National Math and Science Initiative Data Breach Lawsuits

National Math and Science Initiative Data Breach Lawsuits

On February 7, 2022, the National Math and Science Initiative (NMSI) sent notifications to 191,255 people, alerting them of a data security incident that exposed personally identifiable information (PPI).

Before explaining what happened, NMSI Chief Executive Officer Bernard A. Harris, Jr. first assured recipients there was no evidence that any information had been misused in connection with the data breach and that the organization was sending the notifications out of an abundance of caution.

According to Harris’ letter, on October 13, 2021, NMSI’s antivirus software alerted the organization of “unusual” network activity. An investigation of the activity revealed that an unauthorized actor possibly gained access to certain systems between September 23, 2021, and October 18, 2021. Individuals who received the notification letters had been identified as having their information present on breached NMSI systems at the time of its infiltration. 

NMSI customized each recipient’s letter to show which data elements the unauthorized actor might have accessed or acquired. Besides names, addresses, and Social Security numbers could have been subject to compromise.

The notification did not specify whether the affected people consisted of teachers, students, contractors, or employees.

How NMSI Says it Is Dealing With the Data Breach

NMSI is a Texas not-for-profit organization that works with schools and other organizations to help improve student performance.

In NMSI’s notification letter, Harris explained that the organization responded to the data breach by investigating, assessing various systems’ security, and alerting individuals whose data could be compromised.

The organization also reset account passwords and analyzed files and folders that could have been accessed to check for the presence of any personal information, Harris reported.

NMSI notified federal law enforcement of the breach and claims to have taken steps to minimize risk of this type of breach occurring in the future.

Too Little, Too Late

Despite any post-incident measures NMSI took or continues to implement, they simply are too little, too late. When a security breach exposes PII, the risk of identity theft significantly increases. The harmful consequences of this theft tie directly to the fact that by the time a victim becomes aware of the crime (sometimes years), the misuse of their identity has already negatively impacted their credit rating.  

The U.S. Government Accountability Office reports that criminals sometimes hold on to stolen data for a year or longer before using it to commit identity theft. After the data is sold or used online, its fraudulent use may persist indefinitely, often being traded on the “cyber black market” for several years.

This makes it hard to determine the full scope of detriment to the credit record and financial reputation of any individual whose PII is compromised in a data breach. Consider, for example, when hackers gained access to LinkedIn users’ passwords in 2012. Four years passed before the hackers disseminated the stolen email and password combinations.  

Quite possibly, the individuals whose PII was accessed from the NMSI data breach will experience a similar delay, obfuscating the crime and its impact on victims. Once the smoke clears, these people will endure the substantial inconvenience and cost of repairing their damaged credit and tarnished names. According to Experian, identity theft victims spend, on average, six months and around 200 hours of work to recover their identities. In complex cases where criminals take loans, open financial accounts, file taxes and receive refunds, or use stolen identities to get medical services, the process of restoring identities, stopping fraud, and reversing damages can take years.

Meanwhile, it’s an uneasy feeling knowing that one’s PII lingers in the cybersphere—not knowing when or how it will be used, or the degree of suffering its misuse will cause.  

Understanding Identity Theft

The Bureau of Justice Statistics’ National Crime Victimization Survey defines identity theft as including three general types of incidents:

  1. Unauthorized use or attempted use of an existing account
  2. Unauthorized use or attempted use of personal information to open a new account
  3. Misuse of personal information for a fraudulent purpose

According to the NCVS’ Identity Theft Supplement (ITS), nine percent of individuals 16 or older had been victims of identity theft in 2018, which represents the most recent collection of data for this crime. Of these individuals, 90% experienced misuse or attempted misuse of at least one credit card or bank account. The total losses spanning all incidents of identity theft that year was $15.1 billion.

Criminals can use accessed information to assume the identity of any person whose PPI has been acquired. According to the Federal Trade Commission (FTC) 2021 report, such breaches can result in identity theft geared toward a broad range of outcomes.

Source: Federal Trade Commission(FTC)

To visualize the growing trend and impact of identity theft, the FTC published the following infographic in January 2020 and updated the data in February 2022. The graphic presents data taken from consumer reports from individuals who phoned FTC’s call center or reported incidents of identity theft online:

A review of the Identity Theft Research Center’s (ITRC)  annual data breach report shows the pervasiveness of this crime continued to worsen in 2021. The ITRC revealed that 2021 saw a record number of data compromises—1,862 in total—which represents a 68 percent uptick from 2020. The number also beats the previous record of 1,506 instances by 23 percent. According to the ITRC report, such data breaches affected 294 million people.

What is PII?

PII consists of any information that can be used to infer the identity of an individual. The U.S. Department of Labor (DOL) lists several types of information that match this definition. Some forms of PII directly identify a person. They include:

  1. Name
  2. Address
  3. Social Security number
  4. Other identifying numbers or codes
  5. Telephone number
  6. Email address

Other forms of PII include information that an agency would use to identify a person when used in conjunction with other information. These descriptors such data elements as:

  1. Race
  2. Gender
  3. Geographic indicator
  4. Birth date

The DOL also includes as PII any electronic, paper, or other forms of media that permit the online or physical contacting of a person.

Why PII Is So Valuable

For years, scholars have taken note of the increasing value of PII. In 2009, the Richmond Journal of Law & Tech published a paper, Corporate Privacy Trend: The “Value” of Personally Identifiable Information (“PII”) Equals the “Value” of Financial Assets

Authors observed that Corporate America’s growing dependence on the electronic use of PII had transformed this information into “a commodity that companies trade and sell.

“PII, which companies obtain at little cost, has a quantifiable value that is rapidly reaching a level comparable to the value of traditional financial assets,” the paper’s authors concluded.

Former Federal Trade Commission (“FTC”) Commissioner, Pamela Jones Harbour described data as currency, with larger data sets offering the greatest profit potential. In Harbour’s words:

”A consumer’s sensitive, personally identifiable information should be treated much like banks treat a consumer’s cash. Banks hold our money in a savings or checking account… but the money is ours …. We have certain claims to and expectation rights in the money, even though it is not physically in our hands and another entity “possesses” it.”

Harbour further observed that consumers tend not to grasp the vast amounts and types of information that businesses collect, nor do they understand the value of this data.

Some companies give customers the option to sell their PII to advertisers and other third parties. This new transparency of such transactions has in turn created a new market for the sale and purchase of personal data.

When credit reporting agency Equifax was hacked in 2017, PC Magazine published an article educating readers on the value of their identity on the Dark Web. According to the article, the Social Security numbers, birth dates, and full names of people with high credit scores could fetch from $60 to $80 on the digital black market. More recently, research conducted by Safety Detectives Cybersecurity Team revealed the value of distinct types of information used in creating a new identity:

  1. Passport: From $710
  2. ID/Driver’s License: From $200
  3. Social Security Number/Card: $2-$5
  4. Birth Certificate: From $240

With the advent of cryptocurrency like Bitcoin, purchases can be untraceable, making it a favorite currency for criminals engaging in these transactions.

Although the PC Magazine article authors conceded that the source of stolen data was not always certain, an intelligence analyst told reporters that the information typically comes from computer hacking efforts, with schools and hospitals being favorite sources of cybercriminals, due to the volume of identity information these types of organizations collect.

Legal Recourse and Outcomes

Although federal prosecutors work to prosecute identity theft and fraud cases with the help of federal investigative agencies (the Federal Bureau of Investigation, the United States Secret Service, and the United States Postal Inspection Service, for example), victims can sometimes recover their financial losses through civil actions.  

These actions often take on the form of a class action lawsuit, in which individuals whose PII was accessed and misused pursue damages from the entity that housed the personal data.

In the case of an NMSI class action lawsuit, plaintiffs’ lawyers could argue that plaintiffs’ PII was exposed and subject to misuse as a result of NMSI’s failure to implement and maintain reasonable security procedures and practices appropriate to the nature of the information to protect Plaintiff’s and Class members’ PII. Lawyers could also argue that NMSI failed to implement reasonable security procedures to prevent an attack on its servers by hackers and to prevent unauthorized access of Plaintiff’s and Class members’ PII as a result of this attack.

In such an action, victims of identity theft from the NSMI data breach could seek actual damages, injunctive relief, including public injunctive relief, and declaratory relief, and other relief the Court deems appropriate.

What to Do If NSMI’s Breach Exposed Your Data

When your PII is exposed through a data breach, it puts you at substantial risk of identity theft—which can prove damaging to your credit and your name and take  great pains to repair.

If NMSI—or some other entity—sent you a letter notifying you that their system was breached and your PII exposed, consider the recourse of participating in a class action.

Why Choose Our Law Firm

Our law firm has been in existence for more than 65 years, and is recognized as one of the preeminent law firms in the United States. Based on law firm verdicts and settlements exceeding $30 billion, our class action lawyers are committed to seeking justice for the victims of data breaches.

We are the founder of Mass Torts Made Perfect. This is a national conference attended by 1,500 lawyers each year where we teach how to successfully handle lawsuits against the largest companies in the world. For more information, please visit our About Us section.

in Business 65 years * $30 Billion in Verdicts & Settlements * Best Law Firms: U.S. News & World Reports * Trial Lawyers Hall of Fame * SuperLawyers
Our Fees & Costs

Our lawyers provide free confidential case evaluations, and we never charge any fees or costs unless you first recover.

The contingency fee we charge ranges from 20% to 40%. The amount we charge is based on how much we recover for you. To review a summary of our fees and costs, click Fees & Costs.

Free Case Evaluation

To contact us for a free confidential consult, you can call us at (800) 277-1193. You also can request a free private and confidential evaluation by clicking Free & Confidential Consult. Your inquiry will be immediately reviewed by one of our attorneys who handles class action cases.