1.3 Billion Data Breach Victims in 2024; 500,000 from Pennsylvania State Education Association

This week, 10 separate lawsuits against the Pennsylvania State Education Association were consolidated into one class action lawsuit—accusing PSEA of things like negligence, breach of implied contract, and more.
“The problem was they [data breach victims] weren't notified for months and months and months, so that they could do something about it,” said Chip Rogers, president of Americans For Fair Treatment.
PSEA said the breach occurred on July 6, that it wrapped up an investigation on February 18th, and that it notified clients in mid-March. Over 8 months separated the incident and the notification.
Pennsylvania state law requires private entities to notify Pennsylvania residents of a data breach “without unreasonable delay.” There is a legal exception if law enforcement gets involved and tells the company to wait on notifying during an investigation. If a breach occurs, an entity must provide a year of credit monitoring.
While the organization has roughly 178,000 active members, over 500,000 people were impacted by the breach according to a report made to the Maine District Attorney’s Office.
Several outlets have reported that the ransomware group Rhysida took credit for the breach in September 2024. PSEA did not disclose details of the breach, or any data on whether or how much it paid while investigating the breach.
In an emailed statement, a PSEA spokesperson said, “As soon as we became aware of this incident, we engaged cybersecurity professionals with expertise in these occurrences. We are complying with all legal and regulatory requirements.”
The data impacted in the breach included driver’s licenses, social security numbers, medical information, bank account information, and more.
The various lawsuits, before being consolidated on Monday, asked for things like a longer period of credit monitoring and requiring the organization to use better data security practices.
“They need to make it right for the people that have been affected by this,” Rogers said. “And then secondarily, they need to make sure that this never happens again.”
Responses to data breaches are mostly governed by state law. While most states have some minimum requirement that an entity report data breaches, it varies from state to state whether entities are held accountable for implementing better data security practices.
In 2024, 1.3 billion people got notification letters that their private information had been compromised, according to an Identity Theft Resource Center report. There were over 3,100 incidents.
James E. Lee, president of the national group Identity Theft Resource Center, says most data breaches today are from cyber attacks. They occur through phishing, ransomware, and occasionally still malware.
“Now, the way you defend against those is education,” Lee said. “Because it involves a human. It’s training people don’t click on links. Don’t open up attachments that you don’t know where they originated.”
Lee said data breaches are often done by well-organized criminal groups, and that the data is used as a stepping stone to scam larger targets.
“The bad guys only want to do things where they can make money at scale, and they can automate it,” Lee said. “So for most people, we're not on their radar screen.”
Lee emphasized, though, that having personal data compromised is devastating; it can be emotionally, financially, and physically harmful.
There are smart tech tactics to prevent future breaches; using multi-factor authentication is wise. New passkeys, which rely on face ID or fingerprints, can erase the need for passwords and keep account access safer.
At the root of all data security, groups can embrace data minimization.
“If you don't need it, don't collect it,” Lee said. “If you do need it, don't keep it. Once the transaction is done, you get rid of it.”
While civil lawsuits can lead to some relief or settlement for victims of data breaches, a more sweeping change in industry cultures (or laws) can lead to more privacy in an age where information is the hottest commodity.
“We would like the state to take a look at this and say, ‘why is this information being given to a union anyway?’” Rogers said.