The King County Superior Court recently approved a $4.7 million settlement to compensate people whose personal data was stolen from Washington State University in April 2017.
Copies of the personal information of 1,193,190 individuals were stored on portable hard drives, which Washington State University kept in a safe in a self-storage locker. The safe was stolen during a break-in at the storage facility on April 21, 2017. The majority of the files were not encrypted.
The drives stored information that most identity thieves target, such as names, contact details, and Social Security numbers, along with patient health information, college admissions test results and other data. The drives contained about 15 years of research project information collected by the WSU Social and Economic Sciences Research Center.
Despite the hard drive theft, Washington State University claimed there was no evidence that the data was accessed or misused. However, some of the plaintiffs alleged that the breach caused them to suffer identity theft/fraud. The decision to settle was made only to save money: the cost of the settlement, although high, is far lower than the cost of legal action.
In January 2019, the WSU Board of Regents agreed to a settlement of $5.26 million. The final settlement amount did not include the cost of two years of credit monitoring and identity theft protection services for the 1,193,190 breach victims.
The final amount that WSU spends will depend on how many people submit claims. People impacted by the breach can claim up to $5,000 each to cover out-of-pocket costs and lost time, as long as the costs can be validated. There is a $3.5 million fund to cover claims. If the total claimed exceeds the fund, the claim amounts will be reduced pro rata. Roughly $800,000 was reserved to cover attorneys’ fees and $650,000 for administrative costs. WSU has a cyber-liability insurance policy that will cover the settlement.
The university also decided to revise its policies and procedures and improve security. Backup data storage is now more secure, data security evaluations and audits will be routinely conducted, and extra training will be given to employees. IT contracts related to the research project will be terminated and such functions will be managed in-house. Archived research project information will be completely destroyed.
The settlement shows why it is necessary to encrypt stored data, particularly data saved on portable electronic devices. If an encrypted device is lost or stolen, the data is not accessible and the incident is not considered a reportable breach.