13 Parties Consolidate Claims in New York University Privacy Case
Plaintiffs in 13 class-action lawsuits against New York University proposed on Monday to consolidate their claims into a single complaint that the university violated their privacy rights. NYU is accused of exposing personally identifiable information (PII) during a cybersecurity incident as a result of its inadequate protective measures.
Sign up for a free preview to unlock the rest of this article
Privacy Daily provides accurate coverage of newsworthy developments in data protection legislation, regulation, litigation, and enforcement for privacy professionals responsible for ensuring effective organizational data privacy compliance.
“The Related Actions share common legal and factual issues, in that each of the Related Actions arise from the same Data Incident suffered by the same Defendant (NYU)," a court document said. It also said "NYU failed to adequately safeguard" the litigants' data, prompting the breach.
The complaints in case 25 -02422, such as plaintiff Christian Varbanovski’s, filed in the U.S. District Court for Southern New York in March, allege the university retained the PII of students and student-applicants, which was later exposed during a breach in March 2025. The PII includes test scores, demographic data, zip codes and citizenship status, according to the complaint, and remains in the hands of cyber criminals.
In addition to NYU’s failure to implement proper cybersecurity procedures, the university maintained, used and shared the PII recklessly, the complaint alleges. Counts of negligence, breach of implied contract and unjust enrichment are claimed.