Ex-Skidmore Student Sues Over Risk of ID Theft After Data Breach
Skidmore College discovered a data breach on Feb. 17 and only began notifying affected individuals Sept. 15, alleged plaintiff Mary Cogan in a class action Thusrday (docket 1:23cv1409) in U.S. District for Northern New York in Syracuse.
Due to the college's “delayed response” of the college, Cogan, of Saratoga Springs, New York, “had no idea” her personally identifiable information (PII) had been compromised and that she was at “significant and imminent risk of identity theft and various other forms of personal, social and financial harm” that will remain for her and class members’ respective lifetimes, said her complaint.
Cogan, a former student and employee of Skidmore, received the college’s data breach notification letter Sept. 23, advising her her PPI – name, address, Social Security number, financial account numbers and health insurance information -- “could have been accessed,” the complaint said. The notice said the school was in the process of implementing additional security protocols to protect its network, email, environment and systems.
Cogan has suffered diminution of the value of her PII, lost time and opportunity costs, annoyance, interference, increased anxiety and concerns over the loss of privacy and substantial risk of fraud and identity theft, said the complaint. Skidmore offered 24 months of complimentary Experian IdentityWorks monitoring services as a result of the breach but has otherwise “failed to provide any compensation for the unauthorized release and disclosure” of Cogan’s and class members, PII, it said.
Skidmore should have known the risks of collecting and storing PII and the importance of maintaining secure systems, given recent prevalence of such events, the complaint said. It breached its duty to affected individuals by failing to provide adequate security measures and to protect Cogan’s PII from being “foreseeably captured, accessed, exfiltrated, stolen, disclosed, and misused,” it said.
Cogan asserts claims of negligence, negligence per se, breach of implied contract and unjust enrichment. She seeks an order requiring the college to implement and maintain reasonable security measures, bump the credit monitoring service period to 10 years and “meaningfully educate” victims about threats they face as a result of the breach. She seeks awards of compensatory, statutory, nominal and punitive damages, equitable relief requiring restitution and disgorgement of revenues Skidmore “wrongfully retained” as a result of its wrongful conduct, plus reasonable attorneys’ fees and legal costs, the complaint said.