
Indianapolis Campus Security Negligence: Who Is Responsible When a University Contractor Exploits Children on the School’s Network
You sent your daughter to Butler University in the Meridian-Kessler neighborhood of Indianapolis trusting that the campus — the sorority house on Sunset Avenue, the dining hall, the network she logs onto every night — was watched over by people who take her safety seriously. Then you learned that the head chef at her sorority house was arrested on eight counts of child exploitation and possession of child pornography. He allegedly committed these crimes on the university’s own campus, using the university’s own internet connection, dating back to 2023. For nearly two years, the systems that were supposed to protect students did not catch what was happening in the kitchen and on the network.
We are the trial team at Attorney911, and we want you to know something before you read any further: the man who was arrested is not the only party who may answer for this. The institution that placed him in a sorority house, the university that failed to monitor its own network for child sexual abuse material, and the organization that housed him among your children — each one may carry its own share of responsibility. The criminal case will address the perpetrator. The civil case is what holds the system accountable. That is why we are here.
What Happened at Butler University: The Institutional Failure
The facts that have been reported are these. Andrew Horstmann served as the head chef at the Delta Delta Delta — Tri Delta — sorority house at Butler University. He was not a direct university employee. He worked for College Fresh, a food service management company that contracts to staff Greek houses on campuses across the country. On May 21, 2025, he was arrested on eight criminal counts: four counts of possession of child pornography — one with an aggravating factor — and four counts of child exploitation — one with an aggravating factor. Child exploitation, under Indiana law, includes the knowing distribution of child pornography. Aggravating factors can include situations where the child is under the age of twelve, is threatened or forced, physically resists, is injured, or is mentally disabled. The specific details of his charges have not been released.
Here is what makes this an institutional failure, not just a criminal one. The alleged crimes were committed on the Butler University campus, using a Butler University IP address. That means the university’s own computer network — the digital infrastructure that students, faculty, and staff rely on every day — was used to access or distribute child sexual abuse material for approximately two years. And nobody caught it. The university’s IT monitoring systems, its network security protocols, its acceptable-use enforcement — none of it flagged the traffic that was passing through its servers. That is not a gap. That is a structural failure.
Then there is the timing. Horstmann’s contract with Tri Delta was terminated in April 2025 — one month before his arrest. College Fresh and the sorority have characterized that termination as involving “unrelated matters.” But the proximity of a contract termination to a criminal arrest is never something a civil lawyer accepts at face value. Discovery will examine whether College Fresh received any communication from law enforcement, any internal complaint, any IT alert, or any other signal that preceded the decision to let him go. The “unrelated” termination is a thread that, once pulled, may unravel a very different story.
His bond was set at $1,950 — a staggeringly low figure for eight counts of child exploitation — and was paid six days after his arrest. His jury trial is set for January 13, 2026, in an Indiana court. The Indianapolis Metropolitan Police Department handled the investigation. The chapter president of Tri Delta issued a statement attempting to distance the sorority from the matter entirely.
“He was an employee of College Fresh, and this is all being handled by IMPD. It doesn’t really involve Tri Delta at all, or the chapter house.”
That statement is the institutional reflex — the instinct to point at someone else. But the law does not let an institution that housed this man among its residents simply walk away by saying he was someone else’s employee. The sorority house is a residential facility. The people who manage it — directly or through contractors — owe the people who live there a duty of safety. That duty does not evaporate because the cook was technically on a food service company’s payroll.
Who Is Responsible: The Defendant Stack
When a contractor’s employee commits crimes against children on a university campus, the liability does not stop with the man who was arrested. It radiates outward through every entity that placed him there, controlled his access, and failed to monitor the environment around him. Here is the stack — the defendants a civil case targets, and why each one answers for what happened.
The perpetrator. The direct actor faces criminal prosecution and is also answerable in civil court for the intentional torts he committed. But individual perpetrators rarely have the assets or insurance coverage to make a survivor whole. The civil case reaches past him to the institutions that enabled his access.
College Fresh — the food service contractor. College Fresh placed Horstmann in a sensitive campus environment — a residential sorority house where young adults live, eat, and sleep. The company owed a duty to screen, train, and supervise the employees it puts into those environments. Negligent hiring, negligent retention, and negligent supervision are the civil theories that hold College Fresh responsible. The questions discovery must answer: What background check was performed before he was hired? Was it updated during his tenure? Had any complaint, concern, or red flag been raised about him before April 2025? What was the real reason for his termination? College Fresh is a national food service management company that provides specialized staffing for Greek houses. A company operating at that scale carries substantial general liability and professional liability insurance — but coverage for intentional criminal acts by employees often turns on theories of negligent hiring and supervision rather than vicarious liability. That is the lane the civil case must occupy.
Butler University — the institution that owned the network. The university failed to detect the use of its own IP address for child exploitation for approximately two years. That failure implicates multiple duties: the duty to monitor campus network infrastructure for illicit activity, the duty to provide a safe environment for students under Title IX, and the duty of care owed to everyone on campus. Butler is a private university, which means it cannot hide behind the sovereign immunity that protects state institutions. In Indiana, charitable immunity for private institutions like Butler is limited — it generally does not protect against gross negligence in safety or security oversight. The university’s IT department is the first target of discovery: what monitoring software was deployed, what alerts were generated, what happened to those alerts, and what the university’s own acceptable-use policy required.
Delta Delta Delta — the sorority that housed him. The local chapter and the national organization both bear premises liability for the safety of residents and visitors in the sorority house. The fact that the chef was employed by a contractor does not absolve the entity that controls the building, that determines who has access, and that houses its members there. The national sorority organization likely carries its own insurance and sets its own safety standards for chapter houses. Our firm has experience litigating against Greek organizations and universities — we understand how these institutions are structured and where the duties lie.
The critical insight is this: the institutions will all point at each other. College Fresh will say he was not our employee in the traditional sense. Butler will say the network was not our specific responsibility to monitor for this. Tri Delta will say the chef was not our staff member. Each of those statements may be technically true and legally irrelevant. The question is not who employed him on paper — it is who controlled his access, who created the environment where he operated, and who failed to detect what he was doing with their network for two years.
Indiana Law: Premises Liability, Foreseeability, and Institutional Duty
Indiana law provides several paths to hold institutions accountable for the criminal acts of third parties on their premises. The framework that governs this case is built on three pillars: the foreseeability standard for third-party criminal acts, the duty of care owed by institutions to people on their property, and the regulatory obligations that create specific duties for universities and those who work with children.
Premises liability and the foreseeability standard. Indiana follows a modified comparative fault system under Indiana Code Title 34. When a third party commits a criminal act on someone’s property — in this case, on a university campus and in a sorority house — the question is whether the criminal act was foreseeable. Indiana case law on third-party criminal acts on a premises focuses on foreseeability under the Rogers v. Martin standard. The analysis asks whether the institution knew or should have known of the danger, and whether it took reasonable steps to protect against it. A contractor employee with access to a residential sorority house who uses the university network for child exploitation is a foreseeable risk when no monitoring, no screening, and no supervision are in place. The foreseeability argument grows stronger with every piece of evidence that shows the institutions had constructive notice of the danger — prior incidents, IT alerts, law enforcement notifications, or red flags in the employee’s history.
The duty of care. Butler University, as the property owner and operator of the campus, owes a duty of reasonable care to everyone on its premises. That duty extends to the network infrastructure it operates. A university that provides internet access to its students, faculty, contractors, and staff has a duty to monitor that network for illegal activity — especially when federal law requires monitoring for child sexual abuse material. College Fresh, as the employer that placed Horstmann in the sorority house, owed a duty to screen him, supervise him, and ensure he was fit to work in proximity to young adults. Tri Delta, as the entity that controls the sorority house, owed a duty to ensure the safety of its residents from foreseeable harm by staff — whether direct employees or contractors.
Title IX and the hostile environment. Title IX regulations require universities that receive federal funding to address hostile environments created by sexual misconduct on campus. The use of the university’s own network for child exploitation — on campus, in proximity to students, by a contractor with access to residential facilities — creates the kind of environment Title IX is designed to prevent and address. Butler University’s Title IX obligations are not satisfied by responding after an arrest. They require proactive monitoring and a safe educational environment.
Mandatory reporting. Indiana Code 31-33-5 establishes mandatory reporting requirements for certain professionals who suspect child abuse or neglect. If any university employee, College Fresh employee, or sorority staff member had reason to suspect Horstmann’s conduct and failed to report it, that failure is itself a violation — and it is evidence of institutional negligence.
The statute of limitations. Indiana’s general statute of limitations for personal injury claims is two years from the date the injury occurs or is discovered. For victims of child sexual abuse and exploitation, Indiana law provides specific provisions that may toll — pause or extend — the limitations period, particularly when the victim was a minor at the time. The exact timeline depends on the victim’s age, the nature of the exploitation, and when the connection between the harm and its cause was discovered. What matters is this: the clock on a civil claim may not have started when you think it did, and it may not be as close to running out as you fear. But you cannot know for certain without talking to a lawyer who can evaluate your specific situation under Indiana law.
Charitable immunity — limited and likely inapplicable. Butler University, as a private educational institution, may attempt to invoke charitable immunity. Indiana law limits charitable immunity for private institutions and generally does not protect against gross negligence in safety or security oversight. When a university fails to monitor its own network for child exploitation material for two years, that is not a good-faith mistake — it is a systemic failure of the duty to provide a safe environment. Charitable immunity was not designed to shield that kind of institutional disregard.
The Evidence Clock: What Exists and How Fast It Disappears
Every civil case involving institutional negligence lives or dies on the evidence the institutions created — and how fast that evidence can legally be destroyed. In this case, the most critical evidence is digital, and digital evidence has the shortest lifespan of any record in the legal system. Here is what exists, who holds it, and how fast it can die.
Butler University IT and IP logs — the fastest-dying and most decisive record. These logs prove what was accessed from the university’s IP address, when, how often, and from what device. They are the single most important piece of evidence in the institutional negligence case against the university. Digital network logs are frequently purged on routine schedules — 30, 60, 90, or 180 days, depending on the system configuration. If Butler’s IT department operates on a standard retention cycle, the logs from 2023 — when the alleged crimes began — may already be gone unless a litigation hold or preservation letter was sent. This is the fastest-dying record in the entire case. The preservation demand must name the specific systems: firewall logs, web proxy logs, DNS resolution records, authentication logs, acceptable-use monitoring reports, and any CSAM-detection software alerts. The letter goes out the day you call — not after the criminal trial, not after the university finishes its internal review, not after the insurance company decides how to position the claim. The day you call.
College Fresh employment file — the hiring and termination record. This file contains the background check that was performed when Horstmann was hired, any periodic re-checks, performance evaluations, any complaints or concerns raised about him, training records, and the documented reason for his April 2025 termination. The “unrelated matters” explanation is a characterization, not a fact. The file tells the real story. Corporate records are not subject to the same rapid destruction as digital logs, but they can be “lost,” “archived,” or “inadvertently destroyed” — particularly when a company knows a criminal investigation is underway. A corporate records preservation letter must go to College Fresh immediately, naming the specific documents: the complete personnel file, the background check results, any internal communications about Horstmann, the termination documentation, and any correspondence with law enforcement.
IMPD investigative reports — the criminal file. The Indianapolis Metropolitan Police Department’s investigative reports will contain the details of how the crimes were discovered, what devices were seized, the nature of the exploitation, the IP address trail, and — critically — the identity of any victims. These reports are available through civil discovery and are the foundation of the civil case. The criminal investigation may have uncovered information that the institutions do not yet know is coming — information that establishes constructive notice or prior warnings.
Tri Delta keycard and access data — the physical presence record. The sorority house’s keycard or electronic access system records when Horstmann entered the building, what hours he was present, and whether his physical presence correlates with the times of peak illicit network activity. This data establishes the connection between the person and the digital crime — answering the defense argument that the IP address “cannot be traced to a specific person.” Physical logs and electronic access records may be overwritten on a rolling schedule. They must be preserved before the system cycles them out.
The urgency is not theoretical. Every day that passes without a preservation letter is a day the institutions can legally destroy records that would prove the case. The IT logs from 2023 are already at risk. The keycard data may be cycling out. The employment file at College Fresh is sitting in a cabinet that someone may decide to clean out. If you want to understand how a civil case is built from the ground up, our guide for parents on child injury lawsuits walks through what we look for and why timing matters.
The Medicine: Psychological Harm from Child Exploitation
Child exploitation inflicts a specific kind of harm — one that does not show up on an X-ray, does not leave a visible scar, and does not resolve with a cast and six weeks of healing. The damage is psychological, and it is profound. The defense in any civil case involving exploitation will try to minimize this harm — calling it “emotional distress” as though that phrase were small. It is not small. It is a medical injury with a name, diagnostic criteria, and a measurable lifetime cost.
Post-traumatic stress disorder is a formal medical diagnosis, not a feeling. The Diagnostic and Statistical Manual of Mental Disorders — the reference every psychiatrist in the country uses — defines PTSD through eight separate criteria. A diagnosis requires exposure to a traumatic event, intrusive symptoms like unwanted memories and nightmares, avoidance of reminders, negative changes in cognition and mood, alterations in arousal and reactivity, symptoms lasting more than one month, functional impairment, and the exclusion of other causes. This is not a checklist a lawyer picks. It is a clinical diagnosis a treating professional renders after structured evaluation.
Child exploitation is among the most psychologically devastating events a person can experience. The landmark National Comorbidity Survey found that sexual violence carried the highest conditional probability of producing PTSD of any traumatic event measured — more likely to cause lasting psychological injury than combat, than a car wreck, than a natural disaster. When the exploitation occurs in a setting of trust — a university campus, a sorority house, a dining hall where the perpetrator was a familiar face — the betrayal compounds the trauma. The harm is not only what was done. It is where it was done, and by whom.
The lifetime cost is real and calculable. Federal public-health researchers estimated the lifetime economic burden of a single sexual assault at more than $122,000 per survivor — and that figure counts only the things you can put on an invoice: therapy, doctor visits, lost productivity. It does not measure the nightmares, the relationships that strain, the front door a survivor cannot walk through alone, the education that gets interrupted, the years of trust that have to be rebuilt. For child exploitation victims, the cost is often higher — the harm occurs during development, affecting identity formation, attachment capacity, and the trajectory of an entire life.
The treatment is long-term. A survivor of child exploitation may need years of trauma-focused therapy — cognitive behavioral therapy, eye movement desensitization and reprocessing, and in some cases intensive outpatient or inpatient treatment. Psychiatric medication may be necessary for comorbid depression and anxiety. The life-care plan that a civil case builds will account for every one of these costs, projected across the survivor’s expected lifetime and reduced to present value. That is how a “lifetime of care” becomes a number a jury can understand.
The defense will exploit the invisibility of the injury. Because this harm does not show up on a scan, the defense will argue it is speculative, exaggerated, or pre-existing. The counter is the medical record built from day one: the first therapy intake, the initial psychological evaluation, the structured diagnostic assessment using validated instruments. These contemporaneous records pre-date any “litigation motive” accusation and establish the injury as real, diagnosed, and causally connected to the exploitation.
The Money: What This Case Is Worth
The value of a civil case against the institutions that enabled this failure depends on specific facts that discovery will uncover. But the framework for valuation is built from the same components as any institutional negligence case — and the range is wide because the facts are still emerging.
Economic damages include past and future psychological counseling and psychiatric care, medication costs, lost educational opportunities, lost earning capacity, and the cost of a life-care plan that projects treatment needs across a survivor’s lifetime. For a young person whose education was disrupted by exploitation, the lost-earning-capacity component alone can be substantial.
Non-economic damages cover the human losses that no receipt can measure: emotional distress, mental anguish, loss of privacy, loss of enjoyment of life, the damage to trust and identity, and the permanent alteration of a person’s relationship with their own safety. In a case where the exploitation occurred in a trusted institutional setting, the non-economic harm is magnified — the betrayal by the institution is its own distinct injury.
Punitive damages become available when discovery proves the institutions ignored warnings, concealed knowledge, or acted with reckless disregard for the safety of the people in their care. If Butler University received any law enforcement alert about its IP address prior to the arrest and failed to act, that is the predicate for punitive damages. If College Fresh had internal concerns about Horstmann and terminated him quietly rather than investigating, that is the predicate for punitive damages. If the “unrelated” termination was actually a quiet response to suspicions the company never reported, that is the predicate.
The case value range, based on the institutional negligence analysis, runs from approximately $750,000 on the low end — where institutional negligence is established but no specific local victims are identified and no constructive notice is proven — to $7,500,000 or more on the high end — where discovery identifies specific victims, proves the university or the contractor had constructive notice of the illicit network traffic as far back as 2023, and establishes the kind of institutional disregard that warrants punitive damages. The high end is not a prediction. It is an honest assessment of what the facts, if they develop in a certain direction, would support.
Past results depend on the facts of each case and do not guarantee future outcomes. Every number we discuss is grounded in the specific institutional negligence framework of this case, not in a formula or a generic settlement calculator.
How Institutions Defend Themselves: The Playbook
When a university, a contractor, and a sorority are facing a civil claim arising from child exploitation on their premises, they do not simply concede. They run a playbook — a series of predictable defense strategies designed to minimize their exposure, deflect blame, and pressure the survivor to accept less than the case is worth. We know this playbook because our team includes a former insurance-defense attorney who sat in the rooms where these strategies are developed. Here are the plays and how we counter each one.
Play 1: “He was a contractor, not our employee.” Both Butler University and Tri Delta will argue that Horstmann was College Fresh’s employee, not theirs, and that they cannot be responsible for the criminal acts of someone who was not on their payroll. The counter is the control test. Who set his schedule? Who gave him access to the sorority house? Who determined his duties? Who supervised his day-to-day work? The more control the institution exercised over his presence and conduct, the more the law holds that institution responsible — regardless of whose name was on his paycheck. The lease agreement between the sorority and College Fresh, the service contract between College Fresh and Butler, and the access-control records all establish who really controlled this man’s presence on campus.
Play 2: “The IP address cannot be traced to a specific person.” The university may argue that network traffic logs do not prove who was sitting at the keyboard. This is the technology defense — designed to create reasonable doubt about whether Horstmann was the one using the network. The counter is the correlation between physical and digital evidence. Keycard data shows when he entered the building. Network authentication logs show which device accessed which content. Employment schedules show when he was on duty. Device MAC addresses tie a specific piece of hardware to the network traffic. When you overlay the physical presence record with the digital activity record, the defense of “anyone could have done it” collapses. The timing aligns too precisely for coincidence.
Play 3: “The termination was for unrelated matters.” College Fresh will insist that the April 2025 termination had nothing to do with the criminal investigation. The counter is discovery — the targeted, aggressive, document-by-document examination of what actually happened in the weeks before his arrest. Internal emails, communications with law enforcement, HR records, witness statements, and the timeline of events will reveal whether “unrelated” is a truthful description or a convenient one. The proximity of the termination to the arrest — one month — is a fact that demands explanation, not acceptance.
Play 4: “We had no specific duty to monitor our network for this.” Butler may argue that it had no specific legal obligation to detect child exploitation material on its network. The counter is multi-layered: federal law requires certain monitoring of university networks for CSAM, Title IX requires the university to maintain a safe educational environment, and Butler’s own acceptable-use policy almost certainly prohibits using the network for illegal purposes — which implies a duty to detect and prevent such use. A university that provides network access to its community and does not monitor that access for illegal activity is not meeting the standard of care that any reasonable university would follow.
Play 5: “Charitable immunity shields us from liability.” Butler may invoke charitable immunity as a private educational institution. The counter is Indiana law itself: charitable immunity for private institutions is limited and does not protect against gross negligence in safety or security oversight. A two-year failure to detect child exploitation material on the university’s own network is not a good-faith error. It is a systemic breakdown in the duty to provide a safe environment.
Our team includes a former insurance-defense attorney who knows how adjusters and their lawyers value claims, select defense experts, and design delay tactics from the inside. That knowledge now works for the people the insurance industry used to work against.
How We Build the Proof
Building a civil case against institutions for a child exploitation failure is a chronological process that begins the day you call and proceeds through every layer of the institutional structure. Here is how the case is actually built — not in summary, but in the order it happens.
Week one: the preservation letter. The first document we generate is a litigation-hold and evidence-preservation demand. It goes to Butler University’s IT department, to College Fresh’s corporate offices, to Tri Delta’s chapter house and national headquarters, and to any third-party network monitoring vendor the university uses. The letter names specific records by name: network traffic logs, firewall logs, DNS records, web proxy logs, authentication logs, CSAM-detection software alerts, acceptable-use monitoring reports, the complete personnel file of the perpetrator, all internal communications about him, the termination documentation, keycard and access-control records, housekeeping logs, incident reports, and any correspondence with law enforcement. The letter creates a legal duty to preserve. After that letter is on file, any destruction of those records is spoliation — and the law answers spoliation with sanctions, adverse-inference instructions, and in some circumstances separate claims for the destruction itself.
Weeks two through eight: the records demand. While the criminal case proceeds, the civil case begins its own discovery. We subpoena the IMPD investigative reports to understand how the crimes were discovered, what devices were seized, and what the investigation revealed about the timeline and scope of the exploitation. We request Butler University’s IT security policies, its network monitoring configuration, its acceptable-use policy, its Title IX compliance records, and its history of any prior network security incidents. We demand College Fresh’s hiring and background-check documentation, its supervision protocols for employees placed in residential campus environments, its training records, and the complete file on Horstmann’s employment and termination. We request Tri Delta’s lease and service agreements, its access-control records, and its own safety policies for chapter houses.
The forensic IT analysis. A forensic IT specialist examines the network logs — if they survive — to determine what monitoring software was deployed, whether CSAM-detection tools were configured and active, whether any alerts were generated, and what happened to those alerts. The question at the heart of the institutional case is this: did the university’s systems flag this traffic, and did someone ignore the flag? Or did the university not have adequate monitoring in place at all? Either answer establishes institutional negligence — one through conscious disregard, the other through a failure to meet the standard of care.
The campus security expert. A campus security expert testifies to the standard of care for university network management — what a reasonably prudent university would have deployed to detect illegal activity on its network, how often it would have reviewed alerts, and what it would have done when it found them. This expert’s testimony is what converts the institutional failure from an accusation into a proven breach of duty.
The depositions. The IT director explains under oath what the university’s monitoring systems were and were not configured to detect. The College Fresh HR manager explains under oath what background check was performed and what the real reason for the termination was. The sorority house director explains under oath who controlled access to the building and what oversight existed for contractor staff. The perpetrator himself — if he testifies — explains how he was able to use the network undetected for two years.
The damages model. A life-care planner builds the cost stream of future psychological treatment. A forensic economist reduces it to present value. A treating psychologist or psychiatrist documents the diagnosis, the treatment plan, and the expected trajectory of recovery — or the lack thereof. The number at the end of the case is built from all of this — every record, every deposition, every expert report, every line item in the life-care plan — assembled into a figure a jury can trust because every piece of it is traced to a source.
Your First 72 Hours: What to Do Now
If you or a family member may have been affected by this case — if your daughter lived at the Tri Delta house, if she was a Butler student during 2023 through 2025, if you have any reason to believe she or someone you love was impacted — there are specific steps that protect both your child and any future civil claim. The most important thing is that you act now, not after the criminal trial, not after the university completes its internal review, not after the insurance company reaches out with a friendly call.
First: get your child the psychological support she needs. This is the first priority, not the last. If your daughter is exhibiting any signs of distress — withdrawal, anxiety, sleep disruption, mood changes, reluctance to return to campus — a trauma-informed therapist should evaluate her. The medical record that begins now is also the evidence that will support a civil claim later. But that is not why you do it. You do it because she is hurting and she needs help. The legal case is secondary to her well-being — always.
Second: do not sign anything, do not give recorded statements, and do not accept any communication from the institutions or their insurers. An insurance adjuster or a university representative may call you. They will sound sympathetic. They may offer to “help” or to “answer your questions.” Everything you say will be recorded and may be used against you. If anyone from Butler University, College Fresh, Tri Delta, or any insurance company contacts you, the only words you need are these: “I need to speak with an attorney first, and I will have my attorney contact you.” Then call us.
Third: preserve everything you have. If your daughter has any communications from the sorority, the university, or College Fresh about this matter — emails, text messages, letters, notifications — save them. Do not delete anything. If you have photographs of the sorority house or the campus from the relevant period, keep them. If your daughter kept a journal or calendar during the relevant time, preserve it. Every piece of personal evidence supports the larger institutional case.
Fourth: do not post about this on social media. The defense will monitor social media accounts for anything that can be used to minimize the claim, question the survivor’s credibility, or characterize the family’s motives. Silence is protection. If you want to understand the specific mistakes that can undermine an injury case, our client-mistakes video walks through what to avoid.
Fifth: call a lawyer. The preservation letter that freezes the institutional evidence cannot go out until you make the call. Every day you wait is a day the IT logs may be purged, a day the keycard data may be overwritten, a day the employment file may be “cleaned up.” The call is free. The consultation is confidential. And the clock on the evidence is already running.
Frequently Asked Questions
Can I sue Butler University for what happened?
Yes, if you or your child was harmed by the institutional failure to detect and prevent child exploitation on campus. Butler University owed a duty to monitor its network, to maintain a safe campus environment, and to protect the people on its premises from foreseeable harm. The fact that the perpetrator was a contractor’s employee does not absolve the university of its duty to monitor its own network and campus. Indiana law allows claims for premises liability and institutional negligence against private universities, and charitable immunity does not protect against gross negligence in safety oversight. Whether you have a viable claim depends on the specific facts of your situation, which we evaluate in a free, confidential consultation.
Can College Fresh be held responsible for their employee?
Yes. College Fresh placed Horstmann in a sensitive residential campus environment — a sorority house where young adults live. The company owed a duty to screen him before hiring, to supervise him during his employment, and to act on any red flags that emerged. Negligent hiring, negligent retention, and negligent supervision are well-established civil claims in Indiana. The company’s insurance coverage for intentional criminal acts by an employee often turns on these negligent-supervision theories rather than on vicarious liability — which is exactly why the civil case must be framed around what the company knew, what it should have known, and what it failed to do.
How long do I have to file a lawsuit in Indiana?
Indiana’s general statute of limitations for personal injury claims is two years. However, for victims of child sexual abuse and exploitation, Indiana law provides specific provisions that may toll — pause or extend — the limitations period, particularly when the victim was a minor at the time of the exploitation. The exact deadline depends on the victim’s age, the nature of the harm, and when the connection between the exploitation and its cause was discovered. Do not assume you have missed the deadline. Do not assume you have plenty of time. Call us and we will evaluate your specific timeline under Indiana law.
What evidence exists and how long will it last?
The most critical evidence in this case is digital — Butler University’s network traffic logs, firewall logs, DNS records, and any CSAM-detection software alerts. These logs are frequently purged on routine schedules, sometimes as short as 30 to 90 days. The logs from 2023 may already be at risk. Other critical evidence includes College Fresh’s employment file for Horstmann, Tri Delta’s keycard and access-control data, and the IMPD investigative reports. Each of these records is held by a different entity, each has a different retention schedule, and each can be legally destroyed if no preservation letter has been sent. This is why the first thing we do when you call is send the letter that freezes the evidence.
Was my daughter or family member affected?
We cannot answer that question without more information. What we can tell you is that the investigation revealed the alleged crimes were committed using a Butler University IP address, meaning the perpetrator used the university’s network. If your daughter was a member of Tri Delta, a resident of the sorority house, or a Butler student during 2023 through 2025, she was in the environment where this person had access. Whether she was directly affected is a question that may be answered through the criminal investigation, through civil discovery, or through a conversation with her. Our role is to help you understand the legal options available if she was harmed — and to hold the institutions accountable for allowing that harm to occur.
What is a case like this worth?
The value of an institutional negligence case arising from child exploitation depends on the specific facts that discovery uncovers. The analysis suggests a range from approximately $750,000 — where institutional negligence is established but no specific local victims are identified — to $7,500,000 or more — where specific victims are identified, the institutions are proven to have had constructive notice of the illicit activity, and punitive damages are warranted. Economic damages include psychological counseling, psychiatric care, lost educational opportunities, and lost earning capacity. Non-economic damages cover emotional distress, loss of privacy, and the profound disruption of a person’s sense of safety. Punitive damages may be available if the institutions ignored warnings or concealed knowledge. Past results depend on the facts of each case and do not guarantee future outcomes.
What should I do right now?
Call us. Before you talk to anyone from the university, the contractor, the sorority, or any insurance company. Before you sign anything. Before you post anything online. Before another week passes and more evidence disappears. The call is free, the consultation is confidential, and the preservation letter that protects the evidence cannot go out until you make that call. Our number is 1-888-ATTY-911. We answer 24 hours a day, seven days a week — live staff, not an answering service.
Can the sorority be held responsible?
Yes. Tri Delta — both the local chapter and the national organization — bears premises liability for the safety of residents and visitors in the sorority house. The fact that the chef was employed by a contractor does not eliminate the sorority’s duty to ensure that the people with access to its residential facility are safe and properly supervised. The national organization likely sets safety standards for chapter houses and may carry its own insurance. The chapter president’s statement that the case “doesn’t really involve Tri Delta at all” is a defense position, not a legal conclusion. The law decides who is responsible — not the institution that is trying to distance itself.
Why Our Firm
We are Attorney911 — The Manginello Law Firm, PLLC. We are a trial firm that takes cases in Indiana, working with local counsel and pro hac vice admission where required. We do not claim an office in Indianapolis, and we will not pretend to something we are not. What we are is a team of trial lawyers who know how to build an institutional negligence case from the ground up — and who have the specific experience that matters for a case involving a university, a Greek organization, and a contractor’s failure.
Ralph Manginello is our Managing Partner, licensed since 1998 — 27+ years in courtrooms, including federal court. He is a journalist before he was a lawyer, which means he knows how to find the story the documents tell. He is currently lead counsel in an active $10 million lawsuit against Pi Kappa Phi fraternity and the University of Houston — a campus institutional liability case that shares the same structural DNA as this one: an institution that failed to protect the people in its care, and a Greek organization that must answer for what happened inside its house. That case is ongoing, and it is exactly the kind of fight Ralph knows how to run. You can read more about Ralph here.
Lupe Peña is our associate attorney, licensed since 2012. Before he joined our side of the table, Lupe spent years inside a national insurance-defense firm — the rooms where adjusters and their lawyers decide how to value claims, how to delay them, and how to devalue the people who file them. He knows how the other side sets reserves in the first 48 hours, how recorded statements are engineered, how surveillance is deployed, and how the software that values claims works from the inside. Now that knowledge works for you. Lupe is fluent in Spanish and conducts full consultations in Spanish without an interpreter. You can read more about Lupe here.
We are currently litigating a campus institutional liability case against a fraternity and a university — the Bermudez v. Pi Kappa Phi / University of Houston hazing lawsuit — and we understand how Greek organizations, universities, and contractors construct the walls that are designed to keep liability out. We know how to find the seams in those walls. That experience transfers directly to a case involving a sorority house, a food service contractor, and a university that failed to monitor its own network.
We work on contingency. That means you pay nothing unless we win your case — 33.33% before trial, 40% if the case goes to trial. The consultation is free. The preservation letter is part of the representation. The first call costs you nothing and may be the most important call you make. Our firm has recovered more than $50 million for clients over our years of practice — but past results depend on the facts of each case and do not guarantee future outcomes. What we guarantee is this: we will tell you the truth about your case, we will fight for it as if it were our own family, and we will not stop until every institution that failed answers for what it allowed to happen.
Hablamos Español. Lupe conducts full consultations in Spanish — not through an interpreter, but directly. If your family prays in Spanish, we will speak with you in the language you pray in.
If Your Family Was Affected
The evidence in this case is dying. The network logs at Butler University are on a deletion schedule. The employment file at College Fresh is sitting in an office where someone may decide it is time to “clean up.” The keycard data at the sorority house is cycling out of the system. Every day that passes without a preservation letter is a day the institutions can legally destroy the proof of what they failed to do.
The criminal case will address Andrew Horstmann. The civil case is what addresses the system that placed him in a sorority house, gave him access to a university network, and failed to detect what he was doing with it for two years. If the institutions answer only to a criminal prosecution, they will never change. The civil case is what makes them change — because the only language an institution truly understands is the language of accountability, and accountability is what a courtroom enforces.
Call us. The consultation is free, it is confidential, and it is the first step in protecting both your family and the evidence. 1-888-ATTY-911. We answer 24 hours a day. No fee unless we win your case.