At least three members of the state’s largest teachers union allege the union negligently failed to prevent a personal data theft last summer, then waited months to tell them and more than 500,000 others about it, according to federal lawsuits.
The three allege the Pennsylvania State Education Association discovered the breach July 6, finished its investigation Feb. 18 and didn’t tell members until March 18, according to their lawsuits filed March 19 in U.S. District Court for the Middle District of Pennsylvania.
“Immediate notification of a data breach is critical so that those impacted can take measures to protect themselves,” one suit says.
The union also had a duty to protect members’ private information and could afford “reasonable security procedures,” but failed to prevent the theft, the suit says.
Because the union screwed up, members have suffered “financial losses” and lost time “detecting and preventing identify theft," the suit says.
The union represents 187,000 teachers and school support staff but told the Maine attorney general’s office that 517,487 people, including 77 Mainers, were affected. Maine requires reporting of data breaches of its residents. The notice is on the state’s website.
Chris Lilienthal, a teachers union spokesman, declined to comment on the lawsuit.
Instead, he released the union's March 18 statement on the data breach, which refers to the July 6 discovery of "a network security incident."
"As soon as we became aware of this incident, we engaged cybersecurity professionals with expertise in these occurrences," the statement says. "PSEA is not aware of any incidents of identity theft related to this event. We are complying with all legal and regulatory requirements and are providing credit monitoring for eligible individuals who were impacted by this incident."
In a notice posted on its website, the union says not all data were stolen for each person, but said the stolen information could include dates of birth, driver’s license or state IDs, Social Security numbers, account numbers, personal identification numbers, passwords, security codes, routing and payment card numbers, passport numbers, taxpayer ID numbers and health insurance and medical information.
“We have no evidence that any of the information has been used for identity theft or to commit financial fraud,” the union notice says. “Nevertheless, out of an abundance of caution, we want to make the impacted individuals aware of the incident.”
The union says “a thorough investigation and extensive review of impacted data” found the stolen data was only in “certain files within our network.”
“We took steps, to the best of our ability and knowledge, to ensure that the data taken by the unauthorized actor was deleted,” the union says. “We want to make the impacted individuals aware of the incident and provide them with steps they can take to further protect their information."
The union says it notified law enforcement officials and is toughening its security measures and training protocols.
The members suing so far are Dominique Thomas, of Bloomsburg in Columbia County; James Smith, of Jersey Shore in Lycoming County; and Janice Shanafelt, listed only as a Pennsylvania resident.
The suits seek class action status, which would allow lawyers to sue on behalf of everyone whose data was stolen.
Thomas’ suit specifically says she’s getting more spam calls and emails and has to spend significant time monitoring her accounts to “detect and reduce the consequences of likely identity fraud.”
Everyone affected will have to worry about future identity theft and will have to spend time guarding against it, the suits say.
The suit seeks unspecified damages, restitution and attorney’s fees and costs.
