Former Greensboro College Student Files Class Action Over August Data Breach
Greensboro College waited about six months to notify some 52,000 victims of an August data breach, alleged a negligence class action Tuesday (docket 1:24-cv-00243) in U.S. District Court for Middle North Carolina in Greensboro.
Greensboro didn’t use industry standards “appropriate to the nature of the sensitive, unencrypted information they were maintaining” for former student Abigail Hedgecock and class members, causing the exposure of personally identifiable information (PII) of victims, it said. If the North Carolina nonprofit college had notified Hedgecock and class members around the time the data breach was first discovered, they would have been “in a better position to protect themselves,” it said.
As a result of the breach, Hedgecock, a North Carolina resident and a student at Greensboro 2016-2017, suffered “injury and ascertainable losses,” including the threat of present and imminent fraud and identity theft, loss of benefit of her bargain, out-of-pocket expenses, loss of the value of time incurred to mitigate the effects of the cyberattack and loss in value of her PII, the complaint said. Her name and Social Security number were among the PII compromised in the breach, it said.
Greensboro charges students a $377 “technology campus facility” fee, part of which “is presumably dedicated to establishing and maintaining the data security for the network infrastructure” housing Hedgecock’s and class members’ PII, said the complaint. They “overpaid” for the services that “were intended to be accompanied by adequate data security, but were not,” it said.
The college’s Feb. 29 data breach notice letter “has done little to adequately protect” Hedgecock and class members or to compensate them for their injuries sustained in the breach, said the complaint. The notice letter “completely downplays and disavows the theft of Plaintiff’s and Class Members’ Private Information, when the facts demonstrate that the Private Information was accessed and exfiltrated,” it said.
The 24-month complimentary fraud and identity monitoring service offered by the college is “wholly inadequate” as it “places the burden squarely” on Hedgecock and class members by requiring them to spend time on signing up for the service vs. “automatically enrolling all victims of this cybercrime,” it said. They will still incur out-of-pocket costs for buying credit monitoring services, credit freezes, credit reports, or other protective measures to “deter and detect identity theft beyond the services offered” by the college, it said.
Greensboro’s privacy policy states that it “acknowledges that security and privacy are important issues for visitors…and recognizes our obligation to keep your information secure and confidential,” the complaint noted. By obtaining and using Hedgecock and class members’ PII, the college assumed “legal and equitable duties and knew or should have known that it was responsible for protecting” it from unauthorized disclosure, the complaint said.
Hedgecock asserts claims of negligence and negligence per se, breach of implied contract and unjust enrichment. She seeks for herself and the class orders requiring Greensboro to stop engaging in the wrongful conduct described; to pay for not less than three years of credit monitoring services for victims; to pay restitution and disgorgement of revenues wrongfully retained as a result of the wrongful conduct; and awards of actual, compensatory, statutory damages and penalties; plus attorneys’ fees and costs and pre- and post-judgment interest.