them of the breach, the university violated the Washington Consumer Protection Act and prevented people from guarding themselves against identity theft.

The plaintiffs want WSU to fully disclose the nature of the compromised information, and adopt security practices to avoid similar incidents in the future.

According to the lawsuit, WSU is liable for penalties of up to $10,000 for each of the more than 1 million people, under state law regarding unauthorized disclosure of records for research.

“The facts presently known indicate that WSU was lackadaisical, cavalier, reckless or, at the very least, negligent in storing and protecting the [information],” the lawsuit states.

WSU’s Office of the Attorney General declined to comment on the lawsuit.

After the theft, WSU enlisted Navigant, a security company, to determine whose information had been stolen. This took six weeks, as the company decoded the data stored on a backup hard drive. The university then mailed more than 1 million notification letters.

Phil Weiler, vice president for marketing and communication, said WSU offered a year of free credit monitoring to people who received letters, and set up a call center to help them through the process.

“I think the university went a long way to do everything we could to protect people’s information,” Weiler said.

He noted that there is no evidence anyone has accessed the personal information on the hard drive. The Olympia Police Department found few leads, and did not identify any suspects in the theft.

Rachel Bender, one of several attorneys for the plaintiffs, said they have created a website for people who may have been affected by the security breach to contact them through, at wsuclassaction.com. She said each of the firms working the case has received emails from people who either believe they have suffered identity theft, or are concerned they will.

“We just want everyone to feel that if they’ve been affected they have somewhere to go,” Bender said. “We want to make sure this is handled properly.”

One of the plaintiffs, Abhi Sheth, filed a federal suit against WSU in July, but the case was dismissed soon after due to procedural issues. The new lawsuit, filed in December, consolidates Sheth’s complaint with those of three plaintiffs who previously filed cases separately.

According to the lawsuit, Sheth suffered a roughly $200 fraudulent charge about a week after the hard drive was stolen. Other plaintiffs experienced similar issues, or feared they would.

The lawsuit states the year of free credit monitoring WSU offered is not sufficient compensation. The effects of identity theft often play out over years, it states, requiring a great deal of time and money.

In addition to appropriate compensation, the plaintiffs are seeking orders that WSU establish and routinely update security policies; store personal information only at on-campus sites; regularly train security personnel; and disclose precisely what information was on the hard drive, and how members of the “class” — those whose information was stolen — should protect themselves.

“Our concern is protecting the class itself,” Bender said, “and making sure that anyone who has been affected by this has the information they need and the resources they’re looking for.”

 

Security improvements

WSU Information Technology Services is working on revisions to its security procedures, including a new policy about how to handle different types of data.

“Not everything needs to be protected at the same level,” said Sasi Pillay, vice president of ITS.

He said they recently presented to the president’s cabinet, recommending the university classify information system-wide. If the policy is ratified, Pillay said, they will survey all university departments to identify and classify what data they have.

Although the security breach last spring occurred because a physical hard drive was stolen, Pillay said the data storage location is less important than other security measures.

“It doesn’t really matter how you store it,” he said, “on campus or in the cloud, as long as data is encrypted.”

He said they hope to increase understanding of proper security through computer-based instruction, starting with ITS employees and spreading out to faculty, staff and students.

ITS is reviewing software contracts to ensure they are secure, Pillay said, and he is working on renewing the university’s liability insurance policy.

“IT security is not a destination, it’s a journey,” he said. “We have come a long way, we still have a long way to go.”

[pdf-embedder url=”https://dailyevergreen.com/wp-content/uploads/2018/03/Class-action-suit.pdf” title=”Class-action suit”]

About the Writer
CODY COTTIER, Evergreen reporter
Cody Cottier is a senior communication and philosophy double major from Chimacum.
Navigate Right
Navigate Left
  • WSU faces lawsuit over data breach

    Local

    Library to offer engaging programs for seniors

  • WSU faces lawsuit over data breach

    Crime

    Suspect in alleged 2016 rape will not be charged

  • WSU faces lawsuit over data breach

    Faculty

    WSU psychologist receives honor from APA

  • Crime

    Former UM football player enters plea in assault

  • WSU faces lawsuit over data breach

    News

    Welcome sign greets visitors in dozens of languages

  • WSU faces lawsuit over data breach

    News

    GPSA talks increased budget, mental health

  • WSU faces lawsuit over data breach

    News

    Gym hygiene: Science behind dress code

  • WSU faces lawsuit over data breach

    News

    ‘2 Weeks of Pullman’ aids Cougar Health Fund

  • WSU faces lawsuit over data breach

    News

    ‘Party in the Park’ celebrates culture, cuisine

  • News

    Activist visits campus to talk leadership, involvement

Hang on for a minute...we're trying to find some more stories you might like.


Email This Story






No P.R. No B.S. No Retreat. Watchdogs since 1895
WSU faces lawsuit over data breach