Christian college Lee University is being sued after a security breach allegedly impacted thousands of prospective students.
Plaintiff Michael Harris, a North Carolina resident and prospective Lee University student, filed a Class Action Complaint on behalf of himself and others involved, alleging the following:
- Count 1: Negligence
- Count 2: Breach of Implied Contract
- Count 3: Invasion of Privacy - Intrusion upon seclusion
- Count 4: Unjust Enrichment/Quasi Contract
According to a notice sent out on March 24, 2025 concerning the data breach, someone gained access through a third-party software to the university's network a year earlier in March 2024. They took names, Social Security numbers, and education-related information, or "PII" as referred to in the lawsuit.
"As soon as we discovered the incident, we took the steps described above," says the notice, referring to the data breach investigation. "As part of our ongoing commitment to information security, we are reviewing existing policies and procedures and implementing enhanced security measures to reduce the likelihood of a similar incident occurring in the future. We are further notifying you of this event and advising you about steps you can take to help protect your information."
The notice letter also notes that victims are offered "credit monitoring services", implying a lack of security and an imminent threat of identity theft and financial fraud.
The following letters shown from Lee University were sent to a family of five, impacting the parents and children of Lee Alumni:
Lee University data breach letter
Photos courtesy of Local 3 viewer
The lawsuit now alleges that Lee University:
- Waited over a year to inform victims of the data breach, a direct violation of Tennessee Code
- Failed to clarify whether they were able to contain or end the cybersecurity threat, leaving victims in fear that their PII is continuously insecure
- Failed to clarify how the data breach occurred
Due to the data breach, the Plaintiff and other class members say they were made vulnerable to identity theft in more ways than one:
"Armed with the PII accessed in the Data Breach, data thieves can commit a variety of crimes including, e.g., opening new financial accounts in Class Members’ names, taking out loans in Class Members’ names, using Class Members’ names to obtain medical services, using Class Members’ information to obtain government benefits, filing fraudulent tax returns using Class Members’ information, obtaining driver’s licenses in Class Members’ names but with another person’s photograph, and giving false information to police during an arrest."
The lawsuit also claims that the data breach was foreseeable, and that Lee University was aware of the risks.
"Despite the prevalence of public announcements of data breach and data security compromises, and despite their own acknowledgment of its duties to keep PII private and secure, Defendant failed to take appropriate steps to protect the PII of Plaintiff and the proposed Class from being compromised."
Harris and others claim that they were required by the university to hand over sensitive information as a condition of requesting and receiving information about Lee University.
They also say that the school has not offered any compensation for the time they will now need to spend monitoring their accounts, placing credit freezes and fraud alerts, and changing online passwords. Harris says he has spent over 24 hours and counting taking action to reduce the consequences of the data breach, and that he has suffered financial and mental injury due to the situation.
"Plaintiff suffered lost time, annoyance, interference, and inconvenience as a result of the Data Breach and has anxiety and increased concerns for the loss of his privacy." says the lawsuit. "Plaintiff suffered emotional distress and increased stress and anxiety as a result of the Data Breach because of the actions he has been forced to undertake, the loss of control over his most intimate information, and the fact that he must remain vigilant for the remainder of his life."
Harris' lawsuit ends with a "Prayer for Relief", or a list of demands that would bring justice:
- "For an Order certifying this action as a Class action and appointing Plaintiff and his counsel to represent the Class;
- For equitable relief enjoining Defendant from engaging in the wrongful conduct complained of herein pertaining to the misuse and/or disclosure of Plaintiff’s and Class Members’ PII, and from refusing to issue prompt, complete and accurate disclosures to Plaintiff and Class Members;
- For equitable relief compelling Defendant to utilize appropriate methods and policies with respect to data collection, storage, and safety, and to disclose with specificity the type of PII compromised during the Breach;
- For equitable relief requiring restitution and disgorgement of the revenues wrongfully retained as a result of Defendant’s wrongful conduct;
- Ordering Defendant to pay for lifetime credit monitoring services for Plaintiff and the Class;
- For an award of actual damages, compensatory damages, statutory damages and statutory penalties, in an amount to be determined, as allowable by law;
- For an award of punitive damages, as allowable by law;
- For an award of attorneys’ fees and costs, and any other expense, including expert witness fees;
- Pre- and post-judgment interest on any amounts awarded and,
- All such other and further relief as this court may deem just and proper."
For more information, read the full Class Action Complaint:
