Another Lesson for Higher Education Institutions about the Importance of Cybersecurity Investment

Key Takeaway

A Massachusetts class action claim underscores that institutions of higher education will continue to be targets for cybercriminals – and class action plaintiffs know it.

Background

On January 4, 2023, in Jackson v. Suffolk University, No. 23-cv-10019, Jackson (Plaintiff) filed a proposed class action lawsuit in the U.S. District Court for the District of Massachusetts against her alma mater, Suffolk University (Suffolk), arising from a data breach affecting thousands of current and former Suffolk students.

The complaint alleges that an unauthorized party gained access to Suffolk’s computer network on or about July 9, 2022. After learning of the unauthorized access, Suffolk engaged cybersecurity experts to assist in an investigation. Suffolk completed the investigation on November 14, 2022. The investigation concluded that an unauthorized third party gained access to and/or exfiltrated files containing personally identifiable information (PII) for students who enrolled after 2002.

The complaint further alleges that the PII exposed in the data breach included students’ full names, Social Security Numbers, Driver License numbers, state identification numbers, financial account information, and Protected Health Information. While Suffolk did not release the total number of students affected by the data breach, the complaint alleges that approximately 36,000 Massachusetts residents were affected. No information was provided about affected out-of-state residents.

Colleges and Universities are Prime Targets for Cybercriminals

Unfortunately, Suffolk’s data breach is not an outlier. Colleges and universities present a wealth of opportunities for cybercriminals because they house massive amounts of sensitive data, including employee and student personal and financial information, medical records, and confidential and proprietary data. Given how readily stolen data can be sold through open and anonymous forums on the Dark Web, colleges and universities will remain prime targets for cybercriminals.

Recognizing this, the FBI issued a warning for higher education institutions in March 2021, informing them that cybercriminals have been targeting institutions of higher education with ransomware attacks. In May 2022, the FBI issued a second alert, warning that cyber bad actors continue to conduct attacks against colleges and universities.

Suffolk Allegedly Breached Data Protection Duty

In the complaint, Plaintiff alleges that Suffolk did not follow industry and government guidelines to protect student PII. In particular, Plaintiff alleges that Suffolk’s failure to protect student PII is prohibited by the Federal Trade Commission Act, 15 U.S.C.A. § 45, and that Suffolk failed to comply with the Financial Privacy Rule of the Gramm-Leach-Bliley Act (GLBA), 15 U.S.C.A. § 6801. Further, the suit alleges that Suffolk violated the Massachusetts Right to Privacy Law, Mass. Gen. Laws Ann. ch. 214, § 1B, as well as its common law duties.

How Much Cybersecurity is Enough?

To mitigate cyber risk, colleges and universities must not only follow applicable government guidelines but also consider following industry best practices to protect student PII.

In particular, GLBA requires a covered organization to designate a qualified individual to oversee its information security program and to conduct risk assessments that continually assess internal and external risks to the security, confidentiality and integrity of personal information. After the risk assessment, the organization must address the identified risks and document the specific safeguards intended to address those risks. See 16 CFR § 314.4.

Suffolk, as well as other colleges and universities, may also want to look to Massachusetts law for guidance about how to further invest in their cybersecurity programs. Massachusetts was an early leader among U.S. states when, in 2007, it enacted the “Regulations to safeguard personal information of commonwealth residents” (Mass. Gen. Laws ch. 93H § 2) (Data Security Law). The Data Security Law – still among the most prescriptive general data security state laws – sets forth a list of minimum requirements that, while not specific to colleges and universities, serves as a good cybersecurity checklist for all organizations:

  1. Designation of one or more employees responsible for the written information security program (WISP).
  2. Assessments of risks to the security, confidentiality and/or integrity of organizational Information and of the effectiveness of the current safeguards for limiting those risks, including ongoing employee and independent contractor training, compliance with the WISP, and tools for detecting and preventing security system failures.
  3. Employee security policies relating to protection of organizational Information outside of business premises.
  4. Disciplinary measures for violations of the WISP and related policies.
  5. Access control measures that prevent terminated employees from accessing organizational Information.
  6. Management of service providers that access organizational Information as part of providing services directly to the organization, including retaining service providers capable of protecting organizational Information consistent with the Data Security Regulations and other applicable laws and requiring service providers by contract to implement and maintain appropriate measures to protect organizational Information.
  7. Physical access restrictions for records containing organizational Information and storage of those records in locked facilities, storage areas or containers.
  8. Regular monitoring of the WISP to ensure that it is preventing unauthorized access to or use of organizational Information and upgrading the WISP as necessary to limit risks.
  9. Review of the WISP at least annually, or more often if business practices that relate to the protection of organizational Information materially change.
  10. Documentation of responsive actions taken in connection with any “breach of security” and mandatory post-incident review of those actions to evaluate the need for changes to business practices relating to protection of organizational Information.

An organization not implementing any of these controls should consider documenting the decision-making process as a defensive measure. In implementing these requirements and recommendations, colleges and universities can best position themselves to thwart cybercriminals and plaintiffs alike.

© Copyright 2023 Squire Patton Boggs (US) LLP

First BIPA Trial Results in $228M Judgment for Plaintiffs

Businesses defending class actions under the Illinois Biometric Information Privacy Act (BIPA) have struggled to defeat claims in recent years, as courts have rejected a succession of defenses.

We have been following this issue and have previously reported on this trend, which continued last week in the first BIPA class action to go to trial. The Illinois federal jury found that BNSF Railway Co. violated BIPA, resulting in a $228 million award to a class of more than 45,000 truck drivers.

Named plaintiff Richard Rogers filed suit in Illinois state court in April 2019, and BNSF removed the case to the US District Court for the Northern District of Illinois. Plaintiff alleged on behalf of a putative class of BNSF truck drivers that BNSF required the drivers to provide biometric identifiers in the form of fingerprints and hand geometry to access BNSF’s facilities. The lawsuit alleged BNSF violated BIPA by (i) failing to inform class members their biometric identifiers or information were being collected or stored prior to collection, (ii) failing to inform class members of the specific purpose and length of term for which the biometric identifiers or information were being collected, and (iii) failing to obtain informed written consent from class members prior to collection.

In October 2019, the court rejected BNSF’s legal defenses that the class’s BIPA claims were preempted by three federal statutes governing interstate commerce and transportation: the Federal Railroad Safety Act, the Interstate Commerce Commission Termination Act, and the Federal Aviation Administration Authorization Act. The court held that BIPA’s regulation of how BNSF obtained biometric identifiers or information did not unreasonably interfere with federal regulation of rail transportation, motor carrier prices, routes, or services, or safety and security of railroads.

Throughout the case, including at trial, BNSF also argued it should not be held liable where the biometric data was collected by its third-party contractor, Remprex LLC, which BNSF hired to process drivers at the gates of BNSF’s facilities. In March 2022, the court denied BNSF’s motion for summary judgment, pointing to evidence that BNSF employees were also involved in registering drivers in the biometric systems and that BNSF gave direction to Remprex regarding the management and use of the systems. The court concluded (correctly, as it turned out) that a jury could find that BNSF, not just Remprex, had violated BIPA.

The case proceeded to trial in October 2022 before US District Judge Matthew Kennelly. At trial, BNSF continued to argue it should not be held responsible for Remprex’s collection of drivers’ fingerprints. Plaintiff’s counsel argued BNSF could not avoid liability by pleading ignorance and pointing to a third-party contractor that BNSF controlled. Following a five-day trial and roughly one hour of deliberations, the jury returned a verdict in favor of the class, finding that BNSF recklessly or intentionally violated BIPA 45,600 times. The jury did not calculate damages. Rather, because BIPA provides for $5,000 in liquidated damages for every willful or reckless violation (and $1,000 for every negligent violation), Judge Kennelly applied BIPA’s damages provision, which resulted in a judgment of $228 million in damages. The judgment does not include attorneys’ fees, which plaintiff is entitled to and will inevitably seek under BIPA.

While an appeal will almost certainly follow, the BNSF case serves as a stark reminder of the potential exposure companies face under BIPA. Businesses that collect biometric data must ensure they do so in compliance with BIPA and other biometric privacy regulations. Where BIPA claims have been asserted, companies should promptly seek outside counsel to develop a legal strategy for a successful resolution.


© 2022 ArentFox Schiff LLP

Wendy’s E. Coli Outbreak Lawsuits

Health Department officials are investigating over one hundred cases of E. coli poisoning in Michigan, Ohio, Indiana and Pennsylvania. The majority of these people report that they ate sandwiches topped with lettuce at a Wendy’s Restaurant within the week before their food poisoning diagnosis.

Public health officials in Michigan have confirmed 43 cases of E. coli that match the strain in a multi-state outbreak. A number of similar cases have been identified in Ohio. The specific source of the food poisoning has not been officially determined, but one possible source is romaine lettuce used to top hamburgers and sandwiches at Wendy’s restaurants.

The illness onset dates range from late July through early August 2022. The sickness and harm have ranged from mild to very severe. Many victims have required extensive hospitalization and medical care. Four cases of hemolytic uremic syndrome (HUS) have been diagnosed and are suspected to be related to the contaminated lettuce at Wendy’s Restaurants.

  • E. coli outbreak cases have been reported in the following counties: Allegan, Branch, Clinton, Genesee, Gratiot, Jackson, Kent, Macomb, Midland, Monroe, Muskegon, Oakland, Ogemaw, Ottawa, Saginaw, Washtenaw, and Wayne, and in the City of Detroit. Public health departments in those counties are closely monitoring patients and working hard to determine the source of the poisoning.

E. coli is a bacterium that lives in the digestive tracts of animals and humans. Most varieties are harmless, but some can cause severe illness. Common sources of E. coli include:

  • Raw milk or dairy products that are not pasteurized.
  • Raw fruits or vegetables, such as lettuce, that have come into contact with infected animal feces.

Symptoms of E. coli poisoning are very serious. They include severe stomach cramps, diarrhea, and vomiting. Some people experience high fevers, and many develop life-threatening conditions.

Because E. coli infections often require hospitalization and expensive medical care, the damages from this food poisoning can be extensive.

The Wendy’s food poisoning claims are just at their initial stages. Very few lawsuits have been filed to date, but it is expected that dozens will be filed in courthouses shortly. At this time, there are no reported Wendy’s food poisoning settlements.

In general, food poisoning settlements include monetary payment for pain and suffering, mental anguish, and the physical injuries caused by the food contamination. In addition, claims for economic losses and damages are also demanded in a food poisoning lawsuit. These are financial losses and include payment of medical bills and expenses, as well as lost wages and income resulting from missed time at work.

If you ate food at a Wendy’s Restaurant that contained romaine lettuce in July or August and were diagnosed or hospitalized with E. coli poisoning, you may benefit from speaking to a food poisoning attorney.

Buckfire & Buckfire, P.C. 2022

Supreme Court Ruling Reverses Bad 9th Circuit Precedent on Class Action Fairness Act (CAFA)

The National Law Review recently published an article, Supreme Court Ruling Reverses Bad 9th Circuit Precedent on Class Action Fairness Act (CAFA), written by Thomas R. Kaufman with Sheppard, Mullin, Richter & Hampton LLP:

Sheppard Mullin 2012

On March 19, 2013, the U.S. Supreme Court handed down Standard Fire Insurance v. Knowles, a short, narrow, and unanimous opinion addressing removal of class actions to federal court under the Class Action Fairness Act (“CAFA”).  The central holding of the case is that a district court should “ignore” representations by the plaintiff that the amount in controversy is under $5 million and instead consider the actual evidence concerning the number of class members and potential claims.  Although the Court did not expressly address Lowdermilk v. U. S. Bank Nat’l Ass’n, 479 F.3d 994 (9th Cir. 2007)—a 9th Circuit case that held that the defendant must establish with “legal certainty” that the amount in controversy exceeds $5 million when the plaintiff pleads that the amount in controversy is lower—the Supreme Court’s reasoning effectively reverses the Lowdermilk line of cases.

The Relevant Facts in Standard Fire Insurance

As relevant, the defendant removed a class action and made a showing through an analysis of the allegations in the complaint that the amount in controversy slightly exceeded $5 million. The district court found no fault with the analysis, but noted that the Plaintiff had made a formal stipulation that the amount in controversy was less than $5 million. Invoking the old adage that the plaintiff is “the master of the complaint,” the district court held that it was bound to remand the case based on the Plaintiff’s purportedly binding representation that the class was seeking less than $5 million.

The Supreme Court’s Holding

The limited question the Supreme Court answered was, assuming the evidence otherwise indicated that the class’s potential recovery exceeds the minimum $5 million, whether the formal stipulation defeated federal jurisdiction. The Court answered this question “no.” The plaintiff, as a mere potential representative for an uncertified class, had no power to bind the class and to require them to agree to the reduced recovery. This is to be contrasted with the situation where an individual stipulates that his damages are below the amount in controversy in an individual action, which does bind all relevant parties (i.e., there are no absent contingent parties). The Court went so far as to say that the district court “should have ignored that stipulation.” Instead, the Court directed that the proper process for a district court is simply “to add[] up the value of the claim of each person who falls within the definition of [the] proposed class and determine whether the resulting sum exceeds $5 million. If so, there is jurisdiction and the court may proceed with the case.” In so concluding, the Court cited with approval Frederick v. Hartford Underwriters, 683 F.3d 1242, 1247 (10th Cir. 2012), where the Tenth Circuit rejected an attempt by a plaintiff to avoid federal jurisdiction by pleading in the prayer that the class was seeking only “a total award for compensatory and punitive damages [that] does not exceed $4,999,999.99.”

How This Impacts Ninth Circuit Precedent

Although I have never encountered a purportedly “binding stipulation” that the amount in controversy is less than $5 million in a class action, it is common in wage/hour cases filed in California for the plaintiff’s counsel simply to plead in an unverified complaint that the amount in controversy is less than $5 million. Under binding 9th Circuit precedent, Lowdermilk v. U. S. Bank Nat’l Ass’n, 479 F.3d 994, 995 (9th Cir. 2007), where a plaintiff includes such a statement in the complaint, the burden on the defendant to establish the $5 million amount in controversy is greatly raised to a “legal certainty” standard, meaning that “the party seeking removal must prove with legal certainty that CAFA’s jurisdictional amount is met.” This is contrasted with the general rule where the complaint is silent on amount in controversy that the employer merely must “prove by a preponderance of the evidence that the amount in controversy requirement has been met.” A key rationale for the Lowdermilk rule was that “it is well established that the plaintiff is ‘master of her complaint’ and can plead to avoid federal jurisdiction.”

There is no way to reconcile this reasoning with the Supreme Court’s reasoning in Standard Fire Insurance. Implicit in the Supreme Court’s reasoning is that pronouncements by the plaintiff about the amount in controversy should have no binding effect; rather, the district court should simply consider the claims pleaded, the number of potential class members, and the potential aggregate recovery for this class while “ignoring” the plaintiff’s asserted conclusions on amount in controversy. There is no logical reason why a formal stipulation to limit jurisdiction should have no impact on the CAFA analysis, while a mere statement in an unverified complaint that the amount in controversy falls below $5 million should have the impact of altering the burden of proof and making it harder for the defendant to establish amount in controversy.

Copyright © 2013, Sheppard Mullin Richter & Hampton LLP