DataBreaches.Net

Privacy advocate files complaint with FTC over Maricopa County Community College District data breach

Posted on June 16, 2014 by Dissent

The 2013 breach at Maricopa County Community College District (MCCCD) in Arizona affected approximately 2.5 million faculty, staff, vendors, and students, making it the largest breach involving student information ever reported by a U.S. institution of higher education. A complaint by this privacy advocate alleges violations of the Safeguards Rule.

Having researched and reported on breaches for about a decade now, some breaches strike me as really appalling, and the MCCCD breach is one of those. Limited available public records suggest that MCCCD knew they had a problem in January, 2011, but failed to remedy identified vulnerabilities completely – despite repeated warnings by their own personnel and state auditors. By failing to address known risks, they left the door open to the second and massive data breach in 2013 that included personal and non-public financial information. As one of the largest higher education systems in the country, MCCCD was leaving 1/4 million students’ personal and financial information at risk each year, not to mention the personal and financial information of faculty, staff, and vendors. The risk was not just confined to current students, either, as when the breach was disclosed, students who had not attended MCCCD in decades found themselves now having to worry about becoming victims of identity theft.

Because I have complained for years on PogoWasRight.org that student data privacy and security are not being adequately protected and the government has done little to enforce either, and because I think the MCCCD breach is the poster child for poor data security in higher education and poor breach response, I have filed a formal complaint with the FTC to ask them to investigate MCCCD’s data security.

While the FTC does not have authority to enforce Section 5 of the FTC Act over non-profits (which most universities and colleges are), the FTC does have authority to enforce a law known as the Safeguards Rule. That rule requires covered organizations to have a comprehensive information security program, and provides specific standards. The FTC has enforced the Safeguards Rule in nine cases, but none of them have been in the education sector. Because MCCCD’s own internal documents state that they are obligated to comply with the Safeguards Rule, I filed the complaint under the Safeguards Rule.

If the FTC investigates – and I hope they do – they will find what I think are a slew of unreasonable data security practices that violate the standards and were likely to cause customers and consumers significant harm. Penalties for non-compliance with the Rule include civil penalties of up to $10,000 per violation for officers and directors personally liable, and for the financial institution liable, penalties of up to $100,000 per violation. Criminal penalties include imprisonment for up to five years and fines. 

What You Can Do to Help Yourselves

If you were affected by the MCCCD breach, you can contact the FTC to file your own complaint about the breach. Tell them that you want them to investigate MCCCD under the Safeguards Rule or whatever other authority they may have, for unreasonable security practices and the harm they have caused or were likely to cause you. The FTC’s online complaint assistant form does not seem well-suited to this purpose, so you may want to call them. You can also tell them you support the complaint filed by “Dissent” of DataBreaches.net.

Previous Coverage of the MCCCD Breach on DataBreaches.net:

  • Maricopa Community Colleges notifies 2.5M after data security breach (update 6)
  • Breach at Maricopa Community Colleges may cost $14 million
  • There are lessons to be learned from the Maricopa County Community Colleges breach. Learn them, dammit.
  • Arizona law firm files notice of claim over Maricopa County Community College District breach; class-action lawsuit to follow?
  • MCCCD IT Employees: ‘District knew about security concerns’
  • Costs continue to mount in MCCCD breach
  • Maricopa County Community College District sued to compel public records production (update 1)
  • Another notice of claim filed against MCCCD following massive breach
  • In split vote, MCCCD extends contract with law firm for data breach-related services (updated)
  • Another lawsuit filed against Maricopa County Community College District over massive breach
  • Class action lawsuit filed against Maricopa County Community Colleges District
  • Commentary: We need a congressional inquiry into the MCCCD breach
  • The MCCCD breach: Breach costs now approach $20 million

Category: Commentaries and Analyses, Education Sector, Hack, Of Note


4 thoughts on “Privacy advocate files complaint with FTC over Maricopa County Community College District data breach”

  1. Esther Lumm says:
    June 16, 2014 at 10:15 pm

    The sad thing is all of the innocent people that got or are getting fired for this breach, when the responsibility lies at the top…the chancellor. He’s the one that should have been fired for this fiasco, but instead the majority of the governing board is only looking at all the nice buildings, programs, and money he has added to the district. They have totally ignored all of the policies he and his attorney have violated in attempting to cover up their own mistakes in the IT department!

    1. Dissent says:
      June 17, 2014 at 7:56 am

      Blaming your employees or throwing them under the bus is not an element of a comprehensive information security program. There are a lot of documents that have been withheld from the public. The FTC has the ability to issue a CID (civil investigative demand). I hope they will. The education sector has to be held accountable for the security of the vast troves of personal and financial information they amass. Let it start with this case.

  2. Brandon P says:
    June 18, 2014 at 2:01 pm

    I attended Phoenix College from 90 to 94 and was one of the many affected by the MCCCD breach. The FCC does not make the online complaint form easy but I’ll consider filing it. It is my understanding that in regards to higher education institutions the GLBA Safeguards Rule is primarily, but not exclusively, concerned with financial aid data. If an institution provides financial aid, and that’s practically all of higher ed, the institution should have GLBA on their radar. I never applied for financial aid during my time at Phoenix College so I’m probably not the best person to file a complaint.

    1. Dissent says:
      June 18, 2014 at 5:46 pm

      Primarily financial, but also personal info (according to my reading of the statute). I agree with you about the FTC’s form, which is why I thought it would be easier for folks to call. MCCCD put your personal info at risk and left you at risk of identity theft, right?
