YORK – A class action complaint alleges that a local technical school failed to safeguard the personally identifiable information of its students, employees and applicants, leading to a data breach where over 89,000 individuals were impacted.
Luke Heflin (individually and on behalf of all others similarly-situated) filed suit in the York County Court of Common Pleas on April 26 versus the York County School of Technology. Both parties are of York.
“Plaintiff brings this petition against York Tech for its failure to properly secure and safeguard the personally-identifiable information that it collected and maintained as part of its regular business practices, including, but not limited to: full names, driver’s licenses or state IDs and Social Security numbers (collectively, “personally-identifiable information” or “PII”). Defendant is ‘a comprehensive technical school’ based in York, Pennsylvania. Plaintiff’s and class members’ sensitive personal information – which they entrusted to defendant on the mutual understanding that defendant would protect it against disclosure – was targeted, compromised and unlawfully accessed due to the data breach,” the suit says.
“Upon information and belief, former and current students, employees, and applicants for admission or employment are required to entrust defendant with an extensive amount of their PII, used for defendant’s business, in order to enroll at York Tech or be eligible for employment. Defendant retains this information for at least many years and even after the relationship has ended. Defendant’s investigation concluded that the PII compromised in the data breach included plaintiff’s and approximately 89,000 other individuals’ information. By obtaining, collecting, using and deriving a benefit from the PII of plaintiff and class members, defendant assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion.”
The suit adds that the PII compromised in the data breach was “ex-filtrated by cyber-criminals and remains in the hands of those cyber-criminals, who target PII for its value to identity thieves.”
“Defendant failed to adequately protect plaintiff’s and class members’ PII – and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted PII was compromised due to defendant’s negligent and/or careless acts and omissions and its utter failure to protect students’ sensitive data. Hackers targeted and obtained plaintiff’s and class members’ PII because of its value in exploiting and stealing the identities of plaintiff and class members. The present and continuing risk to victims of the data breach will remain for their respective lifetimes. Plaintiff brings this action on behalf of all persons whose PII was compromised as a result of defendant’s failure to: (i) adequately protect the PII of plaintiff and class members; (ii) warn plaintiff and class members of defendant’s inadequate information security practices; and (iii) effectively secure hardware containing protected PII using reasonable and effective security procedures free of vulnerabilities and incidents. Defendant’s conduct amounts to negligence, at a minimum, and violates federal and state statutes,” the suit states.
“Plaintiff and class members have suffered injury as a result of defendant’s conduct. These injuries include: (i) invasion of privacy; (ii) theft of their PII; (iii) lost or diminished value of PII; (iv) lost time and opportunity costs associated with attempting to mitigate the actual consequences of the data breach; (v) loss of benefit of the bargain; (vi) lost opportunity costs associated with attempting to mitigate the actual consequences of the data breach; (vii) actual misuse of their PII in the form of experiencing an increase in spam calls, texts and/or emails; (viii) statutory damages; (ix) nominal damages; and (x) the continued and certainly increased risk to their PII, which: (a) remains unencrypted and available for unauthorized third parties to access and abuse; and (b) remains backed up in defendant’s possession and is subject to further unauthorized disclosures so long as defendant fails to undertake appropriate and adequate measures to protect the PII. Defendant disregarded the rights of plaintiff and class members by intentionally, willfully, recklessly or negligently failing to implement and maintain adequate and reasonable measures to ensure that the PII of plaintiff and class members was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use. As a result, the PII of plaintiff and class members was compromised through disclosure to an unknown and unauthorized third party. Plaintiff and class members have a continuing interest in ensuring that their information is and remains safe, and they should be entitled to damages and injunctive and other equitable relief.”
For counts of negligence, negligence per se, breach of implied contract and unjust enrichment, the plaintiff is seeking equitable and injunctive relief to protect the sensitive data of those affected by the data breach, equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of defendant’s wrongful conduct, an ordering for the defendant to pay for not less than 10 years of credit monitoring services for plaintiff and the class, actual damages, compensatory damages, statutory damages and statutory penalties, in an amount to be determined, as allowable by law, punitive damages, as allowable by law, attorneys’ fees, costs and any other expenses, including expert witness fees, pre- and post-judgment interest on any amounts awarded and such other and further relief as this court may deem just and proper.
The plaintiff is represented by Benjamin F. Johns of Shub & Johns in Conshohocken and Gary M. Klinger of Milberg Coleman Phillips Grossman, in Chicago, Ill.
The defendant has not yet obtained legal counsel.
York County Court of Common Pleas case 2024-SU-001254
From the Pennsylvania Record: Reach Courts Reporter Nicholas Malfitano at nick.malfitano@therecordinc.com