Washington State University: Data Breach Lawsuit Settlement


Washington State University (WSU) has agreed to pay up to $5.3 million to settle a class action lawsuit prompted by the heist of personal data on some 1.2 million individuals in 2017.

The lawsuit stems from an old-fashioned burglary of a self-storage unit in Olympia, Washington a year ago. Robbers made away with a safe belonging to WSU’s Social and Economic Sciences Research department that contained the personal data of the victims, including names, social security numbers and health records. University officials apparently didn’t disclose the security breach for seven weeks. The lawsuit alleged that the delay violated the state’s Consumer Protection Act and a state law that requires timely disclosure of data breaches.

The settlement, which was approved by a King’s County, Washington judge, also provides victims with two years of free credit monitoring, the Spokesman-Review reported. Victims are entitled up to $5,000 in cash for breach-related expenses, attorney’s fees and other compensation. The lion’s share of the settlement will be paid by the WSU’s insurance policies. Actual payout amounts will be determined by the number of people filing claims. While the university claimed it had no evidence that the stolen data had been used to injure the victims, a number of students said their financial accounts had been hacked in the ensuing weeks following the break-in, the Spokesman-Review said.

The Statement

The university issued the standard statement in settlement cases such as this one: “While Washington State University disputes the claims made in the suit, the university has concluded that continued litigation would be even more expensive and time-consuming. As a result, WSU has entered into an agreement to provide plaintiffs with additional credit monitoring and insurance services, as well as pay for certain lost time related to the theft and documented out-of-pocket costs.”

WSU claimed that its tardy response to the security breach owed in part to the sensitive data being stored in relational databases. “We had to associate groups of names with addresses and Social Security numbers. This took a considerable amount of time and expertise from an outside firm,” a WSU spokesperson said.

The storage unit burglary was the second time a hard drive containing sensitive information was stolen from a WSU department, according to the Spokesman-Review report. In 2013, four hard drives were stolen from the university’s School of Biological Sciences that contained the names and social security numbers of 108 school employees and former employees. Some payroll information on 263 other employees was also taken in the burglary, the report said. In that instance, school officials quickly informed victims, changed passwords and encrypted devices.

Similar Lawsuit Settlements

The WSU class action settlement is among a number of similar cases. The University of California at Los Angeles Health recently settled a lawsuit that affected the data of 4.5 million people for $7.5 million. In January, 2018, the University of Central Florida agreed to spend an additional $1 million annually to shore up its cybersecurity safeguards following a hack that exposed 63,000 social security numbers of students and employees.

Last July, the San Francisco Superior Court approved a class action settlement on behalf of current and former employees of the Academy of Art University resulting from a 2016 phishing breach that sent the personal financial data of 3,000 current and former employees to a hacker. The plaintiffs were compensated for out-of-pocket expenses and provided two years of free credit monitoring.

D. Howard Kass

D. Howard Kass is a contributing editor to MSSP Alert. He brings a career in journalism and market research to the role. He has served as CRN News Editor, Dataquest Channel Analyst, and West Coast Senior Contributing Editor at Channelnomics. As the CEO of The Viewpoint Group, he led groundbreaking market research.