Data Security | News

U Hawaii Settles Data Breach Class Action Suit

• By Dian Schaffhauser
• 01/30/12

The University of Hawaii system has settled a class action lawsuit filed on behalf of 96,000 students, faculty, staff, and alumni who were part of five alleged data breaches at four institutions between 2009 and 2011. The university, which has denied liability in the settlement, will provide two years of credit monitoring and credit restoration services to those whose personal data was exposed online and participated in the lawsuit.

"We have researched more than 40 data breaches at colleges and universities across the country. In almost every instance, two years of credit monitoring and fraud restoration were offered to data breach victims," said Bruce Sherman, one of the attorneys representing the class involved in the lawsuit. "Offering two years of credit monitoring and fraud restoration services to breach victims should be the standard response by any breaching entity in Hawaii, including government agencies."

According to Thomas Grande, who worked with Sherman on the suit, credit monitoring services cost as much as $5 to $15 per month if purchased individually. "We are extremely pleased that the University has negotiated a settlement package that provides these services to every class member who wants them," Grande said.

However, that's a fraction of the cost to the organization that suffers a breach, according to research by privacy and security research firm Ponemon Institute. The results of its 2011 survey, "U.S. Cost of a Data Breach Study," estimated that American companies spend $214 per compromised record. That includes the direct costs of a breach, such as notification and legal defense expenses, but also indirect costs such as lost business due to customer churn.

The credit monitoring service for U Hawaii recipients will be provided by Kroll Background America. Under the terms of the settlement, potential recipients of the service will be notified by letter and email by March 1, 2012.

"The university continues to work diligently so that the chance of future data breaches is significantly reduced," the institution said in a statement. "Given the uncertainties and expense of litigation, the university believes this settlement is in the best interests of the university and its entire 'ohana.'"

Among the breaches was one in 2010 that exposed the Social Security numbers of about 40,000 students who attended the University of Hawaii Manoa. Another breach earlier that year involved 53,000 students, and a 2009 breach affected 15,487 parents and students.