Two more suits filed against LCC over data breach

THURSDAY, July 13 — Two more suits have been filed against Lansing Community College in federal court over a data breach that may have affected more than three-quarters of a million students, employees and vendors.

That brings to three the number of legal actions against LCC. All three have been brought in the Western District of U.S. District Court in Grand Rapids. They all demand jury trials and are class-action suits.

In one of the new suits, which was filed yesterday, four plaintiffs are named: Ayden Heinig, Ashton Chapin, Kyasha Richardson and Gabriel Banish. They are only identified as being Michigan residents. However, language in the suit suggests they were or are students. They are represented by Milberg Coleman Bryson Phillips Grossman, a Chicago firm with offices in Michigan, and Siri & Glimstad, a New York firm.

In the other new suit, which was filed Tuesday, the plaintiff is Daquarious Alexander, who is identified as part of LCC’s Lansing Promise program, which provides financial support for Lansing high school graduates to attend college. He is represented by the Miller Law Firm of Rochester, Michigan.

The complaints in the new suits are similar to those brought in the other suit, which was filed Monday. That suit cited LCC “for its failure to properly secure and safeguard the personally identifiable information that it collected and maintained as part of its regular business practices, including, but not limited to full names and Social Security numbers.”

The suit identifies the plaintiff as both Ana Whitby and Ivory Whitby. It identifies her as a Lansing resident.

The plaintiff’s attorney, David Lietz of Washington, D.C., declined comment on the suit, including whether the plaintiff was a student. Whitby is also being represented by the Milberg law firm.

“LCC has been less than forthcoming about details of the breach. As a consequence, we have to tread very carefully on what we say about the suit,” Lietz said yesterday. He said that “much work” still needs to be done to determine facts in the case and that he needed to be careful not to make any incorrect statements.

Meanwhile, William B. Federman, of the Oklahoma City law firm Federman and Sherwood, said yesterday that his firm was representing Sameer Shah in a similar suit against LCC. He identified Shah as an LCC student “years ago.” Federman said the suit may have already been filed in the same court.

Federman said the plaintiffs in the two suits are “cooperating” and that “several suits will be filed.”

His law firm claims that LCC notified "757,832 employees, students and vendors that their personal information may have been accessed or acquired by an unknown unauthorized person," according to the firm’s website. 

In the Whitby suit filed on Monday, the plaintiff alleges that LCC “failed to adequately protect” her and others and that LCC “failed to even encrypt or redact this highly sensitive information. This unencrypted, unredacted PII” — “personally identifiable information” — “was compromised due to Defendant’s negligent and/or careless acts and omissions and its utter failure to protect students’ sensitive data. Hackers targeted and obtained Plaintiff’s and Class Members’ PII because of its value in exploiting and stealing the identities of Plaintiff and Class Members. The present and continuing risk to victims of the Data Breach will remain for their respective lifetimes.”

The suit claims multiple injuries to the plaintiff and others, including “invasion of privacy,” lost time and productivity “mitigating the materialized risk and imminent threat of identity theft risk,” and “the continued risk” to their information because it remains in LCC’s hands and thus remains subject to future breaches “so long as Defendant fails to undertake appropriate and adequate measures” to protect it.

Efforts to reach LCC for comment yesterday were unsuccessful.

Last spring, LCC shut down classes for several days after learning of the breach, which it said appeared to have affected "certain systems" from Dec. 25, 2022, until it was discovered on March 15, 2023. LCC  launched a two-month investigation, then issued a statement that said, "To date, we have no evidence of any identity theft or fraud in connection with this incident.”