LCC Lawsuit

A lawsuit has been filed against Lansing Community College, alleging the school failed to properly secure personal information.


Case 1:23-cv-00738-PLM-RSK ECF No. 5, PageID.47 Filed 07/12/23 Page 1 of 42

UNITED STATES DISTRICT COURT
WESTERN DISTRICT OF MICHIGAN

IVORY WHITBY, individually and on behalf of all others similarly situated,

Plaintiff,

v.

LANSING COMMUNITY COLLEGE,

Defendant.

Case No. 1:23-cv-00738-PLM-RSK
Judge Paul L. Maloney
JURY TRIAL DEMANDED

FIRST AMENDED CLASS ACTION COMPLAINT

Plaintiff Ivory Whitby (“Plaintiff”) brings this Class Action Petition (“Petition”) against Lansing Community College (“LCC” or “Defendant”), as an individual and on behalf of all others similarly situated, and alleges, upon personal knowledge as to her own actions and her counsels’ investigation, and upon information and belief as to all other matters, as follows:

NATURE OF THE ACTION

1. Plaintiff brings this Petition against LCC for its failure to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices, including, but not limited to: full names and Social Security numbers (collectively, “personally identifiable information” or “PII”).

2. Defendant is "one of the largest community colleges in Michigan, serving more than 17,700 students each year."[1]

3. Upon information and belief, former and current students, employees, and applicants for admission or employment are required to entrust Defendant with an extensive amount of their PII, used for Defendant’s business, in order to enroll at LCC or be eligible for employment. Defendant retains this information for at least many years and even after the relationship has ended.

[1] https://www.lcc.edu/about/ (last accessed July 10, 2023).

4. "[O]n or around March 14, 2023," Defendant “became aware of suspicious activity on [its] computer network.”[2] In response, Defendant purports to have “immediately launched an investigation, with the assistance of third-party computer specialists.”[3] As a result of that investigation, Defendant concluded––on or about May 24, 2023––that "an unauthorized actor may have had access to certain systems" between "December 25, 2022 and March 15, 2023[.]"[4]

5. Defendant’s investigation concluded that the PII compromised in the Data Breach included Plaintiff’s and approximately 757,000 other individuals’ information.[5]

6. By obtaining, collecting, using, and deriving a benefit from the PII of Plaintiff and Class Members, Defendant assumed legal and equitable duties to those individuals to protect and safeguard that information from unauthorized access and intrusion.

7. Defendant failed to adequately protect Plaintiff’s and Class Members’ PII––and failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted PII was compromised due to Defendant’s negligent and/or careless acts and omissions and its utter failure to protect students’ sensitive data. Hackers targeted and obtained Plaintiff’s and Class Members’ PII because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk to victims of the Data Breach will remain for their respective lifetimes.

[2] The “Notice Letter”. A sample copy is available at https://apps.web.maine.gov/online/aeviewer/ME/40/9da7ece2-89a4-435a-916d-3ab465e03645.shtml (last accessed July 10, 2023).
[3] Id.
[4] Id.
[5] According to the report submitted to the Office of the Maine Attorney General, 757,832 individuals were impacted. See https://apps.web.maine.gov/online/aeviewer/ME/40/9da7ece2-89a4-435a-916d-3ab465e03645.shtml (last accessed July 10, 2023).

8. Plaintiff brings this action on behalf of all persons whose PII was compromised as a result of Defendant’s failure to: (i) adequately protect the PII of Plaintiff and Class Members; (ii) warn Plaintiff and Class Members of Defendant’s inadequate information security practices; and (iii) effectively secure hardware containing protected PII using reasonable and effective security procedures free of vulnerabilities and incidents. Defendant’s conduct amounts to negligence, at a minimum, and violates federal and state statutes.

9. Plaintiff and Class Members have suffered injury as a result of Defendant’s conduct. These injuries include: (a) invasion of privacy; (b) loss of time and loss of productivity incurred mitigating the materialized risk and imminent threat of identity theft risk; (c) the loss of benefit of the bargain (price premium damages); (d) diminution of value of their PII; and (e) the continued risk to their PII, which remains in the possession of Defendant, and which is subject to further breaches, so long as Defendant fails to undertake appropriate and adequate measures to protect Plaintiff’s and Class Members’ PII.

10. Defendant disregarded the rights of Plaintiff and Class Members by intentionally, willfully, recklessly, or negligently failing to implement and maintain adequate and reasonable measures to ensure that the PII of Plaintiff and Class Members was safeguarded, failing to take available steps to prevent an unauthorized disclosure of data, and failing to follow applicable, required, and appropriate protocols, policies, and procedures regarding the encryption of data, even for internal use. As a result, the PII of Plaintiff and Class Members was compromised through disclosure to an unknown and unauthorized third party.

11. Plaintiff and Class Members have a continuing interest in ensuring that their information is and remains safe, and they should be entitled to damages and injunctive and other equitable relief.

PARTIES

12. Plaintiff Ivory Whitby is a natural person, resident, and a citizen of Lansing, Michigan. Defendant obtained and continues to maintain Plaintiff Whitby’s PII, and Defendant owed her a legal duty and obligation to protect that PII from unauthorized access and disclosure. Plaintiff Whitby would not have entrusted her PII to Defendant had she known that Defendant failed to maintain adequate data security. Plaintiff’s PII was compromised and disclosed as a result of Defendant’s inadequate data security, which resulted in the Data Breach.

13. Defendant LCC is a Michigan-based community college with its principal place of business located at 411 North Grand Avenue, Lansing, Michigan 48933.

JURISDICTION AND VENUE

14. This Court has original jurisdiction over this action under the Class Action Fairness Act, 28 U.S.C. § 1332(d)(2) because at least one member of the putative Class, as defined below, is a citizen of a different state than Defendant,[6] there are more than 100 putative class members, and the amount in controversy exceeds $5 million exclusive of interest and costs.

15. This Court has general personal jurisdiction over Defendant because it maintains its principal place of business in this District, regularly conducts business in Michigan, and has sufficient minimum contacts in Michigan. Defendant intentionally availed itself of this jurisdiction by marketing and selling its services from Michigan to many businesses nationwide.

[6] According to the report submitted to the Office of the Maine Attorney General, 138 Maine residents were impacted in the Data Breach. See https://apps.web.maine.gov/online/aeviewer/ME/40/9da7ece2-89a4-435a-916d-3ab465e03645.shtml (last visited July 10, 2023).

16. Venue is proper in this Court pursuant to 28 U.S.C. § 1391(b) because Defendant's principal place of business is in this District and a substantial part of the events, acts, and omissions giving rise to Plaintiff’s claims occurred in this District.

FACTUAL ALLEGATIONS

Defendant’s Business

17. Defendant is "one of the largest community colleges in Michigan, serving more than 17,700 students each year."[7]

18. Plaintiff and Class Members are or were students and/or student applicants at LCC or provided Defendant with the relevant PII for some other purpose (e.g., employment or application for employment or study).

19. To enroll in classes or other programs at Defendant, Plaintiff and Class Members were required to provide sensitive and confidential PII, including but not limited to: their names, and Social Security numbers. The same or similar information was provided by other victims of this Data Breach, including employees of Defendant or applicants for employment or admission.

20. Upon information and belief, Defendant made promises and representations to its students, including Plaintiff and Class Members, that the PII collected from them as a condition of enrollment would be kept safe, confidential, that the privacy of that information would be maintained, and that Defendant would delete any sensitive information after it was no longer required to maintain it.

21. Indeed, the Privacy Statement posted on Defendant's website provides that: “LCC uses appropriate technical and organizational security measures to protect your information when you transmit it to the College and when the College stores it on its information technology systems."[8]

[7] https://www.lcc.edu/about/ (last accessed July 10, 2023).

22. Plaintiff and Class Members relied on the sophistication of Defendant to keep their PII confidential and securely maintained, to use this information for necessary purposes only, and to make only authorized disclosures of this information. Plaintiff and Class Members demand security to safeguard their PII.

23. Defendant had a duty to adopt reasonable measures to protect the PII of Plaintiff and Class Members from involuntary disclosure to third parties.

24. Defendant had obligations created by the FTC Act, contract, industry standards, common law, and representations made to Plaintiff and Class Members, to keep their PII confidential and to protect it from unauthorized access and disclosure.

25. Plaintiff and Class Members provided their PII to Defendant with the reasonable expectation and mutual understanding that Defendant would comply with its obligations to keep such information confidential and secure from unauthorized access.

The Data Breach

26. On or about June 30, 2023, Defendant began sending Plaintiff and other victims of the Data Breach a Notice of Security Incident (the "Notice Letter") informing them that:

What Happened? On or around March 14, 2023, LCC became aware of suspicious activity on our computer network. LCC immediately launched an investigation, with the assistance of third-party computer specialists. Through our investigation, we determined that, between December 25, 2022 and March 15, 2023, an unauthorized actor may have had access to certain systems. In an abundance of caution, LCC reviewed the information on those systems to confirm what information is contained within, and to whom it relates. This process was completed on May 24, 2023. We are notifying you because information related to you was present on the impacted systems.

What Information Was Involved? Our investigation determined the following types of your information may have been impacted by this incident: your name and Social Security number. At this time, we have no indication that your information was subject to actual or attempted misuse as a result of this incident.

What We Are Doing. Data privacy and security are among LCC’s highest priorities, and we have measures in place to help protect information in LCC’s care. Upon discovery, LCC promptly commenced an investigation with the assistance of third-party computer specialists to confirm the nature and scope of this incident. This investigation and response included confirming the security of our systems, reviewing the contents of relevant data for sensitive information, and notifying impacted individuals associated with that sensitive information. As part of our ongoing commitment to the privacy of information in our care, we are reviewing our policies procedures and processes related to the storage and access of personal information to reduce the likelihood of a similar future event. We will also notify applicable regulatory authorities, as required by law. In addition, we notified law enforcement and are cooperating with its investigation.

As an added precaution, we are also offering 12 months of complimentary access to identity monitoring services through Kroll. Individuals who wish to receive these services must activate by following the attached activation instructions.[9]

[8] https://www.lcc.edu/privacy/index.html (last accessed July 10, 2023).

27. Omitted from the Notice Letter were any explanation as to why Defendant did not detect the Data Breach for nearly three months after the breach began, any explanation as to why it took Defendant over three months to inform victims of the Data Breach's occurrence after Defendant detected the cyberattack, the details of the root cause of the Data Breach, the vulnerabilities exploited, and the remedial measures undertaken to ensure such a breach does not occur again. To date, these omitted details have not been explained or clarified to Plaintiff and Class Members, who retain a vested interest in ensuring that their PII remains protected.

28. This “disclosure” amounts to no real disclosure at all, as it fails to inform, with any degree of specificity, Plaintiff and Class Members of the Data Breach’s critical facts. Without these details, Plaintiff's and Class Members’ ability to mitigate the harms resulting from the Data Breach is severely diminished.

29. Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were maintaining for Plaintiff and Class Members, causing the exposure of PII, such as encrypting the information or deleting it when it is no longer needed.

[9] Notice Letter.

30. The attacker accessed and acquired files in Defendant's computer systems containing unencrypted PII of Plaintiff and Class Members, including their names and Social Security numbers. Plaintiff's and Class Members’ PII was accessed and stolen in the Data Breach.

31. Plaintiff further believes her PII, and that of Class Members, was subsequently sold on the dark web following the Data Breach, as that is the modus operandi of cybercriminals that commit cyber-attacks of this type.

Data Breaches Are Preventable

32. Defendant did not use reasonable security procedures and practices appropriate to the nature of the sensitive information they were maintaining for Plaintiff and Class Members, causing the exposure of PII, such as encrypting the information or deleting it when it is no longer needed.

33. As explained by the Federal Bureau of Investigation, “[p]revention is the most effective defense against ransomware and it is critical to take precautions for protection.”[10]

34. To prevent and detect cyber-attacks and/or ransomware attacks Defendant could and should have implemented, as recommended by the United States Government, the following measures:

- Implement an awareness and training program. Because end users are targets, employees and individuals should be aware of the threat of ransomware and how it is delivered.
- Enable strong spam filters to prevent phishing emails from reaching the end users and authenticate inbound email using technologies like Sender Policy Framework (SPF), Domain Message Authentication Reporting and Conformance (DMARC), and DomainKeys Identified Mail (DKIM) to prevent email spoofing.
- Scan all incoming and outgoing emails to detect threats and filter executable files from reaching end users.
- Configure firewalls to block access to known malicious IP addresses.
- Patch operating systems, software, and firmware on devices. Consider using a centralized patch management system.
- Set anti-virus and anti-malware programs to conduct regular scans automatically.
- Manage the use of privileged accounts based on the principle of least privilege: no users should be assigned administrative access unless absolutely needed; and those with a need for administrator accounts should only use them when necessary.
- Configure access controls—including file, directory, and network share permissions—with least privilege in mind. If a user only needs to read specific files, the user should not have write access to those files, directories, or shares.
- Disable macro scripts from office files transmitted via email. Consider using Office Viewer software to open Microsoft Office files transmitted via email instead of full office suite applications.
- Implement Software Restriction Policies (SRP) or other controls to prevent programs from executing from common ransomware locations, such as temporary folders supporting popular Internet browsers or compression/decompression programs, including the AppData/LocalAppData folder.
- Consider disabling Remote Desktop protocol (RDP) if it is not being used.
- Use application whitelisting, which only allows systems to execute programs known and permitted by security policy.
- Execute operating system environments or specific programs in a virtualized environment.
- Categorize data based on organizational value and implement physical and logical separation of networks and data for different organizational units.[11]

[10] How to Protect Your Networks from RANSOMWARE, at 3, available at: https://www.fbi.gov/file-repository/ransomware-prevention-and-response-for-cisos.pdf/view (last visited Oct. 17, 2022).
[11] Id. at 3–4.
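The email authentication item in the list above (SPF, DKIM, DMARC) only prevents spoofing if the published records actually enforce a policy: an SPF record ending in `+all` or a DMARC record with `p=none` is a monitoring-only configuration that still delivers forged mail. The Python script below is an added illustration, not code from the complaint or from the FBI guidance it cites. It parses SPF and DMARC TXT record strings offline and classifies each domain as enforcing, weak, or missing; the `Finding` type, the `assess` function, and the sample records for the placeholder domains example.edu and example.net are the example's own constructions. A real check would fetch the TXT records for the domain and for `_dmarc.<domain>` over DNS and feed them to `assess`.

```python
"""Offline check of SPF and DMARC TXT records for enforcement strength.

Added example; not part of the complaint or any source it cites. The
record strings at the bottom are constructed samples, not live records.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Mechanisms and modifiers that cost a DNS lookup (RFC 7208 section 4.6.4
# caps an SPF evaluation at 10; beyond that evaluators return permerror).
SPF_LOOKUP_TERMS = {"include", "a", "mx", "ptr", "exists", "redirect"}
SPF_LOOKUP_LIMIT = 10
SEVERITY_RANK = {"ok": 0, "weak": 1, "missing": 2}


@dataclass
class Finding:
    record: str    # "SPF" or "DMARC"
    severity: str  # "ok", "weak" or "missing"
    detail: str


def parse_spf(txt: Optional[str]) -> List[Finding]:
    """Classify an SPF record by what it does with senders it does not list."""
    if not txt or not txt.lower().startswith("v=spf1"):
        return [Finding("SPF", "missing", "no v=spf1 record published")]
    terms = txt.split()[1:]
    findings: List[Finding] = []
    # The 'all' mechanism decides the result for any sender no earlier term matched.
    all_terms = [t for t in terms if t.lstrip("+-~?").lower() == "all"]
    if not all_terms:
        findings.append(Finding("SPF", "weak", "no 'all' term: unlisted senders get a neutral result"))
    else:
        qual = all_terms[-1][0] if all_terms[-1][0] in "+-~?" else "+"
        if qual == "-":
            findings.append(Finding("SPF", "ok", "-all: unlisted senders fail"))
        elif qual == "~":
            findings.append(Finding("SPF", "ok", "~all: softfail; DMARC must supply the reject"))
        else:
            findings.append(Finding("SPF", "weak", f"'{qual}all' lets any source pass"))
    # Count lookup-causing terms; 'include:x', 'a', 'mx', 'redirect=x' all count.
    lookups = 0
    for t in terms:
        name = t.lstrip("+-~?").split(":", 1)[0].split("=", 1)[0].lower()
        if name in SPF_LOOKUP_TERMS:
            lookups += 1
    if lookups > SPF_LOOKUP_LIMIT:
        findings.append(Finding("SPF", "weak",
                                f"{lookups} DNS-lookup terms exceed the limit of {SPF_LOOKUP_LIMIT}; "
                                "evaluators return permerror and apply no policy"))
    return findings


def parse_dmarc(txt: Optional[str]) -> List[Finding]:
    """Classify a DMARC record by policy, sampling, subdomain policy and reporting."""
    if not txt or not txt.lower().startswith("v=dmarc1"):
        return [Finding("DMARC", "missing", "no v=DMARC1 record at _dmarc.<domain>")]
    tags = {}
    for part in txt.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    findings: List[Finding] = []
    policy = tags.get("p", "").lower()
    if policy in ("reject", "quarantine"):
        findings.append(Finding("DMARC", "ok", f"p={policy} is enforced on failing mail"))
    elif policy == "none":
        findings.append(Finding("DMARC", "weak", "p=none only monitors; spoofed mail is still delivered"))
    else:
        findings.append(Finding("DMARC", "missing", "required 'p' tag absent or invalid"))
    pct_raw = tags.get("pct", "100")
    pct = int(pct_raw) if pct_raw.isdigit() else 100
    if policy in ("reject", "quarantine") and pct < 100:
        findings.append(Finding("DMARC", "weak", f"pct={pct}: policy applies to only {pct}% of failing mail"))
    if "rua" not in tags:
        findings.append(Finding("DMARC", "weak", "no rua= address: no aggregate reports to spot abuse"))
    if tags.get("sp", "").lower() == "none" and policy != "none":
        findings.append(Finding("DMARC", "weak", "sp=none leaves subdomains unprotected"))
    return findings


def assess(spf_txt: Optional[str], dmarc_txt: Optional[str]) -> Tuple[str, List[Finding]]:
    """Overall severity (worst finding) plus the individual findings."""
    findings = parse_spf(spf_txt) + parse_dmarc(dmarc_txt)
    overall = max((f.severity for f in findings), key=SEVERITY_RANK.__getitem__)
    return overall, findings


# Constructed sample records for placeholder domains (not real published records).
WEAK_SPF = "v=spf1 include:_spf.example.net +all"
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.edu"
STRONG_SPF = "v=spf1 ip4:192.0.2.0/24 include:_spf.example.net -all"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.edu"

if __name__ == "__main__":
    for label, spf, dmarc in (("weak", WEAK_SPF, WEAK_DMARC), ("strong", STRONG_SPF, STRONG_DMARC)):
        overall, findings = assess(spf, dmarc)
        print(f"{label}: overall={overall}")
        for f in findings:
            print(f"  [{f.record}/{f.severity}] {f.detail}")
```

The `~all` case is rated acceptable only because DMARC, not SPF, decides what a receiver does with a softfail; a domain with `~all` and `p=none` is therefore reported as weak by the DMARC half of the check.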

35. To prevent and detect cyber-attacks or ransomware attacks Defendant could and should have implemented, as recommended by the Microsoft Threat Protection Intelligence Team, the following measures:

Secure internet-facing assets
- Apply latest security updates
- Use threat and vulnerability management
- Perform regular audit; remove privileged credentials;

Thoroughly investigate and remediate alerts
- Prioritize and treat commodity malware infections as potential full compromise;
- Include IT Pros in security discussions
- Ensure collaboration among [security operations], [security admins], and [information technology] admins to configure servers and other endpoints securely;

Build credential hygiene
- Use [multifactor authentication] or [network level authentication] and use strong, randomized, just-in-time local admin passwords;

Apply principle of least-privilege
- Monitor for adversarial activities
- Hunt for brute force attempts
- Monitor for cleanup of Event Logs
- Analyze logon events;

Harden infrastructure
- Use Windows Defender Firewall
- Enable tamper protection
- Enable cloud-delivered protection
- Turn on attack surface reduction rules and [Antimalware Scan Interface] for Office [Visual Basic for Applications].[12]

[12] See Human-operated ransomware attacks: A preventable disaster (Mar 5, 2020), available at: https://www.microsoft.com/security/blog/2020/03/05/human-operated-ransomware-attacks-a-preventable-disaster/ (last visited Oct. 17, 2022).

36. Given that Defendant was storing the PII of its current and former students, employees, student applicants, and employee applicants, Defendant could and should have implemented all of the above measures to prevent and detect cyberattacks.
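Three items in the Microsoft list above (hunt for brute force attempts, monitor for cleanup of Event Logs, analyze logon events) are detection work rather than configuration, and the complaint's point about a three-month dwell time is exactly what such detections exist to shorten. The Python below is an added example, not code from the complaint or from the cited Microsoft post. It runs those three checks over Windows Security log records: a sliding-window count of failed logons per source, a successful logon from a source that was just brute-forcing, and the audit-log-cleared event. The event IDs 4625, 4624 and 1102 are standard Windows Security event IDs; the host name, addresses, user names and timestamps in `SAMPLE_EVENTS` are constructed for the example and the `detect` function and its field names are the example's own.

```python
"""Detection rules over Windows Security log records: failed-logon bursts,
a success from a source that was just brute-forcing, and log clearing.
Added example; the records below are constructed, not from any real system."""
from collections import defaultdict, deque
from datetime import datetime, timedelta
from typing import Deque, Dict, List, Tuple

EVENT_LOGON_SUCCESS = 4624  # standard Windows Security event IDs
EVENT_LOGON_FAILED = 4625
EVENT_LOG_CLEARED = 1102


def parse_ts(value: str) -> datetime:
    return datetime.strptime(value, "%Y-%m-%dT%H:%M:%S")


def detect(events: List[Dict], threshold: int = 5,
           window: timedelta = timedelta(seconds=60)) -> List[Dict]:
    """Return alerts in time order. A brute-force alert fires once per
    (host, source_ip) when `threshold` failed logons fall inside `window`."""
    alerts: List[Dict] = []
    # sliding window of failed-logon timestamps per (host, source_ip)
    recent: Dict[Tuple[str, str], Deque[datetime]] = defaultdict(deque)
    flagged = set()  # sources already reported as brute-forcing
    for ev in sorted(events, key=lambda e: e["time"]):
        ts = parse_ts(ev["time"])
        key = (ev["host"], ev.get("source_ip", "-"))
        if ev["event_id"] == EVENT_LOG_CLEARED:
            # 1102 is written by the audit subsystem itself when the Security log is cleared
            alerts.append({"rule": "security_log_cleared", "time": ev["time"],
                           "host": ev["host"], "user": ev.get("user", "?")})
        elif ev["event_id"] == EVENT_LOGON_FAILED:
            bucket = recent[key]
            bucket.append(ts)
            while bucket and ts - bucket[0] > window:
                bucket.popleft()
            if len(bucket) >= threshold and key not in flagged:
                flagged.add(key)
                alerts.append({"rule": "logon_brute_force", "time": ev["time"],
                               "host": ev["host"], "source_ip": key[1],
                               "count": len(bucket)})
        elif ev["event_id"] == EVENT_LOGON_SUCCESS and key in flagged:
            # a success right after a burst of failures is the signal worth paging on
            alerts.append({"rule": "success_after_brute_force", "time": ev["time"],
                           "host": ev["host"], "source_ip": key[1],
                           "user": ev.get("user", "?")})
    return alerts


def _ev(time, event_id, host, source_ip=None, user=None):
    rec = {"time": time, "event_id": event_id, "host": host}
    if source_ip:
        rec["source_ip"] = source_ip
    if user:
        rec["user"] = user
    return rec


# Constructed sample records (host, addresses and users are made up).
SAMPLE_EVENTS = [
    # two scattered failures from a workstation: ordinary typos, below threshold
    _ev("2023-03-01T01:50:00", 4625, "FS01", "10.0.0.5", "jdoe"),
    _ev("2023-03-01T01:58:00", 4625, "FS01", "10.0.0.5", "jdoe"),
    # six failures in 25 seconds from one external address
    *[_ev(f"2023-03-01T02:00:{5 * i:02d}", 4625, "FS01", "198.51.100.7", "administrator")
      for i in range(6)],
    # then a success from that same address
    _ev("2023-03-01T02:00:40", 4624, "FS01", "198.51.100.7", "administrator"),
    # and the Security log is cleared a few minutes later
    _ev("2023-03-01T02:05:00", 1102, "FS01", user="administrator"),
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The threshold and window are deliberately parameters: a file server that accepts interactive logons from the whole campus needs a different setting than a domain controller, and tuning them against a week of real 4625 volume is the first step before the rule goes live.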

37. The occurrence of the Data Breach indicates that Defendant failed to adequately implement one or more of the above measures to prevent cyberattacks, resulting in the Data Breach and the exposure of the PII of over seven hundred thousand individuals, including that of Plaintiff and Class Members.

Defendant Acquires, Collects, and Stores Plaintiff's and Class Members' PII

38. Defendant has historically acquired, collected, and stored the PII of Plaintiff and Class Members.

39. As a condition to enroll, apply for enrollment, or obtain employment at LCC, Plaintiff and Class Members are required to give their sensitive and confidential PII to Defendant. Defendant retains this information even after the relationship has ended and Defendant is no longer required to retain this information.

40. By obtaining, collecting, and storing the PII of Plaintiff and Class Members, Defendant assumed legal and equitable duties and knew or should have known that they were responsible for protecting the PII from disclosure.

41. Plaintiff and Class Members have taken reasonable steps to maintain the confidentiality of their PII and relied on Defendant to keep their PII confidential and maintained securely, to use this information for business purposes only, and to make only authorized disclosures of this information.

42. Defendant could have prevented this Data Breach by properly securing and encrypting the files and file servers containing the PII of Plaintiff and Class Members.

43. Defendant’s negligence in safeguarding the PII of Plaintiff and Class Members is exacerbated by the repeated warnings and alerts directed to protecting and securing sensitive data.

Defendant Knew or Should Have Known of the Risk because Educational Providers in Possession of PII are Particularly Susceptible to Cyber Attacks

44. Defendant’s data security obligations were particularly important given the substantial increase in cyber-attacks and/or data breaches targeting entities that collect and store PII, like Defendant, preceding the date of the breach.

45. Data breaches, including those perpetrated against educational institutions that store PII in their systems, have become widespread.

46. In 2021, a record 1,862 data breaches occurred, resulting in approximately 293,927,708 sensitive records being exposed, a 68% increase from 2020.[13]

47. The 330 breaches reported in 2021 exposed nearly 30 million sensitive records (28,045,658), compared to only 306 breaches that exposed nearly 10 million sensitive records (9,700,238) in 2020.[14]

48. Indeed, cyber-attacks, such as the one experienced by Defendant, have become so notorious that the Federal Bureau of Investigation (“FBI”) and U.S. Secret Service have issued a warning to potential targets so they are aware of, and prepared for, a potential attack. As one report explained, smaller entities that store PII are “attractive to ransomware criminals…because they often have lesser IT defenses and a high incentive to regain access to their data quickly.”[15]

[13] See 2021 Data Breach Annual Report (ITRC, Jan. 2022) (available at https://notified.idtheftcenter.org/s/), at 6.
[14] Id.
[15] https://www.law360.com/consumerprotection/articles/1220974/fbi-secret-service-warn-of-targeted-ransomware?nl_pk=3ed44a08-fcc2-4b6c-89f0-aa0155a8bb51&utm_source=newsletter&utm_medium=email&utm_campaign=consumerprotection (last accessed Oct. 17, 2022).

49. Despite the prevalence of public announcements of data breach and data security compromises, Defendant failed to take appropriate steps to protect the PII of Plaintiff and Class Members from being compromised.

50. Defendant knew and understood unprotected or exposed PII in the custody of educational institutions, like Defendant, is valuable and highly sought after by nefarious third parties seeking to illegally monetize that PII through unauthorized access.

51. At all relevant times, Defendant knew, or reasonably should have known, of the importance of safeguarding the PII of Plaintiff and Class Members and of the foreseeable consequences that would occur if Defendant’s data security system was breached, including, specifically, the significant costs that would be imposed on Plaintiff and Class Members as a result of a breach.

52. Plaintiff and Class Members now face years of constant surveillance of their financial and personal records, monitoring, and loss of rights. The Class is incurring and will continue to incur such damages in addition to any fraudulent use of their PII.

53. Defendant was, or should have been, fully aware of the unique type and the significant volume of data on Defendant’s server(s), amounting to potentially hundreds of thousands of individuals’ detailed PII, and, thus, the significant number of individuals who would be harmed by the exposure of the unencrypted data.

54. In the Notice Letter, Defendant makes an offer of 12 months of identity monitoring services. This is wholly inadequate to compensate Plaintiff and Class Members as it fails to provide for the fact that victims of data breaches and other unauthorized disclosures commonly face multiple years of ongoing identity theft, medical and financial fraud, and it entirely fails to provide sufficient compensation for the unauthorized release and disclosure of Plaintiff’s and Class Members’ PII.

55. That Defendant is encouraging its current and former students and other personnel to enroll in credit monitoring and identity theft restoration services is an acknowledgment that the impacted individuals are subject to a substantial and imminent threat of fraud and identity theft.

56. The injuries to Plaintiff and Class Members were directly and proximately caused by Defendant’s failure to implement or maintain adequate data security measures for the PII of Plaintiff and Class Members.

57. The ramifications of Defendant’s failure to keep secure the PII of Plaintiff and Class Members are long lasting and severe. Once PII is stolen––particularly Social Security numbers––fraudulent use of that information and damage to victims may continue for years.

58. As an educational provider in custody of students’, employees’, and employee applicants’ PII, Defendant knew, or should have known, the importance of safeguarding PII entrusted to them by Plaintiff and Class Members, and of the foreseeable consequences if its data security systems were breached. This includes the significant costs imposed on Plaintiff and Class Members as a result of a breach. Defendant failed, however, to take adequate cybersecurity measures to prevent the Data Breach.

Value of Personally Identifiable Information

59. The Federal Trade Commission (“FTC”) defines identity theft as “a fraud committed or attempted using the identifying information of another person without authority.”[16] The FTC describes “identifying information” as “any name or number that may be used, alone or in conjunction with any other information, to identify a specific person,” including, among other things, “[n]ame, Social Security number, date of birth, official State or government issued driver’s license or identification number, alien registration number, government passport number, employer or taxpayer identification number.”[17]

[16] 17 C.F.R. § 248.201 (2013).

60. The PII of individuals remains of high value to criminals, as evidenced by the prices they will pay through the dark web. Numerous sources cite dark web pricing for stolen identity credentials.[18] For example, Personal Information can be sold at a price ranging from $40 to $200, and bank details have a price range of $50 to $200.[19] Criminals can also purchase access to entire company data breaches from $900 to $4,500.[20]

61. Social Security numbers, which were compromised for some of the Class Members as alleged herein, for example, are among the worst kind of PII to have stolen because they may be put to a variety of fraudulent uses and are difficult for an individual to change. The Social Security Administration stresses that the loss of an individual’s Social Security number, as is the case here, can lead to identity theft and extensive financial fraud:

A dishonest person who has your Social Security number can use it to get other personal information about you. Identity thieves can use your number and your good credit to apply for more credit in your name. Then, they use the credit cards and don’t pay the bills, it damages your credit. You may not find out that someone is using your number until you’re turned down for credit, or you begin to get calls from unknown creditors demanding payment for items you never bought. Someone illegally using your Social Security number and assuming your identity can cause a lot of problems.[21]

[17] Id.
[18] Your personal data is for sale on the dark web. Here’s how much it costs, Digital Trends, Oct. 16, 2019, available at: https://www.digitaltrends.com/computing/personal-data-sold-on-the-dark-web-how-much-it-costs/ (last visited Oct. 17, 2022).
[19] Here’s How Much Your Personal Information Is Selling for on the Dark Web, Experian, Dec. 6, 2017, available at: https://www.experian.com/blogs/ask-experian/heres-how-much-your-personal-information-is-selling-for-on-the-dark-web/ (last visited Oct. 17, 2022).
[20] In the Dark, VPNOverview, 2019, available at: https://vpnoverview.com/privacy/anonymous-browsing/in-the-dark/ (last visited Oct. 17, 2022).
[21] Social Security Administration, Identity Theft and Your Social Security Number, available at: https://www.ssa.gov/pubs/EN-05-10064.pdf (last visited Oct. 17, 2022).

62. What’s more, it is no easy task to change or cancel a stolen Social Security number. An individual cannot obtain a new Social Security number without significant paperwork and evidence of actual misuse. In other words, preventive action to defend against the possibility of misuse of a Social Security number is not permitted; an individual must show evidence of actual, ongoing fraud activity to obtain a new number.

63. Even then, a new Social Security number may not be effective. According to Julie Ferguson of the Identity Theft Resource Center, “[t]he credit bureaus and banks are able to link the new number very quickly to the old number, so all of that old bad information is quickly inherited into the new Social Security number.”[22]

64. Based on the foregoing, the information compromised in the Data Breach is significantly more valuable than the loss of, for example, credit card information in a retailer data breach because, there, victims can cancel or close credit and debit card accounts. The information compromised in this Data Breach is impossible to “close” and difficult, if not impossible, to change—Social Security number, name, and date of birth.

65. This data demands a much higher price on the black market. Martin Walter,

senior director at cybersecurity firm RedSeal, explained, “Compared to credit card information,

personally identifiable information and Social Security numbers are worth more than 10x on

the black market.”23

66. Among other forms of fraud, identity thieves may obtain driver’s licenses, government benefits, medical services, and housing or even give false information to police.

22 Bryan Naylor, Victims of Social Security Number Theft Find It’s Hard to Bounce Back, NPR (Feb. 9, 2015), available at: http://www.npr.org/2015/02/09/384875839/data-stolen-by-anthem-s-hackers-has-millionsworrying-about-identity-theft (last visited Oct. 17, 2022).
23 Tim Greene, Anthem Hack: Personal Data Stolen Sells for 10x Price of Stolen Credit Card Numbers, IT World (Feb. 6, 2015), available at: https://www.networkworld.com/article/2880366/anthem-hack-personal-data-stolen-sells-for-10x-price-of-stolen-credit-card-numbers.html (last visited Oct. 17, 2022).

67. The fraudulent activity resulting from the Data Breach may not come to light for

years. There may be a time lag between when harm occurs versus when it is discovered, and

also between when PII is stolen and when it is used. According to the U.S. Government

Accountability Office (“GAO”), which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to
a year or more before being used to commit identity theft. Further, once stolen data have
been sold or posted on the Web, fraudulent use of that information may continue for
years. As a result, studies that attempt to measure the harm resulting from data breaches
cannot necessarily rule out all future harm. 24

Defendant Fails to Comply with FTC Guidelines

68. The Federal Trade Commission (“FTC”) has promulgated numerous guides for

businesses which highlight the importance of implementing reasonable data security practices.

According to the FTC, the need for data security should be factored into all business decision-

making.

69. In 2016, the FTC updated its publication, Protecting Personal Information: A

Guide for Business, which established cyber-security guidelines for businesses. These guidelines

note that businesses should protect the personal customer information that they keep; properly

dispose of personal information that is no longer needed; encrypt information stored on computer

networks; understand their network’s vulnerabilities; and implement policies to correct any

security problems.25

70. The guidelines also recommend that businesses use an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone is attempting to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach. 26

24 Report to Congressional Requesters, GAO, at 29 (June 2007), available at: https://www.gao.gov/assets/gao-07-737.pdf (last visited Oct. 17, 2022).
25 Protecting Personal Information: A Guide for Business, Federal Trade Commission (2016), available at: https://www.ftc.gov/system/files/documents/plain-language/pdf-0136_proteting-personal-information.pdf (last visited Oct. 17, 2022).

71. The FTC further recommends that companies not maintain PII longer than is

needed for authorization of a transaction; limit access to sensitive data; require complex

passwords to be used on networks; use industry-tested methods for security; monitor for

suspicious activity on the network; and verify that third-party service providers have

implemented reasonable security measures.

72. The FTC has brought enforcement actions against businesses for failing to

adequately and reasonably protect customer data, treating the failure to employ reasonable and

appropriate measures to protect against unauthorized access to confidential consumer data as an

unfair act or practice prohibited by Section 5 of the Federal Trade Commission Act (“FTCA”),

15 U.S.C. § 45. Orders resulting from these actions further clarify the measures businesses must

take to meet their data security obligations.

73. These FTC enforcement actions include actions against higher educational

institutions.

74. Defendant failed to properly implement basic data security practices.

75. Defendant’s failure to employ reasonable and appropriate measures to protect

against unauthorized access to customers’ PII constitutes an unfair act or practice prohibited by

Section 5 of the FTC Act, 15 U.S.C. § 45.

76. Upon information and belief, Defendant was at all times fully aware of its obligation to protect the PII of its students, employees, and other personnel. Defendant was also aware of the significant repercussions that would result from its failure to do so.

26 Id.

Defendant Fails to Comply with Industry Standards

77. As noted above, experts studying cyber security routinely identify entities in possession of PII as being particularly vulnerable to cyberattacks because of the value of the PII which they collect and maintain.

78. Several best practices have been identified that, at a minimum, should be implemented by educational institutions in possession of PII, like Defendant, including but not limited to: educating all employees; strong passwords; multi-layer security, including firewalls, anti-virus, and anti-malware software; encryption, making data unreadable without a key; multi-factor authentication; backing up data; and limiting which employees can access sensitive data. Defendant failed to follow these industry best practices, including a failure to implement multi-factor authentication.

79. Other best cybersecurity practices that are standard in the higher-education industry include installing appropriate malware detection software; monitoring and limiting the network ports; protecting web browsers and email management systems; setting up network systems such as firewalls, switches and routers; monitoring and protection of physical security systems; protecting communication systems; and training staff regarding critical points. Defendant failed to follow these cybersecurity best practices, including failure to train staff.

80. Defendant failed to meet the minimum standards of any of the following frameworks: the NIST Cybersecurity Framework Version 1.1 (including without limitation PR.AC-1, PR.AC-3, PR.AC-4, PR.AC-5, PR.AC-6, PR.AC-7, PR.AT-1, PR.DS-1, PR.DS-5, PR.PT-1, PR.PT-3, DE.CM-1, DE.CM-4, DE.CM-7, DE.CM-8, and RS.CO-2), and the Center for Internet Security’s Critical Security Controls (CIS CSC), which are all established standards in reasonable cybersecurity readiness.

81. These foregoing frameworks are existing and applicable industry standards in the

higher education industry, and upon information and belief, Defendant failed to comply with at

least one––or all––of these accepted standards, thereby opening the door to the threat actor and

causing the Data Breach.

COMMON INJURIES & DAMAGES

82. As a result of Defendant’s ineffective and inadequate data security practices, the

Data Breach, and the foreseeable consequences of PII ending up in the possession of criminals,

the risk of identity theft to the Plaintiff and Class Members has materialized and is imminent, and

Plaintiff and Class Members have all sustained actual injuries and damages, including: (a)

invasion of privacy; (b) loss of time and loss of productivity incurred mitigating the materialized

risk and imminent threat of identity theft risk; (c) the loss of benefit of the bargain (price premium

damages); (d) diminution of value of their PII; and (e) the continued risk to their PII, which

remains in the possession of Defendant, and which is subject to further breaches, so long as

Defendant fails to undertake appropriate and adequate measures to protect Plaintiff’s and Class

Members’ PII.

The Data Breach Increases Plaintiff’s and Class Member’s Risk of Identity Theft

83. The unencrypted PII of Plaintiff and Class Members will end up for sale on the

dark web as that is the modus operandi of hackers.

84. In addition, unencrypted PII may fall into the hands of companies that will use the

detailed PII for targeted marketing without the approval of Plaintiff and Class Members.

Unauthorized individuals can easily access the PII of Plaintiff and Class Members.


85. The link between a data breach and the risk of identity theft is simple and well

established. Criminals acquire and steal PII to monetize the information. Criminals monetize the

data by selling the stolen information on the black market to other criminals who then utilize the

information to commit a variety of identity theft related crimes discussed below.

86. Because a person’s identity is akin to a puzzle with multiple data points, the more

accurate pieces of data an identity thief obtains about a person, the easier it is for the thief to take

on the victim’s identity--or track the victim to attempt other hacking crimes against the individual

to obtain more data to perfect a crime.

87. For example, armed with just a name and date of birth, a data thief can utilize a

hacking technique referred to as “social engineering” to obtain even more information about a

victim’s identity, such as a person’s login credentials or Social Security number. Social

engineering is a form of hacking whereby a data thief uses previously acquired information to

manipulate and trick individuals into disclosing additional confidential or personal information

through means such as spam phone calls and text messages or phishing emails. Data Breaches

can be the starting point for these additional targeted attacks on the victims.

Loss of Time to Mitigate the Risk of Identity Theft and Fraud

88. As a result of the recognized risk of identity theft, when a Data Breach occurs, and an individual is notified by a company that their PII was compromised, as in this Data Breach, the reasonable person is expected to take steps and spend time to address the dangerous situation, learn about the breach, and otherwise mitigate the risk of becoming a victim of identity theft or fraud. Failure to spend time taking steps to review accounts or credit reports could expose the individual to greater financial harm; yet, the resource and asset of time has been lost.

89. Thus, due to the actual and imminent risk of identity theft, Plaintiff and Class Members must, as Defendant’s Notice Letter encourages them, monitor their financial accounts for many years to mitigate the risk of identity theft.

90. Plaintiff and Class Members have spent, and will spend additional time in the

future, on a variety of prudent actions, such as checking their financial accounts for any indication

of fraudulent activity, which may take years to detect.

91. Plaintiff’s mitigation efforts are consistent with the U.S. Government

Accountability Office that released a report in 2007 regarding data breaches (“GAO Report”) in

which it noted that victims of identity theft will face “substantial costs and time to repair the

damage to their good name and credit record.” 27

92. Plaintiff’s mitigation efforts are also consistent with the steps that the FTC recommends data breach victims take to protect their personal and financial information after a data breach, including: contacting one of the credit bureaus to place a fraud alert (and considering an extended fraud alert that lasts for seven years if someone steals their identity), reviewing their credit reports, contacting companies to remove fraudulent charges from their accounts, placing a credit freeze on their credit, and correcting their credit reports.

93. A study by Identity Theft Resource Center shows the multitude of harms caused by fraudulent use of personal and financial information: 28

27 See United States Government Accountability Office, GAO-07-737, Personal Information: Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown (June 2007), https://www.gao.gov/new.items/d07737.pdf.
28 “Credit Card and ID Theft Statistics” by Jason Steele, 10/24/2017, at: https://www.creditcards.com/credit-card-news/credit-card-security-id-theft-fraud-statistics-1276.php (last visited Sep. 13, 2022).

94. And for those Class Members who experience actual identity theft and fraud, the

United States Government Accountability Office released a report in 2007 regarding data

breaches (“GAO Report”) in which it noted that victims of identity theft will face “substantial

costs and time to repair the damage to their good name and credit record.” 29

Diminution of Value of PII

95. PII is a valuable property right.30 Its value is axiomatic, considering the value of Big Data in corporate America and the fact that the consequences of cyber thefts include heavy prison sentences. Even this obvious risk-to-reward analysis illustrates beyond doubt that PII has considerable market value.

29 See “Data Breaches Are Frequent, but Evidence of Resulting Identity Theft Is Limited; However, the Full Extent Is Unknown,” p. 2, U.S. Government Accountability Office, June 2007, https://www.gao.gov/new.items/d07737.pdf (last visited Sep. 13, 2022) (“GAO Report”).
30 See, e.g., John T. Soma, et al., Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value” of Financial Assets, 15 Rich. J.L. & Tech. 11, at *3-4 (2009) (“PII, which companies obtain at little cost, has quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets.”) (citations omitted).

96. Sensitive PII can sell for as much as $363 per record according to the Infosec

Institute.31

97. An active and robust legitimate marketplace for PII exists. In 2019, the data

brokering industry was worth roughly $200 billion. 32

98. In fact, the data marketplace is so sophisticated that consumers can actually sell

their non-public information directly to a data broker who in turn aggregates the information and

provides it to marketers or app developers. 33,34 Consumers who agree to provide their web

browsing history to the Nielsen Corporation can receive up to $50.00 a year. 35

99. As a result of the Data Breach, Plaintiff’s and Class Members’ PII, which has an

inherent market value in both legitimate and dark markets, has been damaged and diminished by

its compromise and unauthorized release. However, this transfer of value occurred without any

consideration paid to Plaintiff or Class Members for their property, resulting in an economic loss.

Moreover, the PII is now readily available, and the rarity of the Data has been lost, thereby

causing additional loss of value.

100. Based on the foregoing, the information compromised in the Data Breach is significantly more valuable than the loss of, for example, credit card information in a retailer data breach because, there, victims can cancel or close credit and debit card accounts. The information compromised in this Data Breach is impossible to “close” and difficult, if not impossible, to change, e.g., Social Security numbers and names.

31 See Ashiq Ja, Hackers Selling Healthcare Data in the Black Market, InfoSec (July 27, 2015), https://resources.infosecinstitute.com/topic/hackers-selling-healthcare-data-in-the-black-market/ (last visited Sep. 13, 2022).
32 https://www.latimes.com/business/story/2019-11-05/column-data-brokers
33 https://datacoup.com/
34 https://digi.me/what-is-digime/
35 Nielsen Computer & Mobile Panel, Frequently Asked Questions, available at https://computermobilepanel.nielsen.com/ui/US/en/faqen.html

101. The fraudulent activity resulting from the Data Breach may not come to light for

years.

102. At all relevant times, Defendant knew, or reasonably should have known, of the

importance of safeguarding the PII of Plaintiff and Class Members, and of the foreseeable

consequences that would occur if Defendant’s data security system was breached, including,

specifically, the significant costs that would be imposed on Plaintiff and Class Members as a

result of a breach.

103. Plaintiff and Class Members now face years of constant surveillance of their

financial and personal records, monitoring, and loss of rights. The Class is incurring and will

continue to incur such damages in addition to any fraudulent use of their PII.

104. Defendant was, or should have been, fully aware of the unique type and the

significant volume of data on Defendant’s network, amounting to potentially hundreds of

thousands of individuals’ detailed personal information and, thus, the significant number of

individuals who would be harmed by the exposure of the unencrypted data.

105. The injuries to Plaintiff and Class Members were directly and proximately caused

by Defendant’s failure to implement or maintain adequate data security measures for the PII of

Plaintiff and Class Members.

Future Cost of Credit and Identity Theft Monitoring is Reasonable & Necessary

106. Given the type of targeted attack in this case, the sophisticated criminal activity, and the type of PII involved in this Data Breach, there is a strong probability that entire batches of stolen information have been placed, or will be placed, on the black market/dark web for sale and purchase by criminals intending to utilize the PII for identity theft crimes, e.g., opening bank accounts in the victims’ names to make purchases or to launder money; filing false tax returns; taking out loans or lines of credit; or filing false unemployment claims.

107. Such fraud may go undetected until debt collection calls commence months, or even years, later. An individual may not know that his or her Social Security number was used to file for unemployment benefits until law enforcement notifies the individual’s employer of the suspected fraud. Fraudulent tax returns are typically discovered only when an individual’s authentic tax return is rejected.

108. Furthermore, the information accessed and disseminated in the Data Breach is

significantly more valuable than the loss of, for example, credit card information in a retailer data

breach, where victims can easily cancel or close credit and debit card accounts. 36 The information

disclosed in this Data Breach is impossible to “close” and difficult, if not impossible, to change

(such as Social Security numbers).

109. Consequently, Plaintiff and Class Members are at an increased risk of fraud and

identity theft for many years into the future.

110. The retail cost of credit monitoring and identity theft monitoring can be around $200 a year per Class Member. This is a reasonable and necessary cost to monitor and protect Class Members from the risk of identity theft that arose from Defendant’s Data Breach. This is a future cost for a minimum of five years that Plaintiff and Class Members would not need to bear but for Defendant’s failure to safeguard their PII.

Loss of Benefit of the Bargain

111. Furthermore, Defendant’s poor data security deprived Plaintiff and Class Members of the benefit of their bargain. When agreeing to pay Defendant for services or accepting employment from Defendant under certain terms, Plaintiff and other reasonable consumers understood and expected that they were, in part, paying, or being paid less, for services and data security to protect the PII, when in fact, Defendant did not provide the expected data security. Accordingly, Plaintiff and Class Members received services that were of a lesser value than what they reasonably expected to receive under the bargains they struck with Defendant.

36 See Jesse Damiani, Your Social Security Number Costs $4 On The Dark Web, New Report Finds, FORBES (Mar. 25, 2020), https://www.forbes.com/sites/jessedamiani/2020/03/25/your-social-security-number-costs-4-on-the-dark-web-new-report-finds/?sh=6a44b6d513f1.

PLAINTIFF WHITBY'S EXPERIENCE

112. Plaintiff Ivory Whitby is a former student at LCC, first enrolling in classes at LCC

in or about 1994.

113. In order to apply for admission, she was required to provide her PII to Defendant.

114. At the time of the Data Breach (December 25, 2022, through March 15, 2023), Defendant retained Plaintiff’s PII in its system.

115. Plaintiff Whitby is very careful about sharing her sensitive PII. Plaintiff stores any

documents containing her PII in a safe and secure location. She has never knowingly transmitted

unencrypted sensitive PII over the internet or any other unsecured source.

116. Plaintiff Whitby received the Notice Letter, by U.S. mail, directly from Defendant,

dated June 30, 2023. According to the Notice Letter, Plaintiff’s PII was improperly accessed and

obtained by unauthorized third parties, including her full name and Social Security number.

117. As a result of the Data Breach, and at the direction of Defendant’s Notice Letter,

Plaintiff made reasonable efforts to mitigate the impact of the Data Breach including, but not

limited to, checking her financial accounts for any indication of fraudulent activity, which may

take years to detect. Plaintiff has spent significant time dealing with the Data Breach, valuable

time Plaintiff otherwise would have spent on other activities, including but not limited to work


and/or recreation. This time has been lost forever and cannot be recaptured.

118. Plaintiff suffered actual injury from having her PII compromised as a result of the

Data Breach including, but not limited to: (a) invasion of privacy; (b) loss of time and loss of

productivity incurred mitigating the materialized risk and imminent threat of identity theft risk;

(c) the loss of benefit of the bargain (price premium damages); (d) diminution of value of her PII;

and (e) the continued risk to her PII, which remains in the possession of Defendant, and which is

subject to further breaches, so long as Defendant fails to undertake appropriate and adequate

measures to protect Plaintiff’s and Class Members’ PII.

119. Plaintiff further suffered actual injury in the form of experiencing an increase in

spam calls, texts, and/or emails since the Data Breach.

120. The Data Breach has caused Plaintiff to suffer fear, anxiety, and stress, which has

been compounded by the fact that Defendant has still not fully informed her of key details about

the Data Breach’s occurrence.

121. As a result of the Data Breach, Plaintiff anticipates spending considerable time

and money on an ongoing basis to try to mitigate and address harms caused by the Data Breach.

As a result of the Data Breach, Plaintiff is at a present risk and will continue to be at increased

risk of identity theft and fraud for years to come.

122. Plaintiff Whitby has a continuing interest in ensuring that her PII, which, upon

information and belief, remains backed up in Defendant’s possession, is protected and

safeguarded from future breaches.

CLASS ACTION ALLEGATIONS

123. Plaintiff brings this action on behalf of herself and all other persons similarly

situated.


124. Plaintiff proposes the following Class definition, subject to amendment as

appropriate:

All persons whose PII was compromised as a result of the Data Breach, for which
Defendant provided notice in June 2023 (the “Class”).

125. Excluded from the Class are Defendant's officers and directors, and any entity

in which Defendant has a controlling interest; and the affiliates, legal representatives,

attorneys, successors, heirs, and assigns of Defendant. Excluded also from the Class are

Members of the judiciary to whom this case is assigned, their families and members of their

staff.

126. Plaintiff hereby reserves the right to amend or modify the class definitions

with greater specificity or division after having had an opportunity to conduct discovery. The

proposed Class meets the criteria for certification.

127. Numerosity. The Members of the Class are so numerous that joinder of all of

them is impracticable. At least 757,000 individuals were notified by Defendant of the Data

Breach, according to the breach report submitted to Maine’s Attorney General’s Office.37 The

Class is apparently identifiable within Defendant’s records, and Defendant has already

identified these individuals (as evidenced by sending them breach notification letters).

128. Commonality. There are questions of law and fact common to the Class,

which predominate over any questions affecting only individual Class Members. These

common questions of law and fact include, without limitation:

a. Whether Defendant unlawfully used, maintained, lost, or disclosed

Plaintiff's and Class Members' PII;

37 https://apps.web.maine.gov/online/aeviewer/ME/40/9da7ece2-89a4-435a-916d-3ab465e03645.shtml (last accessed July 10, 2023).

b. Whether Defendant failed to implement and maintain reasonable

security procedures and practices appropriate to the nature and scope of

the information compromised in the Data Breach;

c. Whether Defendant's data security systems prior to and during the Data

Breach complied with applicable data security laws and regulations;

d. Whether Defendant's data security systems prior to and during the Data

Breach were consistent with industry standards;

e. Whether Defendant owed a duty to Class Members to safeguard their

PII;

f. Whether Defendant breached its duty to Class Members to safeguard their

PII;

g. Whether computer hackers obtained Class Members' PII in the Data

Breach;

h. Whether Defendant knew or should have known that its data security

systems and monitoring processes were deficient;

i. Whether Plaintiff and Class Members suffered legally cognizable

damages as a result of Defendant's misconduct;

j. Whether Defendant was unjustly enriched;

k. Whether Defendant failed to provide notice of the Data Breach in a timely

manner; and

l. Whether Plaintiff and Class Members are entitled to damages, civil

penalties, punitive damages, and/or injunctive relief.


129. Typicality. Plaintiff's claims are typical of those of other Class Members

because Plaintiff's PII, like that of every other Class member, was compromised in the Data

Breach.

130. Adequacy of Representation. Plaintiff will fairly and adequately represent

and protect the interests of the Members of the Class. Plaintiff's Counsel is competent

and experienced in litigating class actions, including data privacy litigation of this kind.

131. Predominance. Defendant has engaged in a common course of conduct

toward Plaintiff and Class Members, in that all the Plaintiff's and Class Members' data was

stored on the same computer systems and unlawfully accessed in the same way. The

common issues arising from Defendant's conduct affecting Class Members set out above

predominate over any individualized issues. Adjudication of these common issues in a single

action has important and desirable advantages of judicial economy.

132. Superiority. A class action is superior to other available methods for the fair

and efficient adjudication of the controversy. Class treatment of common questions of law

and fact is superior to multiple individual actions or piecemeal litigation. Absent a class

action, most Class Members would likely find that the cost of litigating their individual claims

is prohibitively high and would therefore have no effective remedy. The prosecution of

separate actions by individual Class Members would create a risk of inconsistent or varying

adjudications with respect to individual Class Members, which would establish

incompatible standards of conduct for Defendant. In contrast, the conduct of this action as

a class action presents far fewer management difficulties, conserves judicial resources and the

parties' resources, and protects the rights of each Class member.

133. Defendant has acted on grounds that apply generally to the Class as a whole, so


that class certification, injunctive relief, and corresponding declaratory relief are

appropriate on a Class-wide basis.

134. Likewise, particular issues are appropriate for certification because such

claims present only particular, common issues, the resolution of which would advance

the disposition of this matter and the parties' interests therein. Such particular issues

include, but are not limited to:

a. Whether Defendant failed to timely notify the public of the Data Breach;

b. Whether Defendant owed a legal duty to Plaintiff and the Class to exercise

due care in collecting, storing, and safeguarding their PII;

c. Whether Defendant's security measures to protect their data systems

were reasonable in light of best practices recommended by data security

experts;

d. Whether Defendant failed to take commercially reasonable steps to

safeguard consumer PII; and

e. Whether adherence to FTC data security recommendations, and

measures recommended by data security experts would have reasonably

prevented the Data Breach.

135. Finally, all members of the proposed Class are readily ascertainable. Defendant

has access to Class Members' names and addresses affected by the Data Breach. Class

Members have already been preliminarily identified and sent notice of the Data Breach by

Defendant.

FIRST COUNT
Breach Of Express Contract
(On Behalf of Plaintiff and the Class)


136. Plaintiff re-alleges and incorporates the above allegations as if fully set forth herein.

137. Plaintiff and Class Members entered into valid and enforceable contracts through

which they were required to turn over their PII to LCC in exchange for services and/or

employment. That contract included promises by LCC to secure, safeguard, and not disclose

Plaintiff's and Class Members’ PII to any third parties without their consent.

138. LCC's Privacy Statement memorialized the rights and obligations of LCC and its

students and/or employees. This document was provided to Plaintiff and Class Members in a

manner in which it became part of the agreement for services.

139. In its Privacy Statement, LCC commits to protecting the privacy and security of the

PII and promises to never share Plaintiff's and Class Members’ PII except under certain limited

circumstances.

140. Plaintiff and Class Members fully performed their obligations under their contracts

with LCC. However, LCC failed to secure, safeguard, and/or keep private Plaintiff's and Class

Members’ PII, and therefore LCC breached its contracts with Plaintiff and Class Members.

141. LCC's failure to satisfy its confidentiality and privacy obligations resulted in LCC

providing services and/or employment to Plaintiff and Class Members that were of a diminished

value and in breach of its contractual obligations to Plaintiff and Class Members.

142. As a result. Plaintiff and Class Members have been harmed, damaged, and/or

injured as described herein, including by LCC’s failure to fully perform its part of the agreement

with Plaintiff and Class Members.

143. As a direct and proximate result of LCC’s conduct, Plaintiff and Class Members

suffered and will continue to suffer damages in an amount to be proven at trial.

144. In addition to monetary relief. Plaintiff and Class Members are also entitled to

injunctive relief requiring LCC to, inter alia, strengthen its data security monitoring and supervision procedures, conduct periodic audits of those procedures, and provide lifetime credit monitoring and identity theft insurance to Plaintiff and Class Members.

SECOND COUNT
Breach Of Implied Contract
(On Behalf of Plaintiff and the Class)

145. Plaintiff re-alleges and incorporates the above allegations as if fully set forth herein.

146. When Plaintiff and Class Members provided their PII to Defendant in exchange for enrolling in classes, applying for enrollment, or obtaining employment at Defendant, they entered into implied contracts with Defendant pursuant to which Defendant agreed to reasonably protect such information and to destroy any PII that it was no longer required to maintain.

147. The mutual understanding and intent of Plaintiff and Class Members on the one hand, and Defendant on the other, is demonstrated by their conduct and course of dealing.

148. Defendant solicited, offered, and invited Plaintiff and Class Members to provide their PII as part of Defendant’s regular business practices. Plaintiff and Class Members accepted Defendant’s offers and provided their PII to Defendant.

149. In accepting the PII of Plaintiff and Class Members, Defendant understood and agreed that it was required to reasonably safeguard the PII from unauthorized access or disclosure.

150. In entering into such implied contracts, Plaintiff and Class Members reasonably believed and expected that Defendant’s data security practices complied with relevant laws and regulations, including the FTC Act, and were consistent with industry standards.

151. Plaintiff and Class Members paid money and/or provided their labor to Defendant
with the reasonable belief and expectation that Defendant would use part of its earnings to obtain adequate data security. Defendant failed to do so.

152. Plaintiff and Class Members would not have entrusted their PII to Defendant in the absence of the implied contract between them and Defendant to keep their information reasonably secure.

153. Plaintiff and Class Members would not have entrusted their PII to Defendant in the absence of its implied promise to monitor its computer systems and networks to ensure that it adopted reasonable data security measures.

154. Plaintiff and Class Members fully and adequately performed their obligations under the implied contracts with Defendant.

155. Defendant breached its implied contracts with Class Members by failing to safeguard and protect their PII or to destroy it once it was no longer necessary to retain the PII.

156. As a direct and proximate result of Defendant’s breach of the implied contracts, Class Members sustained damages as alleged herein, including the loss of the benefit of the bargain.

157. Plaintiff and Class Members are entitled to compensatory, consequential, and nominal damages suffered as a result of the Data Breach.

158. Plaintiff and Class Members are also entitled to injunctive relief requiring Defendant to, e.g., (i) strengthen its data security systems and monitoring procedures; (ii) submit to future annual audits of those systems and monitoring procedures; and (iii) immediately provide adequate credit monitoring to all Class Members.

THIRD COUNT
Unjust Enrichment
(On Behalf of Plaintiff and the Class)

159. Plaintiff re-alleges and incorporates the above allegations as if fully set forth herein.

160. This count is pleaded in the alternative to the Breach of Express Contract claim (Count I) and Breach of Implied Contract claim (Count II) above.

161. Upon information and belief, Defendant funds its data security measures entirely from its general revenue, including payments made by or on behalf of Plaintiff and Class Members.

162. As such, a portion of the payments made by or on behalf of Plaintiff and Class Members is to be used to provide a reasonable level of data security, and the amount of the portion of each payment made that is allocated to data security is known to Defendant.

163. Plaintiff and Class Members conferred a monetary benefit on Defendant. Specifically, they provided their PII and paid money to Defendant in connection with their admission applications and/or provided their labor to Defendant and/or its agents, and in so doing, provided Defendant with their PII based on the understanding that the benefits derived therefrom would, in part, be used to fund adequate data security. In exchange, Plaintiff and Class Members should have received from Defendant the goods, services, and/or employment that were the subject of the transaction and have their PII protected with adequate data security.

164. Defendant knew that Plaintiff and Class Members conferred a benefit which Defendant accepted. Defendant profited from these transactions and used the PII of Plaintiff and Class Members for business purposes.

165. In particular, Defendant enriched itself by saving the costs it reasonably should have expended on data security measures to secure Plaintiff’s and Class Members’ PII and instead directed those funds to its own profit. Instead of providing a reasonable level of security
that would have prevented the hacking incident, Defendant instead calculated to increase its own profits at the expense of Plaintiff and Class Members by utilizing cheaper, ineffective security measures. Plaintiff and Class Members, on the other hand, suffered as a direct and proximate result of Defendant’s decision to prioritize its own profits over the requisite security.

166. Under the principles of equity and good conscience, Defendant should not be permitted to retain the money belonging to Plaintiff and Class Members, because Defendant failed to implement appropriate data management and security measures that are mandated by industry standards.

167. Defendant failed to secure Plaintiff’s and Class Members’ PII and, therefore, did not provide full compensation for the benefit Plaintiff and Class Members provided.

168. Defendant acquired the PII through inequitable means in that it failed to disclose the inadequate security practices previously alleged.

169. Defendant obtained a benefit from Plaintiff and Class Members by fraud and/or the taking of an undue advantage, in that it misrepresented and omitted material information concerning its data security practices when Plaintiff and Class Members relied upon it to safeguard their PII against foreseeable risks.

170. If Plaintiff and Class Members knew that Defendant had not reasonably secured their PII, they would not have agreed to provide their PII to Defendant.

171. Plaintiff and Class Members have no adequate remedy at law.

172. As a direct and proximate result of Defendant’s conduct, Plaintiff and Class Members have suffered and will suffer injury, including but not limited to: (a) invasion of privacy; (b) loss of time and loss of productivity incurred mitigating the materialized risk and imminent threat of identity theft risk; (c) the loss of benefit of the bargain (price premium
damages); (d) diminution of value of their PII; and (e) the continued risk to their PII, which remains in the possession of Defendant, and which is subject to further breaches, so long as Defendant fails to undertake appropriate and adequate measures to protect Plaintiff’s and Class Members’ PII.

173. As a direct and proximate result of Defendant’s conduct, Plaintiff and Class Members have suffered and will continue to suffer other forms of injuries and/or harms.

174. Defendant should be compelled to disgorge into a common fund or constructive trust, for the benefit of Plaintiff and Class Members, proceeds that it unjustly received from them. In the alternative, Defendant should be compelled to refund the amounts that Plaintiff and Class Members overpaid for Defendant’s services.

PRAYER FOR RELIEF

WHEREFORE, Plaintiff prays for judgment as follows:

A. For an Order certifying this action as a class action and appointing Plaintiff and her counsel to represent the Class;

B. For equitable relief enjoining Defendant from engaging in the wrongful conduct complained of herein pertaining to the misuse and/or disclosure of Plaintiff's and Class Members’ PII, and from refusing to issue prompt, complete and accurate disclosures to Plaintiff and Class Members;

C. For equitable relief compelling Defendant to utilize appropriate methods and policies with respect to consumer data collection, storage, and safety, and to disclose with specificity the type of PII compromised during the Data Breach;

D. For injunctive relief requested by Plaintiff, including but not limited to, injunctive and other equitable relief as is necessary to protect the interests of Plaintiff and Class Members, including but not limited to an order:

1. Prohibiting Defendant from engaging in the wrongful and unlawful acts described herein;

2. Requiring Defendant to protect, including through encryption, all data collected through the course of its business in accordance with all applicable regulations, industry standards, and federal, state, or local laws;

3. Requiring Defendant to delete, destroy, and purge the PII of Plaintiff and Class Members unless Defendant can provide to the Court reasonable justification for the retention and use of such information when weighed against the privacy interests of Plaintiff and Class Members;

4. Requiring Defendant to implement and maintain a comprehensive Information Security Program designed to protect the confidentiality and integrity of the PII of Plaintiff and Class Members;

5. Prohibiting Defendant from maintaining the PII of Plaintiff and Class Members on a cloud-based database;

6. Requiring Defendant to engage independent third-party security auditors/penetration testers as well as internal security personnel to conduct testing, including simulated attacks, penetration tests, and audits on Defendant’s systems on a periodic basis, and ordering Defendant to
promptly correct any problems or issues detected by such third-party security auditors;

7. Requiring Defendant to engage independent third-party security auditors and internal personnel to run automated security monitoring;

8. Requiring Defendant to audit, test, and train its security personnel regarding any new or modified procedures;

9. Requiring Defendant to segment data by, among other things, creating firewalls and access controls so that if one area of Defendant’s network is compromised, hackers cannot gain access to other portions of Defendant’s systems;

10. Requiring Defendant to conduct regular database scanning and security checks;

11. Requiring Defendant to establish an information security training program that includes at least annual information security training for all employees, with additional training to be provided as appropriate based upon the employees’ respective responsibilities with handling personal identifying information, as well as protecting the personal identifying information of Plaintiff and Class Members;

12. Requiring Defendant to routinely and continually conduct internal training and education, and on an annual basis to inform internal security personnel how to identify and contain a breach when it occurs and what to do in response to a breach;

13. Requiring Defendant to implement a system of tests to assess its respective employees’ knowledge of the education programs discussed in the preceding subparagraphs, as well as randomly and periodically testing employees’ compliance with Defendant’s policies, programs, and systems for protecting personal identifying information;

14. Requiring Defendant to implement, maintain, regularly review, and revise as necessary a threat management program designed to appropriately monitor Defendant’s information networks for threats, both internal and external, and assess whether monitoring tools are appropriately configured, tested, and updated;

15. Requiring Defendant to meaningfully educate all Class Members about the threats that they face as a result of the loss of their confidential personal identifying information to third parties, as well as the steps affected individuals must take to protect themselves;

16. Requiring Defendant to implement logging and monitoring programs sufficient to track traffic to and from Defendant’s servers; and

17. For a period of 10 years, appointing a qualified and independent third party assessor to conduct a SOC 2 Type 2 attestation on an annual basis to evaluate Defendant’s compliance with the terms of the Court’s final judgment, to provide such report to the Court and to counsel for the Class, and to report any deficiencies with compliance of the Court’s final judgment.

E. For equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of Defendant’s wrongful conduct;

F. Ordering Defendant to pay for not less than ten years of credit monitoring services for Plaintiff and the Class;

G. For an award of actual damages, compensatory damages, statutory damages, and statutory penalties, in an amount to be determined, as allowable by law;

H. For an award of punitive damages, as allowable by law;

I. For an award of attorneys’ fees and costs, and any other expense, including expert witness fees;

J. Pre- and post-judgment interest on any amounts awarded; and

K. Such other and further relief as this court may deem just and proper.

JURY TRIAL DEMANDED

Plaintiff demands a trial by jury on all claims so triable.

Dated: July 12, 2023 Respectfully submitted,

s/ Gary M. Klinger
Gary M. Klinger
MILBERG COLEMAN BRYSON
PHILLIPS GROSSMAN, LLC
227 W. Monroe Street, Suite 2100
Chicago, IL 60606
Phone: (866) 252-0878
gklinger@milberg.com

Nick Suciu
MILBERG COLEMAN BRYSON
PHILLIPS GROSSMAN LLC
6905 Telegraph Rd., Suite 115
Bloomfield Hills, MI 48301
Tel: (313) 303-3472
Email: nsuciu@milberg.com

ATTORNEYS FOR PLAINTIFF

Case 1:23-cv-00738-PLM-RSK ECF No. 5-1, PageID.89 Filed 07/12/23 Page 1 of 1

SUMMONS IN A CIVIL ACTION


UNITED STATES DISTRICT COURT FOR THE WESTERN DISTRICT OF MICHIGAN

PROOF OF SERVICE
