Student Loan Servicer Nelnet Faces Class Action Over Data Breach

On Wednesday, a putative class action was commenced against Nebraska-based student loan servicer Nelnet Servicing, LLC over an apparent data breach. The complaint was filed by named plaintiffs who were among the 2.5 million account holders whose personal data were allegedly affected by the Nelnet incident.

The complaint alleges that although Nelnet discovered unauthorized access to user accounts on July 21, then closed that access on July 22, the company did not notify the Department of Education until August 17, and Nelnet did not begin notifying impacted customers until August 26. Plaintiffs assert that the unauthorized access resulted from negligence, and the delay in notifying affected customers was unreasonable.

Plaintiffs assert that of Nelnet’s 17.4 million accounts, the incident involved personally identifiable information (PII) of about 2.5 million account holders. Beyond subclasses for various individual states, Plaintiffs define the nationwide putative class as including “All persons in the United States whose personal information was compromised in the Data Breach made public by Nelnet in August 2022.”

The particular PII allegedly included putative class members’ names, addresses, email addresses, phone numbers, and Social Security numbers. The complaint argues that the release of that information resulted from Nelnet’s (1) failure to secure the data, (2) failure to comply with industry standards, (3) unlawful disclosure, and (4) failure to provide adequate notice of the incident. 

The complaint includes a lengthy discussion of FTC guidance on businesses’ data-security practices and outlines an apparent timeline of the alleged breach, its remediation, and the resultant notification.

Plaintiffs’ legal claims fall under theories of negligence, breach of implied contract, unjust enrichment, breach of confidence, invasion of privacy, violations of various state consumer-protection and data-protection statutes, and injunctive relief.

As relief, plaintiffs seek injunctive relief regarding Nelnet’s security measures, its notification policies, and credit monitoring for putative class members. The complaint also seeks a declaratory judgment that Nelnet owes a legal duty to secure its customers’ PII and to establish adequate security measures.

Plaintiffs are represented by Goosmann Law Firm, Silver Golub & Teitell, and Lowey Dannenberg.