What Led to a $4.7 Million Breach Lawsuit Settlement?
Washington State University Case Involved Theft of a Hard Disk Drive
Washington State University has agreed to pay more than $4.7 million to settle a lawsuit stemming from the theft of a portable hard disk drive from a self-storage unit. The drive contained information on about 1.2 million individuals - much of it unencrypted - that was gathered for an education research project, according to the settlement.
One legal expert suggests the settlement was so large because of the lax security for the sensitive data, which included Social Security numbers.
"The settlement is a bit larger than typical, but the ... arguably more liberal Washington state [consumer protection laws], together with the absolute recklessness of storing unencrypted personal information in, bizarrely, a safe in a storage locker - when encrypting the hard drive would have made the safe unnecessary - makes the larger settlement appear more reasonable," says technology attorney Steven Teppler, a partner at the law firm Mandelbaum Salsburg P.C., who was not involved in the case.
Terms of Settlement
The settlement includes cash reimbursements of up to $5,000 for those who can document out-of-pocket expenses related to the breach, such as for credit monitoring services and credit reports. "In the event the total amount of all claims for cash exceeds $3.25 million, the amount of each claim for cash shall be reduced pro rata," the settlement states.
Some plaintiffs in the lawsuit claimed that their stolen data was used as part of various identity theft crimes or that they needed to buy credit monitoring services to ensure that ID theft didn't happen. Although it settled the case, the university had argued that it was difficult to tie ID theft to the incident because so much personal data is available as a result of various breaches.
The settlement also includes two years of prepaid credit monitoring and insurance services for all those whose data was exposed, as well as payments for administrative fees, attorneys' fees and other expenses.
Theft From Storage Unit
The settlement stems from the April 2017 theft of a hard disk drive stored in a safe at a self-storage unit used by the university's Social & Economic Sciences Research Center in Olympia, Washington.
The research center collected data on almost 1.2 million individuals over a 15-year period for an education research study. The data included names, addresses, phone numbers, email addresses, dates of birth, SAT and ACT scores, Social Security numbers, career data and personal health information, according to the settlement, which did not specify what health data was involved.
Many of the plaintiffs in the case claimed that they never knew the university or the research center had ever collected this information, according to the settlement.
Poor Security Practices
The security breakdown that led to the lawsuit started when the university's research center created a weekly network backup of the research data, which was then stored on portable hard drives. These drives were swapped out on a weekly or bi-weekly basis, according to the settlement, which was unsealed late last week.
These portable drives were stored in the self-storage unit, which did not have security cameras, according to the settlement.
Someone broke into the unit and stole a backup drive containing more than 700,000 files. Of those, 3,057 files contained personal information on over 1 million people, the settlement notes.
The university first learned of the theft on April 21, 2017. School leaders informed local law enforcement of the theft and hired a computer forensics firm to investigate the incident and confirm what data was taken. The university later acknowledged all this in a June 2017 press release.
Settlements and Security Revamps
Phil Weiler, a university spokesman, says in a statement the $4.7 million settlement and the ongoing credit monitoring and identity theft services would be paid for through the school's cyber liability insurance policy and its insurance through the state.
"While Washington State University disputes the claims made in the suit, the university has concluded that continued litigation would be even more expensive and time-consuming," Weiler tells ISMG. "As a result, WSU has entered into an agreement to provide plaintiffs with additional credit monitoring and insurance services, as well as pay for certain lost time related to the theft and documented out-of-pocket costs."
The university had originally offered one year of prepaid credit monitoring, but only about 44,000 individuals took advantage of the offer, according to the settlement agreement.
Additionally, the university agreed to:
- Destroy archived research data related to the project mentioned in the lawsuit;
- Move any remaining research backup hard drives to a more secure location;
- Conduct data security assessments and audits and then implement any necessary new procedures, policies, technologies and training;
- Terminate outside IT contracts related to the research project mentioned in the lawsuit and transfer those responsibilities to the school's Office of Research Information Technology.
Start From Scratch?
Teppler says he would advise any clients in a similar situation to revamp their entire security strategy, starting with an assessment to find where any and all data is stored and the nature of that data.
"I would advise a complete security assessment, which typically involves investigating an entity's technology ecosystem, and the policies - if any - that govern its administration and protection," Teppler says. "Following that, we'd come up with phased recommendations based on prioritized security requirements."
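Two points in this story call for the same kind of check: the weekly backups that left the research center on portable drives in plaintext, and Teppler's advice to begin with an assessment of where data is stored and what it contains. The following is an added example, not code from the university, the research center or anyone quoted in the article. It audits a backup staging directory before the drive is handed off: each file is scanned for Social Security number and email patterns, and its byte entropy is measured as a rough test of whether it is already ciphertext. A file that carries identifiers but is not high-entropy blocks the shipment. The directory layout, the 7.5 bits/byte threshold and the sample records are all constructed for the example.

```python
"""Pre-shipment audit for removable backup drives (added example)."""
import math
import os
import re
import tempfile
from collections import Counter
from dataclasses import dataclass

# Conservative SSN pattern: area 000/666/9xx, group 00 and serial 0000 are never issued.
SSN_RE = re.compile(rb"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
EMAIL_RE = re.compile(rb"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")

# Ciphertext and compressed data both sit near 8 bits/byte; CSV, text and
# database dumps sit well below. The floor is an assumption for this example,
# so high entropy is a sanity check that the drive holds ciphertext, not proof.
ENCRYPTED_ENTROPY_FLOOR = 7.5


@dataclass
class Finding:
    path: str
    entropy: float  # Shannon entropy of the sampled bytes, 0..8 bits/byte
    ssn_hits: int
    email_hits: int

    @property
    def looks_encrypted(self) -> bool:
        return self.entropy >= ENCRYPTED_ENTROPY_FLOOR

    @property
    def blocks_shipment(self) -> bool:
        # Plaintext that carries identifiers must not leave the building.
        return (self.ssn_hits + self.email_hits) > 0 and not self.looks_encrypted


def shannon_entropy(data: bytes) -> float:
    """Bits of entropy per byte over the given sample."""
    if not data:
        return 0.0
    n = len(data)
    return -sum((c / n) * math.log2(c / n) for c in Counter(data).values())


def audit_file(path: str, sample_bytes: int = 1_000_000) -> Finding:
    # Sampling the first megabyte keeps the audit cheap on large archives.
    with open(path, "rb") as fh:
        data = fh.read(sample_bytes)
    return Finding(path, shannon_entropy(data),
                   len(SSN_RE.findall(data)), len(EMAIL_RE.findall(data)))


def audit_backup_set(root: str) -> list:
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in sorted(names):
            findings.append(audit_file(os.path.join(dirpath, name)))
    return findings


def ship_decision(findings) -> tuple:
    """Return (ok_to_ship, list of Findings that block the shipment)."""
    blockers = [f for f in findings if f.blocks_shipment]
    return len(blockers) == 0, blockers


def build_sample_backup(root: str) -> None:
    """Constructed sample: one plaintext roster, one job log, one random blob."""
    os.makedirs(os.path.join(root, "survey"), exist_ok=True)
    with open(os.path.join(root, "survey", "respondents.csv"), "wb") as fh:
        fh.write(b"name,ssn,email\n"
                 b"Sample Person,123-45-6789,sample.person@example.org\n"
                 b"Another Person,234-56-7890,another@example.net\n")
    with open(os.path.join(root, "backup.log"), "wb") as fh:
        fh.write(b"2017-04-14 02:00 backup job started\n"
                 b"2017-04-14 02:41 backup job finished, 0 errors\n")
    with open(os.path.join(root, "archive.bin"), "wb") as fh:
        fh.write(os.urandom(8192))  # stands in for a properly encrypted archive


def run_demo() -> dict:
    with tempfile.TemporaryDirectory() as root:
        findings = []
        build_sample_backup(root)
        findings = audit_backup_set(root)
        ok, blockers = ship_decision(findings)
        return {
            "ok_to_ship": ok,
            "blockers": sorted(os.path.basename(f.path) for f in blockers),
            "encrypted": sorted(os.path.basename(f.path) for f in findings if f.looks_encrypted),
        }


if __name__ == "__main__":
    report = run_demo()
    print("ok to ship:", report["ok_to_ship"])
    print("plaintext files with identifiers:", report["blockers"])
    print("files that look encrypted:", report["encrypted"])
```

Run stand-alone, the script reports that the roster blocks shipment while the random blob passes the entropy check; in a real pipeline the blocking files are the ones to encrypt (or drop from the backup set) before any drive is moved off site.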