Lansing Community College (LCC) has agreed to pay a $1.45 million settlement over a data breach that occurred between December 25, 2022, and March 15, 2023.
This breach potentially exposed the personal information of more than 750,000 individuals, including students, employees, and applicants.
The settlement will provide up to $2,000 per person for documented losses, with a total cap of $150,000 for these claims.
LCC will discontinue the use of the vulnerable application that was attacked and implement additional security measures.
Source: https://www.lansingcitypulse.com/stories/lcc-agrees-to-145-million-class-action-settlement-over-2023-data-breach,113225 (Oct. 10, 2024).
Commentary
According to the source document cited above:
Compromised data, including names and Social Security numbers, could have been accessed by an "unauthorized actor" between Dec. 25, 2022, and March 15, 2023.
Readers will note the word "could" used above. In most claims stemming from a crime (e.g., sexual abuse, wrongful death), you need to prove that a wrong happened - not that it "could" happen.
For example, you don't settle a claim of workplace sexual assault just because a coworker "could have" assaulted someone. The worker either assaulted someone or did not. If he didn't, you fight the claim. If he did, you hope you can settle.
In data breach litigation, the threshold of proof to make a claim is simply that there was a crime (a breach) and data was possibly compromised. Plaintiffs' counsel does not have to show that people were harmed by the breach - only that they "could" be harmed because their data "could" have been taken.
The takeaway is that nonprofits need to use cyber experts to segment and protect data, in particular the personal identifiers of workplace participants and the people they serve, so that they can prove, in case of an attack, that personal identifiers were not stolen. With such proof, NPOs will have a fighting chance.