Three lawsuits against Georgetown University concerning leaked student data were consolidated Nov. 13 to be presented to the United States District Court for the District of Columbia, the federal court in Washington, D.C.
The data breach, which occurred for 24 hours between 8 a.m. Oct. 16 and 8:30 a.m. Oct. 17, made available student information, including social security number, tax identification, marital status, disability status, immigration and visa status, ethnicity and gender. Mary Margaret “Maggie” Cleary (COL ’14) filed the initial class action lawsuit Oct. 18. Rebekah Morrison (CAS ’23) and Tyree Daniels (GRD ’19) each filed additional lawsuits, and the three were consolidated because each lawsuit regards the same issue and same defendant, Georgetown.
Georgetown’s legal counsel did not contest the consolidation of the lawsuits.
Lowey Dannenberg, P.C., a law firm based in New York, and Shub & Johns L.L.C., a law firm based in Pennsylvania, will be the lead counsel for the case.
The consolidated lawsuit is a class action lawsuit, meaning it seeks an unspecified amount of damages for the plaintiffs and “all others similarly situated.” The “similarly situated” in this lawsuit refers to others whose student data may have been accessible during the data breach, including current Georgetown students and recent graduates.
The consolidated lawsuit alleges that Georgetown was negligent in its handling of students’ private data and breached an “implied contract” between the university and its students and graduates.
The university disclosed the leak in an Oct. 17 email sent to the Georgetown community by Chief Information Officer Doug Little, ordering the 29 people who accessed the website during the time of the leak to destroy any data retained.
A university spokesperson declined to comment on the ongoing litigation.
Cleary, an attorney in Virginia, sued the university in her personal capacity as a graduate and is represented by the litigation firm Lowey Dannenberg, which declined requests for comment.
Cleary’s lawsuit says she faces anxiety from the leak due to concerns about access to her personal information.
“The Data Breach has caused the Plaintiff to suffer anxiety and stress from concerns that she faces an increased risk of financial fraud, identity theft, fraud and other types of monetary harm as a result of the stolen information,” the lawsuit reads.
Cleary’s lawsuit alleges the university has failed to appropriately inform those whom the lawsuit impacts.
“Defendant has yet to fully and accurately inform those affected of the full extent of the Data Breach,” Cleary’s lawsuit reads. “It is not clear how many total victims of the Data Breach that Defendant thus far notified, however such information will be deduced through discovery.”
Morrison is represented by Tycko & Zavareei L.L.P., a law firm in D.C. that specializes in class action and whistleblower lawsuits. The firm did not respond to requests for comment.
“Inexplicably, Georgetown has not yet fully or accurately informed those affected about the complete scope of the data breach,” Morrison’s lawsuit reads. “The Data Breach resulted from Georgetown’s inadequate security measures and failures, including insufficient protocols for safeguarding sensitive information. These vulnerabilities allowed unauthorized individuals to access Georgetown’s systems and extract the personal and academic data of potentially hundreds of thousands of individuals.”
“The data breach was directly caused by Georgetown’s flawed system configuration and design, along with its failure to implement and adhere to fundamental security protocols. This negligence allowed unauthorized access to sensitive information, making the breach both foreseeable and preventable,” Morrison’s lawsuit added.
Daniels’ representation is Lowey Dannenberg — the same representation as Cleary — and Shub & Johns. Shub & Johns did not respond to requests for comment.
“The Data Breach was a direct result of Defendant’s failure to implement adequate and reasonable cyber-security procedures and protocols necessary to protect its students’ Private Information,” Daniels’ lawsuit reads. “Defendant maintained the Private Information in a reckless manner. In particular, the Private Information was maintained on Defendant’s computer network in a condition vulnerable to Data Breaches.”
In their individual lawsuits, Cleary, Daniels and Morrison include charges of negligence, breach of implied contract and unjust enrichment. Daniels also alleges violations of the Illinois Consumer Fraud and Deceptive Business Practices Act.
Cleary’s lawsuit requests monetary damages and also urges the court to order the university to address weaknesses in personal data storage.
“Plaintiff seeks damage and injunctive relief requiring Defendant to (i) strengthen its data security systems and monitoring procedures; (ii) submit to future annual audits of those systems and monitoring procedures; and (iii) continue to provide adequate credit and identity theft monitoring to all Class Members,” the complaint reads.
Morrison’s lawsuit alleges that the university has disclosed little information about the data leak, saying the lack of information has forced students to remain concerned for the state of their data.
“These efforts are burdensome and time-consuming, especially because Georgetown has disclosed little information about the Data Breach, forcing customers to continue to monitor their accounts indefinitely,” Morrison’s lawsuit reads.