
Aeries Settles Data Breach Lawsuit for $1.75M; Illuminate Suit is Dismissed – For Now

The judge emphasized that “plaintiffs do not lack standing simply because the data breach did not involve credit card numbers, Social Security numbers, or other financial information.” But, he said, the plaintiffs must make a connection between the personal information leaked and the harms alleged.

In ruling that the plaintiffs failed to establish standing, the judge noted that “plaintiffs may be able to cure the deficiencies identified” and granted the plaintiffs 21 days to amend their complaint starting on April 19.

As of this writing, the plaintiffs in the Illuminate case had not filed an amended complaint. Illuminate Education was acquired by curriculum provider Renaissance last August.

Why Are Ed Tech Vendors Collecting Private Data, Anyway?

Attorney Harris S. Freier, partner at Genova Burns LLC and head of the firm’s Privacy and Cybersecurity Practice, told THE Journal that ed tech providers almost never need student PII in order to provide their services and software to school districts.


“Schools should not provide student PII, and education tech vendors should not collect it,” Freier said. “It is never a good idea for any company, including education technology vendors, to ever have access to especially sensitive forms of personally identifiable information such as Social Security numbers, driver's license numbers, taxpayer ID numbers, health information, or banking/financial information of students unless they are actually providing a service linked to one of those protected categories of personal information. The liability tied to collecting this type of information — due to the near certainty that every company will eventually be breached — is almost never worth whatever business reason prompted the collection of the data to start with.”

Even the common practice of providing ed tech platforms with students’ birthdates and home addresses is a big risk for the vendors, he said. Although identity theft from a data breach is far less likely if the compromised data didn’t include SSNs, driver's license numbers, or taxpayer IDs, vendors storing such data face the threat of costly lawsuits regardless of whether the breach causes actual harm.

Freier advises school districts to protect themselves in their vendor agreements.

“If sensitive PII needs to be collected — which in most cases it actually does not — encryption of the data should be required in any contract between the school and vendor, and the contract between the school and the vendor should make clear that the vendor will indemnify the school if student PII stored by the vendor is breached,” he said. 

Standing to Sue Over Breaches is Easier to Achieve Than Ever

Last September, a ruling from the U.S. Court of Appeals for the Third Circuit shifted the baseline for the requirement that a data breach plaintiff must have suffered “actual or imminent harm,” Freier told THE Journal following the decision.

In that ruling, the Third Circuit Court of Appeals’ three-judge panel unanimously reinstated a putative class-action suit brought by Clemens, an employee of a company that suffered a ransomware attack, which led to her sensitive information being released onto the dark web.

Notably, Clemens did not suffer identity theft following the breach. After the company notified employees of the breach, Clemens “took swift action by reviewing her financial records and credit reports, switching banks and purchasing credit monitoring services,” according to court documents summarized by Freier on his legal blog.

In February 2021, the District Court for the Eastern District of Pennsylvania dismissed her case for lack of standing, due to the “speculative nature” of the injuries to the employees. But the decision issued on Sept. 2, 2022, by the Third Circuit Court of Appeals vacated the dismissal and remanded the case for consideration on the merits — giving the potential class of plaintiffs a new chance for relief and putting organizations that store PII data on notice, Freier said.

The Third Circuit Court of Appeals clarified that an injury can be “imminent” in order to qualify for standing, and does not need to have actually taken place at the time the suit is filed. Based on precedent in recent data breach cases, the Court of Appeals “determined that the substantial risk of future injury qualifies for standing based on imminence, especially in the event of an intentional, targeted attack by a hacking group,” Freier wrote in his case analysis.

Freier told THE Journal that organizations — including ed tech providers and public schools serving minors — should take all possible precautions to protect private data stored within their systems, as the possibility of being held financially liable after a data breach is growing. 

“Now a victim of a data breach no longer needs to wait to suffer a direct harm such as their identity is stolen, and they must pay credit card and bank fees resulting from the identity theft,” he said. “Instead, the fact that a company is a victim of a hack, and the data has been released on the dark web is enough to allow any victims of the breach to bring suit, even if they have not yet suffered any harm resulting from the breach.”

In the case of K–12 schools, Freier said, a data breach that resulted in the public disclosure of academic records or PII on the dark web would put the district in an increasingly hot seat, legally and financially.

“In the case of minors, the rights to educational records are controlled by the parents/guardians, and a cyberattack where educational records are exposed to a third party is a FERPA violation, so that means the school is not only dealing with a potential class-action but also a potential Department of Education investigation,” Freier said. 
About the Author

Kristal Kuykendall is editor, 1105 Media Education Group. She can be reached at [email protected].