Mary Margaret Cleary (CAS ‘14), a current professor at the University of Virginia School of Law, filed a class action lawsuit against Georgetown University on Oct. 18, citing negligence after a data leak compromised the sensitive personal information of current and former students. The lawsuit alleges Georgetown failed to properly secure and store personally identifiable information (PII), including Social Security numbers and Tax ID numbers.
The Voice reached out to Cleary’s attorneys, but has not received a response at this time.
Georgetown University’s data management system, Ellucian, experienced a data leak between 8:00 a.m. on Wednesday, Oct. 16, and 8:30 a.m. on Thursday, Oct. 17, during which sensitive information was accessible to users within the university network, according to an email from Chief Information Officer Doug Little. The data included that of current students and alumni dating back to 1990.
In a university-wide email, Little wrote that 29 recent or current students might have gained access to unauthorized data, potentially compromising the information of both current students and alumni. The university has reached out to those involved, instructing them to delete any obtained data.
The lawsuit seeks damages, including monetary and punitive, and demands the establishment of a fund to provide financial assistance for those affected. Cleary is also calling for Georgetown to enhance its data security protocols, conduct annual security audits, and offer credit monitoring services to all that had their PII compromised. Additionally, the suit requests that individuals be promptly notified of any future data breaches.
The lawsuit accuses Georgetown on five counts: negligence for failing to use PII protective measures, negligence per se by violating the Federal Trade Commission Act, breach of implied contract between Georgetown students and the university, Georgetown’s unjust enrichment from monetary benefit in the form of PII, and declaratory and injunctive relief by requiring Georgetown to employ PII protective measures that follow law and industry standards.
Under the count of negligence, Cleary is suing Georgetown for 13 failures, including “failure to employ systems and educate employees to protect against unauthorized disclosure,” “failure to comply with industry standards for software and server security,” and “failure to properly update its systems when conducting scheduled maintenance.”
The legal complaint centers on the risks posed to those whose PII was exposed, noting that the data breach makes individuals vulnerable to identity theft and fraud. Compromised data includes names, Social Security numbers, dates of birth, and physical addresses.
“The exfiltrated PII, therefore, remains in the hands of unauthorized individuals who accessed the PII and can exploit the PII of the Plaintiff and the Class Members,” the lawsuit reads.
In the lawsuit, Cleary alleges she’s experienced “anxiety and stress” since the breach because of an “increased risk of financial fraud, identity theft, fraud and other types of monetary harm as a result of the stolen information.”
“Plaintiff and Class Members are entitled to damages, including actual, compensatory, punitive, and nominal damages suffered because of the Data Breach in an amount to be proven at trial,” the lawsuit states.
This story is ongoing and will be updated as more information becomes available.
