Earlier this year, I reached out to the Electronic Privacy Information Center (EPIC), to encourage them to join DataBreaches.net in filing a complaint with the FTC concerning the massive data breach at Maricopa County Community Colleges District (MCCCD). I am pleased to see that they have done so, agreeing with me that MCCCD is covered by the Safeguards Rule and that the FTC can enforce it in the education sector.
EPIC has announced:
EPIC has filed a complaint with the Federal Trade Commission concerning the loss of personal information of almost 2.5 m current and former students, employees, and vendors in Maricopa County. According to EPIC, the District’s failure to maintain a comprehensive information security program led to a “massive breach of names, addresses, phone numbers, e-mail addresses, Social Security numbers, dates of birth, certain demographical information, and enrollment, academic, and financial aid information.” EPIC further alleges the District violated the Federal Trade Commission’s Safeguards Rule by failing to protect students financial information. EPIC’s complaint follows a similar complaint by DataBreaches.net. EPIC said that, “many education institutions in the United States are subject to the Safeguards Rule. The District’s case is a particularly egregious example of the risk of failing to safeguard sensitive personal information.” For more information, see EPIC: Student Privacy.
A copy of DataBreaches.net’s complaint to the FTC can be found here (7 MB, pdf).
In the weeks to come, DataBreaches.net will be releasing more documents and files that indicate that MCCCD administration was repeatedly warned about the security risks that it had not satisfactorily addressed, leaving student financial information and others’ personal information at ongoing risk of theft and misuse.