Documents filed in Anne Arundel County Circuit Court show more than 13,000 people — current and former students and employees of the school — were affected by the data breach. Though the final approval hearing for the settlement is scheduled for May, the court granted the plaintiffs’ unopposed motion for preliminary approval of the settlement on Nov. 22.
The plaintiffs say in filings that Washington College’s data was breached for about a month between February and March 2023, in what the college called “a potential ransomware incident” by an “unauthorized actor” who accessed the data via VPN in a letter to the Maine attorney general obtained by The Capital Gazette. The letter says 44 Maine residents were affected by the breach.
However, the college only sent notice letters to those affected in November 2023, the documents show, almost 250 days after the attack, which “exacerbated” the injuries, according to the plaintiffs. The plaintiffs say Washington College had a duty to protect the information it collected that it didn’t fulfill.
The school was unaware of the attack until 31 days after the breach began, according to the class action petition. Additionally, the suit says the college “failed to adequately train its employees on reasonable cybersecurity protocols or implement reasonable security measures.” According to the documents, the college “has been unable to determine precisely what information was stolen and when.” It is unclear who was behind the attack.
The named plaintiffs bringing the suit are from across Maryland, including Anne Arundel, Kent and Baltimore counties. Taylor Bresnahan, of Arnold, graduated from Washington College in 2013, according to court filings, but the college hadn’t purged information like his full name and social security number from its systems after a decade. Now, according to the petition, “Bresnahan’s [information] has already been published — or will be published imminently — by cyber criminals on the dark web.”
According to the notice letter sent by the college, it discovered the breach March 14, 2023, when it “became aware of suspicious activity on [its] network and servers.” The letter says its investigation revealed the unauthorized actor “likely obtained certain files containing some of your personal information.”
The plaintiffs in the suit declined to comment. David K. Lietz, senior partner of Washington, D.C. law firm Milberg, said after discussing with co-counsel, “…we feel it is best for plaintiffs to make no comment at this time.”
Though the court is expected to finalize the settlement agreement in May, court documents suggest victims will be reimbursed for up to $5,000 in “extraordinary losses,” up to three hours of lost time at the rate of $25 an hour, up to $500 for “ordinary out-of-pocket expenses,” three years of credit monitoring “with at least $1 million in fraud protection” or $50 cash as an alternative to the other forms of compensation.
Should these conditions be finalized, if all 13,168 victims claimed $5,000 in qualifying losses, that would make the college liable for $65.8 million. On the lower end of the spectrum, if each eligible victim claimed the $50 cash alternative, that would still translate to $658,400.
By the May approval hearing, Washington College might also be required as part of the agreement to upgrade its information security policies and software to align with industry standards, which plaintiffs argued the college was not at the time of the incident.
In addition to payouts to the class of breach victims writ large, court documents describing the settlement agreement say the college could ultimately be liable for the plaintiffs’ legal fees.
Washington College’s Director of News and Media Relations Dominique Ellis Falcon said in an email, “The college has been working through litigation, which is typical following this kind of event. We are happy to move toward a resolution.”
The suit was filed in Anne Arundel County as part of settlement negotiations, court documents show. The parties agreed to go through the local court instead of federal court, as the plaintiffs initially had intended. The documents say the settlement agreement was signed over the summer after the plaintiffs backed out of their federal suit.
©2024 Baltimore Sun. Distributed by Tribune Content Agency, LLC.
