When tallying damages associated with a ransomware attack, the initial focus is on calculating the costs of the six steps detailed in the NIST Computer Security Incident Handling Guide, which begin with initial detection and move to the postmortem stage as quickly as possible. Those costs are perhaps the easiest to calculate, given that they are typically limited in duration and tied to an obvious effort to gain control, stabilize operations, and return to business-as-usual.
The unfortunate reality is that damage totals will generally exceed these initial expenses, especially for entities like colleges and universities, where there are critical times when the resulting attack is much more than a mere inconvenience. Table 1 identifies the most recent ransomware attacks and the date of their reported event.
| Date | Academic Institution | Approximate Student Enrollment | NSA/DHS Center of Academic Excellence |
|---|---|---|---|
| 07/04/2022 | College of the Desert | 12,500 | |
| 06/10/2022 | Napa Valley College | 5,000 | |
| 05/16/2022 | Mercyhurst University | 3,000 | |
| 05/02/2022 | Kellogg Community College | 6,900 | |
| 04/27/2022 | Austin Peay State University | 9,500 | |
| 04/11/2022 | Florida International University | 48,500 | Yes |
| 03/11/2022 | North Carolina A & T University | 11,000 | Yes |
| 02/14/2022 | Centralia Community College | 3,000 | |
| 01/20/2022 | Ohlone College | 9,000 | Yes |
| 12/19/2021 | Lincoln College | 600 | |
| 12/05/2021 | Pellissippi State Community College | 10,500 | |
| 11/25/2021 | Lewis and Clark Community College | 9,000 | |
| 11/24/2021 | Butler County Community College | 12,500 | Yes |
| 10/02/2021 | Washington Adventist University | 800 | |
| 05/19/2021 | Sierra College | 18,000 | Yes |
This table represents a list of colleges and universities that have been hit by ransomware attacks. The task of compiling this list was made easier as a result of a “Publicly disclosed U.S. ransomware attacks database” maintained on the TechTarget website.
An approximate number of students for each institution is provided. Additionally, five of the institutions that have obtained the NSA/DHS designation as a Center of Academic Excellence are identified. With a third of the institutions listed holding this designation, it’s reasonable to expect that these institutions met specific requirements associated with obtaining this designation. This may indicate that some ransomware actors specifically target entities advertising this designation.
Lincoln College, a predominantly Black college listed in this table, closed its doors in May 2022, ending 157 years of operations as a consequence of the ransomware attack coupled with Covid-19-related issues. As noted in an article detailing the situation, the ransomware “seized up its networks and data” just as it came time to process applications and figure out enrollment for the next academic year. By the time those systems were fully restored, it was too late.
While there is no good time to face a ransomware attack, many of the attacks occurred near the end of a semester, when final exams are scheduled and final grades are due. During this time, students are also completing registration for the following semester and completing financial aid applications. What is important to recognize is that this potential interruption in services can have lasting consequences for faculty, staff, and students, with the number of people affected at least as large as the student enrollment shown above.
This information provides a fair opportunity to ask whether such situations justify the use of a class action lawsuit as a forum for recovering the damages alleged to have been suffered. Hints are available in the articles referenced above for Napa Valley College and Pellissippi State Community College. Both articles appear on law office websites. The Napa Valley article states:
“Experienced data breach and class action attorneys can help you exercise your rights, evaluate your options, and decide whether you should seek compensation under the CCPA or CMIA. There are no out-of-pocket costs to you, as we only get paid if we prevail.”
The Pellissippi article states:
“If evidence emerges that Pellissippi State Community College failed to meet its consumer privacy and data security obligations, the institution may be liable through a data breach class action lawsuit.”
Whether any of these colleges and universities will face the prospect of being a class action defendant is unknown at this time. What is known is that educational institutions have found themselves in this role before, particularly where medical records are involved. The list below was compiled by searching the database available on the ClassAction.Org website using the keyword “university”.

| Case Name and Filing Information | Description |
|---|---|
| Menezes v. The Regents of the University of California. Filed: 09/20/2021; § 3:21-CV-01641 | A class action has been filed over an alleged UC San Diego Health data breach in which hackers reportedly gained unauthorized access to employees’ email accounts. |
| Dinerstein v. Google, LLC et al. Filed: 06/26/2019; § 1:19-CV-04311 | Google and the University of Chicago are embroiled in a potential class action lawsuit over the search giant’s collection of a trove of patient medical information from the school’s medical center. |
| Ware et al. v. West Virginia University Medical Corporation. Filed: 07/11/2022; § 1:22-CV-00054 | A lawsuit claims that West Virginia University Medical Corp. failed to properly pay employees in the wake of a data breach that compromised its payroll system. |
| Pallotta et al. v. University of Massachusetts Memorial Medical Center et al. Filed: 03/09/2022; § 4:22-CV-10361 | A lawsuit claims the UMass Memorial Medical Center has failed to pay employees timely and accurate wages after a data breach crippled its payroll vendor. |
| Martinez v. University of Connecticut et al. Filed: 03/18/2019; § 3:19CV416 | The University of Connecticut and its teaching hospital face a class action after a data breach exposed the personal information of more than 326,000 patients. |
There are several reasons why initiating a class action lawsuit makes sense. As noted above in the table, the average enrollment for the 15 academic institutions is approximately 16,000 students. The floor for ransomware claims is often measured by the cost of providing credit monitoring services for a few years.
A single consumer’s out-of-pocket expense for such service would be approximately $20 to $25 per month. As noted in an article that discusses both the advantages and disadvantages of class action litigation, “the lower litigation costs will allow plaintiffs to seek relief who would not have found it financially prudent to do so in a traditional lawsuit.” With 16,000 students able to participate in a single lawsuit and not actually pay the cost of litigation, recovery of even a relatively minimal individual amount makes sense.
One possible way to avoid a class action filing may be to follow Lewis and Clark Community College’s approach by offering students credit monitoring service shortly after a ransomware attack is announced. Not only is this a reflection of the college’s concern and desire to protect those impacted by the attack, but it’s also a way to potentially reduce the possibility of a class action lawsuit being filed by lowering the number of possible claimants.