The King County Superior Court lately agreed to a $4.7 million settlement to pay back the people whose personal data were stolen in a breach at Washington State University in April 2017.
Portable hard drives contained copies of 1,193,190 individuals’ personal information. Washington State University stored the hard drives in a safe located in a self-storage facility. On April 21, 2017, the safe was taken when the storage facility was broken into. Most of the files in the hard drives were not protected by encryption.
The portable hard drives contained information, such as names, contact information, and Social Security numbers, patient health data, and college admissions test results. The information were associated with the 15 years research project by the WSU Social and Economic Sciences Research Center.
Though the hard drive was stolen, there was no evidence found that indicate the access or misuse of the data. Even so, a few plaintiffs claimed they suffered from identity theft or fraud because of the breach. WSU simply agreed to the settlement to save money because the cost of settlement, even if it is quite high, is still less than the legal action costs.
In January 2019, the agreed settlement amount by the WSU Board of Regents is $5.26 million. This settlement amount does not include yet the price of credit monitoring and identity theft protection services for two years covering 1,193,190 breach victims.
The total amount of settlement will only be finalized after breach victims have submitted their claims. Each breach victim can claim up to $5,000 to repay out-of-pocket expenses and lost time, but the costs must be validated. The fund set aside for claims is a $3.5 million. In case the amount of claims exceeds that of the fund, WSU will reduce the claim amounts pro rata. Approximately $800,000 is given to attorneys’ fees and $650,000 to administrative expenses. The settlement is covered by WSU’s cyber-liability insurance policy.
The university additionally revised policies and procedures to strengthen security. There are more secure backup data storage, regular data security monitoring and audits, and extra employee training. WSU will terminate IT contracts associated with the research project and manage the functions in house. Archived data of the research project will be totally destroyed.
The settlement demonstrates how important encryption is to stored data, specially data stored on portable devices. In the event that the device is lost or stolen, data is not retrievable and so the incident is not a reportable breach.