4:22-cv-03191 Doc # 1 Filed: 09/07/22 Page 1 of 74 - Page ID # 1

UNITED STATES DISTRICT COURT
DISTRICT OF NEBRASKA

JESSICA ALEXANDER, CHRISTOPHER SANGMEISTER, TAYLOR VETTER, NICHOLE ALLOCCA, KAYLI LAZARD, and BRIDGET CAHILL, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

NELNET SERVICING, LLC,

Defendant.

Case No.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED

Plaintiffs William Spearman, Brittni Linn, Jessica Alexander, Christopher Sangmeister, Taylor Vetter, Nichole Allocca, Kayli Lazard, and Bridget Cahill (“Plaintiffs”), on behalf of themselves and all others similarly situated, assert the following against Defendant Nelnet Servicing, LLC (“Nelnet” or “Defendant”) based upon personal knowledge, where applicable, information and belief, and the investigation of counsel.

INTRODUCTION

1. Plaintiffs bring this class action against Nelnet for its (i) failure to properly secure and safeguard highly valuable, protected personally identifiable information, including without limitation, names, addresses, email addresses, phone numbers, and Social Security numbers (collectively “PII”); (ii) failure to comply with industry standards to protect information systems that contain PII; (iii) unlawful disclosure of Plaintiffs’ and Class Members’ PII; and (iv) failure to provide adequate notice to Plaintiffs and other Class Members that their PII had been disclosed and compromised.

2. Nelnet is one of the largest student loan servicers in the United States, servicing $589 billion in student loans for over 17 million borrowers.

3. In addition to servicing student loans, Nelnet provides online technology services such as web portal and payment processing services to other student loan servicers, including EdFinancial and the Oklahoma Student Loan Authority (“OSLA”).

4. On August 26, 2022, Nelnet began publicly notifying state Attorneys General and 2,501,324 impacted current and former Nelnet account holders that the PII of the 2,501,324 impacted individuals had been accessed and stolen by an unauthorized third party (the “Data Breach”).

5. By August 26, 2022, Nelnet had known of the Data Breach for over a month but had failed to notify a single impacted individual. Nelnet chose to notify individuals via U.S. Mail in letters entitled “Notice of Security Incident.”

6. As a result of Nelnet’s failures and lax security protocols, hackers gained access to Nelnet’s computer systems and/or servers and were able to steal the personal information of millions of customers, including their Social Security numbers, phone numbers, emails, and addresses (the “Data Breach”).

7. The Data Breach was a direct and proximate result of Nelnet’s flawed online system configuration and design and Nelnet’s failure to implement and follow basic security procedures.

8. Because of Nelnet’s failures, unauthorized individuals were able to access and pilfer Plaintiffs’ and Class Members’ PII.

9. As a result, Plaintiffs and Class Members are at substantially increased risk of future identity theft, both currently and for the indefinite future. Plaintiffs’ and Class Members’ PII, including their Social Security numbers, that was compromised by cyber criminals in the Data Breach is highly valuable because it is readily usable to commit fraud and identity theft.

10. Plaintiffs, on behalf of themselves and all others similarly situated, bring claims for negligence, negligence per se, breach of implied contract, unjust enrichment, breach of confidence, invasion of privacy—intrusion upon seclusion, violations of consumer protection statutes of their home states, violations of data protection statutes of their home states, and injunctive relief claims.

11. Plaintiffs seek damages and injunctive relief requiring Nelnet to adopt reasonably sufficient practices to safeguard the PII that remains in Nelnet’s custody in order to prevent incidents like the Data Breach from reoccurring in the future.

12. Given that information relating to the Data Breach, including the systems that were impacted and the configuration and design of Defendant’s website and systems, remains exclusively in Defendant’s control, Plaintiffs anticipate that additional support for their claims will be uncovered following a reasonable opportunity for discovery.

JURISDICTION AND VENUE

13. This Court has jurisdiction over the subject matter of this action pursuant to 28 U.S.C. § 1332(d), because the amount in controversy for the Class and Subclass exceeds $5,000,000 exclusive of interest and costs, there are more than 100 putative Members of the Class and Subclass defined below, and a significant portion of putative Class and Subclass Members are citizens of a different state than Defendant.

14. This Court has personal jurisdiction over Defendant Nelnet because Defendant Nelnet is a resident of the State of Nebraska.

15. Venue is proper in this District pursuant to 28 U.S.C. § 1391(b)(1) because Defendant Nelnet resides in this District.

16. Plaintiffs’ claims arise out of or relate to Nelnet’s contacts with California. Nelnet has intentionally created extensive contacts with California through its deliberate marketing and sale of its services in the forum.

PARTIES

17. Plaintiff William Spearman (“Plaintiff Spearman”) is a citizen and resident of the State of South Carolina.

18. Plaintiff Brittni Linn (“Plaintiff Linn”) is a citizen and resident of the Commonwealth of Pennsylvania.

19. Plaintiff Jessica Alexander (“Plaintiff Alexander”) is a citizen and resident of the State of California.

20. Plaintiff Christopher Sangmeister (“Plaintiff Sangmeister”) is a citizen and resident of the State of California.

21. Plaintiff Taylor Vetter (“Plaintiff Vetter”) is a citizen and resident of the State of New York.

22. Plaintiff Nichole Allocca (“Plaintiff Allocca”) is a citizen and resident of the State of Connecticut.

23. Plaintiff Kayli Lazard (“Plaintiff Lazard”) is a citizen and resident of the State of Colorado.

24. Plaintiff Bridget Cahill (“Plaintiff Cahill”) is a citizen and resident of the Commonwealth of Massachusetts.

25. Defendant Nelnet Servicing, LLC (“Nelnet”) is a Nebraska limited liability company with its principal place of business located at 121 South 13th Street, Suite 100, Lincoln, Nebraska, 68508.

FACTUAL BACKGROUND

I. Defendant Nelnet Servicing, LLC

26. Nelnet is a Nebraska-based company which primarily “engage[s] in student loan servicing, tuition payment processing and school information systems, and communications” and primarily makes money via “net interest income earned on a portfolio of federally insured student loans.”[1] In other words, Nelnet primarily serves as a student loan servicer for individuals that have taken out federal student loans and makes money via the interest it charges individuals on their student loan balances. As of June 30, 2022, Nelnet was servicing $589.5 billion in loans for 17.4 million borrowers.[2]

27. Nelnet also earns revenue providing technology services such as website portal and payment processing to other student loan and debt servicers,[3] such as EdFinancial and the Oklahoma Student Loan Authority (“OSLA”).

28. No individual voluntarily engages Nelnet as their student loan servicer or payment portal provider. Instead, Nelnet is given an individual’s federal loans to service without any choice or input given to the individual, or is similarly chosen by a federal student loan servicer such as EdFinancial or OSLA to provide web portal and payment processing services without any input from the individual.

[1] About Us, NELNET, https://www.nelnetinvestors.com/Home/default.aspx (accessed Sept. 6, 2022).
[2] Nelnet 10Q Earnings Release, NELNET (Aug. 8, 2022), https://s21.q4cdn.com/368920761/files/doc_financials/2022/q2/8K-Exhibit-99.1-8.8.22-10Q-Earnings-Release-FINAL.pdf (accessed Sept. 6, 2022).
[3] Id.

II. Nelnet Obtains, Collects, and Stores Account Holders’ PII

29. Nelnet requires all individuals to provide their sensitive, personal, and private protected information to register and create an account with Nelnet to use Nelnet’s services.

30. Thus, all individuals whose federal student loans are assigned (without their input) to Nelnet must register with Nelnet and provide their PII to Nelnet to track and make payments on their federal student loans. Similarly, individuals whose federal student loans are serviced by a loan servicer that engages Nelnet to provide web portal or payment processing services must register and create an account with Nelnet and provide their PII to Nelnet.

31. Nelnet maintains, keeps, and exploits customers’ PII for Nelnet’s own benefit, including long after individuals have paid off their loans in full and cease being Nelnet customers.

32. Nelnet is in complete operation, control, and supervision of its website and systems, and Nelnet intentionally configured and designed its website and systems this way in order to make more money without regard to Plaintiffs’ and Class Members’ PII.

33. By obtaining, using, disclosing, and deriving a benefit from Plaintiffs’ and Class Members’ PII, Nelnet assumed legal and equitable duties and knew or should have known that it was responsible for protecting Plaintiffs’ and Class Members’ PII from disclosure.

34. Plaintiffs and Class Members reasonably expect that student loan service providers such as Nelnet will use the utmost care to keep their PII confidential and securely maintained, to use this information for business purposes only, and to make only authorized disclosures of this information.

35. Nelnet acknowledges that it has an obligation to protect PII from disclosure and thus makes the following representation on the Nelnet website:

Nelnet takes careful steps to safeguard customer information. We restrict access to your personal and account information to employees who need to know the information to provide services to you, and we regularly train our employees on privacy, information security, and their obligation to protect your information. We maintain reasonable and appropriate physical, electronic, and procedural safeguards to guard your Nonpublic Personal Information (NPI) and Personally Identifiable Information (PII), and we regularly test those safeguards to maintain the appropriate levels of protection.[4]

36. Despite the above representations, Nelnet failed to prioritize data and cyber security by adopting reasonable data and cyber security measures to prevent and detect the unauthorized access to Plaintiffs’ and Class Members’ PII.

37. Had Nelnet followed industry guidelines and adopted reasonable security measures as represented in the Nelnet Privacy Policy, Nelnet would have prevented intrusion into its information systems and, ultimately, the theft of Plaintiffs’ and Class Members’ confidential PII.

III. FTC Guidelines

38. Nelnet is prohibited by the Federal Trade Commission Act, 15 U.S.C. § 45 (“FTC Act”) from engaging in “unfair or deceptive acts or practices in or affecting commerce.” The Federal Trade Commission (“FTC”) has concluded that a company’s failure to maintain reasonable and appropriate data security for consumers’ sensitive personal information is an “unfair practice” in violation of the FTC Act.

39. The FTC has promulgated numerous guides for businesses that highlight the importance of implementing reasonable data security practices. According to the FTC, the need for data security should be factored into all business decision-making.

40. The FTC provided cybersecurity guidelines for businesses, advising that businesses should protect personal customer information, properly dispose of personal information that is no longer needed, encrypt information stored on networks, understand their network’s vulnerabilities, and implement policies to correct any security problems.

41. The FTC further recommends that companies not maintain PII longer than is needed for authorization of a transaction; limit access to private data; require complex passwords to be used on networks; use industry-tested methods for security; monitor for suspicious activity on the network; and verify that third-party service providers have implemented reasonable security measures.

42. The FTC has brought enforcement actions against businesses for failing to adequately and reasonably protect customer data, treating the failure to employ reasonable and appropriate measures to protect against unauthorized access to confidential consumer data as an unfair act or practice prohibited by Section 5 of the FTC Act. Orders resulting from these actions further clarify the measures businesses must take to meet their data security obligations.

43. Nelnet failed to properly implement basic data security practices. Nelnet’s failure to employ reasonable and appropriate measures to protect against unauthorized access to consumer PII, or to prevent the disclosure of such information to unauthorized individuals, as reflected by the sensitive Social Security information stolen, constitutes an unfair act or practice prohibited by Section 5 of the FTC Act.

44. Nelnet was at all times fully aware of its obligations to protect the PII of consumers because of its business of obtaining, collecting, and disclosing PII as well as collecting, storing, and using other confidential personal and financial information. Nelnet was also aware of the significant repercussions that would result from its failure to do so.

[4] Nelnet Privacy Policy Mission Statement, Our Security Procedures, NELNET, https://www.nelnet.com/privacy-and-security#:~:text=As%20stated%20above%20we%20do,Comply%20with%20the%20law (accessed Sept. 6, 2022).

SUBSTANTIVE ALLEGATIONS

I. The Data Breach

45. Beginning in June 2022, Nelnet allowed an unauthorized third party to access Plaintiffs’ and Class Members’ student loan account registration information, including their names, addresses, email addresses, phone numbers, and Social Security numbers. According to Nelnet, this unauthorized access continued through July 22, 2022.

46. Nelnet did not discover the unauthorized access until July 21, 2022, when Nelnet claims to have notified EdFinancial and OSLA about the vulnerability and unauthorized access.

47. Despite discovering the Data Breach on July 21, 2022, Nelnet did not notify the U.S. Department of Education of the Data Breach until after August 17, 2022, and did not begin notifying impacted customers until August 26, 2022.

II. Nelnet’s Data Security Failures Caused the Data Breach

48. Up to, and including, the period when the Data Breach occurred, Nelnet breached its duties, obligations, and promises to Plaintiffs and Class Members, by its failure to:

a. hire qualified personnel and maintain a system of accountability over data security, thereby knowingly allowing data security deficiencies to persist;

b. properly train its employees about the risk of cyberattacks and how to mitigate them, including by failing to implement adequate security awareness training that would have instructed employees about the risks of common techniques, what to do if they suspect such attacks, and how to prevent them;

c. address well-known warnings that its systems and servers were susceptible to a data breach;

d. implement certain protocols that would have prevented unauthorized programs, such as malware, from being installed on its systems that accessed customers’ personal information and otherwise would have protected customers’ sensitive personal information;

e. install software to adequately track access to its network, monitor the network for unusual activity, and prevent exfiltration of data, which would have detected the presence of hackers and prevented customers’ sensitive personal information from being stolen. Specifically, there are recommended, available measures to prevent data from leaving protected systems and being sent to untrusted networks outside of the corporate systems; and

f. adequately safeguard customers’ sensitive personal information and maintain an adequate data security environment to reduce the risk of a data breach or unauthorized disclosure.

III. Nelnet’s Data Security Failures Constitute Unfair and Deceptive Practices and Violations of Consumers’ Privacy Rights

49. The FTC deems the failure to employ reasonable and appropriate measures to protect against unauthorized access to sensitive personal information an unfair act or practice prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.

50. In 2007, the FTC published guidelines that establish reasonable data security practices for businesses. The guidelines note that businesses should protect the personal customer information that they keep; properly dispose of personal information that is no longer needed; encrypt information stored on computer networks; understand their network’s vulnerabilities; and implement policies for installing vendor-approved patches to correct security problems. The guidelines also recommend that businesses consider using an intrusion detection system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating someone may be trying to hack the system; watch for large amounts of data being transmitted from the system; and have a response plan ready in the event of a breach.

51. The FTC has also published a document entitled “FTC Facts for Business,” which highlights the importance of having a data security plan, regularly assessing risks to computer systems, and implementing safeguards to control such risks.

52. The FTC has issued orders against businesses that have failed to employ reasonable measures to secure sensitive personal information. These orders provide further guidance to businesses regarding their data security obligations.

53. Prior to the Data Breach, and during the breach itself, Nelnet failed to follow guidelines set forth by the FTC and actively mishandled the management of its IT security. Furthermore, by failing to have reasonable data security measures in place, Nelnet engaged in an unfair act or practice within the meaning of Section 5 of the FTC Act.

IV. The Value of the Disclosed PII and Effects of Unauthorized Disclosure

54. Nelnet was well aware that the protected PII it acquires, stores, and utilizes is highly sensitive and of significant value to the owners of the PII and those who would use it for wrongful purposes.

55. PII is a valuable commodity to identity thieves, particularly when it is aggregated in large numbers. Former United States Attorney General William P. Barr made clear that consumers’ sensitive personal information commonly stolen in data breaches “has economic value.” The purpose of stealing large caches of personal data is to use it to defraud individuals or to place it for illegal sale and to profit from other criminals who buy the data and use it to commit fraud and identity theft. Indeed, cybercriminals routinely post stolen personal information on anonymous websites, making the information widely available to a criminal underworld.

56. There is an active and robust market for this information. As John Sancenito, president of Information Network Associates, a company which helps companies with recovery after data breaches, explained after a data breach, “[m]ost of the time what [data breach hackers] do is they steal the data and then they sell the data on the dark web to the people who actually commit the fraud.”

57. The forms of PII involved in this Data Breach are particularly concerning. Unlike credit or debit card numbers in a payment card data breach—which can quickly be frozen and reissued in the aftermath of a breach—unique social security numbers cannot be easily replaced. Even when such numbers are replaced, the process of doing so results in a major inconvenience to the subject person, requiring a wholesale review of the person’s relationships with government agencies and any number of private companies in order to update the person’s accounts with those entities.

58. Indeed, even the Social Security Administration (“SSA”) warns that the process of replacing a social security number is a difficult one that creates other types of problems, and that it will not be a panacea for the affected person:

Keep in mind that a new number probably will not solve all your problems. This is because other governmental agencies (such as the IRS and state motor vehicle agencies) and private businesses (such as banks and credit reporting companies) likely will have records under your old number. Along with other personal information, credit reporting companies use the number to identify your credit record. So using a new number will not guarantee you a fresh start. This is especially true if your other personal information, such as your name and address, remains the same.

If you receive a new Social Security Number, you should not be able to use the old number anymore.

For some victims of identity theft, a new number actually creates new problems. If the old credit information is not associated with your new number, the absence of any credit history under the new number may make it more difficult for you to get credit.

59. Social security numbers allow individuals to apply for credit cards, student loans, mortgages, and other lines of credit—among other services. Often social security numbers can be used to obtain medical goods or services, including prescriptions. They are also used to apply for a host of government benefits. Access to such a wide range of assets makes social security numbers a prime target for cybercriminals and a particularly attractive form of PII to steal and then sell.

60. The ramifications of Defendant’s failure to keep Plaintiffs’ and Class Members’ PII secure are long lasting and severe. To avoid detection, identity thieves often hold stolen data for months or years before using it. Also, the sale of stolen information on the “dark web” may take months or more to reach end-users, in part because the data is often sold in small batches as opposed to in bulk to a single buyer. Thus, Plaintiffs and Class Members must vigilantly monitor their financial accounts ad infinitum.

61. Thus, Nelnet knew, or should have known, the importance of safeguarding the PII entrusted to it and of the foreseeable consequences if its systems were breached. Nelnet failed, however, to take adequate cybersecurity measures to prevent the Data Breach from occurring.

62. As a highly sophisticated party that handles sensitive PII, Nelnet failed to establish and/or implement appropriate administrative, technical and/or physical safeguards to ensure the security and confidentiality of Plaintiffs’ and other Class Members’ PII to protect against anticipated threats of intrusion of such information.

63. Identity thieves use stolen PII for various types of criminal activities, such as when personal and financial information is used to commit fraud or other crimes, including credit card fraud, phone or utilities fraud, bank fraud and government fraud.

64. The PII exfiltrated in the Data Breach can also be used to commit identity theft by placing Plaintiffs and Class Members at a higher risk of “phishing,” “vishing,” “smishing,” and “pharming,” which are other ways for cybercriminals to exploit information they already have in order to get even more personally identifying information from a person through unsolicited email, text messages, and telephone calls purportedly from a legitimate company requesting personal, financial, and/or login credentials.

65. There is often a lag time between when fraud occurs versus when it is discovered, and also between when PII is stolen and when it is used. According to the U.S. Government Accountability Office, which conducted a study regarding data breaches:

[L]aw enforcement officials told us that in some cases, stolen data may be held for up to a year or more before being used to commit identity theft. Further, once stolen data have been sold or posted on the Web, fraudulent use of that information may continue for years. As a result, studies that attempt to measure the harm resulting from data breaches cannot necessarily rule out all future harm.

66. Personal information is such a valuable commodity to identity thieves that once the information has been compromised, criminals often trade the information on the cyber black market for years.

67. Plaintiffs and Class Members rightfully place a high value not only on their PII, but also on the privacy of that data.

68. Thus, Plaintiffs and Class Members are at an increased risk of fraud and identity theft for many years into the future.

V. The Data Breach Damaged Plaintiffs and Class Members.

69. As a result of Nelnet’s deficient security measures, Plaintiffs and Class Members have been harmed by the compromise of their sensitive personal information, which is likely currently for sale on the dark web and through private sale to other cyber criminals.

70. Plaintiffs and Class Members also face a substantial and imminent risk of fraud and identity theft as their names have now been linked with their Social Security numbers, emails, phone numbers, and physical addresses as a result of the breach. These specific types of information are associated with a high risk of fraud.

71. Many Class Members will also incur out-of-pocket costs for protective measures such as identity theft protection, credit monitoring fees, credit report fees, credit freeze fees, fees for replacement cards, and similar costs related to the Data Breach.

72. Plaintiffs and Class Members also suffered a “loss of value” of their sensitive personal information when it was stolen by hackers in the Data Breach. A robust market exists for stolen personal information. Hackers sell personal information on the dark web—an underground market for illicit activity, including the purchase of hacked personal information—at specific identifiable prices. This market serves as a means to determine the loss of value to Plaintiffs and Class Members.

73. Plaintiffs’ and Class Members’ stolen personal information is a valuable commodity to identity thieves. William P. Barr, former United States Attorney General, made clear that consumers’ sensitive personal information commonly stolen in data breaches “has economic value.” The purpose of stealing large caches of personal information is to use it to defraud consumers or to place it for illegal sale and to profit from other criminals who buy the data and use it to commit payment card fraud. One commentator confirmed this, explaining that, “[m]ost of the time what [data breach hackers] do is they steal the data and then they sell the data on the dark web to the people who actually commit the fraud.” In fact, Plaintiffs’ and Class Members’ personal information is currently available for purchase on the dark web and/or through private sale to other cyber criminals.

74. Identity thieves can also combine data stolen in the Data Breach with other information about Plaintiffs and Class Members gathered from underground sources, public sources, or even Plaintiffs’ and Class Members’ social media accounts. Thieves can use the combined data to send highly targeted phishing emails to Plaintiffs and Class Members to obtain more sensitive information. Thieves can use the combined data to commit potential crimes, including opening new financial accounts in Plaintiffs’ and Class Members’ names, taking out loans in Plaintiffs’ and Class Members’ names, using Plaintiffs’ and Class Members’ information to obtain government benefits, filing fraudulent tax returns using Plaintiffs’ and Class Members’ information, obtaining Social Security numbers in Plaintiffs’ and Class Members’ names but with another person’s photograph, and giving false information to police during an arrest.

75. Plaintiffs and Class Members also suffered “benefit of the bargain” damages. Plaintiffs and Class Members overpaid for services that should have been—but were not—accompanied by adequate data security. Part of the interest and fees paid by Plaintiffs and Class Members to Nelnet were intended to be used to fund adequate data security. Plaintiffs and Class Members did not get what they paid for.

76. Plaintiffs and Class Members have spent and will continue to spend substantial amounts of time monitoring their accounts for identity theft and fraud, the opening of fraudulent accounts, disputing fraudulent transactions, and reviewing their financial affairs more closely than they otherwise would have done but for the Data Breach. These efforts are burdensome and time-consuming, especially because Nelnet has failed to disclose when the breach occurred or how long it lasted, forcing customers to continue to monitor their accounts indefinitely.

77. Class Members who experience actual identity theft and fraud will also be harmed by the inability to use their credit or debit cards when their accounts are suspended or otherwise rendered unusable due to fraudulent charges. To the extent Class Members are charged monthly/annual fees for their credit and/or debit accounts, they are left without the benefit of that bargain while they await receipt of their replacement cards. Class Members will be harmed further by the loss of rewards points or airline mileage that they cannot accrue while awaiting replacement cards. The inability to use payment cards may also result in missed payments on bills and loans, late charges and fees, and adverse effects on their credit, including decreased credit scores and adverse credit notations.

78. In the case of a data breach, merely reimbursing a consumer for a financial loss due to identity theft or fraud does not make that individual whole again. On the contrary, after conducting a study, the Department of Justice’s Bureau of Justice Statistics (“BJS”) found that “among victims who had personal information used for fraudulent purposes, 29% spent a month or more resolving problems.”

79. A victim whose personal information has been stolen or compromised may not see the full extent of identity theft or fraud until long after the initial breach. Additionally, a victim whose personal information (including Social Security numbers) has been stolen may not become aware of charges when they are nominal, as typical fraud-prevention algorithms may not capture such charges. Those charges may be repeated, over and over again, on a victim’s account.