4:22-cv-03191 Doc # 1 Filed: 09/07/22 Page 1 of 74 - Page ID # 1

UNITED STATES DISTRICT COURT
DISTRICT OF NEBRASKA

WILLIAM SPEARMAN, BRITTNI LINN, JESSICA ALEXANDER, CHRISTOPHER SANGMEISTER, TAYLOR VETTER, NICHOLE ALLOCCA, KAYLI LAZARD, and BRIDGET CAHILL, individually and on behalf of all others similarly situated,

Plaintiffs,

v.

NELNET SERVICING, LLC

Defendant.

Case No.

CLASS ACTION COMPLAINT

JURY TRIAL DEMANDED
`
`Plaintiffs William Spearman, Brittni Linn, Jessica Alexander, Christopher Sangmeister,
`
`Taylor Vetter, Nichole Allocca, Kayli Lazard, and Bridget Cahill (“Plaintiffs”), on behalf of
`
`themselves and all others similarly situated, assert the following against Defendant Nelnet
`
`Servicing, LLC (“Nelnet” or “Defendant”) based upon personal knowledge, where applicable,
`
`information and belief, and the investigation of counsel.
`
`INTRODUCTION
`
`1.
`
`Plaintiffs bring this class action against Nelnet for its (i) failure to properly secure
`
`and safeguard highly valuable, protected personally identifiable information, including without
`
`limitation, names, addresses, email addresses, phone numbers, and Social Security numbers
`
`(collectively “PII”); (ii) failure to comply with industry standards to protect information systems
`
`that contain PII; (iii) unlawful disclosure of Plaintiffs’ and Class Members’ PII; and (iv) failure
`
`to provide adequate notice to Plaintiffs and other Class Members that their PII had been
`
`disclosed and compromised.
`
`2.
`
`Nelnet is one of the largest student loan servicers in the United States, servicing
`
$589 billion in student loans for over 17 million borrowers.
`
`3.
`
`In addition to servicing student loans, Nelnet provides online technology services
`
`such as web portal and payment processing services to other student loan servicers, including
`
`EdFinancial and the Oklahoma Student Loan Authority (“OSLA”).
`
`4.
`
`On August 26, 2022, Nelnet began publicly notifying state Attorneys General and
`
`2,501,324 impacted current and former Nelnet account holders that the PII of the 2,501,324
`
`impacted individuals had been accessed and stolen by an unauthorized third-party (the “Data
`
`Breach”).
`
`5.
`
`By August 26, 2022, Nelnet had known of the data breach for over a month but
`
had failed to notify a single impacted individual. Nelnet chose to notify individuals via U.S. Mail
`
`in letters entitled “Notice of Security Incident.”
`
`6.
`
`As a result of Nelnet’s failures and lax security protocols, hackers gained access
`
`to Nelnet’s computer systems and/or servers and were able to steal the personal information of
`
`millions of customers, including their Social Security numbers, phone numbers, emails, and
`
`addresses (the “Data Breach”).
`
`7.
`
`The Data Breach was a direct and proximate result of Nelnet’s flawed online system
`
`configuration and design and Nelnet’s failure to implement and follow basic security procedures.
`
`8.
`
`Because of Nelnet’s failures, unauthorized individuals were able to access and
`
`pilfer Plaintiffs’ and Class Members’ PII.
`
`9.
`
`As a result, Plaintiffs and Class Members are at substantially increased risk of
`
`future identity theft, both currently and for the indefinite future. Plaintiffs’ and Class Members’
`
`PII, including their Social Security numbers, that were compromised by cyber criminals in the
`
`Data Breach, is highly valuable because it is readily useable to commit fraud and identity theft.
`
`10.
`
`Plaintiffs, on behalf of themselves and all others similarly situated, bring claims for
`
`negligence, negligence per se, breach of implied contract, unjust enrichment, breach of
`
`confidence, invasion of privacy—intrusion upon seclusion, violations of consumer protection
`
`statutes of their home states, violations of data protection statutes of their home states, and
`
`injunctive relief claims.
`
`11.
`
`Plaintiffs seek damages and injunctive relief requiring Nelnet to adopt reasonably
`
`sufficient practices to safeguard the PII that remains in Nelnet’s custody in order to prevent
`
`incidents like the Data Breach from reoccurring in the future.
`
`12.
`
`Given that information relating to the Data Breach, including the systems that
`
`were impacted, the configuration and design of Defendant’s website and systems remain
`
`exclusively in Defendant’s control, Plaintiffs anticipate additional support for their claims will be
`
`uncovered following a reasonable opportunity for discovery.
`
`JURISDICTION AND VENUE
`
`13.
`
`This Court has jurisdiction over the subject matter of this action pursuant to 28
`
U.S.C. § 1332(d), because the amount in controversy for the Class and Subclass exceeds
`
`$5,000,000 exclusive of interest and costs, there are more than 100 putative Members of the
`
`Class and Subclass defined below, and a significant portion of putative Class and Subclass
`
`Members are citizens of a different state than Defendant.
`
`14.
`
`This Court has personal jurisdiction over Defendant Nelnet because Defendant
`
`Nelnet is a resident of the State of Nebraska.
`
`15.
`
`Venue is proper in this District pursuant to 28 U.S.C. § 1391(b)(1) because
`
`Defendant Nelnet resides in this District.
`
`16.
`
`Plaintiffs’ claims arise out of or relate to Nelnet’s contacts with California. Nelnet
`
`has intentionally created extensive contacts with California through its deliberate marketing and
`
`sale of its services in the forum.
`
`PARTIES
`
`17.
`
`Plaintiff William Spearman (“Plaintiff Spearman”) is a citizen and resident of the
`
`State of South Carolina.
`
`18.
`
`Plaintiff Brittni Linn (“Plaintiff Linn”) is a citizen and resident of the
`
Commonwealth of Pennsylvania.
`
`19.
`
`Plaintiff Jessica Alexander (“Plaintiff Alexander”) is a citizen and resident of the
`
`State of California.
`
`20.
`
`Plaintiff Christopher Sangmeister (“Plaintiff Sangmeister”) is a citizen and
`
`resident of the State of California.
`
`21.
`
`Plaintiff Taylor Vetter (“Plaintiff Vetter”) is a citizen and resident of the State of
`
`New York.
`
`22.
`
`Plaintiff Nichole Allocca (“Plaintiff Allocca”) is a citizen and resident of the State
`
`of Connecticut.
`
`23.
`
`Plaintiff Kayli Lazard (“Plaintiff Lazard”) is a citizen and resident of the State of
`
`Colorado.
`
`24.
`
`Plaintiff Bridget Cahill (“Plaintiff Cahill”) is a citizen and resident of the
`
`Commonwealth of Massachusetts.
`
`25.
`
Defendant Nelnet Servicing, LLC (“Nelnet”) is a Nebraska limited liability
`
`company with its principal place of business located at 121 South 13th Street, Suite 100, Lincoln,
`
`Nebraska, 68508.
`
`FACTUAL BACKGROUND
`
`I.
`
`Defendant Nelnet Servicing, LLC
`
`26.
`
`Nelnet is a Nebraska-based company which primarily “engage[s] in student loan
`
`servicing, tuition payment processing and school information systems, and communications” and
`
`primarily makes money via “net interest income earned on a portfolio of federally insured
`
`student loans.”1 In other words, Nelnet primarily serves as a student loan servicer for individuals
`
`that have taken out federal student loans and makes money via the interest it charges individuals
`
on their student loan balances. As of June 30, 2022, Nelnet was servicing $589.5 billion in
`
`loans for 17.4 million borrowers.2
`
`27.
`
`Nelnet also earns revenue providing technology services such as website portal
`
and payment processing to other student loan and debt servicers,3 such as EdFinancial and the
`
`Oklahoma Student Loan Authority (“OSLA”).
`
`28.
`
`No individual voluntarily engages Nelnet as their student loan servicer or
`
payment portal provider. Instead, Nelnet is given an individual’s federal loans to service without
`
`any choice or input given to the individual or is similarly chosen by a federal student loan
`
`servicer such as EdFinancial or OSLA to provide web portal and payment processing services
`
`without any input from the individual.
`
`
`
`
1 About Us, NELNET, https://www.nelnetinvestors.com/Home/default.aspx (accessed Sept. 6, 2022).
2 Nelnet 10Q Earnings Release, NELNET (Aug. 8, 2022) https://s21.q4cdn.com/368920761/files/doc_financials/2022/q2/8K-Exhibit-99.1-8.8.22-10Q-Earnings-Release-FINAL.pdf (accessed Sept. 6, 2022).
3 Id.
`
`II.
`
`Nelnet Obtains, Collects, and Stores Account Holders’ PII
`
`29.
`
`Nelnet requires all individuals to provide their sensitive, personal, and private
`
`protected information to register and create an account with Nelnet to use Nelnet’s services.
`
`30.
`
`Thus, all individuals whose federal student loans are assigned (without their
`
`input) to Nelnet must register with Nelnet and provide their PII to Nelnet to track and make
`
`payments on their federal student loans. Similarly, individuals whose federal student loans are
`
`serviced by a loan servicer that engages Nelnet to provide web portal or payment processing
`
`services must register and create an account with Nelnet and provide their PII to Nelnet.
`
`31.
`
`Nelnet maintains, keeps, and exploits customers’ PII for Nelnet’s own benefit,
`
`including long after individuals have paid off their loans in full and cease being Nelnet
`
`customers.
`
`32.
`
`Nelnet is in complete operation, control, and supervision of its website and systems,
`
`and Nelnet intentionally configured and designed its website and systems this way in order to
`
`make more money without regard to Plaintiffs’ and Class Members’ PII.
`
`33.
`
`By obtaining, using, disclosing, and deriving a benefit from Plaintiffs’ and Class
`
`Members’ PII, Nelnet assumed legal and equitable duties and knew or should have known that it
`
`was responsible for protecting Plaintiffs’ and Class Members’ PII from disclosure.
`
`34.
`
`Plaintiffs and Class Members reasonably expect that student loan service
`
`providers such as Nelnet will use the utmost care to keep their PII confidential and securely
`
`maintained, to use this information for business purposes only, and to make only authorized
`
`disclosures of this information.
`
`35.
`
`Nelnet acknowledges that it has an obligation to protect PII from disclosure and
`
`thus makes the following representation on the Nelnet website:
`
`Nelnet takes careful steps to safeguard customer information. We restrict access to your
`personal and account information to employees who need to know the information to
`provide services to you, and we regularly train our employees on privacy, information
`security, and their obligation to protect your information. We maintain reasonable and
`appropriate physical, electronic, and procedural safeguards to guard your Nonpublic
`Personal Information (NPI) and Personally Identifiable Information (PII), and we
`regularly test those safeguards to maintain the appropriate levels of protection.4
`
`36.
`
`Despite the above representations, Nelnet failed to prioritize data and cyber
`
`security by adopting reasonable data and cyber security measures to prevent and detect the
`
`unauthorized access to Plaintiffs’ and Class Members’ PII.
`
`37.
`
Had Nelnet followed industry guidelines and adopted reasonable security
`
`measures as represented in the Nelnet Privacy Policy, Nelnet would have prevented intrusion into
`
`its information systems and, ultimately, the theft of Plaintiffs’ and Class Members’ confidential
`
`PII.
`
`III.
`
`FTC Guidelines
`
`38.
`
`Nelnet is prohibited by the Federal Trade Commission Act, 15 U.S.C. § 45 (“FTC
`
`Act”) from engaging in “unfair or deceptive acts or practices in or affecting commerce.” The
`
`Federal Trade Commission (“FTC”) has concluded that a company’s failure to maintain reasonable
`
`and appropriate data security for consumers’ sensitive personal information is an “unfair practice”
`
`in violation of the FTC Act.
`
`39.
`
`The FTC has promulgated numerous guides for businesses that highlight the
`
`importance of implementing reasonable data security practices. According to the FTC, the need
`
`for data security should be factored into all business decision-making.
`
`40.
`
`The FTC provided cybersecurity guidelines for businesses, advising that businesses
`
should protect personal customer information, properly dispose of personal information that is no longer needed, encrypt information stored on networks, understand their network’s vulnerabilities, and implement policies to correct any security problems.

4 Nelnet Privacy Policy Mission Statement, Our Security Procedures, NELNET, https://www.nelnet.com/privacy-and-security#:~:text=As%20stated%20above%20we%20do,Comply%20with%20the%20law (accessed Sept 6, 2022).
`
`41.
`
`The FTC further recommends that companies not maintain PII longer than is
`
`needed for authorization of a transaction; limit access to private data; require complex passwords
`
`to be used on networks; use industry-tested methods for security; monitor for suspicious activity
`
`on the network; and verify that third-party service providers have implemented reasonable security
`
`measures.
`
`42.
`
`The FTC has brought enforcement actions against businesses for failing to
`
`adequately and reasonably protect customer data, treating the failure to employ reasonable and
`
`appropriate measures to protect against unauthorized access to confidential consumer data as an
`
`unfair act or practice prohibited by Section 5 of the FTC Act. Orders resulting from these actions
`
`further clarify the measures businesses must take to meet their data security obligations.
`
`43.
`
`Nelnet failed to properly implement basic data security practices. Nelnet’s failure
`
`to employ reasonable and appropriate measures to protect against unauthorized access to consumer
`
`PII, or to prevent the disclosure of such information to unauthorized individuals, as reflected by
`
`the sensitive Social Security information stolen, constitutes an unfair act or practice prohibited
`
`by Section 5 of the FTC Act.
`
`44.
`
`Nelnet was at all times fully aware of its obligations to protect the PII of consumers
`
`because of its business of obtaining, collecting, and disclosing PII as well as collecting, storing,
`
`and using other confidential personal and financial information. Nelnet was also aware of the
`
`significant repercussions that would result from its failure to do so.
`
SUBSTANTIVE ALLEGATIONS

I. The Data Breach

45.
`
`Beginning in June 2022, Nelnet allowed an unauthorized third-party to access
`
`Plaintiffs’ and Class Members’ student loan account registration information, including their
`
`names, addresses, email addresses, phone numbers, and Social Security numbers. According to
`
`Nelnet, this unauthorized access continued through July 22, 2022.
`
`46.
`
`Nelnet did not discover the unauthorized access until July 21, 2022, when Nelnet
`
`claims to have notified EdFinancial and OSLA about the vulnerability and unauthorized access.
`
`47.
`
`Despite discovering the Data Breach July 21, 2022, Nelnet did not notify the U.S.
`
`Department of Education of the Data Breach until after August 17, 2022, and did not begin
`
`notifying impacted customers until August 26, 2022.
`
II. Nelnet’s Data Security Failures Caused the Data Breach

48.
`
`Up to, and including, the period when the Data Breach occurred, Nelnet breached
`
`its duties, obligations, and promises to Plaintiffs and Class Members, by its failure to:
`
`a. hire qualified personnel and maintain a system of accountability over data
`
`security, thereby knowingly allowing data security deficiencies to persist;
`
`b. properly train its employees about the risk of cyberattacks and how to
`
`mitigate them, including by failing to implement adequate security
`
`awareness training that would have instructed employees about the risks of
`
`common techniques, what to do if they suspect such attacks, and how to
`
`prevent them;
`
`c. address well-known warnings that its systems and servers were susceptible
`
`to a data breach;
`
`d. implement certain protocols that would have prevented unauthorized
`
`programs, such as malware, from being installed on its systems that
`
`accessed customers’ personal information and otherwise would have
`
`protected customers’ sensitive personal information;
`
`e. install software to adequately track access to its network, monitor the
`
`network for unusual activity, and prevent exfiltration of data, which would
`
`have detected the presence of hackers and prevented customers’ sensitive
`
`personal information from being stolen. Specifically, there are
`
`recommended, available measures to prevent data from leaving protected
`
`systems and being sent to untrusted networks outside of the corporate
`
`systems; and
`
`f. adequately safeguard customers’ sensitive personal information and
`
`maintain an adequate data security environment to reduce the risk of a data
`
`breach or unauthorized disclosure.
`
`III. Nelnet’s Data Security Failures Constitute Unfair and Deceptive Practices
`and Violations of Consumers’ Privacy Rights
`
`49.
`
`The FTC deems the failure to employ reasonable and appropriate measures to
`
`protect against unauthorized access to sensitive personal information an unfair act or practice
`
`prohibited by Section 5 of the FTC Act, 15 U.S.C. § 45.
`
`50.
`
`In 2007, the FTC published guidelines that establish reasonable data security
`
`practices for businesses. The guidelines note that businesses should protect the personal
`
`customer information that they keep; properly dispose of personal information that is no longer
`
`needed; encrypt information stored on computer networks; understand their network’s
`
`vulnerabilities; and implement policies for installing vendor-approved patches to correct security
`
`problems. The guidelines also recommend that businesses consider using an intrusion detection
`
`system to expose a breach as soon as it occurs; monitor all incoming traffic for activity indicating
`
`someone may be trying to hack the system; watch for large amounts of data being transmitted
`
`from the system; and have a response plan ready in the event of a breach.
`
`51.
`
`The FTC has also published a document entitled “FTC Facts for Business,” which
`
`highlights the importance of having a data security plan, regularly assessing risks to computer
`
`systems, and implementing safeguards to control such risks.
`
`52.
`
`The FTC has issued orders against businesses that have failed to employ
`
`reasonable measures to secure sensitive personal information. These orders provide further
`
`guidance to businesses regarding their data security obligations.
`
`53.
`
`Prior to the Data Breach, and during the breach itself, Nelnet failed to follow
`
`guidelines set forth by the FTC and actively mishandled the management of its IT security.
`
`Furthermore, by failing to have reasonable data security measures in place, Nelnet
`
`engaged in an unfair act or practice within the meaning of Section 5 of the FTC Act.
`
IV. The Value of the Disclosed PII and Effects of Unauthorized Disclosure

54.
`
`Nelnet was well aware that the protected PII it acquires, stores, and utilizes is
`
`highly sensitive and of significant value to the owners of the PII and those who would use it for
`
`wrongful purposes.
`
`55.
`
`PII is a valuable commodity to identity thieves, particularly when it is aggregated
`
`in large numbers. Former United States Attorney General William P. Barr made clear that
`
`consumers’ sensitive personal information commonly stolen in data breaches “has economic
`
`value.” The purpose of stealing large caches of personal data is to use it to defraud individuals
`
`or to place it for illegal sale and to profit from other criminals who buy the data and use it to
`
`commit fraud and identity theft. Indeed, cybercriminals routinely post stolen personal
`
`information on anonymous websites, making the information widely available to a criminal
`
`underworld.
`
`56.
`
`There is an active and robust market for this information. As John Sancenito,
`
`president of Information Network Associates, a company which helps companies with recovery
`
`after data breaches, explained after a data breach “[m]ost of the time what [data breach hackers]
`
`do is they steal the data and then they sell the data on the dark web to the people who actually
`
`commit the fraud.”
`
`57.
`
`The forms of PII involved in this Data Breach are particularly concerning. Unlike
`
`credit or debit card numbers in a payment card data breach—which can quickly be frozen and
`
`reissued in the aftermath of a breach—unique social security numbers cannot be easily replaced.
`
`Even when such numbers are replaced, the process of doing so results in a major inconvenience
`
`to the subject person, requiring a wholesale review of the person’s relationships with government
`
`agencies and any number of private companies in order to update the person’s accounts with
`
`those entities.
`
`58.
`
Indeed, even the Social Security Administration (“SSA”) warns that the process
`
`of replacing a social security number is a difficult one that creates other types of problems, and
`
`that it will not be a panacea for the affected person:
`
`Keep in mind that a new number probably will not solve all your
`problems. This is because other governmental agencies (such as the
`IRS and state motor vehicle agencies) and private businesses (such
`as banks and credit reporting companies) likely will have records
`under your old number. Along with other personal information,
`credit reporting companies use the number to identify your credit
`record. So using a new number will not guarantee you a fresh start.
`This is especially true if your other personal information, such as
`your name and address, remains the same.
`
`If you receive a new Social Security Number, you should not be able
`to use the old number anymore.
`
`For some victims of identity theft, a new number actually creates
`new problems. If the old credit information is not associated with
`your new number, the absence of any credit history under the new
`number may make more difficult for you to get credit.
`
59.

Social security numbers allow individuals to apply for credit cards, student loans, mortgages, and other lines of credit—among other services. Often social security numbers can be
`
`used to obtain medical goods or services, including prescriptions. They are also used to apply for
`
`a host of government benefits. Access to such a wide range of assets makes social security
`
`numbers a prime target for cybercriminals and a particularly attractive form of PII to steal and
`
`then sell.
`
`60.
`
`The ramifications of Defendants’ failure to keep Plaintiffs’ and Class Members’
`
`PII secure are long lasting and severe. To avoid detection, identity thieves often hold stolen data
`
`for months or years before using it. Also, the sale of stolen information on the “dark web” may
`
`take months or more to reach end-users, in part because the data is often sold in small batches as
`
`opposed to in bulk to a single buyer. Thus, Plaintiffs and Class Members must vigilantly
`
`monitor their financial accounts ad infinitum.
`
`61.
`
`Thus, Nelnet knew, or should have known, the importance of safeguarding the PII
`
`entrusted to it and of the foreseeable consequences if its systems were breached. Nelnet failed,
`
`however, to take adequate cybersecurity measures to prevent the Data Breach from occurring.
`
`62.
`
`As highly sophisticated parties that handle sensitive PII, Nelnet failed to establish
`
`and/or implement appropriate administrative, technical and/or physical safeguards to ensure the
`
`security and confidentiality of Plaintiffs’ and other Class Members’ PII to protect against
`
`anticipated threats of intrusion of such information.
`
`63.
`
`Identity thieves use stolen PII for various types of criminal activities, such as
`
when personal and financial information is used to commit fraud or other crimes, including credit card fraud,
`
`phone or utilities fraud, bank fraud and government fraud.
`
`64.
`
`The PII exfiltrated in the Data Breach can also be used to commit identity theft by
`
`placing Plaintiffs and Class Members at a higher risk of “phishing,” “vishing,” “smishing,” and
`
“pharming,” which are other ways for cybercriminals to exploit information they
`
`already have in order to get even more personally identifying information from a person through
`
`unsolicited email, text messages, and telephone calls purportedly from a legitimate company
`
`requesting personal, financial, and/or login credentials.
`
`65.
`
`There is often a lag time between when fraud occurs versus when it is discovered,
`
`and also between when PII is stolen and when it is used. According to the U.S. Government
`
`Accountability Office, which conducted a study regarding data breaches:
`
`[L]aw enforcement officials told us that in some cases, stolen data
`may be held for up to a year or more before being used to commit
`identity theft. Further, once stolen data have been sold or posted on
`the Web, fraudulent use of that information may continue for years.
`As a result, studies that attempt to measure the harm resulting from
`data breaches cannot necessarily rule out all future harm.
`
66.

Personal information is such a valuable commodity to identity thieves that once the information has been compromised, criminals often trade the information on the cyber black
`
`market for years.
`
`67.
`
`Plaintiffs and Class Members rightfully place a high value not only on their PII,
`
`but also on the privacy of that data.
`
`68.
`
`Thus, Plaintiffs and Class Members are at an increased risk of fraud and identity
`
`theft for many years into the future.
`
V. The Data Breach Damaged Plaintiffs and Class Members.

69.
`
`As a result of Nelnet’s deficient security measures, Plaintiffs and Class Members
`
`have been harmed by the compromise of their sensitive personal information, which is likely
`
`currently for sale on the dark web and through private sale to other cyber criminals.
`
`70.
`
`Plaintiffs and Class Members also face a substantial and imminent risk of fraud
`
`and identity theft as their names have now been linked with their Social Security numbers,
`
`emails, phone numbers, and physical addresses as a result of the breach. These specific types of
`
`information are associated with a high risk of fraud.
`
`71. Many Class Members will also incur out of pocket costs for protective measures
`
`such as identity theft protection, credit monitoring fees, credit report fees, credit freeze fees, fees
`
`for replacement cards, and similar costs related to the Data Breach.
`
`72.
`
`Plaintiffs and Class Members also suffered a “loss of value” of their sensitive
`
`personal information when it was stolen by hackers in the Data Breach. A robust market exists
`
`for stolen personal information. Hackers sell personal information on the dark web—an
`
`underground market for illicit activity, including the purchase of hacked personal information—
`
`at specific identifiable prices. This market serves as a means to determine the loss of value to
`
`Plaintiffs and Class Members.
`
`73.
`
`Plaintiffs’ and Class Members’ stolen personal information is a valuable
`
`commodity to identity thieves. William P. Barr, former United States Attorney General, made
`
`clear that consumers’ sensitive personal information commonly stolen in data breaches “has
`
`economic value.” The purpose of stealing large caches of personal information is to use it to
`
`defraud consumers or to place it for illegal sale and to profit from other criminals who buy the
`
`data and use it to commit payment card fraud. One commentator confirmed, explaining that,
`
`“[m]ost of the time what [data breach hackers] do is they steal the data and then they sell the data
`
`on the dark web to the people who actually commit the fraud.” In fact, Plaintiffs’ and Class
`
`Members’ personal information is currently available for purchase on the dark web and/or
`
`through private sale to other cyber criminals.
`
`74.
`
`Identity thieves can also combine data stolen in the Data Breach with other
`
`information about Plaintiffs and Class Members gathered from underground sources, public
`
`sources, or even Plaintiffs’ and Class Members’ social media accounts. Thieves can use the
`
`combined data to send highly targeted phishing emails to Plaintiffs and Class Members to obtain
`
`more sensitive information. Thieves can use the combined data to commit potential crimes,
`
`including opening new financial accounts in Plaintiffs’ and Class Members’ names, taking out
`
`loans in Plaintiffs’ and Class Members’ names, using Plaintiffs’ and Class Members’
`
`information to obtain government benefits, filing fraudulent tax returns using Plaintiffs’ and
`
`Class Members’ information, obtaining Social Security numbers in Plaintiffs’ and Class
`
`Members’ names but with another person’s photograph, and giving false information to police
`
`during an arrest.
`
`75.
`
`Plaintiffs and Class Members also suffered “benefit of the bargain” damages.
`
`Plaintiffs and Class Members overpaid for services that should have been—but were not—
`
`accompanied by adequate data security. Part of the interest and fees paid by Plaintiffs and Class
`
`Members to Nelnet were intended to be used to fund adequate data security. Plaintiffs and Class
`
`Members did not get what they paid for.
`
`76.
`
`Plaintiffs and Class Members have spent and will continue to spend substantial
`
`amounts of time monitoring their accounts for identity theft and fraud, the opening of fraudulent
`
`accounts, disputing fraudulent transactions, and reviewing their financial affairs more closely
`
`than they otherwise would have done but for the Data Breach. These efforts are burdensome and
`
`time-consuming, especially because Nelnet has failed to disclose when the breach occurred or
`
`how long it lasted, forcing customers to continue to monitor their accounts indefinitely.
`
`77.
`
`Class Members who experience actual identity theft and fraud will also be harmed
`
`by the inability to use their credit or debit cards when their accounts are suspended or otherwise
`
`rendered unusable due to fraudulent charges. To the extent Class Members are charged
`
`monthly/annual fees for their credit and/or debit accounts, they are left without the benefit of that
`
`bargain while they await receipt of their replacement cards. Class Members will be harmed further
`
`by the loss of rewards points or airline mileage that they cannot accrue while awaiting replacement
`
`cards. The inability to use payment cards may also result in missed payments on bills and loans,
`
`late charges and fees, and adverse effects on their credit, including decreased credit scores and
`
`adverse credit notations.
`
`78.
`
`In the case of a data breach, merely reimbursing a consumer for a financial loss due
`
`to identity theft or fraud does not make that individual whole again. On the contrary, after
`
`conducting a study, the Department of Justice’s Bureau of Justice Statistics (“BJS”) found that
`
`“among victims who had personal information used for fraudulent purposes, 29% spent a month
`
`or more resolving problems.”
`
`79.
`
`A victim whose personal information has been stolen or compromised may not see
`
`the full extent of identity theft or fraud until long after the initial breach. Additionally, a victim
`
`whose personal information (including Social Security numbers) has been stolen may not become
`
`aware of charges when they are nominal, as typical fraud-prevention algorithms may not capture
`
`such charges. Those charges may be repeated, over and over again, on a victim’s account.
`