Calif. College Data Breach Victims Face Lifetime of Identity Theft Risk: Class Action
California Northstate University waited 10 months to inform victims of a February 2023 data breach, causing them risks “for their respective lifetimes,” alleged a negligence complaint Thursday (docket 2:24-at-00158) in U.S. District Court for Eastern California in Sacramento.
Plaintiff Ganesh Sankar, a Georgia resident, applied for admission to CNSU, making him a data breach victim, said the complaint. The private university began notifying current, former and prospective students of the data breach Dec. 21, telling them it recently completed its investigation of a Feb. 12-13 “incident” that involved “an unauthorized actor” who “potentially accessed and obtained certain files stored on our server,” said the complaint.
The university identified one or more files Nov. 2 containing Sankar’s name and Social Security number, the complaint said. The university offered him a complimentary one-year membership to Experian’s Identity Works to help detect “possible misuse of your information,” it said.
The cyberattack was designed to gain access to personally identifiable information (PII) of “specific individuals,” including that of Sankar and class members, said the complaint. He believes the PII was then sold on the dark web.
CNSU had obligations “created by contract, industry standards, common law, and its own promises and representations” to keep Sankar and class members’ PII confidential and to protect them from unauthorized access and disclosure, the complaint said. Sankar’s unencrypted PII was compromised due to the university’s "careless acts and omissions" and “utter failure” to protect class members’ PII, it said.
Sankar provided his PII to CNSU as a condition of applying for admission to the university, said the complaint. As a result of the data breach, he has had to make efforts to mitigate its impact, including researching the incident and reviewing credit reports, financial account statements, and/or medical records for any indication of actual or attempted identity theft or fraud, the complaint said. He will continue to spend “significant time" and "valuable hours for the remainder of his life, that he otherwise would have spent on other activities,” it said.
The plaintiff suffered actual injuries, including diminution in value of his PII, violation of his privacy rights, theft of his PII and “present, imminent and impending injury arising from the increased risk of identity theft and fraud,” the complaint said. He has also suffered emotional distress as a result of the theft of his PII, it said.
In addition to negligence, he asserts claims of invasion of privacy, unjust enrichment and violation of California’s Unfair Competition Law. He seeks injunctive relief prohibiting CNSU from engaging in the wrongful acts described; and requiring it to encrypt all data collected; to delete and destroy plaintiffs’ and class members’ PII; to provide out-of-pocket expenses related to identity theft, tax fraud and other unauthorized use of their PII; and to implement a comprehensive information security program, the complaint said.
Sankar seeks for himself and the class awards of actual, nominal, statutory, consequential and punitive damages; attorneys’ fees and costs; and pre- and post-judgment interest. CNSU didn’t comment.